
Firewall Configuration (firewall.json)

Virtual Application-Layer Firewall

The framework includes a virtual firewall that operates at the application layer, intercepting and evaluating each request before WordPress bootstraps. Filtering this early reduces the attack surface exposed to WordPress, rejects abusive traffic before it costs a full page load, and improves overall performance.

What is a Virtual Firewall?
A lightweight security layer that screens incoming traffic using configurable rules and IP logic, with no plugin overhead, serving as the first line of defense before the WordPress core is engaged.


📌 Overview

This firewall functions as a pre-request filter, enabling advanced threat controls through a centralized configuration file. By operating independently of the WordPress plugin ecosystem, it delivers faster and more predictable responses to malicious traffic.

Core Benefits:

  • Blocks malicious requests before WordPress initialization
  • Reduces server load by rejecting abusive requests early in the pipeline
  • Maintains firewall logic in version-controlled, environment-aware configuration
  • Provides consistent security posture across deployments

🛡️ Key Features

IP Management

  • Allowlist and blocklist support for individual IPs and CIDR ranges
  • IP reputation scoring through threat intelligence integration

Note: IP-based rules are only as good as the client address the firewall sees. If the site sits behind a CDN or reverse proxy, confirm that the client IP is taken from a forwarding header only when the request actually arrived from a trusted proxy. Otherwise every request appears to come from the proxy's address, and a forged X-Forwarded-For header lets a client bypass blockedIPs and the rate limit, or claim an allowedIPs address.

Rate Limiting

  • Request throttling using a sliding window over the configured windowSeconds, so a burst cannot reset its quota at a fixed clock boundary
  • Configurable thresholds per IP address to prevent abuse

Traffic Filtering

  • User-Agent based blocking for unwanted clients (a coarse filter: the header is client-supplied and trivially spoofed, so it stops only unsophisticated tooling)
  • Path-specific protection for common WordPress attack vectors

Threat Intelligence Integration

  • AbuseIPDB: Automated IP reputation filtering with configurable scoring thresholds
  • CrowdSec (optional): Real-time threat enrichment via local LAPI instances

Audit and Monitoring

  • Comprehensive request logging for blocked attempts
  • Structured logging format compatible with monitoring and compliance pipelines

⚙️ Configuration

All firewall rules and settings are centrally managed through a single JSON configuration file:

configs/firewall.json

Configuration Schema

```json
{
  "enabled": true,
  "logBlockedRequests": true,
  "allowedIPs": [],
  "blockedIPs": [],
  "rateLimit": {
    "enabled": true,
    "maxRequests": 100,
    "windowSeconds": 60
  },
  "userAgentRules": {
    "blocked": ["BadBot", "curl", "Scanner"]
  },
  "pathFilters": {
    "blockedPaths": [
      "/wp-login.php",
      "/xmlrpc.php",
      "/wp-admin/admin-ajax.php"
    ]
  },
  "abuseIpDb": {
    "enabled": true,
    "threshold": 0.50,
    "cache_ttl": 3600
  },
  "crowdSec": {
    "enabled": false,
    "lapiUrl": "http://localhost:8080",
    "lapiKey": "CROWDSEC_LAPI_KEY"
  }
}
```

Configuration Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| enabled | boolean | Master switch for firewall functionality |
| logBlockedRequests | boolean | Enable logging of blocked request attempts |
| allowedIPs | array | IP addresses/CIDR ranges to always permit |
| blockedIPs | array | IP addresses/CIDR ranges to always block |
| rateLimit.enabled | boolean | Enable per-IP request throttling |
| rateLimit.maxRequests | integer | Maximum requests per time window |
| rateLimit.windowSeconds | integer | Time window duration in seconds |
| userAgentRules.blocked | array | User-Agent patterns to block |
| pathFilters.blockedPaths | array | Request paths to reject before WordPress loads |
| abuseIpDb, crowdSec | object | Threat intelligence settings, described below |

The sample values in the schema are illustrative, not a recommended policy. Blocking /wp-login.php rejects the standard login page for everyone, administrators included, and /wp-admin/admin-ajax.php also serves unauthenticated front-end requests from many themes and plugins, so tailor blockedPaths to the site rather than copying the sample. Blocking curl by User-Agent also blocks legitimate scripted clients such as uptime checks. The lapiKey value shown is a placeholder: the real key is a secret and should not be committed to a version-controlled configuration file; supply it from the environment or a secret store instead.
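The schema lists the rule types but not how a request is evaluated against them. The following Python is an added illustration, not the framework's own code: it evaluates one request against a firewall.json-shaped policy with CIDR matching for allowedIPs/blockedIPs, the User-Agent and path rules, and the per-IP sliding-window rate limit described under Key Features. The rule precedence (allowlist, blocklist, User-Agent, path, rate limit), the case-insensitive substring match for User-Agent rules, the path normalisation, and the client_ip helper for proxied deployments are all assumptions made for the example, not documented behaviour of the framework.

```python
"""Reference evaluator for a firewall.json-shaped policy (illustration only).

Added example, not the framework's code. Rule precedence, User-Agent
matching, path normalisation and proxy handling are assumptions.
"""
import ipaddress
import json
from collections import defaultdict, deque

# Constructed sample policy using the documented schema (subset of keys).
SAMPLE_CONFIG = json.loads("""
{
  "enabled": true,
  "logBlockedRequests": true,
  "allowedIPs": ["10.0.0.0/8"],
  "blockedIPs": ["203.0.113.7", "198.51.100.0/24"],
  "rateLimit": {"enabled": true, "maxRequests": 3, "windowSeconds": 60},
  "userAgentRules": {"blocked": ["BadBot", "Scanner"]},
  "pathFilters": {"blockedPaths": ["/xmlrpc.php"]}
}
""")


def ip_in_list(ip, entries):
    """True if `ip` matches any entry; entries may be single hosts or CIDRs."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Resolve the client address behind a CDN or reverse proxy.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    the rightmost hop that is not itself a trusted proxy wins. Trusting the
    header from any peer lets a client forge its IP past blockedIPs.
    """
    if not forwarded_for or not ip_in_list(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not ip_in_list(hop, trusted_proxies):
                return hop
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the peer
    return remote_addr


class SlidingWindowLimiter:
    """Per-IP sliding window: at most max_requests in any `window` seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have slid out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class Firewall:
    def __init__(self, config):
        self.cfg = config
        rl = config.get("rateLimit", {})
        self.limiter = None
        if rl.get("enabled"):
            self.limiter = SlidingWindowLimiter(rl.get("maxRequests", 100),
                                                rl.get("windowSeconds", 60))

    def evaluate(self, ip, path, user_agent, now):
        """Return ('allow' | 'block', reason) for one request at time `now`."""
        cfg = self.cfg
        if not cfg.get("enabled", False):
            return "allow", "firewall disabled"
        if ip_in_list(ip, cfg.get("allowedIPs", [])):
            return "allow", "allowlist"
        if ip_in_list(ip, cfg.get("blockedIPs", [])):
            return "block", "blocklist"
        ua = (user_agent or "").lower()
        for needle in cfg.get("userAgentRules", {}).get("blocked", []):
            if needle.lower() in ua:  # case-insensitive substring (assumption)
                return "block", f"user-agent:{needle}"
        # Compare the path without its query string and with duplicate slashes
        # collapsed, so /xmlrpc.php?rsd and //xmlrpc.php do not evade the rule.
        bare = path.split("?", 1)[0]
        while "//" in bare:
            bare = bare.replace("//", "/")
        for blocked in cfg.get("pathFilters", {}).get("blockedPaths", []):
            if bare.rstrip("/") == blocked.rstrip("/"):
                return "block", f"path:{blocked}"
        if self.limiter and not self.limiter.allow(ip, now):
            return "block", "rate-limit"
        return "allow", "default"
```

Two points worth checking against the real framework once you have it running: whether allowedIPs really takes precedence over every other rule (the example assumes so, which is what lets an operator in an allowlisted range keep reaching a blocked path), and how the client address is determined when a proxy sits in front, since a rate limiter keyed on the proxy's address throttles all visitors together.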

🔐 Threat Intelligence Modules

AbuseIPDB Integration

Automatically blocks IP addresses with poor reputations based on community-driven threat intelligence.

Configuration Options:

  • enabled: Toggle AbuseIPDB integration on/off
  • threshold: Block IPs with reputation scores ≥ threshold (range: 0.0–1.0)
  • cache_ttl: Cache duration for IP reputation results (seconds)

Recommended Settings:

  • Threshold: 0.25–0.50 for balanced security; a lower value blocks more aggressively and raises the false-positive rate
  • Cache TTL: 3600 seconds (1 hour) balances lookup volume against the staleness of a cached verdict
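To make threshold and cache_ttl concrete, the following Python is an added illustration (not the framework's or AbuseIPDB's code) of a reputation gate driven by the abuseIpDb block. It assumes the provider's abuseConfidenceScore of 0–100 is divided by 100 to compare against the 0.0–1.0 threshold, substitutes a constructed lookup table for the HTTP API, and works through the failure mode a practitioner has to decide on: what the gate does when the lookup times out, and how not to hammer a failing provider or leak internal addresses to it.

```python
"""IP reputation gate modelled on the abuseIpDb block of firewall.json.

Added example, not the framework's code. Assumptions: the provider's
abuseConfidenceScore (0-100) is divided by 100 for comparison with the
0.0-1.0 `threshold`; failed lookups are negatively cached and fail open.
"""
import ipaddress

# Addresses that must never be sent to an external reputation service.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed responses standing in for the provider's check endpoint.
FAKE_API = {
    "203.0.113.7": {"abuseConfidenceScore": 100},
    "198.51.100.4": {"abuseConfidenceScore": 37},
    "192.0.2.1": {"abuseConfidenceScore": 0},
}


def make_fetch(table, fail=()):
    """Offline stand-in for the HTTP client; counts calls, can simulate outages."""
    calls = {"n": 0}

    def fetch(ip):
        calls["n"] += 1
        if ip in fail:
            raise TimeoutError("upstream timeout")
        return table[ip]
    return fetch, calls


class ReputationGate:
    def __init__(self, config, fetch, error_ttl=60):
        self.enabled = bool(config.get("enabled", False))
        self.threshold = float(config.get("threshold", 0.5))
        self.ttl = int(config.get("cache_ttl", 3600))
        self.error_ttl = error_ttl  # negative-cache window after a failed lookup
        self.fetch = fetch          # callable(ip) -> dict, may raise
        self.cache = {}             # ip -> (score or None, expires_at)

    def score(self, ip, now):
        """Normalised score in [0, 1], or None when the lookup failed."""
        hit = self.cache.get(ip)
        if hit and hit[1] > now:
            return hit[0]
        try:
            raw = self.fetch(ip)["abuseConfidenceScore"]
            score, ttl = raw / 100.0, self.ttl
        except Exception:
            score, ttl = None, self.error_ttl  # do not retry a failing API per request
        self.cache[ip] = (score, now + ttl)
        return score

    def should_block(self, ip, now):
        if not self.enabled:
            return False
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in NON_ROUTABLE):
            return False  # internal address: nothing to look up, nothing to leak
        s = self.score(ip, now)
        if s is None:
            return False  # fail open (assumption); alert on this in production
        return s >= self.threshold
```

Whether to fail open or closed when the provider is unreachable is a policy decision, not a detail. The example fails open and negatively caches the failure for error_ttl seconds, so a provider outage does not become a self-inflicted outage or a flood of retries; the cost is that reputation blocking is silently off while the API is down, which is why that branch should be logged and alerted on. Check how the framework itself behaves here before relying on the module as a hard control.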

CrowdSec Integration (Optional)

Leverages local CrowdSec LAPI instances for real-time threat assessment and community-based threat intelligence.

Configuration Options:

  • enabled: Enable CrowdSec threat lookups
  • lapiUrl: Complete URL to local CrowdSec LAPI instance
  • lapiKey: Authentication token for LAPI access

Prerequisites:

  • Local CrowdSec installation with active LAPI
  • Valid API key with appropriate permissions

📁 Logging and Monitoring

When logBlockedRequests is enabled, all blocked requests are recorded in structured log files:

var/storage/logs/firewall-blocks.log

Log Format: The logging system uses a Common Log Format (CLF)-inspired specification optimized for security monitoring and compliance requirements.

Features:

  • Compatible with standard log analysis tools
  • Structured format for easy integration with SIEM systems
  • Detailed request metadata for forensic analysis

Note: Refer to the Blocked IP Reference documentation for detailed logging specifications and integration examples.


🚀 Performance Considerations

The virtual firewall is designed for minimal performance impact:

  • Early Termination: Blocks malicious requests before WordPress initialization
  • Efficient Caching: Threat intelligence verdicts are cached for cache_ttl seconds, so a reputation lookup is not repeated for every request from the same address
  • Optimized Rules: Fast rule evaluation with minimal computational overhead
  • Memory Efficient: Lightweight footprint with configurable cache limits

Recommended Monitoring:

  • Monitor firewall block rates and patterns
  • Track threat intelligence API response times
  • Review log file sizes and rotation schedules
  • Assess overall request processing latency

Important Disclaimer

⚠️ This virtual application firewall is a complementary security layer and should NOT be considered a substitute for comprehensive security infrastructure.

This firewall works best as part of a layered security approach that should include:

Network-Level Protection:

  • Traditional hardware/software firewalls at the network perimeter
  • Server-level firewall rules (iptables, Windows Firewall, etc.)
  • Network intrusion detection and prevention systems (IDS/IPS)

Upstream Security Services:

  • Content Delivery Networks (CDN) with DDoS protection (Cloudflare, AWS CloudFront, etc.)
  • Web Application Firewalls (WAF) at the edge
  • DNS-level filtering and threat blocking

Server and Application Security:

  • Regular security updates and patches
  • Secure server configuration and hardening
  • SSL/TLS encryption with proper certificate management
  • Database security and access controls

WordPress-Specific Security:

  • Security-focused plugins for additional protection layers
  • Regular WordPress core and plugin updates
  • Strong authentication and authorization mechanisms
  • File system permissions and access controls

Scope and Limitations

This virtual firewall provides application-layer protection but has inherent limitations:

  • Traffic Volume: Cannot handle massive DDoS attacks that require upstream mitigation
  • Network Attacks: Does not protect against network-level attacks or vulnerabilities
  • Resource Limits: Processing occurs on your server, consuming local resources

Best Practices

For optimal security posture:

  1. Layer your defenses - Use this firewall alongside, not instead of, other security measures
  2. Regular updates - Keep all security tools and configurations current
  3. Monitor and analyze - Review logs and adjust rules based on actual threat patterns
  4. Professional assessment - Consider periodic security audits and penetration testing
  5. Incident response - Maintain a comprehensive incident response plan

Remember: Security is an ongoing process, not a single solution. This firewall enhances your WordPress security but should be part of a broader, well-planned security strategy.