WordPress Security: Why you Should use a Website Firewall (WAF)

A Website Firewall Adds an Additional Layer of Security
In a previous post, Keeping Your WordPress Website Secure, we discussed various options for securing your website files, databases and other WordPress related items from hackers. When our Security Services team implements a solution, we focus on adding layers of security to protect your website. One way we do this is with a website firewall (web application firewall or WAF).
In this post, we will help you understand the basics of a website firewall. We will discuss why having a web application firewall is important. Additionally, we will provide you with a list of website firewall providers you can use for your website.
What is a Website Application Firewall (WAF)?
A website firewall acts as a shield between your website and all network traffic. It analyzes bi-directional web-based (HTTP) traffic, and it detects and blocks anything malicious that is trying to reach your application, in this case WordPress. Web application firewalls can be used for any type of website, not just a WordPress website.
There are two common types of firewalls:
- Server Level Firewall
- Application Level Firewall
A Server Level Firewall routes all of your website traffic through a separate, dedicated server. This allows it to send only genuine, clean traffic to your website. These servers are exceptionally good at what they do because they have only one task: to filter out malicious traffic. They also reduce the traffic load on your website server, increasing the performance of your website. This type of firewall uses your domain name's DNS settings to route the traffic to its server first; the traffic is then routed on to your website. Because the routing relies on DNS, your own server should be configured to accept web traffic only from the firewall provider's addresses, so that requests sent straight to the server's IP address do not skip the filter.
An Application Level Firewall resides on the same server as your website. It inspects each request before any of the application's scripts are loaded, so malicious traffic is stopped before it reaches WordPress. Because the filtering happens on your own server, these firewalls do NOT reduce the server load on your website.
Website firewalls protect your website from SQL injection, cross-site scripting, and arbitrary code execution attacks, along with a host of other common network threats such as:
- Denial of Service (DoS / DDoS) Attacks
- Exploitation of Software Vulnerabilities
- Newly Disclosed (Zero Day) Vulnerabilities, where updated firewall rules act as a patch until the software itself is fixed
- Brute Force Attacks against your Access Control Mechanisms
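An application-level filter of the kind described above, written here as an added example; it is not code from any plugin or service named in this article. It is assumed to be loaded through PHP's auto_prepend_file directive (set in php.ini or a .user.ini file) so that it runs before any WordPress script does. It also assumes PHP 8 or newer and a writable temporary file for the login counter; both assumptions are marked in the comments, and the pattern list is deliberately short.

```php
<?php
// Added example, not code from any product mentioned in the article.
// Intended to be loaded via PHP's auto_prepend_file directive so it runs on
// every request before WordPress itself is loaded (assumption: PHP 8+).
declare(strict_types=1);

const MAX_LOGIN_ATTEMPTS = 5;     // POSTs to wp-login.php allowed per IP per window
const LOGIN_WINDOW_SECS  = 600;   // 10-minute window
const LOGIN_STATE_FILE   = '/tmp/waf_login_attempts.json'; // assumption: writable path

/** Signatures typical of SQL injection and cross-site scripting probes (illustrative only). */
const BLOCK_PATTERNS = [
    'sqli' => '/(\bunion\b\s+\bselect\b|\bor\b\s+1\s*=\s*1|--\s|\bsleep\s*\(|information_schema)/i',
    'xss'  => '/(<script\b|javascript:|on\w+\s*=\s*["\']?[^"\']*\()/i',
];

/** Flatten nested request arrays ($_GET / $_POST) into a list of scalar strings. */
function flattenValues(array $input): array
{
    $out = [];
    array_walk_recursive($input, function ($v) use (&$out) {
        $out[] = (string) $v;
    });
    return $out;
}

/** Return the name of the matching rule, or null if the request looks clean. */
function inspectRequest(array $query, array $post, string $path): ?string
{
    $candidates = array_merge([$path], flattenValues($query), flattenValues($post));
    foreach ($candidates as $value) {
        // Decode once so percent-encoded payloads are inspected in the same way.
        $decoded = rawurldecode($value);
        foreach (BLOCK_PATTERNS as $name => $regex) {
            if (preg_match($regex, $decoded) === 1) {
                return $name;
            }
        }
    }
    return null;
}

/** Count POSTs to wp-login.php per client IP; true once the client exceeds the limit. */
function loginAttemptExceeded(string $ip, string $path, string $method, int $now, array &$state): bool
{
    if ($method !== 'POST' || !str_ends_with($path, '/wp-login.php')) {
        return false;
    }
    // Keep only attempts that fall inside the current window, then record this one.
    $attempts = array_filter($state[$ip] ?? [], fn(int $t) => $t > $now - LOGIN_WINDOW_SECS);
    $attempts[] = $now;
    $state[$ip] = array_values($attempts);
    return count($attempts) > MAX_LOGIN_ATTEMPTS;
}

function loadState(): array
{
    $raw  = @file_get_contents(LOGIN_STATE_FILE);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function saveState(array $state): void
{
    @file_put_contents(LOGIN_STATE_FILE, json_encode($state), LOCK_EX);
}

// Entry point: executed for every web request before WordPress is loaded.
if (PHP_SAPI !== 'cli') {
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

    $state = loadState();
    $hit   = inspectRequest($_GET, $_POST, $path);
    $limited = loginAttemptExceeded($ip, $path, $method, time(), $state);
    saveState($state);

    if ($hit !== null || $limited) {
        // Log the decision for the site owner, then refuse the request.
        error_log(sprintf('waf block ip=%s path=%s rule=%s', $ip, $path, $hit ?? 'login-rate'));
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Two design points are worth noticing. The inspection happens on the raw request, before WordPress has parsed anything, which is exactly what distinguishes an application-level firewall from a security check inside the application. And even this tiny rule set will produce false positives (a comment containing "-- " trips the SQL rule), which is why commercial products spend most of their effort tuning rules rather than writing them.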
There are WordPress website firewall plugins available. Some of these are server-based and some are application-based. We would recommend a server-based solution for any WordPress installation.
A website firewall should not be used as the only website security solution. It should always be used together with other security solutions to provide a holistic defense strategy for your website.
Which Website Firewalls are Best
There are a number of companies that offer a website firewall that will provide the level of security you require. We have listed these providers here in no specific order.
Cloudflare – Stand Alone
Cloudflare is probably best known for their Content Delivery Network (CDN). But with a paid plan, you can add a WAF as well.
Their Server Level Firewall is configured from their website. They do not offer a WordPress plugin that does any of the configuration for you. But they have made the configuration process very simple.
With servers around the globe, the Cloudflare WAF network is constantly identifying new potential threats. If these threats apply to a large number of users, their website firewall rules are updated globally to protect all of their users.
And because their primary focus is on website performance, their WAF service results in latency of less than 1 millisecond.
WebARX Website Security & Monitoring Platform – WordPress plug-in
WebARX provides a website firewall, uptime monitoring, vulnerability alerts and domain reputation monitoring for WordPress sites from a single dashboard. We wrote about our personal experience using WebARX in this article: WebARX Website Security & Monitoring Platform.
The WebARX website firewall offers:
- Complete security overview of all websites on a single dashboard
- Automatic Slack and email alerts when any security or uptime issues are detected
- Block hacking attacks and malicious traffic with an easy-to-install WordPress plug-in
- Monitor domain reputation, site errors, blacklists, domain expiration, and much more
In under three minutes, and with no technical knowledge, you can enable alerts and security monitoring, connect the website with the WebARX plug-in, and have the website firewall protect all of your websites. Additionally, WebARX helps you stay in compliance with cookie laws by adding the cookie policy notification to your site directly from the WebARX WordPress plugin.
The developers at WebARX are open to suggestions and are actively adding new functionality and platforms. In September, you will be able to remotely update and manage software on all sites directly from your WebARX portal. In October, every PHP-based CMS and native application (Joomla, Drupal, Magento, Laravel, and Symfony) will be supported.
You get a 14-day free trial when you register. After that, the basic service is $39 per month. They have more expensive packages that increase the number of websites you can monitor and the level of support you receive.
Sucuri – WordPress plug-in
Sucuri offers a Server Level Firewall, which is available as part of their Premium Plan.
As Sucuri also offers a WordPress security plugin, the WAF configuration is integrated into that plugin once you have upgraded to the Premium Plan. Sucuri does have a plugin dedicated to their WAF product, but as it has not been updated for a long time, I am assuming they have integrated the most recent version into their current security plugin.
SiteLock – Stand Alone
SiteLock is also a major player in the website security market. They offer their WAF product along with their WP Protect product. They have a special area on their website dedicated to WordPress called “The District”.
Their website hints that their product is a Server Level Firewall, but there is not much detail about the product's performance or latency. If you wish to ask questions, they have a US toll-free number you can use.
WordFence – WordPress plug-in
WordFence offers their website firewall in a slightly different manner from the other companies. Their plugin includes a basic Application Level Firewall, but with a paid plan you can activate more features for the firewall, giving additional website protection and rule updates.
The plugin uses its own caching mechanism to help keep your WordPress site running quickly.
All in One WP Security and Firewall – WordPress plug-in
The All in One plugin is offered completely free as an Application Level Firewall.
They use the .htaccess file to manage the firewall rules. Because .htaccess directives are processed by the Apache web server itself, the WAF rules are applied before any of the WordPress scripts kick into operation.
iThemes Security – no offering
I wanted to specifically point out an interesting fact for iThemes Security users. The user base for this plug-in is a lot higher than the user base for Sucuri and All In One. However, iThemes does not offer a WAF product.
This means you should carefully consider upgrading your security plugin to one that offers a WAF, especially since this will add an additional layer of security to protect your website.
Conclusion
If you can afford a paid option, there are a couple of strong contenders for a website firewall product. If cost is a concern, you have one free option for implementing a website firewall.
We hope this has helped you to understand why you should use a WAF and the products available.