A WordPress firewall is your first line of defense against cyber attacks. Every website, regardless of size or complexity, needs a firewall. Many web hosts will say they provide their own firewalls, but in our experience, these firewalls are set up to protect the hosting infrastructure first. The individual websites hosted on that server are a secondary concern, and most web hosts will not take on any liability for them. This is why it’s very important to work with a web developer who understands the critical role of firewalls in overall cybersecurity.
There are many different firewalls on the market today, but not all firewalls are made equal. First of all, there are three broad categories of firewall that you might come across.
- Web application firewalls (many of these are available as WordPress plugins)
- CDN or DNS-based firewalls
- Physical hardware firewalls
At WordZite we rely on both a web application firewall and a CDN firewall from Cloudflare. Web application firewalls are great at catching traffic and seeing all the activity that is happening on your site, but since they sit on the same server as your website, they do put an extra strain on your server resources. CDN firewalls can stop a lot of bad traffic before it even makes it to your website, which protects your resources. However, these firewalls can be bypassed relatively easily if the IP address of the web server behind the CDN is known.
Using both of these in tandem allows us to capitalize on the advantages of each firewall while mitigating their individual weaknesses.
We don’t deal with hardware-based firewalls, as these are the domain of in-house IT departments, and are only really used by companies that own their web servers with dedicated IP addresses and internet connections.
What are the Qualities of a Good WordPress Firewall?
In our years of experience working with websites and their firewalls, we’ve seen the good, the bad, and the ugly. Here are a few features that our favourite firewalls have in common.
Decent Out-of-the-Box Settings
We like to see a firewall that comes pre-configured with settings to block obvious threat actors. A firewall installed as-is without any customization is never going to be adequate. Don’t think that we’re suggesting a set-it-and-forget-it approach to WordPress firewalls. But if it’s serviceable immediately after install, that usually means it’s configured for the most common or critical issues a website is likely to encounter.
Brute Force Attack Prevention
We also like having specific options for preventing brute force attacks. These types of attacks are very common, and they capitalize on organizations that use weak or widely known usernames (like “admin”) together with guessable passwords. Threat actors can program a bot with a list of common passwords, or dictionary words and common variations (like adding an exclamation mark to the end or replacing certain letters with numbers), to hammer a login page over and over again until they hit the right combination.
We always recommend having unique usernames for each user (not three people logging into the same admin account) and making sure the passwords are randomly generated alphanumeric codes, with at least 12 characters. Having a firewall with some brute force prevention settings is the next layer in your defense. If someone tries to log in as a given user and fails 5 times, they’re blocked.
Login Protection Features
On a related note, we appreciate a WordPress firewall that has customization options to protect user logins. The ability to set up 2-factor authentication and automatic kicks for idle users can make all the difference in securing your website against mistakes by well-meaning humans who have different levels of access. We also like firewalls that force users (especially admins) to use strong passwords. This prevents the cardinal sin of logins: username “admin,” password “12345”.
Database of Known Vulnerabilities and Exploits
A WordPress firewall that can access a list of known security issues will allow us to set specific rules to block attacks on vulnerable plugins and third-party apps. This database should keep growing over time as more vulnerabilities and exploits are discovered.
A really good firewall will offer a base level of protection right out of the box. But if we want to be able to do our job really well, we need to be able to customize that firewall further. Some specific features that we look for in a firewall include:
- Settings to prevent DDoS attacks. Firewalls located on a CDN are ideal — since they don’t have to process all web traffic, this type of firewall gives us the option to shut everything out in case of emergency or to force all users to verify that they are humans and not bots or scripts. Cloudflare’s firewall, for example, has an “under attack” option — if we get alerted to a possible brute force or DDoS attack, we can simply flick a switch on the back end to lock down the website and start verifying every single user via a manual test.
- The ability to manually block certain IP addresses. Cybersecurity experts know that certain IP addresses are just bad news. A good firewall will allow us to preemptively block traffic from specific IP addresses or even entire countries. In some special cases, we’ve started by blocking everyone, then specifically allowing traffic only from the regions where a client does business (this isn’t a strategy we necessarily recommend, but it’s nice to have the option).
- Custom firewall rules. This is where firewall junkies like us get our hands dirty. The best WordPress firewall products have custom rules that allow us to set conditions for the firewall to check for and then set responses to those conditions. In layman’s terms, this might read something like “If the firewall sees a user trying to directly access a .bak or .backup file, block them.” Unfortunately, many web hosts store their website backups in the web root or a sub-folder of it, where anyone who guesses the file name can request them. Old versions of the site are potentially full of vulnerabilities and should never be stored in the same location as the live site. We tend to automatically block users trying to poke around in old website backups.
We also like to see WordPress firewalls with some sort of rate-limiting feature. This means we can set automated rules against users trying to load more than a specified number of pages per minute. Rate limiting helps a bit with DDoS attacks, but it’s more effective against bots and scripts that hit a site with a laundry list of potential exploits in one fell swoop. With rate limiting, if we see a long list of queries and strings in the logs all coming from one IP address, that IP gets blocked. It’s not a perfect solution (threat actors can still change their IP addresses), but it’s fairly effective against automated scripts.
Security Scans and Reports
Ideally, a firewall will perform regular security scans and provide us with a human-readable report. This allows us to be proactive and take steps to secure any problem areas, before breaches happen. This is especially useful when there have been major announcements in the world of cybersecurity about various software programs and applications that might be vulnerable. A scan connected to the existing database of vulnerabilities helps alert technicians so they don’t have to try to keep abreast of the thousands of exploits and vulnerabilities at play at any given time.
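The scan-plus-database combination described here and in the earlier section on a database of known vulnerabilities comes down to one operation: comparing each installed plugin's version with the version ranges a database says are affected. The routine below is an added example, not code from the original post or from any firewall product. Every entry in VULN_DB, the plugin slugs and the INSTALLED list are constructed placeholders rather than real advisories or real plugins; a real scanner would pull its database from the vendor and read the installed versions from the site.

```python
"""Check installed plugins against a vulnerability list, the kind of scan the article
describes.  Added example: VULN_DB entries and the INSTALLED list are constructed
placeholders, not real advisories or real plugins."""
import re

# One record per known issue.  Versions from `introduced` up to but not including
# `fixed` are affected; fixed=None means no patched release exists yet.
VULN_DB = [
    {"id": "EXAMPLE-0001", "plugin": "example-forms", "introduced": "0",
     "fixed": "3.4.1", "note": "constructed entry"},
    {"id": "EXAMPLE-0002", "plugin": "example-gallery", "introduced": "2.0",
     "fixed": "2.3.0", "note": "constructed entry"},
    {"id": "EXAMPLE-0003", "plugin": "example-slider", "introduced": "0",
     "fixed": None, "note": "constructed entry, no fix released"},
]


def version_key(v):
    """Turn '3.4.1' / '2.0' / '1.2.3-beta' into a comparable tuple.
    Padded with zeros so that 2.0 == 2.0.0; pre-release suffixes are ignored."""
    parts = [int(x) for x in re.findall(r"\d+", v)] or [0]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(installed, entry):
    """True when `installed` falls inside the entry's affected range."""
    v = version_key(installed)
    if v < version_key(entry["introduced"]):
        return False
    return entry["fixed"] is None or v < version_key(entry["fixed"])


def scan(installed_plugins, db=VULN_DB):
    """installed_plugins: {slug: version}.  Returns one finding per matching issue,
    with the action a technician should take."""
    findings = []
    for entry in db:
        version = installed_plugins.get(entry["plugin"])
        if version is None or not is_affected(version, entry):
            continue
        action = (f"update to {entry['fixed']}" if entry["fixed"]
                  else "no fix available: disable the plugin or block its endpoints")
        findings.append({"plugin": entry["plugin"], "installed": version,
                         "id": entry["id"], "action": action})
    return findings


# Constructed list of what the site has installed.
INSTALLED = {"example-forms": "3.4.0", "example-gallery": "1.9.5",
             "example-slider": "5.1", "example-seo": "7.0.2"}

if __name__ == "__main__":
    for f in scan(INSTALLED):
        print(f"{f['plugin']} {f['installed']}: {f['id']} -> {f['action']}")
```

Two details matter in practice. The comparison is numeric per component, so “2.0” and “2.0.0” are the same release and “3.10” sorts after “3.9” (a plain string comparison would get both wrong). And an entry with no fixed release still produces a finding, because “update the plugin” is not an available action there; the report has to say so, which is the case where a custom firewall rule blocking the plugin's endpoints earns its keep.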
Alerts and Notifications
A good firewall will have some sort of alert or notification system, so if an issue arises or there’s suspicious activity, it can let us know and we can make a judgement call or take immediate action. The best products will send alerts as texts, emails, Slack channel posts, or tickets for technicians to investigate.
Logs and Analytics
This is a feature that’s often overlooked, but many WordPress firewalls do keep fairly robust activity and change logs. We always appreciate this — having in-depth logs allows us to see what’s going on with a website, and similar to alerts, allows us to respond appropriately to any unusual or suspicious activity.
Ensuring that the original developers are present and haven’t abandoned the product is crucial. We may need someone on the firewall side for technical support. And we definitely want to know that the product is being updated and improved. The level of support we get from the original developers in terms of the quality of the resolutions and response time is also a factor to consider.
Growing Userbase and Community
Along with the developers continuing to support the product, we also look for WordPress firewalls that have an active community of users. A large user base means the product is widely adopted and unlikely to get deprecated or abandoned anytime soon. It’s also easier to find troubleshooting information and even support other community members who may be stuck – it’s good to have friends in the fight against cyberthreats.
Top-tier firewall providers like Cloudflare are actively innovating. Beyond just a database of known exploits and vulnerabilities, a good firewall provider will also be regularly adding new features and integrations to enhance their offering, while also increasing the security and usability of their product. Cybersecurity is an arms race, after all. Hackers are constantly becoming more and more sophisticated. So the products that secure WordPress websites need to at least keep pace – or better yet, stay ahead.
A firewall isn’t the only requirement for a secure website — there are other peripherals like backups, speed optimization, malware scans, change monitoring, and much more. These are all necessary for keeping a website safe and running efficiently. While some firewalls offer these in a limited fashion, we prefer to use specialized, best-in-class services for each slice of our WordPress security stack. In short, we don’t rely on a single service for everything, as nothing is infallible — redundancy is important.
If you don’t have a firewall on your website, look for one with the above features and install it as soon as possible. A WordPress firewall in any case is better than no firewall at all. But don’t stop there. If you’re not a web expert, or you don’t have one on your team, reach out to us. We’re happy to help secure your website against online threats.