WireWall

WireWall - Advanced Security & Firewall Module for ProcessWire

Author: Maxim Alex | GitHub: mxmsmnv | Website: wirewall.org

Enterprise-grade security and firewall module for ProcessWire CMS with comprehensive geo-blocking, bot protection, rate limiting, VPN/Proxy detection, and city-level access control.

️ Overview

WireWall is a powerful, production-ready security module that transforms ProcessWire into a fortress. With MaxMind GeoLite2 integration, multi-API threat detection, and file-based caching that scales to millions of IPs, WireWall provides enterprise-level protection without the enterprise complexity.

Key Benefits:

• ⚡ Fast - File-based cache, 0.5-2ms GeoIP lookups with MaxMind
• Precise - 12+ priority levels, city/subdivision blocking
• Smart - AI bot detection, fake browser analysis, datacenter blocking
• Insightful - Comprehensive logging with city/region data
• Scalable - Handles 1M+ IPs without database overhead
• Flexible - Extensive whitelist/exception system for legitimate traffic

Core Features

Geographic Control

• Country Blocking - Block or whitelist entire countries (200+ countries)
• City-Level Blocking - Block specific cities (e.g., Philadelphia, Beijing, Moscow)
• Subdivision/Region Blocking - Block states, provinces, oblasts (e.g., Pennsylvania, California, Krasnodar)
• MaxMind GeoLite2 - Fast, accurate local geolocation (Country, ASN, City databases)
• HTTP API Fallback - Automatic fallback to ip-api.com when MaxMind unavailable
• IPv4/IPv6 Support - Full support with CIDR notation (e.g., 192.168.0.0/16, 2601:41:c780:6740::/64)

Bot Protection

• Bad Bot Blocking - Block scrapers, scanners, and malicious bots (wget, curl, scrapy, nikto, sqlmap)
• Search Engine Control - Block/allow search crawlers (Googlebot, Bingbot, Yandex, Baidu)
• AI Bot Blocking - Block AI training bots (GPTBot, ClaudeBot, GrokBot, Perplexity, Google-Extended)
• Custom Bot Lists - Define your own bot patterns to block
• Fake Browser Detection - Advanced User-Agent analysis to detect spoofed browsers
• Headless Browser Detection - Detect Puppeteer, Playwright, Selenium, PhantomJS

️ Security Features

• Rate Limiting - Configurable requests per minute with automatic temporary bans
• VPN/Proxy/Tor Detection - Multi-API detection with fallback (ip-api.com, ipinfo.io, ipapi.co)
• Datacenter Blocking - Block AWS, Google Cloud, DigitalOcean, Azure, and other hosting providers
• ASN Blocking - Block specific networks by Autonomous System Number
• JavaScript Challenge - Anti-bot challenge page for suspicious requests
• IP Whitelist/Blacklist - Manual override for specific IPs, ranges, and CIDR blocks
• ASN Whitelist - Allow specific networks (Google, Microsoft, Facebook, etc.)

Management & Monitoring

• File-Based Cache - Scales to millions of IPs without database overhead
• Cache Management UI - View statistics and clear cache by type
• Priority System - 12+ priority levels for precise rule control
• Admin Protection - Triple-layer admin area protection (never blocks admin)
• Detailed Logging - City/region/ASN included in all logs

User Experience

• Beautiful Block Page - Modern design with location display and wave pattern
• Silent 404 Mode - Alternative stealth blocking mode
• Custom Redirect - Redirect blocked users to custom URL
• Custom Messages - Personalise block messages

⚙️ Exception System

• Allowed User-Agents - Whitelist legitimate bots (Googlebot, Bingbot, Slackbot, etc.)
• Allowed IPs - Whitelist specific IPs or CIDR ranges for bot verification
• Allowed ASNs - Whitelist entire networks by ASN (Google, Microsoft, Facebook, CDNs)
• Trusted Modules - Automatic AJAX bypass for ProcessWire modules (RockFrontend, AppApi)
• Custom API Paths - Configure custom API endpoints that bypass all checks

Requirements

• ProcessWire: 3.0.200 or higher
• PHP: 8.1 or higher
• Optional: MaxMind GeoLite2 databases (Country, ASN, City)
• Optional: Composer (for MaxMind GeoIP2 library)

