How to Use a WordPress Firewall for Enhanced Security and Performance


You know that it’s better to proactively secure your WordPress site than to wait to clean up after an attack. A security breach is a serious and costly matter and one that you don’t want to get involved with if you don’t have to. WebARX explains the issue perfectly:

“With modern websites, third-party component security has become a huge issue. WordPress is a good example: in 2018, the amount of discovered plugin vulnerabilities has grown 3 times when compared to 2017.”

This is why you develop a well-rounded security plan that takes into account all the different points of entry a hacker could attack your site from. A lot of the time, though, we take these automated security strategies and tools for granted without ever really understanding the underlying technology that keeps our websites safe.


So, today, we want to dig into the WordPress firewall. More specifically, what a firewall is, in general, and why every website needs one. Since they didn’t originate with WordPress, there’s a bit more to understand about this security technology and how we can maximize it for our own purposes.

Our team at WP Buffs helps website owners, agency partners and freelancer partners with enhanced firewall security. Whether you need us to manage 1 website or support 1000 client sites, we’ve got your back.

What Does a WordPress Firewall Do?

In the physical world, a firewall is a barrier built to contain fires and prevent them from spreading through a building. Because it is designed around an understanding of thermal limits and other performance factors, the firewall is usually successful in its mission.

This is really no different from how a firewall in computing works.

A firewall is much like other kinds of security software we use. It’s a layer of protection that sits between us and them. The way a firewall works, however, is slightly different from something like an SSL certificate, which encrypts the exchange of data, hiding it from prying eyes.

A firewall instead works as a sort of rules-based filter. It looks at the person trying to access the site, assesses their “character” based on what it knows about security threats, and then grants or denies access.

Firewalls didn’t start here originally, however. There have been three generations of firewalls available for the web:

1st Generation: Packet Filters

This first generation of firewalls was created for the purpose of filtering packets transmitted between computers (so, something like file transfer would fall under this). Unlike modern-day firewalls, these packet filters weren’t really created to abide by rules. It was more about simply allowing traffic in or out of an application. It didn’t discern whether or not it was good or bad traffic, just whether or not access was to be granted or denied.

2nd Generation: Stateful Filters

The second generation of firewalls was developed by AT&T Bell Laboratories. These stateful filters were also known as circuit-level gateways. They were the next step up from packet filters. Essentially, they still worked as a checkpoint, granting or denying access to the desired application destination. That said, administrators were able to program rules into the firewall that helped it determine the threat level of the entity trying to gain access.

3rd Generation: Application Layer Filters

The final generation of the firewall is the one we still use today. Application layer filter firewalls are much smarter and more versatile. For instance, they now work with FTP, DNS, and HTTP(S), which means greater protection on many more levels for your website. And more specific rules can be programmed in to kick out harmful entities based on behavior as well as history on the web.

How Does a Firewall Work?

Web application firewalls (WAFs), like the ones we get from WordPress security plugins, are a form of application layer filter. Their sole focus is on protecting the server and the WordPress installation. They do this by acting as a sort of proxy server.


Typically, when an HTTPS request is received, your server packages the necessary files and then delivers them to the visitor’s browser. However, what you want a firewall to do is to stop that request from ever reaching your server if the requestor poses a threat.

So, the firewall needs to sit in front of the server in order to review all traffic against its data and rules it has for filtering traffic. Once you’ve configured your DNS records to direct all HTTPS requests through the WAF, this will happen every single time.

Blacklisted users (i.e. known hackers and bots) are immediately denied entrance. As new threats are detected by the firewall administrator, they’re added to the list so that it can respond more effectively to malware infections, SQL injections, and DDoS threats.

A WordPress firewall doesn’t just review traffic that visits your public pages, either. It can be configured to review traffic that hits your admin login page, too. By programming rules that define how many login attempts, and how much time on the page, count as reasonable, your firewall can help keep your site clear of brute force attacks as well.

Some firewalls will also monitor what’s happening on your website. The moment activity is detected that fits the criteria of a threat, those users are bounced out of the site. Really, there’s a lot that you can accomplish with a single firewall.
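To make the rules-based filtering described above concrete, here is an added example (not code from the article or from any product it names) of the decision logic a WAF applies per request: a static blacklist, a signature check on the query string, and a sliding-window limit on POSTs to the login page that adds offenders to a dynamic blocklist. All IPs, thresholds and requests are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed rule data, not taken from any real firewall product.
BLACKLISTED_IPS = {"203.0.113.7"}       # sources already known to be bad
LOGIN_PATH = "/wp-login.php"
MAX_LOGIN_ATTEMPTS = 5                  # login POSTs allowed per source ...
LOGIN_WINDOW_SECONDS = 60               # ... within this sliding window
# One signature in the style of an application-layer filter rule.
SQLI_SIGNATURES = [re.compile(r"(?i)\bunion\b.+\bselect\b")]


class RuleBasedFilter:
    """Decides, per request, whether to pass it to the origin or block it."""

    def __init__(self):
        self._login_attempts = defaultdict(deque)  # ip -> timestamps of POSTs
        self.dynamic_blocklist = set()             # ips that tripped a rule

    def check(self, ip, method, path, query, timestamp):
        """Return ('allow' | 'block', reason) for one request."""
        if ip in BLACKLISTED_IPS or ip in self.dynamic_blocklist:
            return "block", "blacklisted source"
        for sig in SQLI_SIGNATURES:
            if sig.search(query):
                self.dynamic_blocklist.add(ip)
                return "block", "sql injection signature"
        if method == "POST" and path == LOGIN_PATH:
            attempts = self._login_attempts[ip]
            attempts.append(timestamp)
            # Forget attempts that fall outside the window.
            while attempts and timestamp - attempts[0] > LOGIN_WINDOW_SECONDS:
                attempts.popleft()
            if len(attempts) > MAX_LOGIN_ATTEMPTS:
                self.dynamic_blocklist.add(ip)
                return "block", "login rate limit exceeded"
        return "allow", "no rule matched"


# Constructed request stream: (ip, method, path, query string, unix time).
SAMPLE_REQUESTS = [
    ("198.51.100.10", "GET", "/", "", 1000),
    ("203.0.113.7", "GET", "/", "", 1001),
    ("198.51.100.10", "GET", "/", "s=1 UNION SELECT user_pass FROM wp_users", 1002),
] + [
    ("192.0.2.5", "POST", LOGIN_PATH, "", 1010 + i) for i in range(6)
] + [
    ("192.0.2.5", "GET", "/", "", 1016),
    ("192.0.2.9", "POST", LOGIN_PATH, "", 1100),
    ("198.51.100.10", "GET", "/", "", 1200),
]


def run_filter(requests):
    """Feed every request through one filter instance, in order."""
    waf = RuleBasedFilter()
    return [waf.check(*req) for req in requests]


if __name__ == "__main__":
    for req, (verdict, reason) in zip(SAMPLE_REQUESTS, run_filter(SAMPLE_REQUESTS)):
        print(f"{req[0]:>14} {req[1]:4} {req[2]:14} {verdict:5} ({reason})")
```

Note that the sixth login attempt is the one that exceeds the limit, and that the same source is refused outright afterwards because it was added to the dynamic blocklist.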

That said, because a WordPress firewall only works as well as the rules it’s programmed to follow, you have to make sure you use the right WordPress firewall for your website as well as one from a reliable source.

Let’s discuss the types of firewalls first.

Application Level

This type of WordPress firewall works as a filter for traffic once they’ve touched down on your WordPress site. The visitor, in this case, would have received the requested files from the server, but before everything has a chance to load, the firewall gets to work. It compares the visitors’ data against its rules and determines whether or not they need to be kicked out.

This isn’t a bad option for firewalls as it still enables you to filter the good and bad traffic through your site. However, the WordPress firewall still allows all traffic to get there before it does any sort of assessment.

DNS Level

This type of WordPress firewall routes traffic through a cloud proxy server. Because it works outside of your server, it actually helps improve website performance, too.

Think of the process like this:

  1. Someone attempts to visit your website.
  2. Before they get anywhere, the DNS level firewall stops them.
  3. It’s kind of like a bouncer at a club. It checks the user’s ID and any history they have with being kicked out or blacklisted from the community. Then, it grants or denies entry accordingly.
  4. Depending on how many threats hit your website a day, this could spare your server a lot of time in handling unnecessary HTTPS requests.

So, not only does the DNS level WordPress firewall secure your website at a distance, but it saves your server from undue pressure.

Apache Firewall

Your Apache server could also use firewall protection. To add it, you’ll need the mod_security module (ModSecurity). On a RHEL/CentOS-style system, install it from the package repository and restart Apache so the module is loaded (run as root; the `#` is the shell prompt):

```shell
# install the ModSecurity module for Apache
yum install mod_security

# restart Apache so the new module is loaded
/etc/init.d/httpd restart
```

Doing this decreases the chance that your site will be hit with cross-site scripting, session hijacking, and other attacks that target the server.

What Are the Best WordPress Firewall Tools?

As you can see, there are a number of ways in which you can use a firewall to protect your WordPress site. But in terms of which tools are best for you to use? Well, let’s consider the options:

Best WordPress Firewall Plugins

Let’s focus on the best WordPress firewall plugins, to start. Not only are these made available by some quality security developers, in general, but a plugin sits much closer to your site than online software.

MalCare


MalCare is an all-in-one WordPress security and firewall plugin. If your website is already fully fortified and you’re simply looking for a firewall add-on, check out MalCare’s premium plugin.


MalCare’s algorithms go far beyond signature matching to detect even the most complex of hacks that generally go undetected in other popular security plugins.


In addition to providing instantaneous firewall coverage, you have total control over how it works, making this one of the easier and more effective firewalls available for WordPress.

And then there are the great reviews left online for Malcare! If your website is hacked, they’re definitely one of the go-to solutions.


Joe, our Head Buff, also got the chance to hang out with the Team from Malcare at WordCamp Europe 2018. They’re some of the friendliest people he’s met in the WordPress space and are driven by making malware cleanup frictionless for their customers.


All In One WP Security & Firewall


All In One WP Security & Firewall is a fully loaded WordPress security plugin. In addition to providing rigorous coverage over your site’s security, this WordPress firewall also gives you choices over how much control you want, with settings from Basic to Advanced. Once you’ve configured the custom rules you want to apply to the firewall, it will then load code to your .htaccess file and bump threats off your site before they have a chance to do harm.

WebARX


WebARX is not just a plugin; it’s also a platform that you can use to add a lightweight web application firewall to your website. You can also use it to update plugins and software, view activity, add 2FA and a cookie notice, add reCaptcha, block malware, and more. WebARX can also be used to view all websites within a single dashboard, block bad traffic, and enable uptime monitoring.

BulletProof Security


BulletProof Security is an all-in-one WordPress security plugin with a firewall included.

What makes this one particularly special, however, is its detection of and immediate blocking of on-site threats. So, things like spam and SQL injections are closely monitored in addition to the general filtering work that a firewall does. Also, it watches for known plugin threats (like the timthumb vulnerability), which protects your site from one of the areas that tends to make it weak when not kept in check.

NinjaFirewall


If you’re looking for a WordPress plugin that moves the firewall off of the server and into the cloud, NinjaFirewall is a good choice. This plugin monitors all HTTPS requests in front of your WordPress site, preventing known threats from ever setting foot on it. It also comes with wp-login brute force protection, file monitoring, and real-time traffic alerts.

Shield Security


One more plugin I’d like to recommend is Shield Security. This web application firewall–WordPress-specific, of course–only focuses on filtering traffic at the WordPress level. You won’t get any Apache protection through .htaccess nor will you prevent all threats from coming through at the cloud proxy server level. That said, this firewall plugin still works well in conjunction with its other security features, and also makes configuration of your firewall simple.

Best Firewall Software

As you can see, much of what you get with WordPress firewall plugins is a lot of protection at the application and server level. However, there are other solutions that can sit above your site and give you protection much earlier in the process.

Here are some good WordPress firewall software solutions:

Cloudflare WAF


The Cloudflare WAF has a huge storage of data to pull from (2.9 million HTTP requests are processed every second), which makes this an ultra-powerful firewall solution for WordPress websites. In addition to helping you filter out bad traffic, you can use this tool for brute force protection and spam monitoring. They also provide a service that helps if you’re experiencing a DDoS attack.

SiteLock WAF


Would you like a WordPress firewall that not only stops bad traffic in its tracks, but that also improves your website’s performance? Check out SiteLock’s TrueShield firewall, in that case. It requires just a few minutes of configuration, but then you’ll have premium firewall protection along with 24/7 support in case something should go wrong.

Sucuri WAF


The Sucuri WAF is one other recommendation we’d make for WordPress firewalls. While Sucuri does offer a WordPress security plugin that’s free for download, the cloud-based firewall requires a premium upgrade. But there’s a good reason for that. In addition to getting a firewall, you also get an SSL certificate, antivirus software, malware and DDoS protection, a CDN, virtual patching, brand monitoring, and more.

Oh, and for those of you using the WordPress security plugin iThemes, this is the WordPress firewall they recommend you use on top of their solution.

Another Way to Get a Firewall

There is one more way in which you can procure a firewall for your WordPress website. And this is through a WordPress maintenance company. The WP Buffs security solution, in particular, includes the installation of a firewall.

Do WordPress Firewalls Really Keep Your Site Secure?

Obviously, there’s been lots of talk here about what WordPress firewalls do in terms of securing your website. The benefits are clear:

  • WordPress firewalls are generally easy to set up. Even with custom configuration, it shouldn’t take more than a few minutes. Or you can offload it to your WordPress maintenance provider.
  • With WordPress plugins and third-party providers who are compatible with WordPress, there’s no shortage of options for getting a firewall installed on your server.
  • You can implement firewalls at the key checkpoints you believe need protection–the server, the application, the front door, as well as the backend code.
  • Because security providers monitor heavy amounts of threats, relying on them to power the rules of your firewall ensures that your website is in a good position to protect itself.

That said, a WordPress firewall cannot act as the sole protector of your site. Hackers are very smart and know way too many methods for getting inside of WordPress – and that involves tricking firewalls by masking their identities. This is why zero-day vulnerabilities are such a scary occurrence when they pop up.

There’s also the matter of performance. Some application level firewalls are just too draining. If you want to secure your site and preserve performance, you’ll have to pay to do it in the cloud.

Bottom line: a WordPress firewall is an essential piece of your site’s security. But be careful who you entrust it to and how you support it with other security measures. If you haven’t yet built out a well-rounded security plan for your website, get started with this WordPress security checklist.
