Quick Start Guide



Firewall Installation

To install the firewall, open your WordPress admin dashboard and go to: WTB Firewall → Firewall

On this page, click the Install button. The plugin will automatically install and configure the firewall for your site.

After installation, the firewall may not start running immediately. On servers using PHP-FPM, it can take a few minutes before the firewall becomes active. The exact delay depends on your server configuration and how frequently PHP processes are restarted.

The firewall itself is installed as the file wtb_firewall_main.php inside your uploads/wtb-firewall directory.

You should never delete this file manually. If you need to remove the firewall, always do so from the plugin page using the uninstall option.



Proxy Configuration

If your WordPress site is behind a proxy server, CDN, or load balancer, you must configure proxy support for the firewall to work correctly. Without this, the firewall may detect the proxy’s IP instead of the visitor’s real IP, which can cause incorrect blocking, logging errors, or even lock you out of your own site.

To configure proxy support, go to your WordPress admin dashboard and open: WTB Firewall → Firewall

Scroll down to the Proxy Support section.

Here you need to configure two things:

First, enter the correct IP address (or IP range) of your proxy server. This tells the firewall which connections are coming from a trusted proxy instead of a normal visitor.

Second, select the correct header used by your proxy to forward the real visitor IP address. Different providers use different headers, such as X-Forwarded-For, CF-Connecting-IP, or others. You must choose the header your server actually sends.

If these settings are incorrect, the firewall may:

If you are unsure which values to use, check your hosting provider’s documentation or ask their support which proxy IPs and headers they use.

After saving your proxy settings, it is recommended to test access to your site from another browser or device to confirm that IP detection is working correctly before enabling strict blocking rules.
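The following Python sketch is an added example, not code from the plugin: it models how a firewall behind a proxy resolves the visitor IP from the two settings described above, and what it sees when either setting is wrong. The function name and all addresses are constructed for illustration, and how the plugin itself parses the header is an assumption.

```python
import ipaddress

def client_ip(remote_addr, headers, trusted_proxies, header_name):
    """Return the address a firewall should treat as the visitor.

    remote_addr     : peer address of the connection reaching the web server
    headers         : request headers as a dict
    trusted_proxies : CIDR strings for your proxy, CDN or load balancer
    header_name     : header that proxy uses to forward the visitor IP
    """
    peer = ipaddress.ip_address(remote_addr)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    if not trusted(peer):
        # Direct connection: anyone can send the header, so ignore it.
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get(header_name.lower(), "").split(",")]
    # X-Forwarded-For can hold a chain; only the right-most entries were
    # written by trusted proxies, so walk from the right.
    for hop in reversed([h for h in hops if h]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed value: fall back to the peer address
        if not trusted(ip):
            return str(ip)
    return str(peer)

# Constructed sample values (documentation address ranges).
PROXIES = ["203.0.113.0/24"]
XFF = {"X-Forwarded-For": "198.51.100.7"}

if __name__ == "__main__":
    print(client_ip("203.0.113.10", XFF, PROXIES, "X-Forwarded-For"))   # correct settings
    print(client_ip("203.0.113.10", XFF, PROXIES, "CF-Connecting-IP"))  # wrong header
    print(client_ip("203.0.113.10", XFF, [], "X-Forwarded-For"))        # no proxy range
    print(client_ip("192.0.2.50", XFF, PROXIES, "X-Forwarded-For"))     # header sent directly
```

With the wrong header or no proxy range, every request resolves to the proxy address, so one block on that address affects all visitors at once.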



IP Access Control Rules

To block or allow an IP address, go to your WordPress admin dashboard and open: WTB Firewall → Firewall Rules

On this page, you will find a form for creating new firewall rules.

You can choose to explicitly Block or Allow:

To create a rule:

  1. Select whether the rule should Block or Allow traffic.
  2. Enter the IP address or IP range.
  3. Save the rule.

Block rules will deny access to matching visitors before WordPress fully loads. Allow rules can be used to whitelist trusted IP addresses, such as your own office or home connection.

When using IP ranges, make sure you understand the scope of the range you are entering. Blocking a large range may unintentionally affect legitimate visitors.

After saving a rule, it becomes active immediately. If you are blocking IP addresses manually, always double-check that you are not blocking your own current IP address.

For safety, it is recommended to create an allow rule for your own IP address before adding strict block rules.
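A pre-flight check for block rules, as an added Python example that is not part of the plugin: it reports how many addresses each proposed rule covers and whether it touches your own IP or an existing allow rule. It assumes rules are written as single IPs or CIDR ranges; the function name, the `wide` threshold and the sample rules are constructed, and how the plugin orders block and allow rules is not covered here.

```python
import ipaddress

def review_block_rules(block_rules, allow_rules, my_ip, wide=65536):
    """Describe what each proposed block rule would cover.

    Rules are single IPs or CIDR ranges (assumed syntax). `wide` is an
    arbitrary threshold above which a range is flagged for a second look.
    """
    me = ipaddress.ip_address(my_ip)
    allows = [ipaddress.ip_network(r, strict=False) for r in allow_rules]
    findings = []
    for rule in block_rules:
        net = ipaddress.ip_network(rule, strict=False)
        notes = []
        if "/" in rule and str(net) != rule:
            # e.g. 198.51.100.77/24 really means the whole 198.51.100.0/24
            notes.append("host bits ignored: covers " + str(net))
        if net.num_addresses > wide:
            notes.append("wide range")
        if me in net:
            notes.append("contains your own IP")
        for allow in allows:
            if allow.version == net.version and allow.overlaps(net):
                notes.append("overlaps allow rule " + str(allow))
        findings.append({"rule": rule, "addresses": net.num_addresses,
                         "notes": notes})
    return findings

# Constructed sample rules (documentation and private address ranges).
SAMPLE_BLOCKS = ["198.51.100.77/24", "192.0.2.9", "10.0.0.0/8"]
SAMPLE_ALLOWS = ["198.51.100.77"]

if __name__ == "__main__":
    for f in review_block_rules(SAMPLE_BLOCKS, SAMPLE_ALLOWS, "198.51.100.77"):
        print(f["rule"], f["addresses"], "; ".join(f["notes"]) or "ok")
```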



Country-Based Access Control

To block or allow visitors based on their country, go to your WordPress admin dashboard and open: WTB Firewall → Country Rules

On this page, you can create rules that apply to all connections from a specific country.

To add a rule:

  1. Select a country from the dropdown menu.
  2. Choose whether you want to Block or Allow connections from that country.
  3. Save the rule.

Country detection is based on IP geolocation. While this is generally accurate, it is not perfect, and some visitors may appear to come from a different country if they use VPNs, mobile networks, or corporate proxies.

After saving a country rule, it becomes active immediately.



Automatic Brute-Force Protection

The firewall can automatically block IP addresses that repeatedly fail authentication, helping protect your site from brute-force login attacks.

To configure this feature, go to your WordPress admin dashboard and open: WTB Firewall → Automatic Protection

On this page, you will find a form where you can enable automatic blocking for failed authentication attempts.

You can configure:

Be careful not to set these values too strictly. If the limits are too low or the time window too long, legitimate users, including yourself, may be blocked accidentally if they mistype their password or have trouble logging in.

After saving your settings, the protection becomes active immediately. It is recommended to test the login process once to confirm everything behaves as expected and that you are not blocking yourself or other legitimate users.
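To see how the limit and the time window interact, the following added Python example (a general sliding-window model, not the plugin's own logic) replays a constructed login log under two settings. The parameter names `max_failures` and `window_seconds`, and the choice not to reset the count on a successful login, are assumptions made for the illustration.

```python
from collections import defaultdict, deque

def blocked_ips(events, max_failures, window_seconds):
    """Return {ip: time_blocked} for a sliding-window failed-login limit.

    events is an iterable of (unix_time, ip, login_ok). An IP is blocked once
    it has max_failures failed logins inside any window_seconds span. A
    successful login does not reset the count in this model.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for ts, ip, login_ok in sorted(events):
        if login_ok or ip in blocked:
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] >= window_seconds:
            failures.popleft()    # drop failures that aged out of the window
        if len(failures) >= max_failures:
            blocked[ip] = ts
    return blocked

# Constructed log: a password-guessing client and a user who mistypes.
GUESSER, USER = "192.0.2.66", "198.51.100.7"
EVENTS = [(t, GUESSER, False) for t in range(0, 40, 2)] + [
    (100, USER, False), (130, USER, False), (1900, USER, False),
    (1910, USER, True),
]

if __name__ == "__main__":
    print(blocked_ips(EVENTS, max_failures=3, window_seconds=3600))
    print(blocked_ips(EVENTS, max_failures=5, window_seconds=300))
```

In this log, 3 failures per hour blocks both the guessing client and the user who mistyped three times over half an hour, while 5 failures per 5 minutes still stops the guessing client within seconds and leaves the user alone.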



If You Get Locked Out of Your Site

If the firewall blocks your access to the WordPress admin area, you can disable it quickly and regain access.

Step 1 — Disable the Firewall Configuration

  1. Connect to your site using FTP, SFTP, or your hosting file manager.
  2. Open the folder: /wp-content/uploads/wtb-firewall
  3. Locate the file: wtb_firewall_config.php
  4. Delete the file wtb_firewall_config.php.

Deleting this file immediately disables the firewall and should restore normal access to your site.

Step 2 — Log Back Into WordPress

  1. Open your WordPress login page.
  2. Log in normally.
  3. Your access should now be restored.

Step 3 — Uninstall the Firewall From Inside the Plugin

  1. In your WordPress dashboard, go to WTB Firewall → Firewall.
  2. Click the Uninstall Firewall button.

This removes the firewall configuration and disables all active firewall rules, while keeping the plugin installed.

Step 4 — Review What Caused the Lockout

Before enabling the firewall again, review your settings and rules, especially:

After reviewing and adjusting your rules/settings, you can reinstall and enable the firewall again from the same page.