8G Firewall Protection for WordPress – How to Enable in WP Ghost

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

Quick summary: The 8G Firewall is a server-level ruleset built into WP Ghost that blocks SQL injection, script injection, directory traversal, and exploit attempts before they reach WordPress. Enable it in WP Ghost > Firewall > Firewall Against Script Injection > 8G Firewall.

Why Your WordPress Site Needs a Firewall

Path security makes your site invisible to bots. The firewall makes it defended. Together, they form a complete hack prevention strategy.

SQL injection and script injection are the most common attack vectors against WordPress. Patchstack’s 2024 report found that 43% of WordPress vulnerabilities were exploitable without authentication. Bots send thousands of injection queries per day, probing for database access, file inclusion, and code execution. The 8G Firewall blocks these at the request level – the malicious query is rejected before it reaches any vulnerable code.

The critical difference between the 8G Firewall and PHP-level security plugins: the 8G rules execute at the web server level. On Apache servers, they run from .htaccess. On Nginx and LiteSpeed, they load during WordPress initialization. Either way, malicious requests are blocked before your WordPress installation, plugins, or database are touched. Thousands of blocked requests cost almost nothing in server resources.

What Is the 8G Firewall

The 8G Firewall is a set of server-level security rules created and maintained by Jeff Starr of Perishable Press. It is the latest generation in a line of open-source firewall rulesets (5G, 6G, 7G, 8G) that have protected millions of websites. The “G” stands for “generation.” Each generation adds updated patterns to block modern attack techniques while removing false positives from older rules.

WP Ghost integrates the 8G ruleset natively. You do not need to manually edit configuration files or copy rules into .htaccess yourself. The plugin handles everything when you enable the feature.

What the 8G Firewall Blocks

The 8G ruleset filters HTTP requests across multiple attack vectors. Here is what it catches:

SQL injection attempts. Malicious queries that try to read, modify, or delete your database content. SQL injection is the most dangerous common attack – a successful one gives the attacker direct database access. The 8G ruleset blocks SQL injection patterns in URL parameters, POST data, and query strings.

Script injection and XSS. Attempts to inject JavaScript, PHP, or other executable code through URL parameters, form fields, or headers. These attacks try to execute code in visitors’ browsers (XSS) or on your server (remote code execution). The 8G firewall blocks common injection patterns including encoded payloads.

Directory traversal. Requests that use ../ sequences to navigate outside the web root and access sensitive server files like /etc/passwd or wp-config.php.

File inclusion exploits. Attempts to include remote or local files through URL parameters, which can lead to code execution or information disclosure.

Bad bots and automated scanners. Requests from known malicious user agents, vulnerability scanners, and automated attack tools. The 8G ruleset maintains a list of suspicious user agent strings and blocks them outright.

Malicious query strings. Unusual HTTP methods, excessively long query strings, and request patterns that match known exploit toolkits.
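
The filtering described above can be modelled in a few lines. This is an added example, not code from WP Ghost or from the 8G ruleset: the patterns, limits, scanner names and the `check_request` function are constructed for illustration. It also shows how a legitimate request can match a rule and how a whitelisted path lets it through.

```python
import re
from urllib.parse import unquote_plus

# Constructed, simplified patterns for illustration; NOT the real 8G rules.
RULES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "sql_injection": re.compile(r"union\s+(all\s+)?select|select\s.+\sfrom\s", re.I),
    "script_injection": re.compile(r"<\s*script|javascript:", re.I),
}
BAD_AGENTS = re.compile(r"sqlmap|nikto|masscan", re.I)  # sample scanner names
ALLOWED_METHODS = {"GET", "POST", "HEAD"}               # assumed policy
MAX_QUERY_LEN = 2048                                    # assumed limit


def decode(value, rounds=2):
    """Percent-decode twice so single- and double-encoded payloads match."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value


def check_request(method, path, query="", user_agent="", whitelist=()):
    """Return (allowed, reason) for one HTTP request."""
    clean_path = decode(path)
    # A whitelisted prefix skips every rule, so refuse it for paths that
    # try to climb out of the prefix with "..".
    if ".." not in clean_path and clean_path.startswith(tuple(whitelist)):
        return True, "whitelisted path"
    if method.upper() not in ALLOWED_METHODS:
        return False, "method"
    if len(query) > MAX_QUERY_LEN:
        return False, "query too long"
    if BAD_AGENTS.search(user_agent):
        return False, "bad user agent"
    target = decode(path + "?" + query)
    for name, rule in RULES.items():
        if rule.search(target):
            return False, name
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: an encoded traversal probe, and a legitimate
    # search that happens to look like SQL (a false positive).
    print(check_request("GET", "/", "file=..%2F..%2Fetc%2Fpasswd"))
    search = ("GET", "/pricing/search", "q=select+a+plan+from+our+list")
    print(check_request(*search))
    print(check_request(*search, whitelist=("/pricing/",)))
```

Whitelisting a prefix switches off every rule for it, so keep entries as narrow as the broken feature requires.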

Why Choose 8G Over Other Firewall Levels

WP Ghost offers four firewall levels. Here is how they compare:

| Firewall Level | Protection Scope | Best For |
|---|---|---|
| Minimal | Basic injection filtering | Maximum compatibility, troubleshooting |
| Medium | Extended pattern matching | Broader protection with good compatibility |
| 7G Firewall | Comprehensive server-level filtering | Fallback if 8G causes false positives |
| 8G Firewall (recommended) | Latest generation, broadest coverage | Maximum protection for most sites |

The 8G ruleset includes everything from previous generations plus updated patterns for modern attack techniques. It has fewer false positives than 7G because each generation refines the rules. It executes at the server level with minimal resource consumption. And it is compatible with other security plugins like Wordfence, Solid Security, and Sucuri – they operate at different layers and complement each other without conflict.

WP Ghost automatically whitelists major search engine crawlers (Googlebot, Bingbot, Yandex, and others) when the 8G Firewall is active. Your SEO and indexing are unaffected.

How to Enable the 8G Firewall

Step 1: Activate a Security Level

Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.

Step 2: Enable the 8G Firewall

1. Go to WP Ghost > Firewall.

2. Switch on Firewall Against Script Injection.

3. Select 8G Firewall from the firewall level options.

4. On Apache servers: choose whether to place rules in .htaccess (fastest – blocks before PHP loads) or load during WordPress initialization (more compatible). On Nginx and LiteSpeed, the firewall loads during initialization automatically.

5. Click Save to apply.

Step 3: Test Your Site

After enabling the firewall, test your site thoroughly. Browse your key pages, submit forms, test checkout if you use WooCommerce, and verify that admin functions work correctly. The firewall works silently in the background – there is no visible change on the frontend for legitimate visitors.

Troubleshooting

A plugin feature or form stopped working after enabling 8G

This is usually a false positive – a legitimate request that matches an attack pattern. It can happen with plugins that use complex query strings or unusual URL parameters. Try switching to 7G Firewall to see if the issue resolves. If it does, add the affected path to Firewall > Whitelist Paths and switch back to 8G.
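
To find which path to whitelist, the web server access log can be triaged for blocked requests that came from real visitors. This is an added example, not part of WP Ghost: it assumes the Apache combined log format and that blocked requests are answered with HTTP 403, and the log lines, host name and `whitelist_candidates` function are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, example.com).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /?file=../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.20 - - [12/May/2025:10:03:10 +0000] "GET /pricing/ HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
198.51.100.20 - - [12/May/2025:10:03:41 +0000] "GET /pricing/search?q=select+a+plan+from+our+list HTTP/1.1" 403 199 "https://example.com/pricing/" "Mozilla/5.0"
192.0.2.45 - - [12/May/2025:10:07:19 +0000] "GET /pricing/search?q=select+one+from+each HTTP/1.1" 403 199 "https://example.com/pricing/" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:09:55 +0000] "GET /index.php?id=1+UNION+SELECT+1 HTTP/1.1" 403 199 "-" "curl/8.5.0"
"""


def whitelist_candidates(log_text, site_host, min_clients=2):
    """Map path -> number of distinct clients that got a 403 there while
    arriving from one of the site's own pages (likely real visitors)."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "403":
            continue
        # Scanners rarely send a same-site Referer; browsers submitting a
        # form do. The header can be forged, so treat this as triage only.
        if urlsplit(m["referer"]).hostname != site_host:
            continue
        clients[urlsplit(m["target"]).path].add(m["ip"])
    return {p: len(ips) for p, ips in clients.items() if len(ips) >= min_clients}


if __name__ == "__main__":
    print(whitelist_candidates(SAMPLE_LOG, "example.com"))
```

Review each candidate path by hand before adding it to Firewall > Whitelist Paths, since the Referer header is client-supplied.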

The firewall does not seem to be blocking anything

The firewall works silently. It blocks requests before they reach WordPress, so there is no visible indication on the frontend. Check the Security Threats Log (Premium) to see blocked requests. If logs show no blocks, your site simply has not received malicious traffic since enabling. This is normal for low-traffic sites or sites already protected by hosting-level firewalls.

Something broke and I need to recover

If you have lost access or something stopped working, check the emergency disable guide or add the HMWP_DISABLE constant in wp-config.php to disable WP Ghost temporarily.

Frequently Asked Questions

Should I use .htaccess or WordPress initialization?

On Apache servers, .htaccess is faster because rules execute at the web server level before PHP loads. Use WordPress initialization if you are on Nginx or LiteSpeed (which do not use .htaccess), or if the .htaccess option causes compatibility issues. Both provide the same protection – the difference is only in the execution layer.

What is the difference between 7G and 8G?

The 8G ruleset adds updated patterns for newer attack techniques, removes false positives from 7G, and refines existing patterns. If 7G works for your site, 8G provides strictly better protection. Think of 7G as the reliable fallback: proven, stable, and thoroughly tested – but without the latest pattern updates that 8G includes.

Can I use the 8G Firewall alongside Wordfence?

Yes. The 8G Firewall operates at the server/configuration level while Wordfence operates at the PHP/application level. They protect at different layers and complement each other without conflict. WP Ghost blocks malicious requests before PHP starts; Wordfence monitors at the application level after PHP loads.

Does the 8G Firewall affect site performance?

It actually improves performance for sites under attack. Malicious requests are rejected at the server level with minimal resources. For legitimate traffic, the overhead is negligible. When placed in .htaccess, the rules execute before PHP starts, so blocked requests cost almost nothing to process.

Does this work with WooCommerce?

Yes. WooCommerce checkout, cart, AJAX, payment processing, and REST API all work normally with the 8G Firewall enabled. If a specific WooCommerce feature triggers a false positive, whitelist the affected path in Firewall > Whitelist Paths.

Does the firewall affect SEO?

No. WP Ghost automatically whitelists major search engine crawlers (Googlebot, Bingbot, Yandex, and others) when the firewall is active. Legitimate crawlers access and index your site normally. Your rankings, sitemaps, and page indexing are unaffected.

Does WP Ghost modify WordPress core files?

No. The 8G rules are placed in .htaccess (Apache) or loaded through WordPress hooks (Nginx/LiteSpeed). No core, plugin, or theme files are modified. Disabling the firewall removes all rules instantly.

Build your complete security stack with these related features:

7G Firewall for WordPress – The previous generation ruleset, use as a fallback if 8G causes compatibility issues.

Brute Force Attack Protection – Block login attacks with attempt limits and reCAPTCHA.

Header Security – Add Content-Security-Policy, HSTS, and other protective HTTP headers.

Security Threats Log – Monitor every blocked attack and exploit attempt in real-time (Premium).

Customize Paths in WP Ghost – The core path security feature that complements firewall protection.