Insider tip of the Security Plugins
With the WordPress plugin NinjaFirewall we now come to my absolute favorite of the security plugins. Although NinjaFirewall is still relatively unknown, it is currently developing into a kind of insider tip. The firewall for WordPress is very effective, written for high performance and at the same time impressively efficient. Furthermore, the extension is kept very slim, and therefore the NinjaFirewall plugin runs noticeably better than the big competition. Why NinjaFirewall is my favourite security plugin, why it is an insider tip and why you should definitely try this extension, I will explain in a little more detail in the following test.
Firewall for WordPress
Compared to all other WordPress security plugins, NinjaFirewall takes itself much more seriously. It is not a scanner or a plugin optimized for beginners, but a real firewall that sits directly in front of WordPress, and every request has to pass through it first. So before visitors get to the actual WordPress page, they are first scanned and checked, which of course applies especially to bots and crawlers. Shortly after activation, NinjaFirewall blocks a lot of aggressive requests, which may not necessarily affect security but are superfluous and hurt the performance of the server, for example the bots and crawlers that come by every few minutes. In no time the NinjaFirewall log file fills up with blocked requests that nobody wants on their website and probably nobody needs. The first step is done.
For beginners and professionals
As the test continues, it turns out that NinjaFirewall is also suitable for beginners, even if it looks completely different at first. The default settings are pretty much perfect and no changes are actually necessary, unless you know your way around and have some special cases in your code. If you don't know what to do, just activate NinjaFirewall, leave everything as it is and have a look at the log from time to time. It fills up very quickly, and besides the blocked bots and crawlers, the first failed attacks also land there quite quickly. Among them are attacks on "admin-ajax.php" or attempted file uploads that NinjaFirewall was able to block. Every request is recorded, each entry is assigned a security level (Low, Medium, High or Critical), and the firewall rule that was applied is also written to the log. These rules, which are applied depending on the request, can also be deleted or edited in the settings, so that individual behaviour can still be adjusted. This is partly complicated and requires some background knowledge, but as said before: beginners basically don't need to change anything. If something goes wrong or is wrongly blocked, a look into the log helps, although it is basically useful to protect potential targets in other ways or even block them completely if the attacks become too strong.
All-round protection for WordPress
The settings of NinjaFirewall provide not only special rules but also everything webmasters could wish for. As said before: if you don't know what to do, leave everything on the default settings to avoid accidentally blocking real users with the firewall. If you know something about it, you can configure and define in detail how HTTP GET variables, HTTP POST variables, HTTP REQUEST variables, the HTTP response headers and much more are handled. You can also lock down typical WordPress directories, and even the XML-RPC API can be deactivated with a click (I have already written about this, among other things, in reference to DDoS attacks). NinjaFirewall can also simply switch off the plugin and theme editor if desired. Why does this make sense? Because normally you don't have to fiddle around with the editor all the time, but potential attackers can gain direct access to it, as happened recently in WordPress with the most serious security vulnerability in 5 years. There was a variable that allowed attackers to make changes to the files via the plugin and theme editor. So NinjaFirewall leaves no possibilities open and is an absolutely successful all-round protection for WordPress. A real and very effective firewall, not a run-of-the-mill collection of security tweaks.
Exemplary implementation and effective
Besides the quite strong and extensive firewall, NinjaFirewall of course also provides some extras. For example, the File Guard checks the execution of files, while the File Check creates a snapshot of all current data in order to detect possible changes later on. Thus WordPress is virtually bulletproof, also because File Guard performs real-time detection and directly blocks external access. Apart from that, there is the usual brute-force protection at login, as well as the option to have NinjaFirewall send you an email when something changes, for example when a plugin is installed or deactivated, when admins log in, or when WordPress performs an automatic update. So you'll always be informed, and NinjaFirewall logs blocked files in the monthly log file anyway, which is why you can always check again whether a request was blocked wrongly. The statistics also give you an overview of what kinds of attacks occurred and how many times per month. All of this is implemented in an absolutely exemplary manner and is also extremely effective.
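The snapshot-and-compare idea behind a feature like File Check, as an added Python example that is not NinjaFirewall's code and not from the original article. The function names, the choice of SHA-256 and the constructed sample files are assumptions for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for each regular file."""
    root, snap = Path(root), {}
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories and symlinks are not hashed
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snap[path.relative_to(root).as_posix()] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap

def compare(baseline, current):
    """Report what changed between two snapshots."""
    common = sorted(set(baseline) & set(current))
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [p for p in common if baseline[p][0] != current[p][0]],
        # same content but different permissions, e.g. a file made world-writable
        "mode_changed": [p for p in common if baseline[p][0] == current[p][0]
                         and baseline[p][1] != current[p][1]],
    }

def demo():
    """Constructed sample tree: take a baseline, change four things, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "readme.html").write_text("readme\n")
        (root / "wp-config.php").write_text("<?php // settings\n")
        os.chmod(root / "wp-config.php", 0o644)
        baseline = snapshot(root)
        (root / "index.php").write_text("<?php // front controller, edited\n")
        (root / "wp-content" / "uploads" / "new.php").write_text("<?php\n")
        (root / "readme.html").unlink()
        os.chmod(root / "wp-config.php", 0o666)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A baseline like this is only trustworthy if it is taken from a known-clean installation and stored where the web server's user cannot overwrite it.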
NinjaFirewall WP+ Edition
Of course, such an extensive plugin has not been programmed simply out of good will. NinjaFirewall is not only available for WordPress, but also as a standalone version for other applications. In addition, an extended license can be ordered, which is called NinjaFirewall WP+ Edition and, at about 30 dollars per year and domain, is probably one of the cheapest offers on the market. The features of the WP+ edition include the use of the server's shared memory (which increases performance), the ability to lock out IPs or whole countries, more settings for bots and rules, an antispam function for comments and much more. In addition, HTML pages can be scanned before delivery and there are a few other conveniences. Everything is great, but even in the free version NinjaFirewall does its job really almost perfectly. The WP+ edition just brings a few more additions, at an absolutely fair price, I think. The competition can hardly keep up with that.
Conclusion on NinjaFirewall
Even though we haven't reached the end of the article series yet, NinjaFirewall is already one of the winners for me. The WordPress plugin runs extremely stably, is an absolute dream in terms of performance, and even brought me noticeable improvements in the test: it relieved the server, because it simply blocked and locked out attacks and nonsensical requests. All of this was already almost perfectly implemented in the free version, and the WP+ Edition simply makes it even more extensive and adds more possibilities. But it should be clearly stated that the free version already offers great added value for virtually everyone, which is why users are happy to pay for the extended version, as they don't have the feeling of being ripped off or baited with a demo. NinjaFirewall is fantastic as it is, and those who appreciate it or need a few more settings will pay the 30 dollars a year. For me it is the cheapest and still the best way to equip WordPress with a real and powerful firewall. My tip: install the extension, leave it active for one or two weeks, check the log and then decide for yourself whether you want to continue using NinjaFirewall or uninstall the extension again. In contrast to most other security plugins, NinjaFirewall is not annoying ballast, but a really useful extension that really provides more security and performance instead of just paralyzing everything and opening further security holes, as is the case with some other plugins. So if you ask me directly for a security plugin, you will get NinjaFirewall recommended.