WireWall - Advanced Security Firewall Module

[maximus]

Hello! 👋

I'm thrilled to (re-)introduce WireWall — an advanced security firewall module for ProcessWire that I've been actively developing and refining in production for months. After blocking massive amounts of malicious traffic (99.98%+ on my e-commerce sites) with zero impact on real users, it's time for a refreshed community announcement with all the latest features from v1.3.4.

What is WireWall?

WireWall turns your ProcessWire site into a secure fortress with enterprise-grade tools: city-level geo-blocking, full IPv6/CIDR, multi-layer bot protection, true stealth mode, rate limiting fixes, and file-based caching that easily handles 1M+ IPs.

Key Features (as of 1.3.4)

Geographic Control

• City-level blocking (e.g. Philadelphia, Beijing, Sydney)
• Subdivision/region blocking (Pennsylvania, New South Wales, Île-de-France)
• Country blocking (blacklist/whitelist 200+ countries)
• MaxMind GeoLite2 integration (Country + ASN + City) — 0.5-2ms lookups
• HTTP fallback (ip-api.com) when MaxMind not available
• Full IPv6 + CIDR support

Bot & Threat Protection

• Bad bots, scanners, vulnerability tools
• AI training bots (GPTBot, ClaudeBot, GrokBot, Perplexity, etc.)
• Fake/headless browser detection (Puppeteer, Selenium, etc.)
• VPN/Proxy/Tor detection (multi-API chain)
• Datacenter blocking (AWS, GCP, Azure, Hetzner, etc.)
• ASN blocking & whitelisting (block/allow entire networks)

Security & Rate Limiting

• Configurable rate limiting with burst handling & permanent/temporary bans
• JavaScript challenge for suspicious traffic
• IP whitelist/blacklist with CIDR
• Priority system — now 16 levels (logged-in users at #3, trusted modules at #2)

Stealth & UX

• True silent 404 mode — plain "Not Found" text (no HTML/branding)
• Beautiful custom block page with location/IP display
• Custom redirect or message on block
• Option to completely disable AJAX protection (fallback for tricky integrations)

Performance & Management

• File-based cache — scales to millions of IPs, no DB overhead
• Cache UI with stats & per-type clear buttons
• Detailed logging (city/region/ASN included)
• Admin area always protected (triple-layer)

Real-World Results On production sites (e-commerce + others), WireWall consistently:

• Blocks 99.98%+ of attacks/scrapers/VPN fraud
• Zero false positives for logged-in users & legitimate traffic (thanks to priority fixes)
• Handles spikes without issues after rate limiting improvements
• Eliminates most cloud-based automated probes

Installation (Quick)

cd site/modules/
git clone https://github.com/mxmsmnv/WireWall.git

Then in admin:

1. Modules → Refresh
2. Install WireWall
3. Configure (start with rate limiting + VPN detection + bad/AI bots)
4. Monitor: Setup → Logs → wirewall

Priority System (how requests are evaluated)

1. Admin area → always ALLOW
2. Trusted ProcessWire module AJAX → ALLOW
3. Logged-in users → ALLOW (new in 1.3.4 — unconditional bypass)
4. IP whitelist → ALLOW
5. Allowed bots / IPs / ASNs → ALLOW
6. Rate limiting → BLOCK if exceeded
7. IP blacklist → BLOCK
8. JS challenge → CHALLENGE
9. VPN/Proxy/Tor → BLOCK
10. Datacenter → BLOCK
11. ASN blocking → BLOCK
12. Global rules (bots/paths/UA/referer) → BLOCK
13. Country blocking → BLOCK/ALLOW
14. City blocking → BLOCK/ALLOW
15. Subdivision blocking → BLOCK/ALLOW
16. Country-specific rules → BLOCK

First match wins.

MaxMind Setup (strongly recommended) Free GeoLite2 databases → fast & offline.
See README or https://wirewall.org for setup guide.

Requirements

• ProcessWire 3.0.200+
• PHP 8.1+

Resources

• GitHub: https://github.com/mxmsmnv/WireWall
• Releases & Changelog: https://github.com/mxmsmnv/WireWall/releases
• Landing: https://wirewall.org
• License: MIT (free for commercial use)

Why build this? ProcessWire deserved a native, scalable, granular firewall with city-level control, offline capability, and proper exception handling — things missing or hard in other solutions.

Happy to answer questions, hear about your security setups, or debug any issues! Feedback from the community has already shaped big improvements (like the recent logged-in & stealth fixes).

Best regards,
Maxim

[maximus]

Check out more on website - https://wirewall.org

[jacmaes]

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

[matjazp]

I also can't reach it as I'm browsing with javascript off.

[Tiberium]

1 hour ago, matjazp said:

I also can't reach it as I'm browsing with javascript off.

I assume because of the JavaScript challenge ^^.

@maximus Can specific block steps be switched off?

[Stefanowitsch]

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

[matjazp]

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

[maximus]

On 12/15/2025 at 4:37 AM, jacmaes said:

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

I don't think you need a disguise to view your website, but you can always add exceptions. Also this week, I updated the module to version 1.1.9, where, in addition to prohibitions, exception fields have been added: for search robots (user agent), ASN and IP.

On 12/15/2025 at 1:38 PM, matjazp said:

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

Thanks a lot, I've corrected it everywhere.

On 12/15/2025 at 6:05 AM, matjazp said:

I also can't reach it as I'm browsing with javascript off.

