SiteFort documentation

Firewall

Block malicious traffic before it reaches WordPress. Covers IP Detection, bot filtering, country rules, Cloudflare Sync, Traffic Log, and advanced firewall controls.

Firewall

The SiteFort Firewall filters abusive requests, scanner traffic, suspicious bots, blocked IPs, country policies, rate-limit violations, and selected user-agent rules. It also integrates with Cloudflare to push supported rules to the edge before requests reach WordPress. The Firewall header shows detected IP context, Server-Level WAF status, Cloudflare status, and the master firewall toggle. Firewall states include Updating firewall..., Firewall is ON, Firewall is validating, Firewall is paused, and Firewall is OFF.

Activation

The Activation tab appears in the setup flow and includes Activate SiteFort Firewall, IP Detection, Server-Level WAF, Trusted IPs & Defaults, Cloudflare summary, and Save Activation Settings.
Important: Do not enable strict firewall controls until the detected visitor IP is correct. If IP Detection is wrong behind Cloudflare, a proxy, or a load balancer, SiteFort may block or trust the wrong client.

Verify IP Detection First

IP Detection tells SiteFort which request header contains the real visitor IP. This matters for every firewall decision, including bans, allowlists, country rules, rate limits, and lockout actions.
  1. Open Firewall > Advanced > IP Detection.
  2. Compare the detected IP with your current public IP or administrator network.
  3. If the site is behind Cloudflare, use the Cloudflare preset when prompted.
  4. If your host uses another proxy, choose the correct manual header and configure Trusted Proxy IPs/CIDRs.
  5. Click Verify again. Enable enforcement only after the warning state clears.

| Detection mode | Use when |
| --- | --- |
| Automatic (Recommended) | Most sites, including common CDN and hosting proxy setups, when SiteFort can detect the best source. |
| Manual (specify header) | Automatic gives the wrong result and you know the header your proxy or CDN sends. |
| Disabled (direct connection only) | The site receives traffic directly and no proxy or CDN sits in front of WordPress. |

Manual header options include CF-Connecting-IP, X-Forwarded-For, Forwarded, X-Real-IP, X-Client-IP, Client-IP, and X-Cluster-Client-IP. Status panels can report missing headers, wrong manual headers, Cloudflare detection, or setup checks. Actions include Auto-Configure, Verify again, Show diagnostic details, Apply Cloudflare preset, Switch to Automatic, and switching to a recommended header.

Protection

The Protection tab controls bot filtering, scanner detection, community threat feed, and rate limiting. Start with conservative settings, review logs, then tighten as needed.

| Protection | What it does | Recommended use |
| --- | --- | --- |
| Bot & Crawler Policy | Filters bot traffic by profile. Google, Bing, social previews, and major AI assistants remain allowed at every level. | Use Balanced for most sites. Use Maximum only after reviewing business needs for unknown crawlers. |
| Basic profile | Blocks known hacking and vulnerability scanning tools. | Good starting point for cautious production rollouts. |
| Balanced profile | Blocks hacking tools, data scraping bots, and automated scripts. Marked recommended in the UI. | Recommended default for public production sites. |
| Maximum profile | Blocks hacking tools, scraping bots, automated scripts, and unrecognized bot traffic. | Use for high-risk sites that do not rely on niche crawlers, SEO tools, or third-party monitoring bots. |
| Detect & Block Scanners | Detects probes targeting config files, backups, version metadata, and sensitive paths. IPs over threshold are automatically banned. | Enable on production sites. Tune failed attempts and observation window if legitimate monitoring triggers it. |
| Community IP Blocklist | Blocks malicious IPs detected across the SiteFort network and refreshes every 6 hours. | Enable unless your environment requires every third-party threat source to be reviewed before enforcement. |
| Rate Limiting | Reduces abusive request spikes and repeated 404 probes without interrupting trusted search crawlers. | Enable for login-heavy, ecommerce, and public content sites. Review Traffic Log during the first week. |

Scanner detection settings include failed attempts per IP from 1 to 20 and an observation window from 1 to 60 minutes. Rate limiting settings include Site Requests from 10 to 300 and 404 Not Found Errors from 0 to 100.

Probe and Scanner Detection

Detect & Block Scanners catches reconnaissance before it becomes an exploit attempt. SiteFort blocks each matching sensitive-path request and escalates the source IP into the ban list after the configured threshold is reached inside the observation window.

| Detection area | Examples and operational meaning |
| --- | --- |
| Configuration probes | Requests for .env, .git, .htaccess, .user.ini, and similar paths indicate an automated scanner looking for exposed secrets or server files. |
| WordPress config backups | Requests for backup variants of wp-config.php are high-risk because they often expose database credentials. |
| Backup and dump discovery | Requests for SQL dumps, compressed archives, ZIP files, or tar archives suggest an attacker is searching for downloadable site backups. |
| Version and install metadata | Requests for readme.html, plugin and theme readme.txt, debug logs, error logs, phpinfo.php, and installer paths help attackers fingerprint the stack. |
| Threshold behavior | Each matching request is blocked. The IP is banned only after the failed-attempt count is reached within the observation window. |
| Evidence | Escalated events appear in Firewall Traffic Log as Sensitive Path activity, and the resulting IP block appears in Active Rules. |
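
The threshold behavior described above, sketched as an added example (not SiteFort's own code): every sensitive-path request is blocked, and an IP is banned only when its hits inside the observation window reach the threshold. The path patterns, log format, sample lines, and default values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed patterns based on the detection areas listed above (illustrative only).
SENSITIVE = re.compile(
    r"(^|/)\.(env|git|htaccess|user\.ini)(/|$)"
    r"|wp-config\.php\.\w+$"
    r"|\.(sql|zip|tar|gz)$"
    r"|(^|/)(readme\.(html|txt)|phpinfo\.php|debug\.log|error_log)$",
    re.IGNORECASE,
)

# Constructed log lines in chronological order: timestamp, client IP, method, path.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 203.0.113.50 GET /.env",
    "2024-05-01T10:00:05 203.0.113.50 GET /wp-config.php.bak",
    "2024-05-01T10:00:09 192.0.2.10 GET /blog/hello-world/",
    "2024-05-01T10:00:12 203.0.113.50 GET /backup.sql",
    "2024-05-01T10:01:00 192.0.2.77 GET /readme.html",
    "2024-05-01T10:30:00 192.0.2.77 GET /phpinfo.php",
    "2024-05-01T11:00:00 192.0.2.77 GET /.git/config",
]


def evaluate(lines, threshold=3, window_minutes=10):
    """Return (blocked, banned): blocked requests and a map of IP -> ban time."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(deque)  # per-IP timestamps of sensitive-path requests
    blocked, banned = [], {}
    for line in lines:
        ts_text, ip, _method, path = line.split()
        ts = datetime.fromisoformat(ts_text)
        if not SENSITIVE.search(path.split("?", 1)[0]):
            continue
        blocked.append((ip, path))  # each matching request is blocked
        recent = hits[ip]
        recent.append(ts)
        while ts - recent[0] > window:  # drop hits older than the window
            recent.popleft()
        if len(recent) >= threshold and ip not in banned:
            banned[ip] = ts  # escalate to a ban once the threshold is reached
    return blocked, banned
```

With the defaults, only the burst from 203.0.113.50 is banned; widening the window to 60 minutes also bans the slow prober 192.0.2.77, which is the trade-off to weigh when tuning these two settings.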

Community Threat Feeds

Community IP Blocklist blocks traffic from malicious IPs detected across the SiteFort network and external threat intelligence sources. The UI shows blocked IP count, last synced timestamp, and Fetch Latest Threats.
  • The list refreshes every 6 hours when enabled.
  • Manual refresh is available from Fetch Latest Threats.
  • If a refresh fails or returns no valid entries, SiteFort keeps the last known blocklist instead of silently removing protection.
  • Blocks from this feature appear under the Community Blocklist filter in Traffic Log.

Traffic Rules

Traffic Rules lets you block or allow traffic by IP address, country, or crawler name. If Cloudflare Sync is enabled, the Rules screen can show a Synced to Cloudflare badge.

| Rule type | How to configure | Be careful with |
| --- | --- | --- |
| IP Address | Enter an IP, CIDR, or wildcard. Choose Block or Allow, set duration, add a reason, then click Add Rule. Use Allow my current IP when securing your own access. | Allowed IPs bypass all firewall rules. Only allow trusted administrators, monitoring services, office or VPN ranges, or partners. |
| Country | Enable country blocking, choose Block selected countries or Allow only selected countries, select countries, and add them to the policy. | Allow-only mode blocks unknown countries and any country not selected. Use it only when the legitimate visitor countries are known and limited. |
| Bot / Crawler | Enter a User-Agent pattern. Choose Block for unwanted crawlers or Trust for crawlers that should bypass checks. | Trusted patterns bypass all firewall checks, including IP blocks, country rules, threat feeds, scanner detection, and rate limiting. |

Valid IP rules can use IPv4, IPv6, CIDR such as 10.0.0.0/24, or wildcard such as 192.168.1.*. Durations include Permanent, 1 day, 7 days, 30 days, and 90 days. Active Rules show metrics for Blocked IPs, Allowed IPs, Countries, and Bot Rules, plus filters for All, IPs, Countries, Bots, and Allowed.

Country Blocking and GeoIP

Country Blocking enforces geographic policy from the Firewall Rules screen. It supports two modes:
  • Block selected countries: only the selected countries are blocked. Unknown countries are allowed because they are not proven to be in the blocked list.
  • Allow only selected countries: only selected countries are allowed. Unknown countries are blocked.

| GeoIP source | How SiteFort uses it |
| --- | --- |
| Cloudflare country headers | When Cloudflare is connected and traffic arrives from a verified Cloudflare edge IP, SiteFort can use the trusted CF-IPCountry header. |
| Cloudflare edge rules | When Cloudflare Sync is enabled, supported country rules can be pushed to Cloudflare so blocked traffic is stopped before WordPress loads. |
| MaxMind GeoIP fallback | MaxMind GeoLite2-Country provides local origin-level lookups without runtime API calls. Configure it under Settings > Integrations and click Update Country Database. |
| No GeoIP source | Country blocking cannot be enabled until Cloudflare edge enforcement or a downloaded MaxMind country database is available. |
| Administrator access | Logged-in administrators are exempt from origin-level country checks. Cloudflare edge rules still apply before WordPress loads. |

For ecommerce and membership sites: use block-selected mode unless the business has a strict geographic access policy. Allow-only mode can block customers, payment callbacks, shipping integrations, uptime monitors, and remote staff.

Cloudflare Sync

Cloudflare Sync pushes supported SiteFort firewall rules to Cloudflare before requests reach your server. Use it when the domain is routed through Cloudflare and you want edge-level enforcement for high-volume blocking.

| Cloudflare status or feature | Meaning |
| --- | --- |
| Connect Cloudflare | Cloudflare credentials are not configured. Open Settings > Integrations and add Zone ID plus credentials. |
| Cloudflare Connected | SiteFort verified the zone and required permissions. |
| Cloudflare Connection Issue | Credentials are saved, but SiteFort could not verify a working connection for this website. |
| Block at the edge | Blocked IPs and countries are stopped at Cloudflare's global network before reaching your server. |
| 300+ global locations | Cloudflare enforces rules from the nearest data center to the attacker, reducing origin load. |
| Live attack escalation | IPs that repeatedly trigger firewall blocks are temporarily escalated to Cloudflare edge blocks. |

When sync is enabled, rule changes push automatically and Push now forces an immediate sync. Status can show plan badge, processing state, Cloudflare limits, last push time, completed-with-warning messages, conflicting targets, and plan limit warnings.
Automatic Edge Blocks for Active Attacks uses four fields: Block Threshold from 2 to 50, Observation Window from 1 to 1440 minutes, Edge Block Duration from 5 to 10080 minutes, and Max Edge Blocks capped by the detected Cloudflare plan. These temporary blocks are managed separately from the manual block list.

Cloudflare Integration Guide

Use this guide to connect Cloudflare to SiteFort for edge firewall enforcement, country blocking, manual IP rules, manual user-agent rules, and automatic temporary edge blocks during active attacks. Edge enforcement works only for traffic routed through Cloudflare, so make sure the site's DNS records are proxied when you expect Cloudflare to block traffic before it reaches WordPress.
Cloudflare setup uses the website Zone ID and a scoped API token with the permissions listed below.

Step 1: Copy the Cloudflare Zone ID

  1. Log in to Cloudflare.
  2. Open the website zone you want SiteFort to manage.
  3. Go to Website > Overview.
  4. Copy the Zone ID from the API panel.
The Zone ID tells SiteFort exactly which Cloudflare zone should receive firewall rules. Do not use an Account ID in this field.

Step 2: Create a scoped API Token

Use API Token (Recommended) where possible. Paste only the token value into SiteFort. Do not include Authorization:, Bearer, spaces, Token ID, or a Global API Key in the API Token field.

| Permission | Required | Purpose |
| --- | --- | --- |
| Zone - Zone - Read | Yes | Validate the selected zone and discover the owning Cloudflare account. |
| Account - Filter Lists - Edit | Yes | Create and update SiteFort-managed edge allow and block lists. |
| Zone - WAF - Edit | Yes | Create and update the SiteFort managed custom firewall rule. |
| Account - Firewall Access Rules - Edit | Optional | Allow fallback access-rule support if Cloudflare Lists are unavailable on the account or plan. |

Set Zone Resources to include the website zone and Account Resources to include the account that owns that zone. If a required permission is missing, SiteFort shows Permission Required or Required Scopes Missing in the Cloudflare status cards.

Step 3: Save and verify in SiteFort

  1. Open SiteFort > Settings > Integrations > Cloudflare Connection.
  2. Select API Token (Recommended).
  3. Paste the Zone ID and API Token value.
  4. Click Save & Verify.
  5. Confirm the status cards: Connection, Account ID, Permission Check, and Detected Plan.

Step 4: Enable Cloudflare Sync

  1. Open Firewall > Cloudflare Sync.
  2. Enable Cloudflare Sync.
  3. Review the limits and plan badge.
  4. Click Push now if you want an immediate sync instead of waiting for the next automatic push.

| Synced item | Cloudflare behavior |
| --- | --- |
| Manual IP and CIDR rules | Blocked and allowed IP entries are pushed to Cloudflare lists or fallback access rules when supported. Wildcard IP patterns are enforced locally and may be skipped during edge sync. |
| Country rules | Country policies can be enforced at Cloudflare before requests reach WordPress, subject to Cloudflare plan and rule limits. |
| Manual user-agent rules | Manual user-agent block and trust patterns are included in the synced rule set when Cloudflare Sync is enabled. Built-in bot classifications remain origin-level controls. |
| Automatic edge blocks | IPs that repeatedly trigger firewall blocks can be escalated to temporary Cloudflare edge blocks managed separately from the manual block list. |

Step 5: Troubleshoot Cloudflare status

| Status or warning | What to check |
| --- | --- |
| Not Configured | Confirm the Zone ID and credential are saved in Settings > Integrations. |
| Permission Required | Add the missing required token scopes in Cloudflare, then use Save & Verify or Re-verify Credentials. |
| Verification Failed | Check the Zone ID, token value, account access, and Cloudflare API availability. |
| Limited fallback support | Required permissions passed, but the optional fallback permission is missing. Managed lists and WAF rules can still be available. |
| Plan limit warnings | Reduce synced entries or adjust rule strategy when the detected Cloudflare plan cannot hold every requested edge rule. |
| Conflicting targets | Remove or update opposite-action rules already present in Cloudflare, then push again. |

Advanced Firewall Settings

Trusted Proxy Configuration

Trusted Proxy Configuration ensures proxy headers are trusted only when the direct connection comes from a known proxy server. This prevents attackers from spoofing headers such as X-Forwarded-For. Provider options are None, Cloudflare with auto-updated ranges, and Custom IPs/CIDRs.
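
The rule above, together with the header choice made under Verify IP Detection First, sketched as an added example (not SiteFort's own code): a proxy header is honored only when the TCP peer is a configured trusted proxy. The example goes one step further and walks X-Forwarded-For from right to left, so client-supplied entries on the left are never trusted. The proxy ranges, function names, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed trusted proxy ranges (documentation address space), standing in
# for the Trusted Proxy IPs/CIDRs setting.
TRUSTED_PROXIES = [
    ipaddress.ip_network(cidr) for cidr in ("198.51.100.0/24", "2001:db8:ffff::/48")
]


def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    """True when ip falls inside one of the configured proxy ranges."""
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, headers):
    """Pick the IP that firewall decisions should apply to.

    remote_addr is the direct TCP peer; headers is a dict of request headers.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("invalid peer address")
    # Ignore proxy headers unless the direct connection comes from a known proxy.
    if not is_trusted_proxy(peer):
        return str(peer)
    candidate = peer
    hops = headers.get("X-Forwarded-For", "").split(",")
    # Rightmost entries were appended by trusted proxies; anything further
    # left can be set freely by the client.
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            break  # malformed or missing entry: keep the last verified hop
        candidate = ip
        if not is_trusted_proxy(ip):
            break  # first untrusted hop is the client
    return str(candidate)
```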

Server-Level WAF

Server-Level WAF intercepts malicious requests at the server level before WordPress loads, so blocks and rate limits take effect earlier in the request lifecycle. States can include checking availability, not installed, active at the web server layer, installed while runtime activation is being verified, pending activation, another server-level firewall conflict, stale runtime state, and current startup file. If automatic file writing is disabled or server configuration is managed by your host, use generated manual rules or involve hosting support. Then click Check again.

Trusted IPs & Defaults

  • Trusted IPs: one IP address, CIDR range, or wildcard per line. Trusted entries bypass all firewall rules.
  • Block Page Message: message shown to visitors whose requests are blocked by the firewall.
  • Default Block Duration: used for manually added IP blocks unless a rule overrides it.
  • Add my current IP: useful before enabling strict controls from a new network.

Firewall Traffic Log

Firewall Traffic Log is the first place to look when a visitor reports a block or when traffic suddenly spikes. Filter by attack type, search by IP, select a time range, export CSV, refresh, and page through results. Available type filters are All Types, IP Ban, Rate Limit, 404 Flood, XML-RPC, Sensitive Path, Community Blocklist, Country Block, UA Ban, Bot Ban, Login Lockout, and REST API Block. Time ranges include 24h, 7d, 30d, and All.