Quick Start

Installation

# 1. Download module
git clone https://github.com/mxmsmnv/WireWall.git

# 2. Install to ProcessWire
cp -r WireWall /path/to/processwire/site/modules/

# 3. Activate in admin
Admin → Modules → Site → WireWall → Install

# 4. Configure
Admin → Modules → WireWall → Configure

Basic Configuration

✓ Enable WireWall
✓ Country Blocking: RU, CN, KP (blacklist)
✓ VPN/Proxy Detection: Enabled
✓ Rate Limiting: 10 requests/min, 60 min ban
✓ Block Bad Bots: Enabled
✓ Enable Stats Logging: Enabled
✓ Allowed User-Agents: Googlebot, Bingbot (default)
✓ Allowed ASNs: 15169 (Google), 8075 (Microsoft)

See INSTALL.md for detailed installation and CONFIGURATIONS.md for advanced setups.

Common Use Cases

1. Attack Protection (Recommended)

Country Blocking: RU, CN, KP, IR, BY (blacklist)
City Blocking: Philadelphia, Beijing (blacklist - adjust for your threat profile)
VPN/Proxy Detection: Enabled
Datacenter Blocking: Enabled
Rate Limiting: 10 req/min, 60 min ban
Bot Blocking: Bad bots + AI bots enabled
Fake Browser Detection: Enabled
Allowed Bots: Googlebot, Bingbot, Yandex (for SEO)
Allowed ASNs: 15169 (Google), 8075 (Microsoft)

2. E-commerce Security

Country Blocking: Blacklist fraud-prone countries
VPN/Proxy Detection: Enabled
Datacenter Blocking: Enabled
Rate Limiting: 15 req/min, 30 min ban
Bot Blocking: Bad bots enabled (keep search bots for SEO)
IP Whitelist: Payment gateway IPs
Allowed Bots: Googlebot, Bingbot (SEO)
Allowed IPs: 66.249.64.0/19 (Google Bot verified IPs)

3. Local Business (Australia Example)

Country Blocking: AU (whitelist - allow only)
Subdivision Blocking: New South Wales, Victoria, Queensland (whitelist)
City Blocking: Sydney, Melbourne, Brisbane (whitelist)
IP Whitelist: Office IP, staff IPs
Rate Limiting: 20 req/min
Allowed Bots: Googlebot, Bing (for local SEO)

4. API Protection

IP Whitelist: Known API consumers
Rate Limiting: 100 req/min, 10 min ban
Datacenter Blocking: Disabled (if API clients use cloud)
Bot Blocking: Custom bot list for API abuse
Allowed IPs: Trusted API client IPs
Allowed ASNs: 16509 (AWS), 13335 (Cloudflare) if using cloud

5. Content Protection (Block AI Scrapers)

Block AI Bots: Enabled (GPTBot, ClaudeBot, Perplexity, etc.)
Block Bad Bots: Enabled
Fake Browser Detection: Enabled
Rate Limiting: 5 req/min for suspicious UAs
Datacenter Blocking: Enabled
Allowed Bots: Googlebot, Bingbot ONLY (for SEO, not AI)

MaxMind GeoLite2 Setup

WireWall works with or without MaxMind, but MaxMind is strongly recommended for production use.

Comparison

Installation (Recommended)

# 1. Register for free MaxMind account
https://www.maxmind.com/en/geolite2/signup

# 2. Download databases
- GeoLite2-Country.mmdb (required for country blocking)
- GeoLite2-ASN.mmdb (required for ASN detection)
- GeoLite2-City.mmdb (optional for city/subdivision blocking)

# 3. Create directory and copy databases
mkdir -p /path/to/site/modules/WireWall/geoip/
cp *.mmdb /path/to/site/modules/WireWall/geoip/

# 4. Install PHP library (in module directory)
cd /path/to/site/modules/WireWall
composer require geoip2/geoip2

# 5. Verify in admin
Admin → Modules → WireWall → Configure
✅ MaxMind GeoLite2 Status: Active

Database Update Schedule

MaxMind releases updated databases every Tuesday and Friday. For best accuracy:

# Download latest databases weekly
# Set up cron job to auto-update (optional)
0 2 * * 2,5 cd /path/to/site/modules/WireWall/geoip/ && ./update-maxmind.sh

Exception System

WireWall includes a comprehensive exception system for whitelisting legitimate traffic.

