Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

8G Firewall

After more than a year of beta testing, 8G Firewall is ready for use on production sites. So you can benefit from the powerful protection provided by the latest evolution of the nG Firewall (aka nG Blacklist). The 8G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense. 8G is a lightweight (only 17KB) strong firewall that provides site security and peace of mind. Plus, 8G is open source and 100% free for everyone :)

Update: 8G Firewall is out of beta as of version 1.3, now available for download. A huge thank you to all beta testers :)
Update: 8G has been forked for both Nginx and Apache by Tonkünstler-on-the-Bund. The Apache fork uses SetEnvIf instead of mod_rewrite. Learn more and download at GitHub.

Contents

About 8G Firewall

The 8G Firewall is a carefully crafted set of security rules for Apache and Nginx servers. It can be applied via your site’s public root .htaccess file, or added via server configuration. Once added, 8G provides powerful server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense. It’s a lightweight (only 17KB) strong firewall that improves site security and peace of mind.

8G Firewall builds on 7G, optimizing scope with performance while minimizing false positives. Learn more about nG-series firewall, including 8G and all the details:

Support 8G Firewall: Donate via PayPal or your favorite digital coin »

Reporting Bugs

As of version 1.3, 8G is out of beta and ready for production sites. Any bugs (false positives) may be reported via my contact form. Or if you have any questions or non-bug-related feedback, you are welcome to leave a comment on this post. Thank you :)

nG Logging: Just FYI, 7G and 8G Firewall support logging of each request, matching patterns, and more. Learn how to enable logging with nG Firewall.

Download 8G Firewall

By downloading 8G, you agree to the terms set forth in the License and Disclaimer. You will find copy of the 8G changelog included in the zip download file. Check out the nG homepage for install steps and complete information.

Download 8G FirewallVersion 1.3 ( 7.13 KB ZIP )
Note: To retain the Unix LF EOL characters (line breaks) in the 8G text file, it is recommended to use a program that supports them, such as Notepad++ (free for Windows) or TextEdit or BBEdit (free for Mac). The line breaks keep the code structured and readable, instead of a big jumbled mess.

License & Disclaimer

8G Firewall is open source and 100% free for all. The only requirement is that the following credit lines are included when using 8G (or any of its parts).

# 8G FIREWALL
# https://perishablepress.com/8g-firewall/

Other than that, it’s all yours!

Disclaimer

The 8G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)

Show support

I spend countless hours developing the nG Firewall. I share it freely and openly with the hope that it will help make the Web a more secure place for everyone.

If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the community. Thank you kindly :)

Support 8G Firewall: Donate via PayPal, Stripe, or your favorite digital coin »

8G Notes

Any 8G-related notes will be added/updated here..

  • Only use 7G or 8G, not both
  • 8G is modular: each section can be removed/added as desired
  • 8G is designed to work flawlessly with WordPress or any other non-WP site
  • 8G adds new “HTTP COOKIE” rules
  • Please report any strings or user agents that should not be blocked
  • Always test well before going live and report any bugs or issues
  • Joomla sites: remove “administrator” from Request URI rules
  • Other 8G-related notes will be added here..

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
WP Themes In Depth: Build and sell awesome WordPress themes.

132 responses to “8G Firewall”

  1. Hey Jeff, ever consider adding http version? http 1.X is pretty much obsolete for current browsers, even 2 and is another easy way to filter out the trash.

  2. Just out of interest… what is the reason that the user agents are all blocked with a single rule. Can’t they all be contained in one rule?

    I mean these lines. There are several of them, all matching the same base, blocking user agents. But why all of them individually? So that the rule doesn’t get too long?

    RewriteCond %{HTTP_USER_AGENT} (linkscan…

    • Jeff Starr 2023/02/26 12:29 am Reply

      Correct, it’s to keep lines short and manageable, organized. Some environments have problems parsing long lines, especially when regex is involved. You’ll notice the same is true for other sections, like Query String and Request URI.

