Описание
Traffic Origin Guard helps protect your origin server from direct traffic by requiring a secret header value on every request.
Use case:
— Your site is behind Cloudflare or another reverse proxy.
— You want only proxy-originated requests to reach WordPress.
— You want automatic Apache rule management.
How it works:
— You set one token in plugin settings.
— The plugin writes Apache rules into .htaccess using a managed block.
— Requests missing the expected X-Origin-Secret header are blocked with HTTP 403.
Features:
— Apache .htaccess rule writer with managed BEGIN/END markers.
— Header validation status visibility on the settings page.
— One-click token utilities in admin (generate, copy, and «Use as token»).
— In-page Cloudflare setup guide with step-by-step instructions.
— Lockout recovery instructions displayed directly in the settings page.
— View details link on the Plugins list page.
— Automatic cleanup on plugin deactivation and uninstall.
Установка
- Upload the plugin folder to /wp-content/plugins/traffic-origin-guard/.
- Activate Traffic Origin Guard from Plugins in WordPress admin.
- Go to Settings -> Traffic Origin Guard.
- Generate a token using the generator on the settings page.
- In Cloudflare, go to Rules -> Transform Rules -> Modify Request Header and add a rule setting X-Origin-Secret to your token on all requests. Do this BEFORE saving the token to avoid locking yourself out.
- Paste the token into the token field and click Save Token. Confirm the Active server rules block appears on the page.
- Verify direct origin access without the header returns 403.
Часто задаваемые вопросы
-
Will this lock me out of wp-admin?
-
Yes, it can if misconfigured. This plugin enforces access at Apache level, so a wrong token/header setup can block wp-admin access.
To recover: connect to your server via FTP, SFTP, or your host’s file manager and open .htaccess in your WordPress root. Find and delete the entire block between (and including) the lines «# BEGIN Traffic Origin Guard» and «# END Traffic Origin Guard». Save the file — your site will be accessible immediately. Then set up your Cloudflare Transform Rule first before re-entering the token.
-
Which servers are supported?
-
This plugin manages Apache .htaccess rules directly.
-
What if .htaccess is not writable?
-
The plugin cannot enforce protection until .htaccess is writable. Fix permissions/ownership and save settings again.
-
What header name does the plugin check?
-
X-Origin-Secret
Отзывы
Нет отзывов об этом плагине.
Участники и разработчики
«Traffic Origin Guard» — проект с открытым исходным кодом. В развитие плагина внесли свой вклад следующие участники:
УчастникиПеревести «Traffic Origin Guard» на ваш язык.
Заинтересованы в разработке?
Посмотрите код, проверьте SVN репозиторий, или подпишитесь на журнал разработки по RSS.