Allowed User-Agents (Bot Whitelist)

Whitelist legitimate bots to bypass ALL WireWall checks:

Default Allowed Bots:

Googlebot
Bingbot
Yandex
facebookexternalhit
Slackbot
LinkedInBot
Twitterbot
WhatsApp
Applebot

Location: Admin → Modules → WireWall → Exceptions/Whitelist

Use Cases:

• SEO: Keep search engines for indexing
• Social: Allow social media preview crawlers
• Monitoring: Whitelist uptime monitors
• Custom: Add your own trusted bots

Allowed IPs (IP Whitelist)

Whitelist specific IPs or CIDR ranges:

Examples:

# Google Bot verified IPs
66.249.64.0/19

# Bing Bot IPs
157.55.39.0/24

# Yandex Bot IPs
77.88.5.0/24

# Single IP
192.168.1.100

# Private network
10.0.0.0/8

Verification Resources:

• Google Bot: https://developers.google.com/search/docs/crawling-indexing/verifying-googlebot
• Bing Bot: https://www.bing.com/webmasters/help/verifying-bingbot-2195b2e2

Allowed ASNs (Network Whitelist)

Whitelist entire networks by ASN - the most powerful exception method:

Major Services ASNs:

# Search Engines
AS15169 or 15169 - Google
AS8075 or 8075 - Microsoft (Bing)
AS13238 or 13238 - Yandex

# Social Networks
AS32934 or 32934 - Facebook/Meta

# Cloud/CDN
AS16509 or 16509 - Amazon AWS
AS13335 or 13335 - Cloudflare
AS54113 or 54113 - Fastly CDN

# Services
AS46489 or 46489 - Twilio

Format Options:

• ASN number: 15169
• AS prefix: AS15169
• Organization name: Google

Requires: MaxMind GeoLite2 ASN database

Trusted ProcessWire Modules

Automatic AJAX bypass for ProcessWire modules:

Feature: allowTrustedModules (enabled by default)
Bypasses: ProcessWire module AJAX requests (RockFrontend, AppApi, etc.)
Benefits: No module conflicts, seamless operation
Supports: All HTTP methods (GET, POST, PUT, DELETE, PATCH)

Trusted modules automatically bypass WireWall checks, ensuring smooth ProcessWire operation.

Custom API Paths

Configure custom API endpoints that bypass all WireWall checks:

Feature: Custom API Paths
Location: Admin → Modules → WireWall → Exceptions
Format: One path per line (e.g., /api/webhook, /graphql)
Supports: All HTTP methods (GET, POST, PUT, DELETE, etc.)
Use Cases: External webhooks, API endpoints, third-party integrations

Example Configuration:

/api/webhook
/api/stripe
/graphql
/rest/v1

Benefits:

• Complete bypass for API endpoints
• Supports all HTTP methods
• No rate limiting on API paths
• Ideal for webhooks and integrations

Logging & Monitoring

Log Format

WireWall creates a single log file with all security events.

With City Database:

BLOCKED | US (Chicago, Illinois) | 174.198.11.141 | AS6167 CELLCO-PART | UA: Mozilla/5.0... | subdivision-blocked
ALLOWED | US (Philadelphia, Pennsylvania) | 1.2.3.4 | AS7922 Comcast Cable | UA: Mozilla/5.0...
BLOCKED | AU (Sydney, New South Wales) | 1.1.1.1 | AS13335 Cloudflare | UA: curl/7.68.0 | city-blocked
BLOCKED | RU (Moscow, Moscow) | 5.18.123.45 | AS12389 Rostelecom | UA: python-requests/2.28.0 | country-blocked
ALLOWED | US | 66.249.66.1 | AS15169 Google | UA: Mozilla/5.0 (compatible; Googlebot/2.1) | allowed-bot

Without City Database:

