WireWall - Advanced Security Firewall Module

[maximus]

Hello ! 👋

I'm excited to share WireWall, a comprehensive security firewall module I've been developing for ProcessWire. After months of real-world testing on production sites (including blocking 99.98% of malicious traffic on my e-commerce platform), I'm ready to release it to the community.

What is WireWall?

WireWall is a ProcessWire-native security module that provides enterprise-grade protection with granular geographic and network-level blocking. Unlike traditional firewalls that only block by country, WireWall lets you block by city, region (state/province), VPN/Proxy/Tor, ASN, and more.

Key Features

Geographic Blocking:

• City-level blocking - Block specific cities worldwide (e.g., "Philadelphia", "Beijing", "Tokyo")
• Region blocking - Block entire states/provinces (e.g., "Pennsylvania", "California", "Tokyo Prefecture")
• Country blocking - Traditional country-level controls with whitelist/blacklist modes

Network Protection:

• VPN/Proxy/Tor detection - Multi-API detection system with intelligent fallback
• Datacentre detection - Block AWS, Google Cloud, DigitalOcean, and other hosting providers
• ASN blocking - Block entire autonomous systems by ASN number
• Rate limiting - Per-IP rate limits with automatic temporary bans
• AI bot blocking - Automatically block GPTBot, ClaudeBot, and other AI scrapers

Performance & Scalability:

• File-based cache - Scales to 1M+ IPs with zero database overhead
• Lightning-fast lookups - 0.5-2ms with MaxMind databases
• HTTP fallback - Works without MaxMind databases (though less performant)
• Smart caching - GeoIP cached for 30 days, VPN checks for 7 days

Developer-Friendly:

• Priority-based system - 14 security layers evaluated in order
• JavaScript challenge - Detect and block headless browsers
• Comprehensive logging - Debug mode with detailed request information
• Cache management UI - Built-in interface to view stats and clear cache
• Triple admin protection - Logged-in users, IP whitelist, admin area bypass

Real-World Results

On my e-commerce site (LQRS.com), WireWall has been running for several months with impressive results:

• 99.98% blocking rate - Nearly all malicious traffic blocked
• Zero false positives - Legitimate customers unaffected
• Significant reduction in AWS/cloud-based automated attacks
• Complete elimination of VPN/proxy fraud attempts

Installation

cd /site/modules/
git clone https://github.com/mxmsmnv/WireWall.git

Then in ProcessWire admin:

1. Modules → Refresh
2. Install WireWall
3. Configure your blocking rules
4. You're protected!

How It Works - Priority System

WireWall processes every request through 14 prioritised security layers:

1. Admin Area → ALLOW (ProcessWire admin always accessible)
2. IP Whitelist → ALLOW (manual whitelist bypass)
3. Rate Limiting → BLOCK (excessive requests)
4. IP Blacklist → BLOCK (permanent blocks)
5. JavaScript Challenge → CHALLENGE (suspicious requests)
6. VPN/Proxy/Tor → BLOCK (anonymous services)
7. Datacentre Detection → BLOCK (cloud hosting)
8. ASN Blocking → BLOCK (autonomous systems)
9. Global Rules → BLOCK (known patterns)
10. Country Blocking → BLOCK (country rules)
11. City Blocking → BLOCK (city rules)
12. Region Blocking → BLOCK (region rules)
13. Country-specific Rules → BLOCK (custom rules)
14. Default → ALLOW ✓

First match wins - once a rule triggers, evaluation stops.

MaxMind Integration

WireWall works best with MaxMind GeoLite2 databases (free):

• GeoLite2-Country.mmdb - Country detection
• GeoLite2-City.mmdb - City and region detection
• GeoLite2-ASN.mmdb - Network/ISP detection

Without MaxMind, it falls back to ip-api.com HTTP API (slower, with rate limits). City and region blocking require the MaxMind City database.

Download MaxMind databases from: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data

Technical Details

• ProcessWire: 3.0.200 or higher
• PHP: 8.1 or higher
• Optional: MaxMind GeoLite2 databases (Country, ASN, City)
• Optional: Composer (for MaxMind GeoIP2 library)

Why Another Firewall Module?

I needed something specifically for ProcessWire that:

1. Scales efficiently - File-based cache handles millions of IPs without database bloat
2. Provides granular control - City and region blocking isn't available in other solutions
3. Works offline - MaxMind databases work without external API calls
4. Integrates natively - Built specifically for ProcessWire's architecture
5. Stays free - Open source, no premium tiers or upsells

Other solutions like Wordfence (WordPress), Sucuri (paid service), and ModSecurity (server-level) either don't integrate well with ProcessWire or lack the geographic granularity needed for fraud prevention.

