WP-Safety

Deny All Firewall Security & Risk Analysis

wordpress.org/plugins/deny-all-firewall

Blocks access to everything except genuine site content using .htaccess

60 active installs v1.8.7 PHP 5.6+ WP 4.7.0+ Updated Jan 29, 2026
carbon-footprintdeny-from-allfirewallgreenhtaccess
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 22, 2019
Plugin page Download
Safety Verdict

Is Deny All Firewall Safe to Use in 2026?

Generally Safe

Score 99/100

Deny All Firewall has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jun 22, 2019Updated 2mo ago
Risk Assessment

The deny-all-firewall v1.8.7 plugin demonstrates a generally good security posture based on the provided static analysis. The absence of any taint analysis findings, coupled with strong practices like 100% prepared statement usage for SQL queries and a high percentage of properly escaped output, indicates a focus on secure coding. The plugin also incorporates a reasonable number of nonce and capability checks, which are crucial for preventing unauthorized actions. However, the presence of one historical Cross-Site Request Forgery (CSRF) vulnerability, though no longer unpatched, warrants a degree of caution, suggesting that the plugin's security mechanisms may have been bypassed in the past. While the attack surface is currently minimal and appears to be protected by authentication checks, the historical vulnerability, even if resolved, highlights a potential area of past weakness that users should be aware of. Overall, the plugin appears to be well-maintained and has addressed past security issues, but ongoing vigilance and prompt updates are always recommended.

Key Concerns

  • Historical CSRF vulnerability found
Vulnerabilities
1

Deny All Firewall Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

CVE-2019-14681high · 8.8Cross-Site Request Forgery (CSRF)

Deny All Firewall <= 1.1.6 - Cross-Site Request Forgery

Jun 22, 2019 Patched in 1.1.7 (1676d)
Code Analysis
Analyzed Mar 16, 2026

Deny All Firewall Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
6
175 escaped
Nonce Checks
2
Capability Checks
3
File Operations
8
External Requests
1
Bundled Libraries
0

Output Escaping

97% escaped181 total outputs
Attack Surface

Deny All Firewall Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_daf_refresh_rulesdeny-all-firewall.php:71
WordPress Hooks 19
actionadmin_menudeny-all-firewall.php:33
actionwp_logindeny-all-firewall.php:43
actionupdate_option_daf_optionsdeny-all-firewall.php:44
actionadd_option_daf_optionsdeny-all-firewall.php:45
actionsave_postdeny-all-firewall.php:46
actionedited_termdeny-all-firewall.php:47
actioncreated_termdeny-all-firewall.php:48
actionattachment_updateddeny-all-firewall.php:49
actionadd_attachmentdeny-all-firewall.php:50
actionafter_switch_themedeny-all-firewall.php:51
actionload-post.phpdeny-all-firewall.php:52
actionload-post-new.phpdeny-all-firewall.php:53
actionadmin_noticesdeny-all-firewall.php:59
filtersite_status_testsdeny-all-firewall.php:76
actioninitdeny-all-firewall.php:80
filterthe_generatordeny-all-firewall.php:88
actionadmin_initdeny-all-firewall.php:321
actionadd_meta_boxesdeny-all-firewall.php:2700
filterplugin_row_metaincludes\class-daf-common.php:293
Maintenance & Trust

Deny All Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 29, 2026
PHP min version5.6
Downloads10K

Community Trust

Rating0/100
Number of ratings0
Active installs60
Alternatives

Deny All Firewall Alternatives

SAR One Click Security

SAR One Click Security

sar-one-click-security

A
92

Adds some extra security to your WordPress with only one click.

200 No CVEs
Wordfence Security – Firewall, Malware Scan, and Login Security

Wordfence Security – Firewall, Malware Scan, and Login Security

wordfence

A
96

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M 12 CVEs
Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

A
98

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs
Redirection

Redirection

redirection

A
97

Manage 301 redirects, track 404 errors, and improve your site. No knowledge of Apache or Nginx required.

2.0M 5 CVEs
All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Developer Profile

Deny All Firewall Developer Profile

Oliver Campion

12 plugins · 43K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
869 days
View full developer profile
Detection Fingerprints

How We Detect Deny All Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/deny-all-firewall/css/daf-admin-style.css/wp-content/plugins/deny-all-firewall/js/daf-admin-script.js
Version Parameters
deny-all-firewall/css/daf-admin-style.css?ver=deny-all-firewall/js/daf-admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
daf-content-changed-notice
JS Globals
daf_ajax_url
REST Endpoints
/wp-json/
FAQ

Frequently Asked Questions about Deny All Firewall