If your website is a critical part of your business, keeping it secure should be one of your highest priorities. A hack which takes your site out of action could seriously damage revenue, and a data breach could come with serious repercussions.
There are a broad range of things that can be done to harden a website against security threats, and as many as possible should be layered to maximise protection.
A good hosting partner will have a robust hosting infrastructure that will dramatically reduce risk, along with other features and solutions. One such solution, should be a good quality WAF (Website Application Firewall).
Firewalls are designed to protect your website from the likes of DDoS attacks, malware, intrusions, and brute force attacks.
So let’s take a look at what a WAF is, what it should do, the types that exist, and then some specific WAFs available for WordPress websites.
A quality WAF acts as a gatekeeper for your website, inspecting and filtering all traffic before it ever reaches your website. Some though, as we will look at shortly, do this at the application level, which is less ideal.
A WAF sends potentially malicious traffic away, whilst letting good traffic (your users) in. They do this in a similar way to the antivirus software you are using on your computer. Using a (constantly updated) list of signatures known to be malicious, and when a request matches one of those signatures, they block it from reaching your site.
Certain WAFs can also help to improve the performance of your site. They reduce server load by filtering out malicious requests, before they reach your website server. This means fewer requests, and greater availability.
Not all firewalls are created equally, and some are less efficient. So let’s take a look at the two main types you’ll find available for WordPress websites, and what differences between them are.
As the name makes obvious, these are firewalls installed on your site via a WordPress plugin. This means they operate at the application level. They are usually cheap or free, so are popular with personal websites and small businesses.
These plugin firewalls check requests that are sent to your site once they arrive. WordPress initialises, as does the firewall, which then screens the requests (filtering out the malicious ones) before WordPress processes them.
As these run on your site, there is the risk that should there be a vulnerability before the firewall initialises, attackers could gain access to your website.
A DNS Level Website Firewall, isn’t installed on the same network as your website server. Instead, these firewalls route and screen traffic via cloud proxy servers, so it has been filtered before it gets anywhere near your website.
This means that you have a whole extra layer of security, so that harmful traffic will be identified and removed, before it can reach your site, and long before any scripts run.
As they operate outside of your website, it also means that they don’t put any additional strain on your website.
These firewalls often come as part of a security platform, with numerous features to protect your site, and improve performance.
Here’s a selection of WAFs (often included as part of broader security or performance solutions) that are available for WordPress websites. We’ve included three DNS level and three application level options for you to start looking at, but there are many more out there for you to investigate, including: Shield, Astra & AWS among others.
This is our favourite, tried and tested WAF. We use it for our own clients, and we include Sucuri’s full cloud based security platform as part of most of our Support plans.
Sucuri is the leading website security choice for WordPress, with a DNS level firewall, brute force prevention, malware and blacklist removal services, virtual patching and hardening, and a great deal more. It also plays well with other CDNs, for your website performance improvements.
Cloudflare, mostly known for their CDN, also offer a DNS level firewall as part of their paid plans. Some more advanced protection levels for DDoS attacks only become available with their more expensive plans.
Whilst their CDN and caching features are quality, their plans do lack some of the more standard security features you get with other security solutions which incorporate a WAF – such as monitoring for file changes, scans, malware protection, etc.
StackPath’s WAF is a DNS level firewall, and they offer a good range of plans which are more accessible for smaller businesses price-wise, when compared to Cloudflare.
Stackpath has a good selection of features, and requires little configuration.
Wordfence is a popular choice of application level WordPress security plugin, including WAF.
It’s features include on-demand and scheduled security scans, and you can monitor traffic and block suspicious IPs manually, from the WordPress admin area.
Another popular WordPress plugin, Jetpack has an application level firewall, along with other features depending on whether you have the free version or one of the paid versions. These include things like downtime monitoring, brute force protection, backup management, and at a higher tier, malware scanning and so on.
Another Application Level option, Ninja makes use of Sensei, a great filter engine.
They have a free version, and then their paid version WP+, which comes with way more features. Both support multisite, and include brute force protection, event notifications, and regular file scans, whilst the paid version includes extras like dedicated support, geolocation, rate-limiting, and antispam for comments and registration forms.
So now you know what a WAF is, and the main types out there for WordPress websites. You also have a list of some of the available options to start you on your path.
Do your research, and remember that even DNS level firewalls aren’t completely infallible, and so a broader security solution, and layers of protection are important to consider for your website.
If you’re considering a WordPress/WooCommerce Support & Maintenance Agency, make sure you take a look at our range of plans and download our Support brochure.
We take great pride in keeping our clients’ websites secure. Our robust hosting infrastructure, WordPress expertise, technical knowledge, partnered with Sucuri’s leading website security platform (inclusive with most of our support plans), gives you peace of mind.
Password management company NordPass have recently released their list of the most common passwords of 2020, and it’s not comforting reading!
Hackers understand security and if your site is unprotected, they will see this as an opportunity, the same way a thief will open your car door, if it’s left unlocked.
Google will be soon punishing website owners without SSL certificates or a HTTPS connection; here’s what you need to know to avoid having your website publicly shamed.
Forget what you know about WordPress, we make it even easier. Want to know how?