BLOCKED | DE | 185.220.101.1 | AS13335 Cloudflare | UA: Tor Browser | country-blocked
ALLOWED | AU | 1.1.1.1 | AS13335 Cloudflare | UA: Mozilla/5.0...
BLOCKED | CN | 119.23.45.67 | AS4134 Chinanet | UA: curl/7.68.0 | vpn-detected
ALLOWED | US | 66.249.66.1 | AS15169 Google | UA: Mozilla/5.0 (compatible; Googlebot/2.1) | allowed-bot

Log File Location

Admin → Setup → Logs → wirewall

Log includes:

• Access status (ALLOWED/BLOCKED)
• Country code with city/region (if City database available)
• IP address
• ASN (Autonomous System Number) with organization name
• User-Agent (first 100 characters)
• Block reason (if blocked)

Common block reasons:

• country-blocked - Blocked by country rules
• city-blocked - Blocked by city rules
• subdivision-blocked - Blocked by subdivision/region rules
• rate-limit - Rate limit exceeded
• proxy-vpn-tor - VPN/Proxy/Tor detected
• datacenter - Datacenter IP detected
• asn-blocked - ASN blocked
• ip - IP blacklist match
• global - Global rule match (bot/path/UA/referer)
• allowed-bot - Legitimate bot allowed by exception system
• js-challenge - JavaScript challenge issued

Cache Management

Built-in cache management UI with real-time statistics:

Cache Statistics:

• Total cached files
• Rate limit entries
• Active bans
• Proxy/VPN cache
• Geo data cache

Cache Actions:

• Clear rate limits
• Clear bans
• Clear proxy cache
• Clear geo cache
• Clear all cache

Location:

Admin → Modules → WireWall → Configure → Cache Management

Performance:

• File-based cache in /site/assets/cache/WireWall/
• Automatically removes expired entries
• Scales to 1M+ entries without performance degradation

Priority System

WireWall evaluates requests in this order (higher priority = checked first):

1. Admin Area Protection → ALLOW (always, never blocked)
2. Trusted ProcessWire Modules → ALLOW (AJAX requests bypass all checks)
3. IP Whitelist → ALLOW (bypasses all rules)
4. Allowed Bots/IPs/ASNs → ALLOW (exceptions bypass all checks)
5. Rate Limiting → BLOCK if exceeded
6. IP Blacklist → BLOCK (always)
7. JS Challenge → CHALLENGE if suspicious
8. VPN/Proxy/Tor Detection → BLOCK if detected
9. Datacenter Detection → BLOCK if datacenter
10. ASN Blocking → BLOCK if ASN matched
11. Global Rules → BLOCK if bot/path/UA/referer matched
12. Country Blocking → BLOCK/ALLOW based on blacklist/whitelist
13. City Blocking → BLOCK/ALLOW based on blacklist/whitelist
14. Subdivision Blocking → BLOCK/ALLOW based on blacklist/whitelist
15. Country Rules → BLOCK if country-specific rule matched

Access ALLOWED if none of the above rules trigger.

Bot Detection Categories

Bad Bots (Malicious)

wget, curl, python-requests, scrapy, nmap, nikto, sqlmap
semrush, ahrefs, majestic, dotbot, mj12bot, ahrefsbot

Search Engine Bots (SEO)

Googlebot, Bingbot, Slurp (Yahoo), Yandex, Baidu
DuckDuckBot, Sogou, Exabot

Warning: Blocking search bots prevents indexing! Use exception system to allow them.

AI Training Bots (Content Protection)

GPTBot (OpenAI), ClaudeBot (Anthropic), GrokBot (xAI)
PerplexityBot, Google-Extended, Applebot-Extended
ChatGPT-User, Claude-Web, Omgilibot, FacebookBot

Headless Browsers (Automation)

Puppeteer, Playwright, Selenium, PhantomJS
HeadlessChrome, Chrome-Lighthouse, WebDriver

Custom Bot Patterns

Define your own patterns:

Admin → Modules → WireWall → Bot Detection → Custom Bot Patterns

BadSpider
MyCustomBot/1.0
AnnoyingCrawler

Block Page Customization

Default Block Page

• Modern, professional design
• Shows visitor's location (City, Region, Country)
• Displays IP address
• Custom message
• Wave pattern background (CSS animation)
• Fully responsive

