WireWall - Advanced Security Firewall Module

[maximus]

Hello ! 👋

I'm excited to share WireWall, a comprehensive security firewall module I've been developing for ProcessWire. After months of real-world testing on production sites (including blocking 99.98% of malicious traffic on my e-commerce platform), I'm ready to release it to the community.

What is WireWall?

WireWall is a ProcessWire-native security module that provides enterprise-grade protection with granular geographic and network-level blocking. Unlike traditional firewalls that only block by country, WireWall lets you block by city, region (state/province), VPN/Proxy/Tor, ASN, and more.

Key Features

Geographic Blocking:

• City-level blocking - Block specific cities worldwide (e.g., "Philadelphia", "Beijing", "Tokyo")
• Region blocking - Block entire states/provinces (e.g., "Pennsylvania", "California", "Tokyo Prefecture")
• Country blocking - Traditional country-level controls with whitelist/blacklist modes

Network Protection:

• VPN/Proxy/Tor detection - Multi-API detection system with intelligent fallback
• Datacentre detection - Block AWS, Google Cloud, DigitalOcean, and other hosting providers
• ASN blocking - Block entire autonomous systems by ASN number
• Rate limiting - Per-IP rate limits with automatic temporary bans
• AI bot blocking - Automatically block GPTBot, ClaudeBot, and other AI scrapers

Performance & Scalability:

• File-based cache - Scales to 1M+ IPs with zero database overhead
• Lightning-fast lookups - 0.5-2ms with MaxMind databases
• HTTP fallback - Works without MaxMind databases (though less performant)
• Smart caching - GeoIP cached for 30 days, VPN checks for 7 days

Developer-Friendly:

• Priority-based system - 14 security layers evaluated in order
• JavaScript challenge - Detect and block headless browsers
• Comprehensive logging - Debug mode with detailed request information
• Cache management UI - Built-in interface to view stats and clear cache
• Triple admin protection - Logged-in users, IP whitelist, admin area bypass

Real-World Results

On my e-commerce site (LQRS.com), WireWall has been running for several months with impressive results:

• 99.98% blocking rate - Nearly all malicious traffic blocked
• Zero false positives - Legitimate customers unaffected
• Significant reduction in AWS/cloud-based automated attacks
• Complete elimination of VPN/proxy fraud attempts

Installation

cd /site/modules/
git clone https://github.com/mxmsmnv/WireWall.git

Then in ProcessWire admin:

1. Modules → Refresh
2. Install WireWall
3. Configure your blocking rules
4. You're protected!

How It Works - Priority System

WireWall processes every request through 14 prioritised security layers:

1. Admin Area → ALLOW (ProcessWire admin always accessible)
2. IP Whitelist → ALLOW (manual whitelist bypass)
3. Rate Limiting → BLOCK (excessive requests)
4. IP Blacklist → BLOCK (permanent blocks)
5. JavaScript Challenge → CHALLENGE (suspicious requests)
6. VPN/Proxy/Tor → BLOCK (anonymous services)
7. Datacentre Detection → BLOCK (cloud hosting)
8. ASN Blocking → BLOCK (autonomous systems)
9. Global Rules → BLOCK (known patterns)
10. Country Blocking → BLOCK (country rules)
11. City Blocking → BLOCK (city rules)
12. Region Blocking → BLOCK (region rules)
13. Country-specific Rules → BLOCK (custom rules)
14. Default → ALLOW ✓

First match wins - once a rule triggers, evaluation stops.

MaxMind Integration

WireWall works best with MaxMind GeoLite2 databases (free):

• GeoLite2-Country.mmdb - Country detection
• GeoLite2-City.mmdb - City and region detection
• GeoLite2-ASN.mmdb - Network/ISP detection

Without MaxMind, it falls back to ip-api.com HTTP API (slower, with rate limits). City and region blocking require the MaxMind City database.

Download MaxMind databases from: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data

Technical Details

• ProcessWire: 3.0.200 or higher
• PHP: 8.1 or higher
• Optional: MaxMind GeoLite2 databases (Country, ASN, City)
• Optional: Composer (for MaxMind GeoIP2 library)

Why Another Firewall Module?

I needed something specifically for ProcessWire that:

1. Scales efficiently - File-based cache handles millions of IPs without database bloat
2. Provides granular control - City and region blocking isn't available in other solutions
3. Works offline - MaxMind databases work without external API calls
4. Integrates natively - Built specifically for ProcessWire's architecture
5. Stays free - Open source, no premium tiers or upsells

Other solutions like Wordfence (WordPress), Sucuri (paid service), and ModSecurity (server-level) either don't integrate well with ProcessWire or lack the geographic granularity needed for fraud prevention.

Resources

• GitHub Repository: https://github.com/mxmsmnv/WireWall
• Documentation: Full README with installation, configuration, and troubleshooting
• Landing Page: https://wirewall.org
• Licence: MIT (free for commercial use)

---

Quick Start TL;DR

# Install
cd site/modules && git clone https://github.com/mxmsmnv/WireWall.git

# Activate in ProcessWire admin
Modules → Install → WireWall

# Configure
- Enable module
- Set blocking rules (cities/regions/countries)
- Enable VPN detection
- Configure rate limiting
- Save

# Monitor
Setup → Logs → wirewall.txt

---

I'm happy to answer any questions! Has anyone else been working on security solutions for ProcessWire? I'd love to hear about your approaches and challenges.

Best regards, Maxim

[maximus]

Check out more on website - https://wirewall.org

[jacmaes]

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

[matjazp]

I also can't reach it as I'm browsing with javascript off.

[Tiberium]

1 hour ago, matjazp said:

I also can't reach it as I'm browsing with javascript off.

I assume because of the JavaScript challenge ^^.

@maximus Can specific block steps be switched off?

[Stefanowitsch]

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

[matjazp]

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

[maximus]

On 12/15/2025 at 4:37 AM, jacmaes said:

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

I don't think you need a disguise to view your website, but you can always add exceptions. Also this week, I updated the module to version 1.1.9, where, in addition to prohibitions, exception fields have been added: for search robots (user agent), ASN and IP.

On 12/15/2025 at 1:38 PM, matjazp said:

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

Thanks a lot, I've corrected it everywhere.

On 12/15/2025 at 6:05 AM, matjazp said:

I also can't reach it as I'm browsing with javascript off.

Yes, I see that access to the site is blocked when javascript is disabled. I'll think about how to solve it.

[maximus]

On 12/15/2025 at 11:41 AM, Stefanowitsch said:

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

Please try manually making changes to the module code in the relevant lines and, if possible, let us know whether it works or not.