SiteDistrict WordPress Firewall

Keep the bad guys out without bothering the good guys

At SITE DISTRICT, we take WordPress security seriously, and feel it is the responsibility of the hosting provider to protect WordPress sites and stop bad traffic. We don't recommend security plugins or additional proxies like Cloudflare or Sucuri. Why? Because blocking bad traffic is best done at the hosting level, by a host that knows and specializes in WordPress hosting.

Firewall Basics

Before reading this page you probably should ensure you are familiar with what a WordPress Firewall actually is, and what it does.

It's pointless to talk about the features and capabilities of a WordPress firewall, without first understanding some basics about firewalls, and the security risks to websites that these can protect against.

Even if you think you are decently familiar with WordPress security, this section is worth a read and should provide some useful framing and context for the rest of this article.

Features

Some of the key features of the SiteDistrict firewall include:

  • WordPress Specific - Our firewall has a built-in understanding of what both legitimate and malicious traffic to a WordPress site looks like. Rules and algorithms know what type of URLs, cookies, query strings, referers, and other request parameters are likely valid for WordPress, and which are malicious or indicate an attack. Our firewall also knows if requests are sent by valid WordPress users - all without needing to execute any actual WordPress or PHP code. All of this means that when it comes to WordPress, we can block more of the junk from the bad guys, while still letting valid users through.
  • High Performance - The SiteDistrict firewall is written in Lua, a high performance scripting language popular for embedding into other systems. It is embedded into a custom build of Nginx which makes use of OpenResty modules. By using Lua inside Nginx, instead of PHP, we can block hundreds to thousands of requests per second, without affecting site performance. Our firewall has many similarities to the one implemented by Cloudflare, a billion-dollar company, and technological leader in the field of web security.
  • Universal - Because the SiteDistrict firewall is embedded directly into the web server, it automatically protects all sites on SiteDistrict. No need to install and update security plugins across any of your sites.
  • Distributed / Global - Also like Cloudflare, SiteDistrict uses Anycast IP addresses and a global network of proxy servers that sit close to site visitors and handle incoming requests in one of three ways: passing the request through to the origin server where the website is actually hosted; functioning as a content delivery network (CDN) by serving up a cached version of the page or asset; or blocking the request at the edge with the firewall. This reduces bad traffic across our network, and spreads out the job of blocking malicious traffic across multiple servers around the world.
  • All-in-One - The SiteDistrict firewall protects sites against many different types of attacks, rather than just specific types. These include D(D)oS attacks, brute-force attacks, spam comments, spam form submissions, general file probes, PHP file probes, bad bots, software vulnerabilities & exploits, fraudulent orders, and more.
  • Multi-factor - Unlike many WordPress security plugins and simple rule-based firewalls like the 6G/7G firewall, ModSecurity, and others, the SiteDistrict firewall uses a far more powerful combination of rules, reputation based on request history, and automatic challenges to calculate a score for each request, which is then used to make blocking decisions. This allows SiteDistrict to block a much greater number of requests, while also maintaining an exceptionally low level of false positives.
  • Browser Integrity Checks - Another feature that we discovered Cloudflare also thought of is our browser integrity checks, which are enabled across all sites automatically. It has been found that a good amount of malicious traffic "pretends" to be from browsers, by setting the User-Agent HTTP request header to those of common browsers. But by analyzing the requests more carefully, and using statistical data from millions of requests across sites, we can determine which requests really do come from actual humans using browsers, and which are from bots.
  • Human Recognition - In some cases, often when visitors use a VPN or service that is also used by attackers, we will block a request, and issue an automatic challenge to the visitor, which checks to see that they are using a valid browser and interact with the site like a human. This process is nearly transparent to users, and allows us to continue blocking bad traffic of all sorts and from all places, while letting legitimate users continue to access sites after establishing their requests are likely from an actual human.
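
As an added illustration (not SiteDistrict's code), the Python example below shows how rule hits, a browser integrity check, per-IP reputation and a passed challenge can be combined into one score per request, as the Multi-factor, Browser Integrity Checks and Human Recognition items describe. All weights, thresholds, paths and field names are assumptions, and the sample requests are constructed.

```python
# Added example: weights, thresholds and names are assumptions, not SiteDistrict's rules.
from dataclasses import dataclass, field
BLOCK_AT, CHALLENGE_AT = 70, 40
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")

@dataclass
class Request:
    ip: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-case header names
    passed_challenge: bool = False

def rule_score(req):
    """Static rules: paths a WordPress site has no reason to serve."""
    path = req.path.lower()
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        return 60  # PHP file probe
    if path.startswith(("/.env", "/.git/")):
        return 50  # general file probe
    return 0

def integrity_score(req):
    """A User-Agent that claims a browser must come with browser headers."""
    ua = req.headers.get("user-agent", "")
    if not ua:
        return 30
    if "Mozilla/" not in ua:
        return 0  # self-identified bot: judged by rules and reputation only
    return 15 * sum(h not in req.headers for h in BROWSER_HEADERS)

def reputation_score(req, history):
    """Earlier blocks from the same IP raise the score, capped at 40."""
    return min(10 * history.get(req.ip, 0), 40)

def decide(req, history):
    """Return (action, score); a block is recorded in the IP's history."""
    score = rule_score(req) + integrity_score(req) + reputation_score(req, history)
    if req.passed_challenge:
        score -= 40  # a solved challenge offsets a bad-network reputation
    if score >= BLOCK_AT:
        history[req.ip] = history.get(req.ip, 0) + 1
        return "block", score
    return ("challenge" if score >= CHALLENGE_AT else "allow"), score

# Constructed sample requests (documentation-range IP addresses).
FULL = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64)", "accept": "text/html",
        "accept-language": "en-US", "accept-encoding": "gzip"}
VISITOR = Request("198.51.100.7", "/blog/", FULL)
PROBE = Request("203.0.113.9", "/wp-content/uploads/x.php", {"user-agent": "Mozilla/5.0"})
VPN_USER = Request("192.0.2.50", "/shop/", FULL)
```

With a history of four earlier blocks on its IP, VPN_USER is challenged rather than blocked; the same request with passed_challenge set is allowed.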

Analytics

The SiteDistrict dashboard includes a number of features that let you review requests and traffic that have been blocked by the firewall.

Access Logs

Individual requests can be viewed from inside the Access Logs feature, under the Blocked page.

Analytics

Requests are aggregated and displayed as both pie / donut charts and timeseries charts, to help you understand the traffic being blocked, by grouping the requests using useful attributes such as the source network, URL, User-Agent, IP address, country, and more.

Reports

Similar to the Analytics feature, the Reports feature includes a Blocked page which lets you create dynamic reports within the SiteDistrict portal, displaying counts for different groupings that you can toggle on & off, including request attributes such as ASN (source network), IP Address, HTTP request Method (GET, POST, etc.), URL, firewall block reason, HTTP Referer, Browser type and version, and complete User-Agent string.

False Positives

Complete false positives from the SiteDistrict firewall - where a visitor is blocked despite our systems for identifying actual humans, or a legitimate bot or third-party service is blocked - are quite rare.

Still, they do happen from time to time. The most common reasons for false positives from the SiteDistrict firewall include:

Humans

  • VPN usage -
  • Old Browsers

Bots / Services

  • Non-Identification
  • Improper WordPress AJAX usage
  • Bad Network / Service Provider

Human Challenge

In those rare cases when a human visitor is blocked (see False Positives above), the SiteDistrict firewall provides a way for the visitor to prove they are human, which in most cases - at least when the person isn't actually trying to cause mischief - will allow them past the firewall, granting access to the protected website.

This challenge is a page that is returned by the firewall, that runs in modern browsers that have JavaScript enabled.

The first thing that a user will see in this case is a blank white page with a simple spinner:

If the user interacts quickly with the page, that is all they will see. However, if they fail to interact with the page within about a second, an additional message will be displayed above the spinner:

If they still haven't interacted with the page after 4 seconds, an additional message will be displayed below the spinner as well:

Once the user has interacted with the page, the messages are hidden and only the spinner is shown until the challenge is verified by the server.

This system was carefully designed & finalized after significant real-world testing, to provide the best experience for users who might not be expecting to see any of this in the first place.

Access Denied

If the user has disabled JavaScript, or the request is blocked for some reason, despite passing the challenge, a bot or visitor to the site will be presented with an Access Denied page that looks something like this:

We sometimes refer to this screen as the "Yellow Screen of Death". The goal is that legitimate users will never see it, but there remain very occasional instances where someone will encounter this page. Bots and third-party services that attempt to access sites on SiteDistrict and are blocked may also encounter this screen.

Testimonials

Those who managed WordPress sites and have dealt with security issues at other hosts and have moved to SiteDistrict are often amazed and enamored with the level of security that we provide for WordPress sites hosted on our platform.

Noteworthy Stats

 

Ready to stop attacks, spam, and keep your WordPress site safe?

 

Copyright © 2016 - 2023 SiteDistrict, All Rights Reserved