You know that it’s better to proactively secure your WordPress site than to wait to clean up after an attack. A security breach is a serious and costly matter and one that you don’t want to get involved with if you don’t have to.
This is why you develop a well-rounded security plan that takes into account all the different points of entry a hacker could attack your site from. A lot of the time, though, we take these automated security strategies and tools for granted without ever really understanding the underlying technology that keeps our websites safe.
So, today, we want to dig into the WordPress firewall. More specifically, what a firewall is, in general, and why every website needs one. Since they didn’t originate with WordPress, there’s a bit more to understand about this security technology and how we can maximize it for our own purposes.
What Does a WordPress Firewall Do?
In the physical world, a firewall is one that’s built for the purposes of containing fires and preventing the spread of them through buildings. Because they’re designed based on an understanding of thermal limitations and other performance factors, the firewall is often successful in its mission.
This is really no different from how a firewall in computing works.
A firewall is much like other kinds of security software we use. It’s a layer of protection that sits between us and them. The way a firewall works, however, is slightly different from something like an SSL certificate which encrypts the exchange of data, hiding it from prying eyes.
A firewall instead works as a sort of rules-based filter. It looks at the person trying to access the site, assesses their “character” based on what it knows about security threats, and then grants or denies access.
Free Security eBook
[4 Pages] The 21-Step Checklist to
Ensure a 99.9% Secure WordPress Website
Firewalls didn’t start here originally, however. There have been three generations of firewalls available for the web:
1st Generation: Packet Filters
This first generation of firewalls was created for the purpose of filtering packets transmitted between computers (so, something like file transfer would fall under this). Unlike modern-day firewalls, these packet filters weren’t really created to abide by rules. It was more about simply allowing traffic in or out of an application. It didn’t discern whether or not it was good or bad traffic, just whether or not access was to be granted or denied.
2nd Generation: Stateful Filters
The second generation of firewalls was developed by AT&T Bell Laboratories. These stateful filters were also known as circuit-level gateways. They were the next step up from packet filters. Essentially, they still worked as a checkpoint, granting or denying access to the desired application destination. That said, administrators were able to program rules into the firewall that helped it determine the threat level of the entity trying to gain access.
3rd Generation: Application Layer Filters
The final generation of the firewall is the one we still use today. 🔒 Application layer filter firewalls are much smarter and more versatile. For instance, they now work with FTP, DNS, and HTTP(S), which means greater protection on many more levels for your website. #WordPress Click To Tweet And more specific rules can be programmed in to kick out harmful entities based on behavior as well as history on the web.
How Does a Firewall Work?
Web application firewalls (WAF), like the ones we get from WordPress security plugins, are a form of application layer filters. Their sole focus is on protecting the server and WordPress installation. They do this by acting as a sort of proxy server.
When an HTTPS request is received typically, your server packages the necessary files and then delivers them to visitors’ browsers. However, what you want a firewall to do is to stop that request from ever reaching your server if the requestor poses a threat.
So, the firewall needs to sit in front of the server in order to review all traffic against its data and rules it has for filtering traffic. Once you’ve configured your DNS records to direct all HTTPS requests through the WAF, this will happen every single time.
Blacklisted users (i.e. known hackers and bots) are immediately denied entrance. As new threats are detected by the firewall administrator, they’re added to the list so that it can respond more effectively to malware infections, SQL injections, and DDoS threats.
A WordPress firewall doesn’t just review traffic that visits websites either. It can be configured to review traffic that visits your admin login page, too. By programming rules that dictate what a reasonable amount of time spent or login attempts made are for the page, your firewall can help your site stay clear of brute force attacks, too.
Some firewalls will also monitor what’s happening on your website. The second activity is detected that fits the criteria of a threat, those users will be bounced out of the site. Really, there’s a lot that you can accomplish with a single firewall.
That said, because a WordPress firewall only works as well as the rules it's programmed to follow, you have to make sure you use the right WordPress firewall for your website as well as one from a reliable source.
Let’s discuss the types of firewalls first.
This type of WordPress firewall works as a filter for traffic once they’ve touched down on your WordPress site. The visitor, in this case, would have received the requested files from the server, but before everything has a chance to load, the firewall gets to work. It compares the visitors’ data against its rules and determines whether or not they need to be kicked out.
This isn’t a bad option for firewalls as it still enables you to filter the good and bad traffic through your site. However, the WordPress firewall still allows all traffic to get there before it does any sort of assessment.
This type of WordPress firewall routes traffic through a cloud proxy server. Because it works outside of your server, it actually helps improve website performance, too.
Think of the process like this:
- Someone attempts to visit your website.
- Before they get anywhere, the DNS level firewall stops them.
- It’s kind of like a bouncer at a club. It checks the user’s ID and any history they have with being kicked out or blacklisted from the community. Then, it grants or denies entry accordingly.
- Depending on how many threats hit your website a day, this could spare your server a lot of time in handling unnecessary HTTPS requests.
