WireWall - Advanced Security Firewall Module

[maximus]

Hello ! 👋

I'm excited to share WireWall, a comprehensive security firewall module I've been developing for ProcessWire. After months of real-world testing on production sites (including blocking 99.98% of malicious traffic on my e-commerce platform), I'm ready to release it to the community.

What is WireWall?

WireWall is a ProcessWire-native security module that provides enterprise-grade protection with granular geographic and network-level blocking. Unlike traditional firewalls that only block by country, WireWall lets you block by city, region (state/province), VPN/Proxy/Tor, ASN, and more.

Key Features

Geographic Blocking:

• City-level blocking - Block specific cities worldwide (e.g., "Philadelphia", "Beijing", "Tokyo")
• Region blocking - Block entire states/provinces (e.g., "Pennsylvania", "California", "Tokyo Prefecture")
• Country blocking - Traditional country-level controls with whitelist/blacklist modes

Network Protection:

• VPN/Proxy/Tor detection - Multi-API detection system with intelligent fallback
• Datacentre detection - Block AWS, Google Cloud, DigitalOcean, and other hosting providers
• ASN blocking - Block entire autonomous systems by ASN number
• Rate limiting - Per-IP rate limits with automatic temporary bans
• AI bot blocking - Automatically block GPTBot, ClaudeBot, and other AI scrapers

Performance & Scalability:

• File-based cache - Scales to 1M+ IPs with zero database overhead
• Lightning-fast lookups - 0.5-2ms with MaxMind databases
• HTTP fallback - Works without MaxMind databases (though less performant)
• Smart caching - GeoIP cached for 30 days, VPN checks for 7 days

Developer-Friendly:

• Priority-based system - 14 security layers evaluated in order
• JavaScript challenge - Detect and block headless browsers
• Comprehensive logging - Debug mode with detailed request information
• Cache management UI - Built-in interface to view stats and clear cache
• Triple admin protection - Logged-in users, IP whitelist, admin area bypass

Real-World Results

On my e-commerce site (LQRS.com), WireWall has been running for several months with impressive results:

• 99.98% blocking rate - Nearly all malicious traffic blocked
• Zero false positives - Legitimate customers unaffected
• Significant reduction in AWS/cloud-based automated attacks
• Complete elimination of VPN/proxy fraud attempts

Installation

cd /site/modules/
git clone https://github.com/mxmsmnv/WireWall.git

Then in ProcessWire admin:

1. Modules → Refresh
2. Install WireWall
3. Configure your blocking rules
4. You're protected!

How It Works - Priority System

WireWall processes every request through 14 prioritised security layers:

1. Admin Area → ALLOW (ProcessWire admin always accessible)
2. IP Whitelist → ALLOW (manual whitelist bypass)
3. Rate Limiting → BLOCK (excessive requests)
4. IP Blacklist → BLOCK (permanent blocks)
5. JavaScript Challenge → CHALLENGE (suspicious requests)
6. VPN/Proxy/Tor → BLOCK (anonymous services)
7. Datacentre Detection → BLOCK (cloud hosting)
8. ASN Blocking → BLOCK (autonomous systems)
9. Global Rules → BLOCK (known patterns)
10. Country Blocking → BLOCK (country rules)
11. City Blocking → BLOCK (city rules)
12. Region Blocking → BLOCK (region rules)
13. Country-specific Rules → BLOCK (custom rules)
14. Default → ALLOW ✓

First match wins - once a rule triggers, evaluation stops.

MaxMind Integration

WireWall works best with MaxMind GeoLite2 databases (free):

• GeoLite2-Country.mmdb - Country detection
• GeoLite2-City.mmdb - City and region detection
• GeoLite2-ASN.mmdb - Network/ISP detection

Without MaxMind, it falls back to ip-api.com HTTP API (slower, with rate limits). City and region blocking require the MaxMind City database.

Download MaxMind databases from: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data

Technical Details

• ProcessWire: 3.0.200 or higher
• PHP: 8.1 or higher
• Optional: MaxMind GeoLite2 databases (Country, ASN, City)
• Optional: Composer (for MaxMind GeoIP2 library)

Why Another Firewall Module?