Yes, I see that access to the site is blocked when javascript is disabled. I'll think about how to solve it.

[maximus]

On 12/15/2025 at 11:41 AM, Stefanowitsch said:

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

Please try manually making changes to the module code in the relevant lines and, if possible, let us know whether it works or not.
 

Spoiler

 

[Stefanowitsch]

The custom AJAX endpoints that RockFrontend is using are basically PHP files located in:

/site/templates/ajax/

So the requests go to:

http://www.mysite.com/ajax/myEndpoint

To prevent these requests from being blocked I tweaked this piece of module code:

// WireWall.module.php line 1140

// Check if request URL contains /processwire/ or /admin/ or /ajax/
$requestUri = $_SERVER['REQUEST_URI'] ?? '';
  if (stripos($requestUri, '/processwire/') !== false || 
  stripos($requestUri, '/admin/') !== false ||
  stripos($requestUri, '/ajax/') !== false) {
  return true;
}

[maximus]

WireWall v1.3.2 – Advanced Traffic Firewall

Released: January 4, 2026
Stable release with major improvements in data persistence, IPv6 support, and configuration reliability.

What's New in v1.3.2

• Permanent data persistence
  GeoLite2 databases, Composer vendor folder, and composer files are now safely stored in /site/assets/WireWall/
  → No more data loss or reinstallation needed after module updates

• Automatic migration from older versions
  When upgrading from ≤1.2.0, old files from /site/modules/WireWall/ are automatically moved to the new location

• Full IPv6 CIDR support
  Complete IPv6 range matching for both blocking and whitelisting

• Enhanced exception system
  New configuration fields:
  • Custom Trusted AJAX Paths
  • Custom API Paths (bypass for ALL HTTP methods – GET/POST/PUT/DELETE/etc.)

• Robust checkbox handling
  All toggle options now reliably save as 0/1 (fixes old config issues after updates/reinstalls)

• Improved configuration interface
  New colorful "Setup Information" section with current paths, migration guide, and clear installation instructions

Recommended post-update steps

1. Go to Modules → WireWall → Configure
2. Verify GeoIP databases are located at:
   /site/assets/WireWall/geoip/GeoLite2-*.mmdb
3. If you have GeoLite2-City.mmdb → enable City & Subdivision blocking
4. Add any custom paths you need in:
   • Custom Trusted AJAX Paths
   • Custom API Paths

Requirements

• ProcessWire ≥ 3.0.200
• PHP ≥ 8.1
• Strongly recommended: MaxMind GeoLite2 databases (Country + ASN required, City optional for detailed logging)

Downloads

• WireWall.module.php
• Full module archive (zip)

Full documentation → README
Website → wirewall.org

Thanks to everyone testing and providing feedback!

Stay secure! 🛡️

[adrian]

Big thanks for this @maximus

A couple of feature suggestions if I may :)

1. Could you change the "Return 404 silently (stealth mode)" option to really be a stealth 404 error because at the moment it still returns the styled black Wirewall page with all its branding - it's just a change to the wording.
2. Any chance of an option to disable the AJAX protection completely?

And a confusion - I am logged into my admin, but in the same browser window I have still managed to trigger the rate limit (intentionally), but your docs state "First, all logged-in ProcessWire users are automatically whitelisted." but I am blocked and actually don't seem to be able to remove the block even after deleting the files in /assets/cache/WireWall - what am I missing?

[adrian]

Even after 60 mins I still can't get in and now even my backend admin is blocked. I ended up having to remove the module folder to get access again. What am I doing wrong?

[maximus]

8 minutes ago, adrian said:

Even after 60 mins I still can't get in and now even my backend admin is blocked. I ended up having to remove the module folder to get access again. What am I doing wrong?

Quick question: you are use Firefox?

[adrian]

Just now, maximus said:

Quick question: you are use Firefox?

Brave

[maximus]

Hint (temporary solution), open Chrome browser or Safari, add keywords: Brave and Firefox to Allowed User-Agents (Bots Whitelist) section

[adrian]

Thanks for the suggestion, but after deleting the module files and reinstalling them, I have access again for now.

But still having issues with the ban duration. I set it to 2 minutes but I am still blocked out (this time just on the frontend). Note that I am logged in, but my admin is not at /processwire or /admin (in case that has any impact on the previous issue where I was actually locked out of the backend).

[adrian]

Interestingly if I try to open the frontend in Chrome, Firefox, or Zen now, it's still blocked, but it opens in Safari.

[maximus]

8 hours ago, adrian said:

Interestingly if I try to open the frontend in Chrome, Firefox, or Zen now, it's still blocked, but it opens in Safari.

Ok, I will try. 

[adrian]

Just an FYI that I'm still blocked again this many hours later. 

[maximus]

@adrian,

Big thanks for the detailed reports and for sticking with testing this — especially the browser-specific blocks (Chrome/Firefox/Zen vs Safari) and the fact that bans were coming back many hours later. That helped a ton to reproduce and nail down the issues.

Just released 1.3.4 with fixes for exactly those problems (logged-in users bypassing rate limiting properly, no re-triggering bans after expiry, true plain 404 in stealth mode, etc.).

Release: https://github.com/mxmsmnv/WireWall/releases/tag/1.3.4
Full changelog: https://github.com/mxmsmnv/WireWall/blob/main/CHANGELOG.md