So, not only does the DNS level WordPress firewall secure your website at a distance, but it saves your server from undue pressure.
<code># yum install mod_security
# /etc/init.d/httpd restart</code>
In so doing, this will decrease the chance your site will be hit with cross-site scripting, session hijackings, and other attacks that target the server.
What Are the Best WordPress Firewall Tools?
As you can see, there are a number of ways in which you can use a firewall to protect your WordPress site. But in terms of which tools are best for you to use? Well, let’s consider the options:
Best WordPress Firewall Plugins
Let’s focus on the best WordPress firewall plugins, to start. Not only are these made available by some quality security developers, in general, but a plugin sits much closer to your site than online software.
All In One WP Security & Firewall
All In One WP Security & Firewall is a fully loaded WordPress security plugin. In addition to providing rigorous coverage over your site’s security, this WordPress firewall also gives you choices over how much control you want, with settings from Basic to Advanced. Once you’ve configured the custom rules you want to apply to the firewall, it will then load code to your .htaccess file and bump threats off your site before they have a chance to do harm.
BulletProof Security is an all-in-one WordPress security plugin with a firewall included.
What makes this one particularly special, however, is its detection of and immediate blocking of on-site threats. So, things like spam and SQL injections are closely monitored in addition to the general filtering work that a firewall does. Also, it watches for known plugin threats (like the timthumb vulnerability), which protects your site from one of the areas that tends to make it weak when not kept in check.
If you’re looking for a WordPress plugin that moves the firewall off of the server and into the cloud, NinjaFirewall is a good choice. This plugin monitors all HTTPS requests in front of your WordPress site, preventing known threats from ever stepping foot on it. It also comes with wp-login brute force protection, file monitoring, and real-time traffic alerts.
One more plugin I’d like to recommend is Shield Security. This web application firewall--WordPress-specific, of course--only focuses on filtering traffic at the WordPress level. You won’t get any Apache protection through .htaccess nor will you prevent all threats from coming through at the cloud proxy server level. That said, this firewall plugin still works well in conjunction with its other security features, and also makes configuration of your firewall simple.
Best Firewall Software
As you can see, much of what you get with WordPress firewall plugins is a lot of protection at the application and server level. However, there are other solutions that can sit above your site and give you protection much earlier in the process.
Here are some good WordPress firewall software solutions:
The Cloudflare WAF has a huge storage of data to pull from (2.9 million HTTP requests are processed every second), which makes this an ultra-powerful firewall solution for WordPress websites. In addition to helping you filter out bad traffic, you can use this tool for brute force protection and spam monitoring. They also provide a service that helps if you’re experiencing a DDoS attack.
Would you like a WordPress firewall that not only stops bad traffic in its tracks, but that also improves your website’s performance? Check out SiteLock’s TrueShield firewall, in that case. It requires just a few minutes of configuration, but then you’ll have premium firewall protection along with 24/7 support in case something should go wrong.
The Sucuri WAF is one other recommendation we’d make for WordPress firewalls. While Sucuri does offer a WordPress security plugin that’s free for download, the cloud-based firewall requires a premium upgrade. But there’s a good reason for that. In addition to getting a firewall, you also get an SSL certificate, antivirus software, malware and DDoS protection, a CDN, virtual patching, brand monitoring, and more.
Oh, and for those of you using the WordPress security plugin iThemes, this is the WordPress firewall they recommend you use on top of their solution.
Another Way to Get a Firewall
There is one more way in which you can procure a firewall for your WordPress website. And this is through a WordPress maintenance company. The WP Buffs security solution, in particular, includes the installation of a firewall.
Free Security eBook
[4 Pages] The 21-Step Checklist to
Ensure a 99.9% Secure WordPress Website
Do WordPress Firewalls Really Keep Your Site Secure?
Obviously, there’s been lots of talk here about what WordPress firewalls do in terms of securing your website. The benefits are clear:
- WordPress firewalls are generally easy to set up. Even with custom configuration, it shouldn’t take more than a few minutes. Or you can offload it to your WordPress maintenance provider.
- With WordPress plugins and third-party providers who are compatible with WordPress, there’s no shortage of options for getting a firewall installed on your server.
- You can implement firewalls at the key checkpoints you believe need protection--the server, the application, the front door, as well as the backend code.
- Because security providers monitor heavy amounts of threats, relying on them to power the rules of your firewall ensures that your website is in a good position to protect itself.
That said, a WordPress firewall cannot act as the sole protector of your site. Hackers are very smart and know way too many methods for getting inside of WordPress - and that involves tricking firewalls by masking their identities. This is why zero-day vulnerabilities are such a scary occurrence when they pop up.
There’s also the matter of performance. Some application level firewalls are just too draining. If you want to secure your site and preserve performance, you’ll have to pay to do it in the cloud.
Bottom line: a WordPress firewall is an essential piece of your site’s security. But be careful who you entrust it to and how you support it with other security measures. If you haven’t yet built out a well-rounded security plan for your website, get started with this WordPress security checklist.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.