How to use the firewall

When you first install Security Ninja Pro the firewall is not enabled.

This is to make sure you understand the consequences and that you have saved the secret access URL in case you block your own access.

We recommend you use the easy to install wizard to set up standard features, including the firewall.

The firewall works out of the box, but depending on your particular website setup it is important to test afterwards to make sure the firewall is not blocking any legitimate access or functionality.


Enabling the firewall protection is very easy and takes just a few seconds.

Enable the firewall

Enable the firewall

Click the button to enable the firewall. This opens a window with information about getting into your website again if you are ever blocked entry by the firewall.

You can write down the URL or you can enter your email to get the direct URL sent to your inbox.

To continue, click the Close button. There is a 3 second wait time, just to make sure you read the information 🙂

Configure the firewall

By default, the firewall protects the known bad IPs from logging in to your website. If you enable this feature you will completely block entry from them. All they will be greeted with is a white screen and a text.

Prevent Banned IPs from Accessing the Site

If set to ON cloud and local firewall will prevent banned IPs from accessing the site all together.

If set to OFF they will not be able to log in, but will be able to view the site.

Prevent Banned IPs from Accessing the Site

Message for banned IPs

Here you can tweak which message to show to users who are banned.

Auto-ban rules

If a visitor not on the list of blocked IPs attempts too many times to log in and fail, the visitor will be banned. You can configure how many chances a visitor has.

Default is a maximum of 5 failed login attempts in a 5 minute period before the IP is banned for 2 hours.

Auto-ban rules for failed login attempts

Login Notice

Leave a message to users warning them what will happen if they fail to log in too many times. This message is shown when users are trying to log in.


Block “admin” login

It is not recommended to use the old default username “admin” on your website. If you have followed good security practice and make sure all your administrators have a different username you can turn on this feature.

This feature immediately blocks anyone trying to log in with “admin” as a username.

Please note – you should not enable this if you have any users with the username “admin”.

Block "admin" login

Change login URL

A way to get rid of many automated scripts trying to log in to your website is to simply remove the standard /wp-admin/ or wp-login.php functionality.

If you enable this feature you can rename the login URL to whatever you want.

Note: The URL needs to be valid, meaning you can only use letters, numbers, underscore and hyphen. The plugin will show you the updated login URL.

Change login URL

Read more details here:

Country blocking

If you are getting a lot of traffic from some countries that you do not want you can block visitors with the country blocking feature.

Visitors are identified and if they match any of the countries that you choose they will not be able to visit your website.

Click the input field to start choosing which countries to ban. To remove a country from the list click the x next to the country name.

Choose specific countries to block

Remember to save for the changes to take effect. Country detection is made via the free version of the IP2Location library. The list is updated locally on your website every month.

Please note the IP detection is pretty accurate, there is no guarantee for identifying the country of an IP with 100% certainty.

This product includes IP2Location LITE data available from

Whitelist IP

If you know of particular IPs you want to make sure always can access the website, then you can add it to the list here. Even if an IP is blocked by either the cloud firewall or the country list, a whitelisted IP will still have access.

Put each IP on a new line.

Locally Banned IPs

Contains a list of the IPs that have been banned on your website for logging in too often.

Secret Access URL

The secret URL you can use to get access to your website if you are ever locked out by mistake.

Test IP

You can test an IP to verify if it is blocked or has access.

How often are the lists updated?

The list of bad IPs are updated twice a day, the process takes a few seconds and happens in the background.

The GeoLite2 database is downloaded once you enable the firewall and then updated every month as long as the plugin is active.

This site or product includes IP2Location LITE data available from

Do you want to know more? Check out the firewall feature page for more details.

Was this helpful?