Resources

• GitHub Repository: https://github.com/mxmsmnv/WireWall
• Documentation: Full README with installation, configuration, and troubleshooting
• Landing Page: https://wirewall.org
• Licence: MIT (free for commercial use)

---

Quick Start TL;DR

# Install
cd site/modules && git clone https://github.com/mxmsmnv/WireWall.git

# Activate in ProcessWire admin
Modules → Install → WireWall

# Configure
- Enable module
- Set blocking rules (cities/regions/countries)
- Enable VPN detection
- Configure rate limiting
- Save

# Monitor
Setup → Logs → wirewall.txt

---

I'm happy to answer any questions! Has anyone else been working on security solutions for ProcessWire? I'd love to hear about your approaches and challenges.

Best regards, Maxim

[maximus]

Check out more on website - https://wirewall.org

[jacmaes]

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

[matjazp]

I also can't reach it as I'm browsing with javascript off.

[Tiberium]

1 hour ago, matjazp said:

I also can't reach it as I'm browsing with javascript off.

I assume because of the JavaScript challenge ^^.

@maximus Can specific block steps be switched off?

[Stefanowitsch]

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

[matjazp]

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

[maximus]

On 12/15/2025 at 4:37 AM, jacmaes said:

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

I don't think you need a disguise to view your website, but you can always add exceptions. Also this week, I updated the module to version 1.1.9, where, in addition to prohibitions, exception fields have been added: for search robots (user agent), ASN and IP.

On 12/15/2025 at 1:38 PM, matjazp said:

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

Thanks a lot, I've corrected it everywhere.

On 12/15/2025 at 6:05 AM, matjazp said:

I also can't reach it as I'm browsing with javascript off.

Yes, I see that access to the site is blocked when javascript is disabled. I'll think about how to solve it.

[maximus]

On 12/15/2025 at 11:41 AM, Stefanowitsch said:

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

Please try manually making changes to the module code in the relevant lines and, if possible, let us know whether it works or not.
 

Spoiler

 

[Stefanowitsch]

The custom AJAX endpoints that RockFrontend is using are basically PHP files located in:

/site/templates/ajax/

So the requests go to:

http://www.mysite.com/ajax/myEndpoint

To prevent these requests from being blocked I tweaked this piece of module code:

// WireWall.module.php line 1140

// Check if request URL contains /processwire/ or /admin/ or /ajax/
$requestUri = $_SERVER['REQUEST_URI'] ?? '';
  if (stripos($requestUri, '/processwire/') !== false || 
  stripos($requestUri, '/admin/') !== false ||
  stripos($requestUri, '/ajax/') !== false) {
  return true;
}

[maximus]

WireWall v1.3.2 – Advanced Traffic Firewall

Released: January 4, 2026
Stable release with major improvements in data persistence, IPv6 support, and configuration reliability.

What's New in v1.3.2

• Permanent data persistence
  GeoLite2 databases, Composer vendor folder, and composer files are now safely stored in /site/assets/WireWall/
  → No more data loss or reinstallation needed after module updates

• Automatic migration from older versions
  When upgrading from ≤1.2.0, old files from /site/modules/WireWall/ are automatically moved to the new location

• Full IPv6 CIDR support
  Complete IPv6 range matching for both blocking and whitelisting

• Enhanced exception system
  New configuration fields:
  • Custom Trusted AJAX Paths
  • Custom API Paths (bypass for ALL HTTP methods – GET/POST/PUT/DELETE/etc.)

• Robust checkbox handling
  All toggle options now reliably save as 0/1 (fixes old config issues after updates/reinstalls)

• Improved configuration interface
  New colorful "Setup Information" section with current paths, migration guide, and clear installation instructions

Recommended post-update steps

1. Go to Modules → WireWall → Configure
2. Verify GeoIP databases are located at:
   /site/assets/WireWall/geoip/GeoLite2-*.mmdb
3. If you have GeoLite2-City.mmdb → enable City & Subdivision blocking
4. Add any custom paths you need in:
   • Custom Trusted AJAX Paths
   • Custom API Paths

Requirements

• ProcessWire ≥ 3.0.200
• PHP ≥ 8.1
• Strongly recommended: MaxMind GeoLite2 databases (Country + ASN required, City optional for detailed logging)

Downloads

• WireWall.module.php
• Full module archive (zip)

Full documentation → README
Website → wirewall.org

Thanks to everyone testing and providing feedback!

Stay secure! 🛡️