NinjaFirewall Full WAF vs WordPress WAF mode.

Revision: July 29, 2021

Since version 3.4, NinjaFirewall (WP and WP+) can be installed in two different modes: Full WAF or WordPress WAF.

Full WAF mode

In Full WAF mode, NinjaFirewall will hook, scan, reject or sanitise any HTTP and HTTPS request sent to a PHP script before it reaches WordPress, its plugins or even the database. All scripts located inside the blog installation directories and sub-directories will be protected, including those that aren’t part of the WordPress package. Even encoded PHP scripts (e.g., ionCube), potential backdoors and shell scripts (e.g., c99, r57) will be filtered by NinjaFirewall.
That makes it a true firewall and gives you the highest possible level of protection: security without compromise.
To run NinjaFirewall in Full WAF mode, your server must allow the use of the auto_prepend_file PHP directive. It is required to instruct the PHP interpreter to load the firewall before WordPress or any other script. Most of the time it works right out of the box, or requires only a few minor tweaks. But in a few cases, mostly because of restrictions on some shared hosting plans, it may simply not work at all.
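A way to check how auto_prepend_file is set for a site directory, as an added example that is not NinjaFirewall's own code. It assumes the directive lives in a per-directory .user.ini or an Apache mod_php .htaccess and uses absolute paths; the firewall file name is a constructed placeholder.

```python
import re
import tempfile
from pathlib import Path

# .user.ini / php.ini syntax:   auto_prepend_file = /path/to/file.php
INI_RE = re.compile(r'^\s*auto_prepend_file\s*=\s*"?([^";\r\n]*?)"?\s*(?:;.*)?$', re.I)
# Apache mod_php .htaccess:     php_value auto_prepend_file "/path/to/file.php"
HTA_RE = re.compile(r'^\s*php_value\s+auto_prepend_file\s+"?([^"\r\n]*?)"?\s*$', re.I)

def find_prepend(docroot):
    """Return (config file, target) for each auto_prepend_file line in docroot."""
    found = []
    for name, pattern in ((".user.ini", INI_RE), (".htaccess", HTA_RE)):
        cfg = Path(docroot) / name
        if not cfg.is_file():
            continue
        for line in cfg.read_text(errors="replace").splitlines():
            m = pattern.match(line)  # commented-out lines (; or #) never match
            if m:
                found.append((name, m.group(1).strip()))
    return found

def audit(docroot):
    """'none': nothing prepended; 'active': target exists; 'dangling': it does not."""
    # An empty value or the special value "none" disables prepending.
    targets = [t for _, t in find_prepend(docroot) if t and t.lower() != "none"]
    if not targets:
        return "none"
    return "active" if all(Path(t).is_file() for t in targets) else "dangling"

def demo():
    """Run the audit over a constructed docroot in four states."""
    with tempfile.TemporaryDirectory() as root:
        fw = Path(root) / "firewall-placeholder.php"   # constructed file name
        ini = Path(root) / ".user.ini"
        results = [audit(root)]                        # no config at all
        fw.write_text("<?php // placeholder\n")
        ini.write_text(f'; constructed sample\nauto_prepend_file = "{fw}"\n')
        results.append(audit(root))                    # directive + file present
        fw.unlink()
        results.append(audit(root))                    # directive left behind
        ini.write_text(";auto_prepend_file = /old\nauto_prepend_file = none\n")
        results.append(audit(root))                    # explicitly disabled
    return results

if __name__ == "__main__":
    print(demo())
```

A "dangling" result is worth fixing promptly: PHP loads the prepended file as if by require, so a directive that points at a missing file makes every PHP request in that directory fail.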

WordPress WAF mode

The WordPress WAF mode is easy to set up, and the installation will always be successful, regardless of your hosting plan restrictions. The downside of this mode is that NinjaFirewall will be able to hook and filter HTTP requests sent to WordPress only. A few features such as “File Guard”, the URL Access Control and “Web Filter” (WP+ Edition only) will be limited.
Despite being less powerful than the Full WAF mode, it still offers a level of protection and performance higher than any other security plugin.

Switching from one mode to the other

To upgrade to Full WAF mode, simply click on the “Activate Full WAF mode” button in the “NinjaFirewall > Dashboard” page.

If you want to downgrade from Full WAF to WordPress WAF mode, click the “Configure” button in the “NinjaFirewall > Dashboard” page.

Then, click the “Downgrade” button in the pop-up box.

If you are using the LiteSpeed HTTP server, you will need to manually remove the auto_prepend_file directive that you added in your LiteSpeed admin dashboard.