Title: TrapFlux Request Firewall
Author: susheelhbti
Published: 18 June 2026
Last modified: 18 June 2026

---


# TrapFlux Request Firewall

By [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Download](https://downloads.wordpress.org/plugin/trapflux-request-firewall.zip)


## Description

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability
scanners and bot floods by **how they behave**, not just where they come from.

 * **Behavior-based blocking** — exploit-path probes (`.env`, `wp-config` backups,
   `.sql` dumps), malicious user agents, and request floods.
 * **Rate limiting** — every visitor is rate limited; hits on exploit paths count
   double, so scanners get banned far faster than real visitors ever could.
 * **Honeypot traps** — invisible links only bots follow; one visit means a permanent
   ban.
 * **Subnet bans** — block a whole CIDR range (e.g. `20.100.172.0/24`) when attackers
   rotate IPs on cloud providers.
 * **Text attack reports** — one-click downloadable `.txt` reports (summary + raw
   log) listing every URL attackers tried to access, ready to hand to your hosting
   company.
 * **fail2ban-friendly log** — one pipe-delimited line per blocked request, so your
   host can ban attackers at the network level using the plugin’s detections.
 * **Fails open** — any internal error and your site keeps working normally. An 
   emergency `disable.flag` file shuts blocking off instantly via FTP.
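
The sketch below is an added example, not the plugin's code. It shows how double-weighting exploit-path hits and checking a CIDR ban fit together; the window, score limit, marker list and reason labels other than `rate-limit` are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for illustration; the plugin's real thresholds are not on this page.
WINDOW_SECONDS = 60
MAX_SCORE = 30
EXPLOIT_MARKERS = (".env", "wp-config", ".sql")      # probe types named in the list above
BANNED_SUBNETS = [ipaddress.ip_network("20.100.172.0/24")]

class WeightedLimiter:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> deque of (timestamp, weight)
        self.banned = set()

    def check(self, ip, path, now):
        """Return 'allow' or a block reason (reason labels are hypothetical)."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return "allow"               # fail open on bad input (assumed behaviour)
        if any(addr in net for net in BANNED_SUBNETS):
            return "subnet-ban"
        if ip in self.banned:
            return "banned"
        weight = 2 if any(m in path.lower() for m in EXPLOIT_MARKERS) else 1
        window = self.hits[ip]
        window.append((now, weight))
        while window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()             # drop hits older than the window
        if sum(w for _, w in window) > MAX_SCORE:
            self.banned.add(ip)
            return "rate-limit"
        return "allow"

def requests_until_block(path, ip="198.51.100.7"):
    """Send one request per second to `path`; return the request number that is blocked."""
    limiter = WeightedLimiter()
    for n in range(1, 1000):
        if limiter.check(ip, path, now=float(n)) != "allow":
            return n
    return None

if __name__ == "__main__":
    print(requests_until_block("/blog/hello-world/"))   # ordinary page
    print(requests_until_block("/.env"))                # exploit-path probe
```

With these assumed numbers a client requesting ordinary pages is blocked on request 31, while one probing `/.env` is blocked on request 16.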

#### Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries.
For maximum resource savings you can point PHP’s `auto_prepend_file` at `firewall.php`
so blocking happens before WordPress loads at all. See the FAQ.

#### Honest limitations

 * This is a request firewall, not a malware scanner — it will not detect an
   already-infected site.
 * It ships with rules for today’s common probes and has no cloud threat feed; review
   the rules occasionally.
 * The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable
   that single toggle if you use them.
 * All assets (CSS/JS) are bundled — the plugin makes no external network requests.

## Installation

 1. Upload the `trapflux-request-firewall` folder to `/wp-content/plugins/`, or install
    the zip via Plugins → Add New → Upload.
 2. Activate **TrapFlux Request Firewall**. Your current IP is auto-whitelisted on 
    activation.
 3. Open the **TrapFlux Request Firewall** menu in wp-admin for stats, logs, reports
    and settings.

Data (config, bans, logs) is stored in `wp-content/uploads/trapflux-request-firewall/`.
An `.htaccess` deny rule is written automatically (Apache). On NGINX add:

```
location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }
```

## FAQ

### How do I enable blocking before WordPress loads?

Set PHP’s `auto_prepend_file` to the engine, in `.user.ini` (most shared hosting)
or `php.ini`:

```
auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php
```

Or in Apache `.htaccess` (mod_php):

```
php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"
```

The engine guards against double-loading, so having both is safe.

### I locked myself out. What do I do?

Create an empty file named `disable.flag` inside `wp-content/uploads/trapflux-request-firewall/`
via FTP or your host’s file manager. All blocking stops instantly. Delete
the file to re-enable.

### Can my hosting company use the log with fail2ban?

Yes. Each blocked request is one line in `wp-content/uploads/trapflux-request-firewall/blocked.log`:

```
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit
```

Suggested failregex: `^.* \| <HOST> \| .* \| BLOCKED: .*$`
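
The suggested failregex starts with an unanchored `^.*`, so which field `<HOST>` lands on depends on the rest of the line. The check below is an added example, not part of the plugin or of fail2ban. It compares the suggested pattern with a timestamp-anchored variant on constructed lines, assuming a logged field can contain the ` | ` delimiter (the page does not say whether it can) and using `\S+` as a simplified stand-in for fail2ban's `<HOST>` expansion.

```python
import ipaddress
import re

# fail2ban substitutes its own host pattern for <HOST>; \S+ is a simplified
# stand-in (assumption), validated with ipaddress afterwards.
HOST = r"(?P<host>\S+)"

# The failregex suggested on this page.
SUGGESTED = re.compile(r"^.* \| <HOST> \| .* \| BLOCKED: .*$".replace("<HOST>", HOST))

# Stricter variant (added here): anchor on the timestamp so <HOST> can only
# match the second field, whatever the later fields contain.
ANCHORED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \| <HOST> \| .* \| BLOCKED: \S.*$"
    .replace("<HOST>", HOST)
)

def banned_host(pattern, line):
    """Return the IP the pattern would hand to fail2ban, or None."""
    m = pattern.match(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None  # matched text is not an IP address

# Constructed sample lines in the blocked.log layout shown above.
NORMAL = ("2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php"
          " | UA: ... | BLOCKED: rate-limit")
# Constructed edge case: a logged field that itself contains " | <ip> | ".
DELIM_IN_FIELD = ("2026-06-11 14:32:09 | 198.51.100.7 | GET /.env"
                  " | UA: x | 203.0.113.9 | y | BLOCKED: rate-limit")

if __name__ == "__main__":
    for line in (NORMAL, DELIM_IN_FIELD):
        print(banned_host(SUGGESTED, line), banned_host(ANCHORED, line))
```

Both patterns agree on the normal line. On the second line the suggested pattern returns `203.0.113.9` from inside the user-agent field, while the anchored one returns the client address `198.51.100.7`.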

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“TrapFlux Request Firewall” is open source software. The following people
have contributed to this plugin.

Contributors

 * [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Translate “TrapFlux Request Firewall” into your language.](https://translate.wordpress.org/projects/wp-plugins/trapflux-request-firewall)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/trapflux-request-firewall/),
check out the [SVN repository](https://plugins.svn.wordpress.org/trapflux-request-firewall/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/)
by [RSS](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.5

 * Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data
   directory now resolves exclusively via wp_upload_dir(); activation aborts with
   a clear message if that is unavailable, instead of guessing a path.

#### 1.0.4

 * Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR
   hardcode and dirname walk-up fallbacks.
 * Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH
   check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
 * Plugin activation now stores the resolved upload path in config.json so the
   prepend-mode engine can locate its data without guessing.

#### 1.0.3

 * Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all
   options, hooks, AJAX actions and constants.
 * Moved all data (config, bans, logs) to the uploads directory:
   wp-content/uploads/trapflux-request-firewall/.
 * Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request
   URI).
 * Added a direct-access guard to the firewall engine file.

#### 1.0.2

 * Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes,
   no build step, no framework).

#### 1.0.1

 * Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard
   now makes zero external requests.

#### 1.0.0

 * Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans,
   text reports, fail2ban-friendly logging, emergency off-switch.

## Meta

 * Version **1.0.5**
 * Last updated **2 weeks ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.2 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/trapflux-request-firewall/)
 * Tags: [bot blocking](https://cl.wordpress.org/plugins/tags/bot-blocking/),
   [firewall](https://cl.wordpress.org/plugins/tags/firewall/),
   [honeypot](https://cl.wordpress.org/plugins/tags/honeypot/),
   [rate limiting](https://cl.wordpress.org/plugins/tags/rate-limiting/),
   [security](https://cl.wordpress.org/plugins/tags/security/)
 * [Advanced View](https://cl.wordpress.org/plugins/trapflux-request-firewall/advanced/)

## Ratings

No ratings have been submitted yet.