I needed something specifically for ProcessWire that:

1. Scales efficiently - File-based cache handles millions of IPs without database bloat
2. Provides granular control - City and region blocking isn't available in other solutions
3. Works offline - MaxMind databases work without external API calls
4. Integrates natively - Built specifically for ProcessWire's architecture
5. Stays free - Open source, no premium tiers or upsells

Other solutions like Wordfence (WordPress), Sucuri (paid service), and ModSecurity (server-level) either don't integrate well with ProcessWire or lack the geographic granularity needed for fraud prevention.

Resources

• GitHub Repository: https://github.com/mxmsmnv/WireWall
• Documentation: Full README with installation, configuration, and troubleshooting
• Landing Page: https://wirewall.org
• Licence: MIT (free for commercial use)

---

Quick Start TL;DR

# Install
cd site/modules && git clone https://github.com/mxmsmnv/WireWall.git

# Activate in ProcessWire admin
Modules → Install → WireWall

# Configure
- Enable module
- Set blocking rules (cities/regions/countries)
- Enable VPN detection
- Configure rate limiting
- Save

# Monitor
Setup → Logs → wirewall.txt

---

I'm happy to answer any questions! Has anyone else been working on security solutions for ProcessWire? I'd love to hear about your approaches and challenges.

Best regards, Maxim

[maximus]

Check out more on website - https://wirewall.org

[jacmaes]

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

[matjazp]

I also can't reach it as I'm browsing with javascript off.

[Tiberium]

1 hour ago, matjazp said:

I also can't reach it as I'm browsing with javascript off.

I assume because of the JavaScript challenge ^^.

@maximus Can specific block steps be switched off?

[Stefanowitsch]

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

[matjazp]

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

[maximus]

On 12/15/2025 at 4:37 AM, jacmaes said:

Hi @maximus. Quick question: I use adguard on my iPhone, which basically acts as a VPN to block ads in apps and in Safari. When I visit wirewall.org, I'm blocked. Isn't it a bit too aggressive? I'm not a threat, I just want to browse ad-free 😀

I don't think you need a disguise to view your website, but you can always add exceptions. Also this week, I updated the module to version 1.1.9, where, in addition to prohibitions, exception fields have been added: for search robots (user agent), ASN and IP.

On 12/15/2025 at 1:38 PM, matjazp said:

@maximus, a minor inconsistency. In your post:

• ProcessWire Version: 3.0+
• PHP Version: 7.4+ (8.0+ recommended)

But in the module:

'requires' => 'ProcessWire>=3.0.200,PHP>=8.1',

Thanks a lot, I've corrected it everywhere.

On 12/15/2025 at 6:05 AM, matjazp said:

I also can't reach it as I'm browsing with javascript off.

Yes, I see that access to the site is blocked when javascript is disabled. I'll think about how to solve it.

[maximus]

On 12/15/2025 at 11:41 AM, Stefanowitsch said:

@maximus i really would like to give this module a try! I am having slight problems with spam bot form submissions from time to time.

But: I am using custom ajax endpoints via the RockFrontend Module: https://www.baumrock.com/en/processwire/modules/rockfrontend/docs/ajax/

Although I enabled the "Allow AJAX from trusted module" checkbox in the module settings, the ajax requests are getting blocked (status 403) when WireWall is active.

Is there a way to add "trusted modules" manually?

Please try manually making changes to the module code in the relevant lines and, if possible, let us know whether it works or not.
 

Spoiler

 

[Stefanowitsch]

The custom AJAX endpoints that RockFrontend is using are basically PHP files located in:

/site/templates/ajax/

So the requests go to:

http://www.mysite.com/ajax/myEndpoint

To prevent these requests from being blocked I tweaked this piece of module code:

// WireWall.module.php line 1140

// Check if request URL contains /processwire/ or /admin/ or /ajax/
$requestUri = $_SERVER['REQUEST_URI'] ?? '';
  if (stripos($requestUri, '/processwire/') !== false || 
  stripos($requestUri, '/admin/') !== false ||
  stripos($requestUri, '/ajax/') !== false) {
  return true;
}

[maximus]

WireWall v1.3.2 – Advanced Traffic Firewall

Released: January 4, 2026
Stable release with major improvements in data persistence, IPv6 support, and configuration reliability.