  3. There is a problem.
    When I go to the plugin settings page (/wp-admin/admin.php?page=Wordfence) the request is blocked.
    The problem is in the line:

    RewriteCond %{REQUEST_URI} (/)((boot)?_?admin(er|istrator|s)?(_events)?)(\.php) [NC,OR]

    I commented it out. What can be done?

    • Jeff Starr 2023/03/08 12:20 pm Reply

      Yeah that line needs re-worked. Until then, just leave commented out.

    • problem with loading js, css (for plugin) in admin panel

      console (Error):

      .../plugins/seo-by-rank-math/assets/admin/css/common.css net::ERR_ABORTED 403 (admin.php)

      The problem is in the line:

      RewriteCond %{REQUEST_URI} (/)((.*)crlf-?injection|(.*)xss-?protection|__(inc|jsc)|admin(istrator)?|author-panel|cgi-bin|database|downloader|(db|mysql)-?admin)(/) [NC,OR]

      I commented it out

    • Hi Jeff, Thanks for the 8G Firewall. One issue I have found is AHREFS’ bot is getting blocked. I need to whitelist their bot. How do I do this and how do I whitelist other benign bots?

      • Just remove their name/string from the User Agents section should do the trick. Also when it comes to bots, “benign” is highly relative (imo).

  4. This line block Elementor info page in wp admin

    RewriteCond %{REQUEST_URI} (/)((boot)?_?admin(er|istrator|s)?(_events)?)(\.php) [NC,OR]
  5. Rank Math not working. Problem in string:

    RewriteCond %{REQUEST_URI} (/)((boot)?_?admin(er|istrator|s)?(_events)?)(\.php) [NC,OR]
  6. I have just installed 8g replacing the 7g I was using previously on my phpBB 3.3.10 test board. So far no errors have made them selves known to me and the board is much ‘snappier’ than it was.

  7. I was thinking that it would be nice to have an “addon” part of 8G that blocks all bad bots looking for sites that do NOT use woocommerce, NOT use wordpress, NOT use PHP, not whatever framework or plugin, etc. that people can optionally install based on their site design… not unlike the current ADD-ON of 7G Firewall…

  8. It would be cool if OpenAI ChatGPT user agents were blocked.

    • Jeff Starr 2023/05/01 9:13 pm Reply

      I’ve not seen much activity from “OpenAI” or “ChatGPT” as user agents.. what specifically are you noticing?

  9. Jonathan 2023/05/01 3:25 pmReply

    Regarding HTTP version as mentioned earlier in the comments. Unfortunately, there is an issue with that. WordPress operates on 1.0 or 1.1 and for now you can’t change that. Entire site gets blocked if you require HTTP/2 and higher.

    https://core.trac.wordpress.org/ticket/53513

    • Jeff Starr 2023/05/01 9:12 pm Reply

      Yeah I’ve seen a lot of posts pushing HTTP version whitelisting, but it’s just a bad idea in general. There may be specific cases where it can help, but as you say WordPress isn’t one of them.

  10. Hi, is there any test unit I can run all possible attacks that it would stop? If not, how can I know it works?
    Thanks!
    Jaro

    • Jeff Starr 2024/02/26 1:08 am Reply

      No units tests (that I know of), but an easy way to test is to pick any pattern/string from the URI Requests or Query String rules. Then try making a request using your browser’s address bar, or any HTTP/request app/extension will work too. For example, one of the URI request patterns is ,,, (three commas), so you can enter in the address bar: https://example.com/some/path/whatever/,,,. If the result is 403 Forbidden, the firewall is working. You can test with as many patterns as needed until confident things are working properly.

  11. Wonderful, awesome work! Can we expect a NGINX version soon?

  12. Hi there, just to let you know, there are a couple user-agents strings I’m blocking on my own and you could add to your list:

    AlphaBot
    CensysInspect
    ImagesiftBot
    MauiBot
    Mozlila
    seoscanners.net

    My pleasure. Hope it helps.

Leave a reply

Name and email required. Email kept private. Basic markup allowed. Please wrap any small/single-line code snippets with <code> tags. Wrap any long/multi-line snippets with <pre><code> tags. For more info, check out the Comment Policy and Privacy Policy.

Subscribe to comments on this post

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.