Title: TrapFlux Request Firewall
Author: susheelhbti
Published: June 18, 2026
Last modified: June 18, 2026

---


![](https://s.w.org/plugins/geopattern-icon/trapflux-request-firewall.svg)

# TrapFlux Request Firewall

By [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Download](https://downloads.wordpress.org/plugin/trapflux-request-firewall.zip)

 * [Details](https://kn.wordpress.org/plugins/trapflux-request-firewall/#description)
 * [Reviews](https://kn.wordpress.org/plugins/trapflux-request-firewall/#reviews)
 * [Installation](https://kn.wordpress.org/plugins/trapflux-request-firewall/#installation)
 * [Development](https://kn.wordpress.org/plugins/trapflux-request-firewall/#developers)

 [Support](https://wordpress.org/support/plugin/trapflux-request-firewall/)

## Description

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability
scanners and bot floods by **how they behave**, not just where they come from.

 * **Behavior-based blocking** — exploit-path probes (`.env`, `wp-config` backups,
   `.sql` dumps), malicious user agents, and request floods.
 * **Rate limiting** — every visitor is rate limited; hits on exploit paths count
   double, so scanners get banned far faster than real visitors ever could.
 * **Honeypot traps** — invisible links only bots follow; one visit means a permanent
   ban.
 * **Subnet bans** — block a whole CIDR range (e.g. `20.100.172.0/24`) when attackers
   rotate IPs on cloud providers.
 * **Text attack reports** — one-click downloadable `.txt` reports (summary + raw
   log) listing every URL attackers tried to access, ready to hand to your hosting
   company.
 * **fail2ban-friendly log** — one pipe-delimited line per blocked request, so your
   host can ban attackers at the network level using the plugin’s detections.
 * **Fails open** — any internal error and your site keeps working normally. An 
   emergency `disable.flag` file shuts blocking off instantly via FTP.

#### Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries.
For maximum resource savings you can point PHP’s `auto_prepend_file` at `firewall.php`
so blocking happens before WordPress loads at all. See the FAQ.

#### Honest limitations

 * This is a request firewall, not a malware scanner — it will not detect an
   already-infected site.
 * It ships with rules for today’s common probes and has no cloud threat feed; review
   the rules occasionally.
 * The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable
   that single toggle if you use them.
 * All assets (CSS/JS) are bundled — the plugin makes no external network requests.

## Installation

 1. Upload the `trapflux-request-firewall` folder to `/wp-content/plugins/`, or install
    the zip via Plugins → Add New → Upload.
 2. Activate **TrapFlux Request Firewall**. Your current IP is auto-whitelisted on 
    activation.
 3. Open the **TrapFlux Request Firewall** menu in wp-admin for stats, logs, reports
    and settings.

Data (config, bans, logs) is stored in `wp-content/uploads/trapflux-request-firewall/`.
An `.htaccess` deny rule is written automatically (Apache). On NGINX add:

    ```
    location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }
    ```

## FAQ

### How do I enable blocking before WordPress loads?

Set PHP’s `auto_prepend_file` to the engine, in `.user.ini` (most shared hosting)
or `php.ini`:

    ```
    auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php
    ```

Or in Apache `.htaccess` (mod_php):

    ```
    php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"
    ```

The engine guards against double-loading, so having both is safe.

### I locked myself out. What do I do?

Create an empty file named `disable.flag` inside
`wp-content/uploads/trapflux-request-firewall/` via FTP or your host’s file manager.
All blocking stops instantly. Delete the file to re-enable.

### Can my hosting company use the log with fail2ban?

Yes. Each blocked request is one line in
`wp-content/uploads/trapflux-request-firewall/blocked.log`:

    ```
    2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit
    ```

Suggested failregex: `^.* \| <HOST> \| .* \| BLOCKED: .*$`
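
An added example (not the plugin's code): a Python parser for the `blocked.log` format shown above that reads the address by its position right after the timestamp and validates it, then groups blocked addresses by /24 to surface candidates for the subnet-ban feature. The function names, the `min_hosts` threshold and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Field order taken from the FAQ sample line. Timestamp and address are matched
# strictly from the start of the line, so pipe characters inside the
# client-supplied request or UA fields cannot change which token is the address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<ip>[0-9A-Fa-f:.]+) \| "
    r"(?P<rest>.*) \| BLOCKED: (?P<reason>[^|]*)$"
)

def parse_line(line):
    """Return the fields of one blocked.log line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    request, _, ua = m.group("rest").partition(" | UA: ")
    return {"ts": m.group("ts"), "ip": ip, "request": request,
            "ua": ua, "reason": m.group("reason").strip()}

def subnet_candidates(lines, min_hosts=3, prefix=24):
    """IPv4 networks in which at least min_hosts distinct addresses were blocked."""
    seen = {rec["ip"] for rec in map(parse_line, lines)
            if rec and rec["ip"].version == 4}
    counts = Counter(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                     for ip in seen)
    return {str(net): n for net, n in counts.items() if n >= min_hosts}

# Constructed sample lines (not real traffic), in the format shown in the FAQ.
SAMPLE = [
    "2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: curl/8.0 | BLOCKED: rate-limit",
    "2026-06-11 14:32:09 | 20.100.172.41 | GET /.env | UA: scanner | BLOCKED: rate-limit",
    "2026-06-11 14:32:11 | 20.100.172.90 | GET /backup.sql | UA: scanner | BLOCKED: rate-limit",
    "2026-06-11 14:32:15 | 203.0.113.5 | GET / | UA: x | 198.51.100.7 | y | BLOCKED: rate-limit",
    "not a log line",
]

if __name__ == "__main__":
    for net, n in subnet_candidates(SAMPLE).items():
        print(f"{net}: {n} distinct blocked addresses")
```

The same positional anchoring (timestamp, then address, then everything else) applies when adapting the suggested failregex for a fail2ban filter.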

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“TrapFlux Request Firewall” is open source software. The following people have
contributed to this plugin.

Contributors

 * [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Translate “TrapFlux Request Firewall” into your language.](https://translate.wordpress.org/projects/wp-plugins/trapflux-request-firewall)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/trapflux-request-firewall/),
check out the [SVN repository](https://plugins.svn.wordpress.org/trapflux-request-firewall/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/)
by [RSS](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.5

 * Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data
   directory now resolves exclusively via wp_upload_dir(); activation aborts with
   a clear message if that is unavailable, instead of guessing a path.

#### 1.0.4

 * Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR
   hardcode and dirname walk-up fallbacks.
 * Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH
   check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
 * Plugin activation now stores the resolved upload path in config.json so the
   prepend-mode engine can locate its data without guessing.

#### 1.0.3

 * Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all
   options, hooks, AJAX actions and constants.
 * Moved all data (config, bans, logs) to the uploads directory:
   wp-content/uploads/trapflux-request-firewall/.
 * Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request
   URI).
 * Added a direct-access guard to the firewall engine file.

#### 1.0.2

 * Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes,
   no build step, no framework).

#### 1.0.1

 * Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard
   now makes zero external requests.

#### 1.0.0

 * Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans,
   text reports, fail2ban-friendly logging, emergency off-switch.

## Meta

 *  Version **1.0.5**
 *  Last updated **2 weeks ago**
 *  Active installations **Fewer than 10**
 *  WordPress version **5.8 or higher**
 *  Tested up to **7.0**
 *  PHP version **7.2 or higher**
 *  Language
 * [English (US)](https://wordpress.org/plugins/trapflux-request-firewall/)
 * Tags
 * [bot blocking](https://kn.wordpress.org/plugins/tags/bot-blocking/) [firewall](https://kn.wordpress.org/plugins/tags/firewall/)
   [honeypot](https://kn.wordpress.org/plugins/tags/honeypot/) [rate limiting](https://kn.wordpress.org/plugins/tags/rate-limiting/)
   [security](https://kn.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://kn.wordpress.org/plugins/trapflux-request-firewall/advanced/)

## Ratings

No reviews have been submitted yet.

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/trapflux-request-firewall/)