SiteFort security guide

Firewall

Recommended settings for IP detection, bot protection, scanner blocking, rate limiting, and traffic rules. Configure in this order and the firewall will protect without blocking the wrong people.

Setup order

Open SiteFort → Firewall. The firewall has several moving parts and the order matters. Skipping IP Detection before enabling strict rules is the most common cause of false positives and self-lockouts.

  1. Verify IP Detection in Advanced before anything else.
  2. Enable Server-Level WAF if available on your server.
  3. Add Trusted IPs for your office, VPN, or agency network.
  4. Enable Protection settings: bot policy, scanner detection, community blocklist, rate limiting.
  5. Add Traffic Rules only when you have a specific reason: a known bad IP, a country you do not serve, or a bot causing real problems.
  6. Connect Cloudflare Sync if the site uses Cloudflare. See the Cloudflare Sync guide.
  7. Review the Traffic Log after a few days and adjust rules based on what you see.

Do not skip IP Detection. If the site sits behind Cloudflare, a CDN, or a reverse proxy and IP Detection is wrong, every request appears to come from the proxy's own address, so the firewall will ban, rate-limit, and trust the wrong addresses: one ban or rate limit then applies to every visitor arriving through that proxy, and a forwarded header read without verification lets a visitor choose the address the firewall sees. Fix this first.

IP Detection

Go to SiteFort → Firewall → Advanced → IP Detection.

SiteFort needs to read the real visitor IP from incoming requests. On a direct server connection this is straightforward: the address of the connecting client is the visitor. Behind Cloudflare or a proxy the connecting client is the proxy, and the visitor's address arrives in a request header that only the proxy should be allowed to set, so it requires configuration.

Your setup | Recommended detection setting
Standard hosting, no proxy or CDN | Automatic
Cloudflare in front of WordPress | Automatic, then apply the Cloudflare preset if prompted
Other CDN or reverse proxy | Automatic first. Switch to Manual only if Automatic reads the wrong IP

After selecting a mode, compare the detected IP shown in SiteFort with your actual public IP (check it from the same network you are browsing from, not through a VPN). If they match, the firewall is reading requests correctly. If they do not match, do not enable enforcement yet. A wrong mode typically shows a Cloudflare or load-balancer address instead of yours, or the same address for every visitor in the Traffic Log.

Trusted IPs

Trusted IPs bypass all firewall rules. Keep this list short and intentional. Add your office static IP, your agency or developer VPN, and any uptime monitoring service you rely on. Do not add large IP ranges, shared VPN exit nodes, or IPs you do not fully control.

If you add your current IP as trusted, confirm it is a static IP. A residential or dynamic IP that changes later will either become useless as a trusted rule or accidentally trust a different person after your ISP reassigns it.
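Why the detection mode and the Trusted IPs list depend on each other, as an added illustration (example code written for this guide, not SiteFort's implementation): a firewall that reads a forwarded header without first checking that the request arrived from a proxy it trusts lets any direct client choose its own address, including one on the Trusted IPs list. The proxy ranges, the office address and the header handling below are assumptions constructed for the example; Cloudflare publishes its real address ranges separately.

```python
import ipaddress

# Constructed for this example: the proxy ranges the site trusts (documentation-only
# networks standing in for Cloudflare's published ranges) and one office address
# that sits on the Trusted IPs list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
TRUSTED_IPS = {"192.0.2.10"}


def parse_ip(value):
    """Return an ip_address for a header or peer value, or None if it is not one."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(value):
    addr = parse_ip(value)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, headers):
    """The mistake: honour X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr, headers):
    """Resolve the visitor address the way a correct detection mode must.

    remote_addr is the TCP peer (what PHP sees as REMOTE_ADDR); headers is a dict
    of request headers. Returns None when the address cannot be resolved, which
    the caller should treat as 'do not enforce and do not trust'.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection: any forwarding header was written by the client itself.
        return remote_addr
    cf = headers.get("CF-Connecting-IP")
    if cf:
        # Cloudflare sets this header to the address that connected to it and
        # replaces any client-supplied value, so it is safe exactly when the peer
        # is a Cloudflare address.
        return cf.strip() if parse_ip(cf) else None
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Each proxy appends the address it talked to, so walk from the right and skip
    # the proxies we trust; the first address a trusted proxy did not add is the client.
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop if parse_ip(hop) else None
    # Only trusted proxies in the chain and no client address: nothing to resolve.
    return None


def bypasses_firewall(remote_addr, headers, resolver=client_ip):
    """True when the resolved address is on the Trusted IPs list (bypasses all rules)."""
    return resolver(remote_addr, headers) in TRUSTED_IPS
```

With the naive resolver, a client connecting directly with the header X-Forwarded-For: 192.0.2.10 is treated as the office and skips every rule; with the checked resolver the same request resolves to the client's real peer address. The same function returns the proxy's own address for a request that carries no forwarding header only when the peer is not a trusted proxy, which is the "detected IP is a Cloudflare address" symptom the check above is looking for.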

Protection settings

Go to SiteFort → Firewall → Protection.

These are the settings that do the daily blocking work. Enable them after IP Detection is verified.

Setting | Recommended | Watch out for
Bot and Crawler Policy | Balanced | Balanced blocks hacking tools, scrapers, and automated scripts while keeping Google, Bing, and major AI assistants unaffected. Move to Maximum only during active abuse, then review the Traffic Log for false positives before leaving it there permanently.
Detect and Block Scanners | On | Set the threshold at 3 to 5 failed probe attempts with a 10 to 15 minute window. If a legitimate monitoring tool starts triggering it, add that tool's IP to Trusted IPs rather than disabling scanner detection.
Community IP Blocklist | On | Nothing to watch for on most sites. Blocks refresh every 6 hours automatically.
Rate Limiting | On, moderate values | Start with moderate limits and review the Traffic Log before tightening. WooCommerce checkout, membership account pages, and LMS course players generate more requests per user than a static site. Tune limits around your actual traffic patterns.

Which bot policy level to use

Level | Use when
Basic | Testing a new site with many third-party integrations, or rolling out cautiously for the first time.
Balanced | Default for most WordPress sites. Start here.
Maximum | Active scraping attack, aggressive bot traffic, or sustained abuse from unknown crawlers. Review the Traffic Log after switching to check for blocked legitimate services.

Rate limiting by site type

Site type | Recommended approach
Business or brochure site | Moderate limits. Low logged-in user activity makes limits easier to set.
WooCommerce store | Moderate limits, then test cart, checkout, account pages, filters, and payment callbacks. These generate real multi-request flows from legitimate customers.
Membership or LMS | Set limits higher than a brochure site. Logged-in users browsing course content or member areas generate significantly more requests per session.
Site under active attack | Temporarily tighten limits, then relax once traffic normalises. Permanent tight limits on a dynamic site cause friction for real users.
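How the scanner threshold and the rate limit from the Protection table behave on real traffic, as an added example (written for this guide; it is not SiteFort's detection code and makes no claim about how the product counts). Both checks are the same sliding-window counter applied to different events: failed requests for sensitive paths for scanner detection, every request for rate limiting. The log lines, the list of probe paths, the IP addresses and the thresholds are all constructed for the example; the thresholds use the values the table recommends.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Paths that only scanners ask for on a normal WordPress site (assumption: a
# representative list for the example, not SiteFort's own signature set).
PROBE_MARKERS = (".env", "wp-config", ".git/", ".sql", "backup", "phpmyadmin")


def is_probe(status, path):
    """A failed request for a sensitive path counts as one probe attempt."""
    return status in (401, 403, 404) and any(m in path.lower() for m in PROBE_MARKERS)


class SlidingWindow:
    """Counts events per key inside a trailing time window (timestamps must be fed in order)."""

    def __init__(self, seconds):
        self.window = timedelta(seconds=seconds)
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def parse_line(line):
    """Constructed log format for the example: '<iso timestamp> <ip> <status> <path>'."""
    ts, ip, status, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, int(status), path


def evaluate(lines, trusted_ips, probe_threshold=3, probe_window=600, rate_limit=60, rate_window=60):
    """Return ({scanner_ip: ban time}, {rate_limited_ip: first throttle time})."""
    probes, requests = SlidingWindow(probe_window), SlidingWindow(rate_window)
    scanner_blocks, rate_limited = {}, {}
    for line in lines:
        ts, ip, status, path = parse_line(line)
        if ip in trusted_ips:
            continue  # Trusted IPs bypass every check, including both counters
        if ip in scanner_blocks:
            continue  # already banned; later requests from it are refused outright
        if requests.hit(ip, ts) > rate_limit:
            rate_limited.setdefault(ip, ts)
        if is_probe(status, path) and probes.hit(ip, ts) >= probe_threshold:
            scanner_blocks[ip] = ts
    return scanner_blocks, rate_limited


def sample_log():
    """Constructed traffic, not a real log: a scanner, a trusted uptime monitor,
    a shopper in checkout and a scraper, all within a few minutes."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, p in enumerate(["/.env", "/wp-config.php.bak", "/.git/config", "/backup.sql"]):
        lines.append(f"{(t0 + timedelta(seconds=90 * i)).isoformat()} 198.51.100.23 404 {p}")
    for i, p in enumerate(["/.env", "/wp-config.php.bak", "/.git/config"]):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 192.0.2.10 404 {p}")
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.50 200 /checkout/?step={i}")
    for i in range(80):
        lines.append(f"{(t0 + timedelta(milliseconds=500 * i)).isoformat()} 198.51.100.77 200 /product/{i}/")
    return sorted(lines)  # ISO timestamps sort chronologically as strings
```

Running evaluate(sample_log(), {"192.0.2.10"}) bans the scanner on its third probe and throttles the scraper on its 61st request inside a minute, while the shopper's 30 checkout requests stay under the limit. Dropping the monitor from trusted_ips bans it on its third probe, which is the case the table resolves by trusting the tool's IP instead of disabling scanner detection; lowering rate_limit to 20 is what a too-tight limit looks like, since the shopper is then throttled mid-checkout.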

Traffic rules

Go to SiteFort → Firewall → Rules.

Traffic rules are for specific situations: blocking a known bad IP, allowing a trusted service, or restricting access by country. Do not create rules speculatively. Add a rule when you have a concrete reason from the Traffic Log or a support request.

IP rules

Situation | Recommended action | Duration
IP repeatedly fails login attempts | Block | 1 to 7 days
IP probing sensitive file paths | Block | 30 days
Known malicious server or hosting range | Block | 90 days or permanent
Your office, agency VPN, or developer IP | Allow (only if IP is static) | Permanent
Trusted monitoring or integration service | Allow | Permanent

Allowed IPs bypass all firewall rules including scanner detection, rate limiting, and community blocklist. Only allowlist IPs you own or fully trust.

Bot and crawler rules

Add a bot rule when a specific crawler is wasting server resources, scraping content aggressively, or hitting the site repeatedly in ways the Balanced bot policy is not catching.

When adding a Trust rule for a crawler, use the most specific User-Agent pattern you can. Avoid trusting broad patterns like bot, Mozilla, or crawler: Mozilla appears in almost every browser User-Agent, and bot or crawler matches any scanner that chooses to call itself one. Trusted bot patterns bypass all firewall checks, and the User-Agent header is set by the client, so any visitor can present a trusted string. Treat a Trust rule as a convenience for a crawler you have already identified in the Traffic Log, not as a security control.

Country blocking

Go to SiteFort → Firewall → Rules → Country.

Country blocking is a useful tool in specific situations. It is not the right first response to general attack traffic because most attacks originate from many countries simultaneously and from compromised servers in countries you do serve.

When to use block-selected mode

Block specific countries when the Traffic Log shows a sustained pattern of abuse from a country your site does not serve, and the volume is high enough to justify the risk of occasionally blocking a legitimate visitor using a VPN or travelling.

When to use allow-only mode

Allow-only mode blocks every country except the ones you select, including countries with unknown or unresolvable origin. This is appropriate for local business sites, private portals, internal tools, or sites with a tightly defined geographic audience.

Do not use allow-only mode if: you sell internationally, your customers travel, your team works remotely from different countries, you rely on global payment gateways or shipping providers, or you are not confident about where your legitimate traffic comes from. Allow-only mode blocks all unknown-country traffic, which includes many real users on VPNs and corporate networks.
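The rule precedence this section describes, as an added example (written for this guide, not SiteFort's rule engine): allow rules and trusted bot patterns bypass everything, block rules carry an expiry matching the durations in the IP rules table, and the two country modes differ exactly in how they treat an origin the GeoIP source cannot resolve. The addresses, the GeoIP table, the monitor User-Agent and the decision labels are constructed assumptions; the block-selected and allow-only behaviour follows the text above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

UNKNOWN = "XX"  # assumed marker for an address the GeoIP source cannot resolve


@dataclass
class IpRule:
    ip: str
    action: str                   # "allow" or "block"
    expires: Optional[datetime]   # None means permanent


def block_for(ip, now, days=None):
    """Block rule with a duration from the IP rules table (days=None is permanent)."""
    return IpRule(ip, "block", None if days is None else now + timedelta(days=days))


# User-Agent fragments too generic for a Trust rule: they match most browsers or
# every self-described crawler, and the header is chosen by the client anyway.
OVERBROAD = {"bot", "crawler", "spider", "mozilla"}


def trust_bot_pattern(pattern):
    """Compile a Trust rule, refusing patterns that would trust nearly everyone."""
    if pattern.strip().lower() in OVERBROAD or len(pattern.strip()) < 8:
        raise ValueError(f"pattern {pattern!r} is too broad for a Trust rule")
    return re.compile(re.escape(pattern.strip()), re.IGNORECASE)


def country_decision(country, mode, countries):
    """off / block_selected / allow_only; an unknown origin passes only in the first two."""
    if mode == "off":
        return "pass"
    if mode == "block_selected":
        return "block" if country in countries else "pass"
    if mode == "allow_only":
        return "pass" if country in countries else "block"
    raise ValueError(mode)


class Firewall:
    """Allow rules and trusted bots bypass everything; the blocking checks then run
    in order. Each decision string names the check that fired."""

    def __init__(self, ip_rules, bot_trust, country_mode, countries, blocklist, geoip):
        self.ip_rules, self.bot_trust = ip_rules, bot_trust
        self.country_mode, self.countries = country_mode, countries
        self.blocklist, self.geoip = blocklist, geoip

    def decide(self, ip, user_agent, now):
        active = [r for r in self.ip_rules
                  if r.ip == ip and (r.expires is None or r.expires > now)]
        if any(r.action == "allow" for r in active):
            return "allow:ip_rule"
        if any(p.search(user_agent) for p in self.bot_trust):
            return "allow:bot_rule"
        if any(r.action == "block" for r in active):
            return "block:ip_rule"
        if country_decision(self.geoip(ip) or UNKNOWN, self.country_mode, self.countries) == "block":
            return "block:country"
        if ip in self.blocklist:
            return "block:community"
        return "pass"


# Constructed GeoIP table standing in for MaxMind or the Cloudflare country header.
GEO = {"203.0.113.50": "GB", "198.51.100.23": "US", "198.51.100.200": "GB"}


def demo_firewall(mode="allow_only", countries=frozenset({"GB", "IE"})):
    """A UK-only site with one 7-day login ban, one office allow and one trusted monitor."""
    now = datetime(2024, 5, 1, 12, 0, 0)
    fw = Firewall(
        ip_rules=[block_for("198.51.100.23", now, days=7),       # repeated failed logins
                  IpRule("192.0.2.10", "allow", None)],         # office static IP
        bot_trust=[trust_bot_pattern("ExampleMonitor/1.0")],   # constructed monitor UA
        country_mode=mode, countries=set(countries),
        blocklist={"192.0.2.10", "198.51.100.200"},            # constructed community list
        geoip=lambda ip: GEO.get(ip),
    )
    return fw, now
```

Two results are worth checking against your own rule set: the office address is on the community blocklist yet passes because its allow rule is evaluated first, and an address with no GeoIP result is blocked under allow-only but passes under block-selected, which is why the text warns that allow-only drops VPN and corporate traffic whose origin cannot be resolved.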

GeoIP source

Country blocking requires a GeoIP source. If the site uses Cloudflare, SiteFort can use Cloudflare country headers and push country rules to the edge. If not, configure MaxMind GeoIP under Settings → Integrations and click Update Country Database before enabling country rules.