NinjaFirewall

It allows PHP developers to protect their PHP website against various attacks it may be under.

Even if it can work as a stand-alone, NinjaFirewall is also compatible with most common CMSs and e-commerce platforms, like Drupal, Joomla, WordPress, Virtuemart, osCommerce, X-Cart and PrestaShop.

What is new in this release:

• The firewall will no longer sanitise user input when running in "Debugging Mode", but will only write the event to its log.
• Fixed PHP warning on systems that do not support exclusive locks.
• Loosened Base64 decoder rules to reduce the risk of false-positives.
• Updated security rules.
• [Pro+ edition] Updated IPv4/IPv6 GeoIP databases.

What is new in version 2.1 / 1.4.1-WP:

• The Live Log "Refresh Rate" and "Autoscrolling" options will be remembered when changed.
• Live Log will now use the timezone defined in the "Account > Options > Regional Settings" menu.
• The firewall will always ensure that "REMOTE_ADDR" contains only one IP or will remove any extra IP.
• Updated IPv4/IPv6 GeoIP databases.
• It is possible to set the Strict-Transport-Security (HSTS) header if the client has the `HTTP_X_FORWARDED_PROTO` set to 'https' (Firewall Policies > HTTP response headers).
• "File Guard" email alert will contain the date/time the file was last changed, rather than the date/time the detection occurred.
• Minor fixes and improvements.

What is new in version 2.0.6 / 1.3.7-WP:

• Updated security rules.
• Added an option to select HHVM (HipHop Virtual Machine) during the installation process. See our blog about installing NinjaFirewall on HHVM (http://nin.link/hhvm).
• If the 'auto_prepend_file' PHP directive is already in use, the installer will not stop but will attempt to override it instead.
• [Pro+ edition] Added an option to exclude a folder from being monitored by File Guard (see "Firewall > File Guard" menu).
• [Pro+ edition] On new installations, File Guard will be enabled by default.
• [Pro+ edition] Added an option to whitelist the administrator (see "Firewall > Access Control > Administrator" and its contextual help).
• [Pro+ edition] Updated IPv4/IPv6 GeoIP databases.

What is new in version 2.0:

• Improved performance: NinjaFirewall no longer uses MySQL, but plain text files to stores its configuration into the "conf/" folder.
• [Pro+ edition] Added "Access Control".
• [Pro+ edition] Added "Web Filter".
• [Pro+ edition] Added "File Guard".
• Changed "Firewall Policies" to better suit most sites; new features were added and deprecated ones were removed.
• Added possibility to edit the message to display to blocked users (see "Firewall > Options").
• Added options to disable, delete, rotate the firewall log and checkboxes for easy filtering (see "Firewall > Log").
• Added one-click updater: files and rules can be updated from the admin console (see "Account > Updates").
• Added contextual help: click on the Help link located in the upper right hand corner of each page to get help.
• Added "Regional Settings" with timezone and English/French language packs (see "Account > Options" menu).
• Added a new and intuitive installer.
• Added full IPv6 compatibility.
• Added ".htninja" optional configuration file to let users prepend

What is new in version 1.3.0:

• Updated and tweaked security rules.
• Fixed multiple file upload error.
• Added C source code to file upload restrictions (Pro edition).
• Fixed several small UI issues (fonts, textarea, white background etc).
• Monthly logs will not appear in the "Summary > Statistics" drop-down list if they are empty.

What is new in version 1.2.2:

• Updated firewall rules.
• Added an option to decode and scan BASE64-encoded values in POST requests (menu 'Firewall > Policies > Advanced Options').
• Fixed a bug where an extended ASCII code could make the log unreadable from the admin console.

What is new in version 1.2.1:

• Security rules updated.
• Added a 'Firewall > Rules Editor' menu to enable/disable built-in rules individually.

What is new in version 1.2.0:

• Switched to MySQLi extension.
• Changed log format and display.
• Rewritten and improved sanitising functions.
• Reduced number of SQL queries.

What is new in version 1.1.0:

• Better XSS detection (UTF-7 encoding, BBcode etc).
• Improved processing speed.
• Security ruleset update.
• Fixed an issue where IP:port in Host header was not detected.
• Stats page wasn't showing the right number.

What is new in version 1.0.9:

• Security ruleset update.
• Fixed incorrect DOCUMENT_ROOT variable on some servers.

What is new in version 1.0.8:

• Added stats from previous months in the 'Statistics' page.
• Timezone can be set up in the 'Account/Options' menu.
• Security ruleset update.
• Added 'hooked PHP script' to the debug console.
• Added isset($log_db_err) to the firewall to prevent potential PHP warning message.
• Increased line-height value in CSS. Buttons looked too small when using either Chrome or Safari browsers.
• HTTP return code writes '200 OK' to log when sanitizing a value instead of a wrong '403 Forbidden' message.

Requirements:

• PHP 5.3 or higher
• MySQL 5 or higher
• .htaccess and php.ini access