Alternative Block Actions

1. Silent 404 Mode (Stealth)

Block Action: Return 404 silently
- No block page shown
- Looks like page doesn't exist
- Frustrates attackers

2. Custom Redirect

Block Action: Redirect to URL
Redirect URL: https://example.com/blocked
- Redirects to your custom page
- Full control over message
- Can collect analytics

⚡ Performance Benchmarks

With MaxMind GeoLite2

GeoIP Lookup:        0.5-2ms
ASN Lookup:          0.5-2ms
Rate Limit Check:    0.1ms
Total Overhead:      1-3ms per request
Memory Usage:        ~70MB (with City DB)
                     ~12MB (without City DB)

Without MaxMind (HTTP API)

GeoIP Lookup:        100-500ms (network dependent)
Rate Limit Check:    0.1ms
Total Overhead:      100-500ms per request
API Rate Limits:     Apply (varies by provider)

Cache Performance

File Cache:          Scales to 1M+ IPs
Cache Hit:           0.1ms
Cache Miss:          2-5ms (with MaxMind)
Expired Entry:       Automatic cleanup

Exception System Performance

IP Whitelist Check:  0.1ms
ASN Whitelist Check: 0.5ms (with cached ASN)
Bot Whitelist Check: 0.1ms
Total Exception:     <1ms (complete bypass)

Troubleshooting

Issue: Admin Area Blocked

WireWall NEVER blocks admin area by design.
If you can't access admin:
1. Check server configuration
2. Verify admin path in config.php
3. Check firewall rules outside WireWall
4. Check if IP is in blacklist (shouldn't affect admin)

Issue: Legitimate Traffic Blocked

1. Add to IP Whitelist: Specific trusted IPs
2. Add to Allowed User-Agents: Legitimate bot patterns
3. Add to Allowed ASNs: Entire trusted networks
4. Adjust Rate Limiting: Increase limits
5. Review Logs: Admin → Setup → Logs → wirewall
6. Disable specific rules temporarily
7. Check subdivision/city blocking (might be too broad)

Issue: Search Engines Blocked

1. Add to Allowed User-Agents: Googlebot, Bingbot, Yandex
2. Add to Allowed ASNs: 15169 (Google), 8075 (Microsoft)
3. Add to Allowed IPs: Verified search engine IPs
4. Verify with: /admin/setup/logs → wirewall
5. Check if country blocking affects crawlers

Issue: Bots Still Getting Through

1. Enable Fake Browser Detection
2. Enable Datacenter Blocking
3. Reduce Rate Limiting threshold
4. Check custom bot patterns
5. Enable JS Challenge for suspicious requests
6. Review logs for bot signatures
7. Add specific ASNs to blocked list

Issue: MaxMind Not Working

1. Verify databases in /site/modules/WireWall/geoip/
2. Check composer installation: composer require geoip2/geoip2
3. Verify file permissions (readable by PHP)
4. Check module config: MaxMind Status indicator
5. Ensure correct file names (case-sensitive)

Issue: High Memory Usage

1. City DB is large (~70MB) - optional, can be removed
2. Consider using Country + ASN only (~12MB)
3. Clear cache regularly if millions of IPs
4. Reduce cache TTL in code if needed
5. Monitor with Admin → Modules → WireWall → Cache Management

Issue: CDN/Proxy Conflicts

1. Whitelist CDN ASNs: 13335 (Cloudflare), 54113 (Fastly)
2. Add CDN IPs to Allowed IPs
3. Disable Datacenter Blocking if using CDN
4. Ensure X-Forwarded-For header is configured
5. Check getRealClientIP() configuration

Security Best Practices

Recommended Configuration

✓ Enable Rate Limiting (10-15 req/min)
✓ Enable VPN/Proxy Detection
✓ Enable Datacenter Blocking (unless you need CDNs)
✓ Block Bad Bots + AI Bots
✓ Enable Fake Browser Detection
✓ Enable Stats Logging
✓ Whitelist your office/home IP
✓ Whitelist legitimate bots (Googlebot, Bingbot)
✓ Whitelist trusted ASNs (Google, Microsoft for SEO)
✓ Regular log review

