RSFirewall! Security & Risk Analysis

wordpress.org/plugins/rsfirewall

Based on the success of the most popular firewall for Joomla!, RSFirewall! is now available to protect your WordPress website as well.

4K active installs · v1.1.46 · PHP 5.4+ · WP 4.5.15+ · Updated Mar 12, 2026
Tags: firewall, malware-scanner, security, system-check, web-application-firewall
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jul 11, 2025
Safety Verdict

Is RSFirewall! Safe to Use in 2026?

Generally Safe

Score 98/100

RSFirewall! has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jul 11, 2025 · Updated 22d ago
Risk Assessment

The rsfirewall plugin version 1.1.46 presents a mixed security posture. While it demonstrates strengths in its limited attack surface and the presence of nonce and capability checks, significant concerns arise from its output escaping and SQL query practices. The static analysis reveals that only 45% of output is properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities. Furthermore, while a majority of SQL queries use prepared statements, a substantial portion do not, which could lead to SQL injection if user-supplied data is not handled with extreme care. The taint analysis, although limited in scope, found unsanitized paths, suggesting a risk of path traversal if these flows are exploitable.

The plugin's vulnerability history, with two medium-severity CVEs related to path traversal and use of less trusted sources, reinforces these concerns. The fact that the last vulnerability was recently patched in 2025 suggests that while the developers are addressing issues, new vulnerabilities may emerge or have existed previously. The absence of currently unpatched vulnerabilities is positive, but the historical pattern of path traversal vulnerabilities is a recurring risk factor.

In conclusion, rsfirewall 1.1.46 has a somewhat robust framework with its contained attack surface and security checks. However, the prevalent lack of proper output escaping and the presence of raw SQL queries, coupled with historical path traversal issues, necessitate caution. While not critically vulnerable based on the provided data, these weaknesses represent significant attack vectors that could be exploited, especially in conjunction with the identified unsanitized paths.

Key Concerns

  • Significant portion of outputs not properly escaped
  • Portion of SQL queries not using prepared statements
  • Flows with unsanitized paths identified
  • History of medium severity path traversal vulnerabilities
  • History of medium severity 'Use of Less Trusted Source' vulnerabilities
Vulnerabilities
2

RSFirewall! Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-7518 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

RSFirewall! <= 1.1.42 - Authenticated (Admin+) Arbitrary File Read

Jul 11, 2025 Patched in 1.1.43 (1d)
CVE-2021-4226 · medium · 6.5 · Use of Less Trusted Source

RSFirewall! <= 1.1.24 - IP Address Spoofing

Apr 13, 2022 Patched in 1.1.25 (650d)
Code Analysis
Analyzed Mar 16, 2026

RSFirewall! Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 16 (15 prepared)
Unescaped Output: 149 (124 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 25
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

48% prepared · 31 total queries

Output Escaping

45% escaped · 273 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
save_grade (models\check.php:943)
Attack Surface

RSFirewall! Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks 31
action admin_init (models\configuration.php:24)
filter mime_types (models\configuration.php:29)
action admin_notices (models\configuration.php:144)
action admin_notices (models\exceptions.php:67)
action admin_head (models\exceptions.php:70)
action admin_menu (models\exceptions.php:73)
filter screen_options_show_screen (models\exceptions.php:76)
filter pre_get_posts (models\exceptions.php:82)
filter get_search_query (models\exceptions.php:85)
filter post_updated_messages (models\exceptions.php:88)
filter wp_untrash_post_status (models\exceptions.php:93)
action restrict_manage_posts (models\exceptions.php:97)
action admin_notices (models\lists.php:65)
action admin_head (models\lists.php:68)
action admin_menu (models\lists.php:71)
filter screen_options_show_screen (models\lists.php:74)
filter pre_get_posts (models\lists.php:80)
filter get_search_query (models\lists.php:83)
filter post_updated_messages (models\lists.php:86)
filter wp_untrash_post_status (models\lists.php:91)
action restrict_manage_posts (models\lists.php:95)
action manage_posts_extra_tablenav (models\lists.php:98)
filter pre_get_posts (models\threats.php:65)
filter get_search_query (models\threats.php:68)
action restrict_manage_posts (models\threats.php:71)
action manage_posts_extra_tablenav (models\threats.php:72)
action init (rsfirewall.php:125)
action init (rsfirewall.php:127)
action init (rsfirewall.php:128)
action init (rsfirewall.php:135)
action plugins_loaded (rsfirewall.php:145)

Scheduled Events 1

rsfirewall_clear_transient
Maintenance & Trust

RSFirewall! Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 5.4
Downloads: 30K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 4K
Developer Profile

RSFirewall! Developer Profile

RSJoomla!

1 plugin · 4K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 326 days
Detection Fingerprints

How We Detect RSFirewall!

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/rsfirewall/assets/css/rsfirewall.css
/wp-content/plugins/rsfirewall/assets/js/rsfirewall.js
/wp-content/plugins/rsfirewall/assets/js/rsfirewall_admin.js
/wp-content/plugins/rsfirewall/assets/js/vendors/jquery.knob.js
/wp-content/plugins/rsfirewall/assets/js/rsfirewall_check.js
Script Paths
/wp-content/plugins/rsfirewall/assets/js/rsfirewall.js
/wp-content/plugins/rsfirewall/assets/js/rsfirewall_admin.js
Version Parameters
rsfirewall/assets/css/rsfirewall.css?ver=
rsfirewall/assets/js/rsfirewall.js?ver=
rsfirewall/assets/js/rsfirewall_admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
rsfirewall
rsfirewall_menu
rsfirewall_notice
HTML Comments
RSFirewall! Firewall
RSFirewall! End Firewall
Data Attributes
data-rsf-ajax
JS Globals
rsfirewall_check_locale
rsfirewall_check_security
RSFirewall
REST Endpoints
/wp-json/rsfirewall/
FAQ

Frequently Asked Questions about RSFirewall!