What's New in v1.3.2

• Permanent data persistence
  GeoLite2 databases, Composer vendor folder, and composer files are now safely stored in /site/assets/WireWall/
  → No more data loss or reinstallation needed after module updates

• Automatic migration from older versions
  When upgrading from ≤1.2.0, old files from /site/modules/WireWall/ are automatically moved to the new location

• Full IPv6 CIDR support
  Complete IPv6 range matching for both blocking and whitelisting

• Enhanced exception system
  New configuration fields:
  • Custom Trusted AJAX Paths
  • Custom API Paths (bypass for ALL HTTP methods – GET/POST/PUT/DELETE/etc.)

• Robust checkbox handling
  All toggle options now reliably save as 0/1 (fixes old config issues after updates/reinstalls)

• Improved configuration interface
  New colorful "Setup Information" section with current paths, migration guide, and clear installation instructions

Recommended post-update steps

1. Go to Modules → WireWall → Configure
2. Verify GeoIP databases are located at:
   /site/assets/WireWall/geoip/GeoLite2-*.mmdb
3. If you have GeoLite2-City.mmdb → enable City & Subdivision blocking
4. Add any custom paths you need in:
   • Custom Trusted AJAX Paths
   • Custom API Paths

Requirements

• ProcessWire ≥ 3.0.200
• PHP ≥ 8.1
• Strongly recommended: MaxMind GeoLite2 databases (Country + ASN required, City optional for detailed logging)

Downloads

• WireWall.module.php
• Full module archive (zip)

Full documentation → README
Website → wirewall.org

Thanks to everyone testing and providing feedback!

Stay secure! 🛡️

[adrian]

Big thanks for this @maximus

A couple of feature suggestions if I may :)

1. Could you change the "Return 404 silently (stealth mode)" option to really be a stealth 404 error because at the moment it still returns the styled black Wirewall page with all its branding - it's just a change to the wording.
2. Any chance of an option to disable the AJAX protection completely?

And a confusion - I am logged into my admin, but in the same browser window I have still managed to trigger the rate limit (intentionally), but your docs state "First, all logged-in ProcessWire users are automatically whitelisted." but I am blocked and actually don't seem to be able to remove the block even after deleting the files in /assets/cache/WireWall - what am I missing?

[adrian]

Even after 60 mins I still can't get in and now even my backend admin is blocked. I ended up having to remove the module folder to get access again. What am I doing wrong?

[maximus]

8 minutes ago, adrian said:

Even after 60 mins I still can't get in and now even my backend admin is blocked. I ended up having to remove the module folder to get access again. What am I doing wrong?

Quick question: you are use Firefox?

[adrian]

Just now, maximus said:

Quick question: you are use Firefox?

Brave

[maximus]

Hint (temporary solution), open Chrome browser or Safari, add keywords: Brave and Firefox to Allowed User-Agents (Bots Whitelist) section

[adrian]

Thanks for the suggestion, but after deleting the module files and reinstalling them, I have access again for now.

But still having issues with the ban duration. I set it to 2 minutes but I am still blocked out (this time just on the frontend). Note that I am logged in, but my admin is not at /processwire or /admin (in case that has any impact on the previous issue where I was actually locked out of the backend).

[adrian]

Interestingly if I try to open the frontend in Chrome, Firefox, or Zen now, it's still blocked, but it opens in Safari.

[maximus]

8 hours ago, adrian said:

Interestingly if I try to open the frontend in Chrome, Firefox, or Zen now, it's still blocked, but it opens in Safari.

Ok, I will try. 

[adrian]

Just an FYI that I'm still blocked again this many hours later.