Exception System Best Practices

✓ Always whitelist search engines: Googlebot, Bingbot, Yandex
✓ Use ASN whitelisting for major services: Google (15169), Microsoft (8075)
✓ Verify bot IPs: Use official verification methods
✓ Monitor exceptions: Check logs for allowed bot activity
✓ Keep trusted modules enabled: Prevents ProcessWire conflicts
✓ Document exceptions: Note why each exception exists
✓ Review periodically: Remove unnecessary exceptions

What WireWall Does NOT Replace

• ✗ Regular ProcessWire/PHP updates
• ✗ Strong passwords and 2FA
• ✗ HTTPS/SSL certificates
• ✗ Server hardening (firewall, SSH, etc.)
• ✗ Regular backups
• ✗ DDoS protection at network level
• ✗ Application-level security (SQL injection, XSS)

Use WireWall as part of a comprehensive security strategy.

File Structure

WireWall/
├── WireWall.module.php          # Main module
├── README.md                    # This file
├── INSTALL.md                   # Installation guide
├── CONFIGURATIONS.md            # Configuration examples
├── LICENSE                      # License
├── geoip/                       # MaxMind databases (create this)
│   ├── GeoLite2-Country.mmdb
│   ├── GeoLite2-ASN.mmdb
│   └── GeoLite2-City.mmdb
├── vendor/                      # Composer dependencies
│   └── geoip2/                  # MaxMind GeoIP2 library
└── composer.json                # Composer config

Contributing

Contributions, issues, and feature requests are welcome!

1. Fork the repository
2. Create your feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

License

This module is provided as-is under the MIT License. See LICENSE file for details.

Credits & Acknowledgements

• MaxMind - GeoLite2 free databases (MaxMind.com)
• ProcessWire - Exceptional CMS platform (ProcessWire.com)
• Community - Testing, feedback, and support
• ip-api.com - Free GeoIP API fallback
• ipinfo.io - VPN/Proxy detection API
• ipapi.co - Alternative detection API

Tips & Tricks

Whitelist Your Development IPs

Always add your office/home IP to whitelist during setup:
Admin → Modules → WireWall → Exceptions → Allowed IPs
Your IP: 1.2.3.4 (automatically detected and shown in config)

Verify Search Engine Bots

Use official verification methods:
1. Google: https://developers.google.com/search/docs/crawling-indexing/verifying-googlebot
2. Bing: https://www.bing.com/webmasters/help/verifying-bingbot-2195b2e2
3. Add verified IPs to Allowed IPs
4. Add ASNs (Google: 15169, Microsoft: 8075) to Allowed ASNs

Test Before Going Live

1. Configure rules
2. Test with VPN from blocked country
3. Verify logs show blocks
4. Ensure admin access always works
5. Test from mobile (different network)
6. Verify search engines can still crawl (check Search Console)
7. Test rate limiting with repeated requests

Monitor Attack Patterns

Regular log review reveals patterns:
- Common attack countries
- Bot signatures
- Peak attack times
- Repeated IPs (add to blacklist)
- Legitimate bots being blocked (add to exceptions)
- ASN patterns (datacenters, VPNs)

Optimize for Your Traffic

High Traffic Sites:
- Use MaxMind (not HTTP API)
- Increase rate limits
- Enable cache aggressively
- Use ASN whitelisting for CDNs

Low Traffic Sites:
- Can use HTTP API
- Stricter rate limits OK
- More aggressive blocking
- Fewer exceptions needed

E-commerce Sites:
- Moderate rate limits
- Whitelist payment processors
- Enable VPN/Proxy detection
- Whitelist search engines (SEO)

Exception Hierarchy

Most Efficient → Least Efficient:
1. Admin Area (automatic)
2. IP Whitelist (instant)
3. ASN Whitelist (fast, covers entire networks)
4. User-Agent Whitelist (fast, covers bot families)
5. Country Whitelist (covers entire countries)

Best Practice: Use ASN whitelisting for legitimate services
Example: AS15169 whitelists ALL Google services at once