Yes. WP Ghost includes the 7G Firewall natively, along with its newer sibling the 8G Firewall, plus Minimal and Medium protection levels. Both rulesets were built by security researcher Jeff Starr and block malicious requests, bad bots, SQL injection, and script injection at the server level, before WordPress even loads. The 8G Firewall is the recommended default for most sites, but 7G is still available as a stable fallback for server setups or plugin combinations where 8G causes compatibility issues.
What the 7G Firewall Does
The 7G Firewall is a ruleset created and maintained by Jeff Starr at Perishable Press. It is part of the “G-series” (5G, 6G, 7G, 8G), a family of open-source firewall rules that have protected millions of WordPress sites. The rules target known malicious request patterns: SQL injection strings, script injection payloads, file inclusion attempts, directory traversal probes, spam bots, brute force tools, and all sorts of automated scanning traffic.
The important thing about where these rules run is that they operate at the web server layer, not the WordPress layer. On Apache and LiteSpeed, the rules live in .htaccess and filter requests before PHP even starts. On Nginx, they load during WordPress initialization. Either way, malicious requests are blocked before they can touch your themes, plugins, or database. This is the architectural difference between WP Ghost’s firewall and PHP-level scanners like Wordfence, they run at different layers and catch different things.
The Four Firewall Levels in WP Ghost
| Level | Coverage | When to Use |
|---|---|---|
| Minimal | Basic pattern matching | Maximum compatibility, start here if unsure |
| Medium | Extended patterns, still broadly compatible | More coverage without compatibility risk |
| 7G Firewall | Jeff Starr’s mature ruleset, proven and stable | Reliable fallback when 8G conflicts |
| 8G Firewall (recommended) | Latest generation, all 7G protections plus updated patterns for modern attacks | Default choice for most sites |
7G vs 8G: Which Should You Use?
Start with 8G. It is the most current ruleset, includes everything 7G blocks plus newer attack patterns, and has fewer false positives because it was rebuilt with compatibility feedback from the last few years. Think of 8G as 7G plus years of refinement.
Use 7G if 8G causes a specific problem. A few plugins, particularly ones with unusual AJAX patterns or custom form submission formats, occasionally trip on the newer 8G rules. When that happens, 7G is the reliable fallback: older, thoroughly tested, and broadly compatible. You can always switch back to 8G later after whitelisting the specific paths that caused the conflict under WP Ghost > Firewall > Whitelist Paths. For the deeper comparison, see the 8G Firewall Protection guide.
How to Activate the 7G Firewall
- Go to WP Ghost > Change Paths > Level of Security and activate Safe Mode or Ghost Mode if you have not already.
- Go to WP Ghost > Firewall.
- Switch on Firewall Against Script Injection.
- Select 7G Firewall from the level options.
- On Apache or LiteSpeed, choose whether to place the rules in
.htaccess(fastest, blocks at the web server) or load them during WordPress initialization (broader compatibility). - Click Save.
After saving, test your site in an incognito window. Browse a few pages, submit a contact form, and if you run WooCommerce, test the checkout. If something stops working, step down to Medium or Minimal and escalate from there once you identify what was getting blocked. Full walkthrough in the 7G Firewall for WordPress tutorial.
Why Server-Level Filtering Matters for Hack Prevention
A lot of security plugins run their firewall as PHP code inside WordPress. That works, but it means every malicious request still boots WordPress, loads plugins, hits the database, and consumes a PHP worker before being rejected. On high-traffic sites, or sites under bot attack, that can crush your server before the firewall even gets a chance to say no.
The 7G and 8G rules run at the web server layer, in .htaccess on Apache and LiteSpeed, or during early initialization on Nginx. Malicious requests are rejected with a 403 before PHP or WordPress spin up. That means less server load from bot traffic, more headroom for real visitors, and attack patterns blocked before they reach vulnerable plugins. It is a pillar of the hack prevention philosophy: stop attacks before they start, not clean up after.
Frequently Asked Questions
Does WP Ghost have 7G Firewall protection?
Yes. WP Ghost includes the 7G Firewall natively, alongside the 8G Firewall and two lighter levels (Minimal and Medium). Activate it under WP Ghost > Firewall by turning on Firewall Against Script Injection and selecting the 7G option.
Should I use 7G or 8G Firewall?
8G for most sites. It includes all 7G protections plus updated patterns for newer attack techniques and has fewer false positives. Use 7G only if 8G triggers a specific incompatibility with a plugin or server setup. Both are free and included in WP Ghost.
Does the 7G Firewall slow down my site?
No, and on sites under attack it actually improves performance. The rules run at the server level with minimal overhead, and blocked malicious requests never reach PHP or WordPress, which frees up resources for real visitors. On Apache with rules in .htaccess, blocked requests cost almost nothing to process.
Will the 7G Firewall block Googlebot or hurt SEO?
No. WP Ghost automatically whitelists major search engine crawlers (Googlebot, Bingbot, Yandex) when the 7G or 8G Firewall is active. Legitimate crawlers access and index your site normally. If you ever notice indexing issues, check the firewall logs to confirm and add the crawler to your whitelist manually.
Does the 7G Firewall work on all server types?
Yes. On Apache and LiteSpeed, the rules are written to .htaccess. On Nginx, they load during WordPress initialization. On IIS, they are written to web.config. On any server where Apache or LiteSpeed can apply .htaccess rules (which is nearly all shared hosting), placing the rules in .htaccess is the fastest option. For hosting-specific notes, see the hosting and server types reference.
Can I use the 7G Firewall alongside Wordfence or Solid Security?
Yes. The 7G Firewall operates at the server or configuration level. Wordfence, Solid Security, and similar plugins operate at the PHP or application level. They run at different layers and complement each other. A common combo is WP Ghost for path security and 7G/8G firewall plus Wordfence for malware scanning and file integrity monitoring.
What if the 7G Firewall blocks legitimate functionality?
Step down to Medium or Minimal firewall levels temporarily to identify what was being blocked. Once you know which plugin or feature triggered the rule, whitelist its path under WP Ghost > Firewall > Whitelist Paths and re-enable 7G. This way you keep most of the protection without breaking specific functionality.
Does WP Ghost modify WordPress core files?
No. The 7G rules are written to .htaccess (Apache, LiteSpeed) or loaded through WordPress hooks (Nginx). No core files are modified. Deactivating the firewall or the plugin removes all rules instantly.