FlyWP includes four server-level filters that inspect every incoming request before it reaches WordPress: the 8G and 7G firewalls, Bad Bot Protection, and Bad Referrer Protection. This guide explains what each one does, how they decide what to block, and which real-world services — Google, curl, SEO tools, AI crawlers — are affected when you turn them on.
Where to find these: All four toggles live under Site → Security in the FlyWP dashboard. They run at the Nginx level, so a blocked request is rejected before PHP, MySQL, or your plugins ever load; rejection costs almost nothing and legitimate page loads are unaffected.
Firewall and Bot Protection are available on Nginx sites only, not OpenLiteSpeed.
Overview
Each filter targets a different kind of unwanted traffic. They are independent (you can enable any combination) and largely complementary, though the two firewalls overlap heavily with each other, as explained under 8G Firewall.
| Filter | Target Type | Primary Function |
|---|---|---|
| 8G Firewall | Firewall | Pattern-matches requests for injection, traversal, and exploit signatures. The newest, broadest rule set. |
| 7G Firewall | Firewall | The previous-generation rule set. Smaller and slightly looser than 8G, kept for compatibility. |
| Bad Bot Protection | User-Agent | Blocks known scrapers, scanners, spam bots, and aggressive crawlers by their User-Agent string. |
| Bad Referrer Protection | Referrer | Blocks traffic arriving from known spam, malware, and referrer-spam domains. |
On this page
- How the filters work
- 8G Firewall
- 7G Firewall
- Bad Bot Protection
- Bad Referrer Protection
- What services might be blocked
- Allowed by default
- Blocked by default
- AI & LLM crawlers
- Handling false positives
- Which protections to enable
How the filters work
All four filters work the same way: they compare parts of an incoming HTTP request against a list of patterns. If a request matches, Nginx rejects it immediately with a 403 Forbidden (the bot filter may close the connection outright). The request never reaches WordPress, so no PHP runs and nothing appears in WordPress-side logs; the rejection is recorded only in the Nginx access log. That is why these filters are extremely lightweight.
Each filter inspects a different part of the request:
| Filter | Inspects | Looks for |
|---|---|---|
| 8G / 7G Firewall | Query string, URL path, User-Agent, referrer, request method, and (8G only) cookies | Attack signatures — SQL injection, XSS, directory traversal, file-inclusion, shell uploads, sensitive-file probes |
| Bad Bot Protection | User-Agent header | Names of known bad bots, scrapers, scanners, and crawlers |
| Bad Referrer Protection | Referer header | Domains of known spam and malicious sites |
Important: Because matching is based on patterns and substrings, a small number of legitimate requests can occasionally match a rule. This is called a false positive. See Handling false positives for how to identify and fix them safely without disabling a whole layer.
8G Firewall
By Perishable Press · next-generation rule set
Highly recommended
The 8G Firewall is the latest evolution of the long-running nG firewall series. It inspects the whole request — query string, path, User-Agent, referrer, cookies, and HTTP method — and blocks anything that matches a known malicious pattern.
What it blocks:
- SQL injection — patterns like union…select, order by 1--, concat(, cast(0x…, or 1=1.
- Cross-site scripting (XSS) — encoded <script>, <iframe>, <object>, and javascript: payloads.
- Directory traversal & file disclosure — ../ sequences, etc/passwd, boot.ini, self/environ, null bytes (%00).
- Remote/local file inclusion — php://, base64_decode, allow_url_fopen, auto_prepend_file.
- Shell & backdoor probes — requests for c99shell, wso.php, adminer.php, eval(, shell_exec, passthru.
- Sensitive files — direct requests for .env, .git, wp-config.php, .htaccess, .sql, .bak, and backup archives.
- Disallowed methods — CONNECT, DEBUG, MOVE, TRACE, TRACK.
8G builds on 7G with a wider rule set — including a cookie filter and a larger list of shell/exploit signatures and blocked file extensions — while tuning for fewer false positives.
Recommendation: Enable 8G for the strongest protection. If you run both 8G and 7G together you gain little extra coverage and slightly raise the chance of a false positive, so 8G alone is the usual choice.
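To make the matching described under "How the filters work" and in the 8G category list concrete, here is a small Python model of the four filters. It is added to this page as an illustration; it is not FlyWP's Nginx configuration or the Perishable Press rule set. The regexes and the bot and referrer lists are abbreviated stand-ins built from the categories named above, the sample requests are constructed for the example, and the evaluation order (firewall, then bot, then referrer) and the User-Agent allowlist parameter are this example's assumptions. The last sample shows the false-positive case covered later on the page: a site search for ordinary words that happen to line up with a SQL-injection pattern.

```python
# Simplified model of the four request filters on this page. The patterns and
# lists are short stand-ins written for this example; they are NOT the real
# 8G/7G, bad-bot or bad-referrer rule sets, which are far larger.
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus, urlsplit


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    user_agent: str = ""
    referer: str = ""


# Firewall (8G/7G-style): one illustrative regex per category listed on the page.
QUERY_RULES = [
    ("sqli", re.compile(r"union\s+.*select|order\s+by\s+\d|concat\(|cast\(0x|\bor\s+1=1", re.I)),
    ("xss", re.compile(r"<(?:script|iframe|object)|javascript:", re.I)),
    ("traversal", re.compile(r"\.\./|etc/passwd|boot\.ini|self/environ|\x00", re.I)),
    ("file-inclusion", re.compile(r"php://|base64_decode|allow_url_fopen|auto_prepend_file", re.I)),
]
PATH_RULES = [
    ("shell-probe", re.compile(r"c99shell|wso\.php|adminer\.php", re.I)),
    ("sensitive-file", re.compile(
        r"(?:^|/)\.(?:env|git|htaccess)(?:/|$)|wp-config\.php|\.(?:sql|bak|zip|tar\.gz)$", re.I)),
]
BLOCKED_METHODS = {"CONNECT", "DEBUG", "MOVE", "TRACE", "TRACK"}

# Bad Bot Protection: case-insensitive substring match on the User-Agent.
# "curl/" is included because the page states the default curl agent is rejected.
BAD_BOT_SUBSTRINGS = (
    "httrack", "webcopier", "sitesnagger", "nikto", "nmap", "wpscan", "acunetix",
    "masscan", "nuclei", "sqlmap", "ahrefsbot", "semrushbot", "mj12bot", "dotbot",
    "gptbot", "claudebot", "ccbot", "bytespider", "curl/",
)
# Bad Referrer Protection: the domains the page names.
BAD_REFERRER_DOMAINS = ("semalt.com", "buttons-for-website.com", "darodar.com")


def firewall_verdict(req):
    """Rule category matched by method, path, or decoded query string, else None."""
    if req.method.upper() in BLOCKED_METHODS:
        return "method"
    for name, rx in PATH_RULES:
        if rx.search(req.path):
            return name
    decoded = unquote_plus(req.query)  # so ..%2F and '+' separators are visible to the rules
    for name, rx in QUERY_RULES:
        if rx.search(decoded):
            return name
    return None


def bot_verdict(req, ua_allowlist=()):
    """Blocklist entry matched by the User-Agent, else None. ua_allowlist holds
    lower-case substrings of agents you deliberately allow (assumption: the
    allowlist exempts only this filter, never the firewall rules)."""
    ua = req.user_agent.strip().lower()
    if any(ok in ua for ok in ua_allowlist):
        return None
    if len(ua) < 2:  # empty or single-character agent
        return "malformed-ua"
    return next((bad for bad in BAD_BOT_SUBSTRINGS if bad in ua), None)


def referrer_verdict(req):
    """Blocklisted domain the Referer points at (subdomains included), else None."""
    host = (urlsplit(req.referer).hostname or "").lower()
    for domain in BAD_REFERRER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def inspect(req, ua_allowlist=()):
    """Run the filters in turn (the order is this example's choice). Returns
    (403, reason) on a match, or (200, None) if the request reaches WordPress."""
    reason = firewall_verdict(req)
    if reason:
        return 403, "firewall:" + reason
    reason = bot_verdict(req, ua_allowlist)
    if reason:
        return 403, "bad-bot:" + reason
    reason = referrer_verdict(req)
    if reason:
        return 403, "bad-referrer:" + reason
    return 200, None


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
SAMPLES = {  # constructed requests for this example
    "woo sort": Request("GET", "/shop/", "orderby=price&order=asc", BROWSER),
    "sqli": Request("GET", "/index.php", "id=1+union+select+1,2,3", BROWSER),
    "wp-config": Request("GET", "/wp-config.php", "", BROWSER),
    "traversal": Request("GET", "/", "file=..%2F..%2Fetc%2Fpasswd", BROWSER),
    "trace": Request("TRACE", "/", "", BROWSER),
    "curl default": Request("GET", "/feed/", "", "curl/8.5.0"),
    "curl custom": Request("GET", "/feed/", "", "mycompany-healthcheck/1.0"),
    "empty ua": Request("GET", "/", "", ""),
    "ahrefs": Request("GET", "/", "", "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"),
    "spam referrer": Request("GET", "/", "", BROWSER, "http://semalt.com/"),
    "false positive": Request("GET", "/", "s=best+union+jobs+to+select", BROWSER),
}


def run_samples(ua_allowlist=()):
    return {name: inspect(req, ua_allowlist) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, reason) in run_samples().items():
        print(f"{status} {name:15} {reason or ''}")
    print("ahrefs with 'ahrefsbot' allowlisted:", run_samples(("ahrefsbot",))["ahrefs"])
```

Two things worth noticing in the output: "orderby=price" passes because the SQL rule needs the two words "order by" followed by a digit, whereas "best union jobs to select" is rejected because a human search happens to contain "union ... select"; and allowlisting AhrefsBot exempts it only from the User-Agent check, so an allowlisted agent sending an attack string is still rejected by the firewall rules.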
7G Firewall
By Perishable Press · previous-generation rule set
Optional
The 7G Firewall is the predecessor to 8G and uses the same approach with a smaller, slightly older rule set. It protects against the same broad categories — SQL injection, XSS, traversal, file inclusion, bad bots, and spam — across all HTTP methods.
7G inspects the query string, request URI, User-Agent, and referrer, but unlike 8G it does not include a cookie filter and has a shorter list of shell-probe and file-extension rules.
When to use 7G instead of 8G: If you have a site or plugin that conflicts with an 8G rule and you’d rather run the lighter rule set while a fix is found, 7G is a reasonable middle ground. For most sites, 8G is the better default.
Bad Bot Protection
User-Agent blocklist · based on nginx-ultimate-bad-bot-blocker
Essential
This filter checks the User-Agent string of every request against a large list of known automated agents and rejects matches. It protects your content, conserves bandwidth, and cuts down the automated probing that wastes server resources.
Categories it blocks:
- Content scrapers & site copiers — HTTrack, WebCopier, SiteSnagger, Wget-style harvesters.
- Vulnerability scanners — Nikto, Nmap, WPScan, Acunetix, masscan, Nuclei, sqlmap.
- Aggressive SEO crawlers — AhrefsBot, SemrushBot, MJ12bot, DotBot, BLEXBot, rogerbot, dataforseobot.
- Spam & harvest bots — email harvesters, comment-spam bots, and link crawlers.
- AI / LLM training crawlers — GPTBot, ClaudeBot, CCBot, Bytespider, anthropic-ai, cohere-ai, google-extended. (Google-Extended is a robots.txt token rather than a User-Agent Google actually sends, so that entry is harmless but does not change how Googlebot is treated.)
- Malformed agents — empty User-Agents and suspiciously short or single-character strings.
Search engines you want (Googlebot, Bingbot, DuckDuckBot) are not on the list and crawl normally.
Bad Referrer Protection
Referrer blocklist · spam & malware domains
Strongly recommended
This filter blocks inbound requests whose Referer header matches a domain on a large blocklist of spam, malware, phishing, counterfeit, and “referrer-spam” sites (such as semalt.com, buttons-for-website.com, and darodar.com).
Why it helps:
- Keeps junk referrals out of your analytics, so traffic reports stay accurate.
- Blocks a common vector for hotlinking and exploitative traffic.
- Stops your site being associated with disreputable referring domains.
It only acts on the Referer header a browser or bot sends, so it has no effect on SEO: search engines are identified by User-Agent, not referrer. Because that header is set by the client, treat this as a noise filter rather than a security boundary; an attacker simply omits it.
What services might be blocked
The most common question is which real tools and services keep working once these filters are on. Here’s the practical breakdown.
Allowed by default
These are not on any blocklist and continue to work normally. Note that the bot filter matches the User-Agent string only; it does not verify that a request claiming to be Googlebot really comes from Google, so a spoofed agent passes this layer too:
| Service | Status | Notes |
|---|---|---|
| Googlebot | Allowed | Standard search indexing is unaffected. |
| Google services (AdSense, Search Console, PageSpeed, Lighthouse) | Allowed | Google's documented crawler and tool user-agents are not blocked. |
| Bingbot, DuckDuckBot, YandexBot | Allowed | Major search engines crawl normally. |
| Uptime monitors (most) | Allowed | Standard monitoring user-agents pass. |
| Payment & webhook callbacks (Stripe, PayPal) | Allowed | Legitimate API callbacks are not affected by the bot list. |
| Real human visitors | Allowed | Normal browser User-Agents are not on any list. A human can still trip a firewall rule through the URL they request (see Handling false positives). |
Blocked by default
These match a blocklist and will be rejected. Some are purely malicious; others are legitimate tools you may actually use, in which case allowlist them or give them a custom User-Agent.
| Service / Tool | Status | Why |
|---|---|---|
| curl (default UA) | Blocked | The default curl User-Agent matches a firewall rule. Set a custom --user-agent for legitimate scripted requests. |
| wget, libwww-perl, python-requests (default UA) | Often blocked | Default automation user-agents are common attack tools, so several are filtered. Set a custom UA for trusted scripts. |
| Ahrefs, Semrush, Majestic, Moz | Blocked | Aggressive SEO crawlers are blocked by default. Allowlist them if you use these tools on your own site. |
| Nikto, Nmap, WPScan, sqlmap, Acunetix | Blocked | Vulnerability scanners — blocked as intended. |
| HTTrack, WebCopier, site copiers | Blocked | Content-scraping tools — blocked as intended. |
| Referrer-spam & malware domains | Blocked | Rejected by Bad Referrer Protection. |
About curl & scripts: If you run cron jobs, health checks, or integrations with curl or a scripting library, give them a recognizable custom User-Agent (for example --user-agent "mycompany-healthcheck/1.0"). Requests sent with the tool's default agent, or with no agent at all, are the ones most likely to be filtered.
AI & LLM crawlers
AI training and retrieval crawlers are blocked by default by Bad Bot Protection. Whether that’s desirable is a content decision, not a malfunction — many site owners prefer to keep their content out of AI training sets, while others want the visibility.
| Crawler | Operator | Default |
|---|---|---|
| GPTBot | OpenAI (training) | Blocked |
| ChatGPT-User | OpenAI (user-triggered fetch) | Blocked |
| ClaudeBot, anthropic-ai | Anthropic | Blocked |
| CCBot | Common Crawl | Blocked |
| Bytespider | ByteDance | Blocked |
| cohere-ai, Ai2Bot, ImagesiftBot | Various | Blocked |
Want AI crawlers to access your site? If you'd like specific AI crawlers to index your content (for example, to appear in AI search answers), allowlist those User-Agents. If you'd rather keep them out, no action is needed; the default behaviour already blocks them.
Handling false positives
A false positive is a legitimate request that happens to match a rule and gets a 403. The most common triggers are:
- A trusted tool using a default User-Agent: curl, a monitoring script, or an integration that hasn't set a custom agent.
- Very long URLs or query strings: page builders, faceted search, or signed URLs that contain long character runs.
- Search or filter terms with SQL-like words: a URL parameter containing select, update, union, or the phrase order by.
- A file with a flagged extension: a plugin serving or referencing something ending in .inc, .env, .yml, or similar.
- WebDAV or non-standard methods: a plugin that uses MOVE or TRACE.
To confirm one, find the 403 in the Nginx access log (see Logs) and note which part of the request matched: User-Agent, query string, path, or method. Then fix it at the narrowest level that works rather than switching a whole layer off: give the tool a custom User-Agent, allowlist that agent, or, if a specific 8G rule conflicts with a plugin, run 7G instead while a fix is found.
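The quickest way to separate false positives from real probes is to read the 403s in the Nginx access log. The Python script below is added here as an example and is not part of FlyWP: it parses lines in Nginx's default combined log format, keeps the 403s, guesses which filter and which trigger from the list above is responsible, and marks each group as "review" (probable false positive) or "intended" (blocked as designed). The log lines, the own-site host name example.com, and the trigger heuristics are constructed assumptions for this example; set OWN_HOSTS to your own domain before running it on a real log.

```python
# Triage 403s in an Nginx access log to spot firewall/bot-filter false positives.
# Example for this page, not FlyWP code. The log lines below are constructed and
# the heuristics are deliberately simple.
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Nginx "combined" log format (the default):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own domain
BLOCKED_METHODS = {"CONNECT", "DEBUG", "MOVE", "TRACE", "TRACK"}
SCANNER_WORDS = ("sqlmap", "nikto", "wpscan", "nmap", "masscan", "nuclei", "acunetix")
TOOL_UA_PREFIXES = ("curl/", "wget/", "python-requests/", "libwww-perl/")


def parse(line):
    """Dict of log fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(e):
    """Guess (filter, trigger, verdict) for one 403 entry. verdict is "intended"
    for a probe blocked as designed and "review" for a likely false positive."""
    path, _, query = e["target"].partition("?")
    query = unquote_plus(query)
    ua = e["ua"]
    ua_l = ua.lower()
    browser = ua.startswith("Mozilla/") and not any(w in ua_l for w in SCANNER_WORDS)
    ref_host = urlsplit(e["referer"]).hostname if e["referer"] != "-" else None
    maybe_fp = "review" if browser else "intended"  # a browser tripping a rule deserves a look
    if e["method"] in BLOCKED_METHODS:
        return ("firewall", "method " + e["method"], maybe_fp)
    if re.search(r"\.\./|etc/passwd|wp-config\.php|\.(?:sql|bak)$", path, re.I):
        return ("firewall", "sensitive-file probe", "intended")
    if any(w in ua_l for w in SCANNER_WORDS):
        return ("bad-bot", "scanner UA", "intended")
    if ua_l.startswith(TOOL_UA_PREFIXES):
        return ("bad-bot", "default tool UA, set --user-agent", "review")
    if ua.strip() in ("", "-"):
        return ("bad-bot", "empty UA", "intended")
    if ref_host and ref_host not in OWN_HOSTS:
        return ("bad-referrer", ref_host, "intended")
    if re.search(r"\b(?:select|union|update|order\s+by)\b", query, re.I):
        return ("firewall", "SQL-like words in query", maybe_fp)
    if re.search(r"\.(?:inc|env|yml|yaml)$", path, re.I):
        return ("firewall", "flagged extension", maybe_fp)
    return ("unknown", "no obvious trigger", "review")


def triage_log(lines):
    """Group 403s by (filter, trigger, verdict, request, UA), most frequent first."""
    counts = Counter()
    for line in lines:
        e = parse(line)
        if e and e["status"] == "403":
            filt, trigger, verdict = triage(e)
            counts[(filt, trigger, verdict, e["method"] + " " + e["target"], e["ua"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def review_candidates(lines):
    """Only the groups worth a human look: probable false positives."""
    return [(key, n) for key, n in triage_log(lines) if key[2] == "review"]


# Constructed sample log: one normal hit plus a mix of real probes and false positives.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:00:01 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.10 - - [12/May/2025:10:00:05 +0000] "GET /?s=best+union+jobs+to+select HTTP/1.1" 403 162 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
198.51.100.7 - - [12/May/2025:10:01:00 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 403 162 "-" "curl/8.5.0"
198.51.100.7 - - [12/May/2025:10:06:00 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 403 162 "-" "curl/8.5.0"
192.0.2.44 - - [12/May/2025:10:02:13 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 162 "-" "python-requests/2.32.0"
192.0.2.45 - - [12/May/2025:10:02:14 +0000] "GET /?id=1%20union%20select%201,2 HTTP/1.1" 403 162 "-" "sqlmap/1.8"
203.0.113.22 - - [12/May/2025:10:03:00 +0000] "GET /blog/ HTTP/1.1" 403 162 "http://buttons-for-website.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
203.0.113.9 - - [12/May/2025:10:04:00 +0000] "MOVE /wp-content/uploads/a.yml HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
""".splitlines()

if __name__ == "__main__":
    for (filt, trigger, verdict, request, ua), n in triage_log(SAMPLE_LOG):
        print(f"{n:3} {verdict:8} {filt:12} {trigger:34} {request}  [{ua}]")
```

On the sample log the top "review" group is the cron job calling wp-cron.php with curl's default agent (the fix is a custom --user-agent), followed by a visitor's site search containing "union ... select" and a WebDAV MOVE from a browser; the .bak probe, the sqlmap run and the referrer-spam hit are reported as intended. On a real log, run it over a day of traffic and look at the "review" groups with the highest counts first, since a genuine false positive usually repeats from the same tool or page.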
Which protections to enable
For a typical WordPress, WooCommerce, or Dokan site, this configuration gives strong coverage with minimal friction:
| Filter | Recommended | Reason |
|---|---|---|
| 8G Firewall | Enable | Strongest, most current exploit protection. |
| 7G Firewall | Optional | Use instead of 8G only if an 8G rule conflicts with your site; running both adds little. |
| Bad Bot Protection | Enable | Saves bandwidth and blocks scrapers, scanners, and spam bots. |
| Bad Referrer Protection | Enable | Cleans up analytics and blocks malicious referrers; no SEO downside. |
After enabling, test the things your site relies on — checkout, login, REST/AJAX endpoints, scheduled tasks, and any external integrations — so any false positive can be caught and allowlisted early.
Related: Security overview · Vulnerability Scanner · WordPress Integrity Checker · Logs
Blocklists are updated regularly. For the exact rules active on your server, refer to the live configuration or contact FlyWP support via Live Chat.