Fortify: Zero-Trust WAF for WordPress

By the time Wordfence’s WAF fires (as a regular plugin at stage 5 of WordPress loading), Fortify has already blocked the attack at stage 3 (MU-plugins). This is not marketing hyperbole. It is the WordPress load order. MU-plugins fire before regular plugins, themes, or core hooks.

The 8-Stage Pipeline

Every inbound HTTP request passes through: (1) Emergency lockdown check, (2) IP allowlist, (3) IP blocklist, (4) Rate limiter, (5) Geo-block, (6) Bot detection, (7) Payload scan, (8) Security headers. If any stage returns a block verdict, the request dies immediately. No WordPress code executes. No database queries run. No plugins load.

Zero-Trust Scoring

Every request receives a trust score from 0 to 100, computed from seven signals: session age, IP reputation, geographic consistency, behavioural baseline, request integrity, device fingerprint, and MFA status. Scores below 40 trigger step-up challenges. Below 20, the request is blocked. The scoring is continuous: a trusted admin who suddenly starts accessing unusual endpoints at 3am from a new country gets challenged, not blocked.

Safety First

A security plugin that intercepts every HTTP request at the MU level is the highest-risk plugin in the ecosystem. If the sentinel has a bug, the entire site is unreachable. That is why every subsystem has a file-based kill switch: create disable.flag via FTP and the sentinel passes everything through. No WordPress, no database, no PHP code required. Just filesystem access.
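As an added example (my sketch, not Fortify's own code), here is one MU-plugin file that puts the staged pipeline and the file-based kill switch from the two sections above together: a disable.flag beside the plugin file short-circuits everything, otherwise the eight stages run in order and a block verdict exits before any WordPress code loads. The flag locations, the CF-IPCOUNTRY geo header, PHP 7.4+, and every stage rule (constructed allow/block lists, a naive per-minute file counter, a toy payload pattern) are assumptions.

```php
<?php
// Added example (not Fortify's code): MU-plugin sketch of the pipeline and kill switch.
// Kill switch: a disable.flag beside this file makes the sentinel pass everything through.
if (file_exists(__DIR__ . '/disable.flag')) {
    return; // nothing below runs; WordPress loads normally
}

// Fixed-window counter per IP in the temp dir (illustrative; use a shared cache in production).
function fortify_rate_exceeded(string $ip, int $limit): bool {
    $file = sys_get_temp_dir() . '/fortify-rl-' . md5($ip) . '-' . intdiv(time(), 60);
    $n = (int) @file_get_contents($file) + 1;
    file_put_contents($file, (string) $n, LOCK_EX);
    return $n > $limit;
}

$request = [
    'ip'      => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
    'uri'     => $_SERVER['REQUEST_URI'] ?? '/',
    'country' => $_SERVER['HTTP_CF_IPCOUNTRY'] ?? 'XX', // assumes a CDN sets a country header
    'ua'      => $_SERVER['HTTP_USER_AGENT'] ?? '',
    'body'    => file_get_contents('php://input') ?: '',
];

// Each stage returns 'block', 'allow' (trusted source, skip to headers) or null (continue).
$stages = [
    'lockdown'  => fn($r) => file_exists(__DIR__ . '/lockdown.flag') ? 'block' : null,
    'allowlist' => fn($r) => in_array($r['ip'], ['203.0.113.10'], true) ? 'allow' : null, // constructed
    'blocklist' => fn($r) => in_array($r['ip'], ['198.51.100.7'], true) ? 'block' : null, // constructed
    'ratelimit' => fn($r) => fortify_rate_exceeded($r['ip'], 120) ? 'block' : null,
    'geoblock'  => fn($r) => in_array($r['country'], ['ZZ'], true) ? 'block' : null, // placeholder code
    'bots'      => fn($r) => $r['ua'] === '' ? 'block' : null, // empty UA treated as suspicious
    'payload'   => fn($r) => preg_match('/union\s+select|<script\b/i', $r['uri'] . $r['body']) ? 'block' : null,
    'headers'   => function ($r) { header('X-Frame-Options: SAMEORIGIN'); header('X-Content-Type-Options: nosniff'); return null; },
];

foreach ($stages as $name => $stage) {
    $verdict = $stage($request);
    if ($verdict === 'allow') {
        $stages['headers']($request); // still emit security headers for trusted traffic
        break;
    }
    if ($verdict === 'block') {
        error_log("fortify: blocked {$request['ip']} at stage {$name}"); // log the stage, do not reveal it
        http_response_code(403);
        exit; // no WordPress code, plugins or database queries run for this request
    }
}
```

Dropping this file into wp-content/mu-plugins/ is enough for WordPress to include it before regular plugins; the same file-level `return` that implements the kill switch is what lets the rest of the load order proceed untouched.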

MFA Step-Up Authentication

When trust drops into the challenge zone and AJT MFA is active, users see an inline TOTP modal overlaid on the current screen. Once they enter the 6-digit code, the original request replays transparently: no full-page redirect, no lost form state, no context switch. When MFA is not installed, Fortify falls back to password re-entry.
