WordPress Firewalls
Understand what they are and how they protect sites
A WordPress firewall is a piece of software that sits in front of a WordPress site, and protects sites by analyzing the requests to the site, deciding whether they are malicious or unwanted, and then blocking those requests, so they never reach the actual WordPress site.
Firewall and WordPress Security Overview
To best understand what a WordPress firewall is, we will first explain what a firewall is, then a web application firewall, and finally, a WordPress firewall.
Then, we'll talk about why WordPress sites need a firewall and the security risks that they can protect against.
Finally, we'll talk about different types of firewalls, and bad practices regarding firewalls and WordPress security.
What is a firewall / WAF / WordPress firewall?
A firewall is a piece of software or hardware that is responsible for filtering (blocking) network traffic. Everything on the internet needs to be connected together to be useful, and it is firewalls that are responsible for making sure dangerous or malicious traffic does not make it past certain boundaries - usually sitting in front of valuable and important assets, such as computers, other network equipment, and of course - websites.
A Web Application Firewall (WAF) is a specific type of firewall that protects websites or web applications. In contrast to lower-level firewalls that might analyze sites & traffic primarily based on their source, a website firewall knows how to look more closely into the type of traffic that websites receive, also known as HTTP traffic or requests. These come either from humans using browsers, or from "bots", crawlers, and other third-party tools, scripts, & services.
A WordPress firewall is an even more specialized type of web application firewall (WAF) that is designed & built specifically to protect WordPress sites. It understands what kind of traffic WordPress sites typically receive, both in terms of valid traffic, as well as malicious traffic.
Why do WordPress sites need a firewall?
WordPress is one of the most popular pieces of software for building websites. It's estimated that there are more than 800 million websites worldwide running WordPress.
It is also easily customized, via themes, plugins, and other custom code. Any type of software can have vulnerabilities, which are bugs in the software that can allow an attacker to exploit a website in ways that are often damaging to the website owner and visitors. The greater the number of different pieces of software that can be installed across websites, the more likely there will be websites that are vulnerable to attack and not properly protected.
Protecting WordPress against attacks is hard. WordPress doesn't come with a firewall. Many plugins & services attempt to add firewall protection to WordPress. While the better ones can make a huge difference, even the best of these have their downsides. They can also fail to protect sites against hosting-level security holes.
It is this combination of popularity, potential for vulnerabilities, and lack of protection that makes WordPress a huge target for hackers. New WordPress sites will often start receiving traffic trying to hack the site within hours or a day of a site and domain going online.
WordPress Request Security
Website and WordPress security is a broad subject, and covers topics such as visitor and bot (HTTP) traffic, site isolation on the server, hosting-account level security, securing SSH and SFTP, and human-behavior risks such as social engineering.
In this article, we are concerning ourselves only with the first of those: visitor and bot (HTTP) traffic.
Security Risks for WordPress Sites
There are a number of risks in having an unprotected or under-protected WordPress site, when it comes to HTTP traffic. They include:
- Slowness / Performance issues: Many people are not aware that for most sites - and especially WordPress hosts with poorer performance or a lack of a firewall - the biggest risk of having bad traffic hit your site is not that your site will get hacked, but that the requests will overload it and slow it down. Actual exploitable vulnerabilities and weak passwords are rather rare on sites. Bots may send hundreds or thousands of requests at a site trying to find or exploit a vulnerability, or in some cases, just request different pages over and over, such that the site and hosting slow to a crawl, and in some cases, the site becomes completely unavailable to legitimate users.
- Security breach: While less common in reality, the implications of an actual security breach or exploit are often worse. This is the kind of issue that many people have heard about most and are scared of. This is when an attacker gains a level of access to your WordPress site that is greater than they should have - in some cases granting complete control over the website. It's also the kind of risk that causes fear that certain WordPress security vendors prey upon to market and sell their products.
- Spam content: Different than a "security breach", in that the attacker doesn't actually gain a higher level of access than regular users. Instead, they submit unsolicited SEO and marketing content, phishing attempts, get-rich-quick spam, links to malware, pornography, pharmaceuticals, online gambling, and more. This could come in the form of comments on a blog post, form submissions, forum posts, and more.
- Fraudulent Orders: On e-Commerce sites, attackers will sometimes attempt to place fraudulent orders, often using stolen credit cards. This type of fraud is often best prevented by the payment processor, who ideally should have far more experience, data, and tools for preventing fraudulent orders than WordPress hosts. Unfortunately, not all payment processors are equal when it comes to fraud protection, and it's often preferred to prevent fraudsters from even getting onto your site, or at least from attempting to submit fraudulent orders. This is another area where a WordPress firewall can help, or prevent the problem entirely.
- Excessive bandwidth: Typically not a significant risk for most sites, excessive or specific requests to websites can generate excessive amounts of bandwidth (data transfer). Many hosts (including SiteDistrict) are limited in their bandwidth, and thus also limit the bandwidth for customers. In some cases, unblocked malicious traffic can cause overages on your monthly hosting bill.
Security Breaches
The risk that we named "Security Breach" in the last section deserves some additional elaboration.
As stated, these types of security breaches result in an attacker gaining a higher level of access to a website than they should have.
Some ways that an attacker can accomplish a security breach are:
- Software Vulnerability Exploit: By far the most common method for compromising a WordPress site is when an attacker can send a request to a site that allows them to exploit a vulnerability present either in WordPress core, a theme, or a plugin. Vulnerabilities are special types of "bugs" in the software that let an attacker craft a request that will cause the software to do something unintended by the author.
- Login compromised: Another way that an attacker can gain access to a site is by gaining access to a user account on the WordPress site that allows them a greater level of access than intended. One way this could happen is if an attacker is able to guess a username + password combination, usually because the password is too simple. Another case is when the login is compromised or captured in some way, either because a user accidentally installs password stealing malware onto their device, their email is hacked or compromised, or they send their password over the network in plaintext, because a site does not use https. Finally, attackers might try to guess common usernames & passwords by submitting hundreds or thousands of requests to unprotected or under-protected sites, in what is known as a brute-force attack.
Security Breaches
A security breach of a website can result in a number of different unwanted consequences. These include:
- Information compromise: This is when an attacker gains access to information which they should not be able to access. This could include WordPress user and subscriber emails, WordPress user hashed passwords, restricted content, customer order information and addresses (for e-Commerce sites), and more.
- Content Alteration: This is when an attacker changes the website in some way. This could include malicious links to other sites, defacing the website by adding a "Hacked by ..." message, adding hundreds or thousands of pages selling pharmaceuticals, knock-off luxury brands, and more.
- Content Deletion: An attacker might also delete content from your website, including, but not limited to: pages, posts, products, orders, users, comments, plugins, or your theme.
- Malware distribution: While less common on compromised WordPress sites, attackers will sometimes upload malware directly onto the WordPress site, and attempt to distribute it directly to victims that visit the site, or that are directed to the compromised site in another way.
- Resource Stealing: While also not as common, an attacker could embed a cryptocurrency miner into your website, which could cause excessive CPU usage, and possibly slow your site to a crawl. If they embed the cryptocurrency miner into a web page and execute it via JavaScript on pages visited by browsers, they can also slow down the computers of your visitors.
- Redirects: A fairly common issue with hacked sites is when an attacker causes requests to the site to be redirected to a different domain and URL, which might contain malware, pornography, products for sale, and more. Sometimes these redirects are hidden if you are logged in to WordPress, or visit pages on the site directly, and only active if you come from Google or an external referer, which makes them harder to detect as the site owner.
- Performance Degradation: Sometimes an attacker will embed PHP code into a site in order to accomplish one of the above, and as a result, the site performance becomes much worse than normal.
WordPress Firewall Basics
Allow, or Block?
Simply put, a WordPress firewall protects sites by examining HTTP requests, before they are passed on to WordPress, and makes a split second decision on whether to allow the request through, or to block the request.
There is no in between - this is a "Yes" or "No" decision, and it must be made very quickly.
Blocking Decisions
What factors are involved in the decision to block a specific HTTP request? Given that each HTTP request itself is state-less, the firewall is limited to three things:
- Origin: Where the request came from, which for website traffic over the internet, means the IP address. IP addresses can be mapped to blocks of IP addresses called CIDR blocks, and from there, to Autonomous Systems (AS). In addition, DNS can also be used to resolve an IP address to a hostname, via reverse DNS lookups (rDNS) or PTR records.
- Request Data: This includes everything that makes up the request, including the HTTP method (GET, POST, etc.), the URL path and query arguments, the HTTP version, and the HTTP request headers. Common and often interesting request headers include the User-Agent and Referer headers.
- Reputation: Historical data and statistics derived from this data, regarding the properties listed above. More advanced & dynamic firewalls do not rely strictly on hard-coded rules regarding the request origin and data, but also use reputation to make more reliable blocking decisions. This reputation can come from either data collected by the hosting provider or firewall vendor itself, or from third-party services or data files.
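The three inputs above combined into one allow/block decision, as an added example that is not SiteDistrict's or any other vendor's firewall code. The scores, the threshold, the reputation table (RFC 5737 documentation ranges) and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed reputation table: network -> score from 0 (clean) to 100 (known bad).
# The networks are RFC 5737 documentation ranges, not real observations.
NETWORK_REPUTATION = {
    ipaddress.ip_network("203.0.113.0/24"): 80,
    ipaddress.ip_network("203.0.113.128/25"): 10,  # a cleaner sub-block of the /24 above
    ipaddress.ip_network("198.51.100.0/24"): 30,
}

SENSITIVE_PATHS = ("/wp-login.php", "/xmlrpc.php")
BLOCK_THRESHOLD = 100  # assumption: a combined score at or above this is blocked


@dataclass
class Request:
    ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def origin_score(ip: str) -> int:
    """Origin + reputation: score of the most specific known CIDR block holding the IP."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, score in NETWORK_REPUTATION.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, score)
    return best[1] if best else 0


def request_score(req: Request) -> tuple:
    """Request data: score the method, path and headers without looking at the origin."""
    score, reasons = 0, []
    headers = {k.lower(): v for k, v in req.headers.items()}
    path = req.path.split("?", 1)[0]  # ignore query arguments when matching the path
    if req.method == "POST" and path in SENSITIVE_PATHS:
        score += 40
        reasons.append("POST to login endpoint")
    if not headers.get("user-agent", "").strip():
        score += 40
        reasons.append("missing User-Agent")
    return score, reasons


def decide(req: Request) -> tuple:
    """Return (verdict, total score, reasons). The verdict is only 'allow' or 'block'."""
    score, reasons = request_score(req)
    reputation = origin_score(req.ip)
    if reputation:
        reasons.append(f"origin reputation {reputation}")
    total = score + reputation
    verdict = "block" if total >= BLOCK_THRESHOLD else "allow"
    return verdict, total, reasons


if __name__ == "__main__":
    browser = {"User-Agent": "Mozilla/5.0"}
    samples = [  # constructed requests
        Request("192.0.2.10", "POST", "/wp-login.php", browser),     # unknown origin
        Request("203.0.113.5", "POST", "/wp-login.php", browser),    # bad-reputation /24
        Request("203.0.113.200", "POST", "/wp-login.php", browser),  # cleaner /25 inside it
        Request("198.51.100.7", "POST", "/xmlrpc.php", {}),          # no User-Agent
    ]
    for r in samples:
        print(r.ip, r.method, r.path, decide(r))
```

The same login POST is allowed from an unknown network and blocked from a network with a poor history, which a hard-coded rule on the path alone cannot do without also blocking the legitimate user.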
False Positives
A false positive for a firewall is when a request is blocked that should not have been blocked.
False positives can be a very serious issue, because they prevent legitimate users and services from accessing the site. This can result in user frustration, lost revenue, damaged reputation, wasted time, and more.
One big challenge with false positives is that many firewalls do not have effective ways to detect them, nor do they provide a feature to challenge browsers or users to verify that they are indeed legitimate.
Second, many false positives can go unnoticed, because users have no way to know they are happening. Unless the blocked user already knows how to contact the site owner and is motivated to do so, or the site owner has access to detailed firewall logs and knows how to read them, site owners will often never even know they have this problem, or how bad it is.
WordPress Firewall Overview
There are several different types of WordPress firewalls, and different firewalls often offer different sets of features and protections. Logs and analytics are a critical supplement to the actual firewall as well.
Types of WordPress Firewalls
There are different types of WordPress firewalls available for protecting sites. Here is a summary of the types, including some of the pros & cons of each.
- WordPress Plugins
  - Notes: Typically requires a special PHP auto_prepend_file configuration to effectively protect most of the website, especially non-WordPress PHP files.
  - Pros: Can typically be installed on any WordPress site, regardless of where the site is hosted, and can provide protection when the host doesn't have a (good enough) firewall.
  - Cons: Must be installed and activated on each site. Often requires a paid subscription for better protection. Must be updated regularly. Can be tampered with or disabled by an attacker. Much lower performance than non-plugin options, which means they are ineffective against larger (D)DoS attacks. Cannot protect against access or attacks to non-PHP files on most Nginx-based hosts. Often have a higher rate of false positives than other types. Cannot protect sites on insecure hosting if multiple sites are hosted but not isolated, and one or more of the sites is not protected by the firewall.
- Reverse / Cloud Proxy
  - Notes: Requires that you either use the service's DNS system, or you must change the IP address for your website.
  - Pros: User install & configuration not required. Automatically updated against new attacks by the provider. Often much higher performance and able to block higher volume attacks than a firewall plugin.
  - Cons: Typically not WordPress-specific, or as well-tuned for blocking WordPress attacks, as firewall plugins or firewalls provided by WordPress hosts. May require an additional paid subscription. Introduces an extra "hop" for each request, which can cause a minor performance hit to the website.
- WordPress Host
  - Pros: Automatic protection for all sites hosted with the hosting provider. Typically provided at no additional cost. Typically higher performance than firewall plugins.
  - Cons: Your WordPress site must be hosted with the host to be protected. Many WordPress host firewalls are minimal, may offer less protection than firewall plugins, cloud proxies, or more advanced firewalls found at other hosts. Logs and analytics are often minimal or completely absent.
- Web Server Rules
  - Notes: Requires manual installation of a set of rules and sometimes restart of your web server.
  - Pros: Typically higher performance and can handle higher-volume attacks than firewall plugins.
  - Cons: Must be manually updated. Often have a much higher rate of false positives. Lack the ability to do more complete analysis and apply more advanced rules to requests, thus offering poorer protection compared to other types.
Firewall Protections
WordPress firewalls may protect against a wide variety of attacks, using different techniques. These can include:
- Exploit Blocks: Firewalls can have specific rules for blocking known exploits & vulnerabilities. This kind of protection is some of the most valuable protection to have for websites that might not have their plugins & themes automatically updated with security patches.
- Brute Force: One of the most common attacks on WordPress sites is hundreds or thousands of requests sent to either wp-login.php or xmlrpc.php, attempting to guess username & password combinations. In most cases, this causes performance problems more than anything else if they are not blocked. Better firewalls will block nearly 100% of brute-force requests, while allowing valid users and third-party services access without additional hassle.
- Spam Protection: Spam comments and form submissions can plague WordPress sites. More advanced or specialized firewalls can block all or most spam submissions without the use of annoying CAPTCHAs.
- File Probes: Another very common issue on WordPress sites is lots of requests searching for different types of files which should either not exist or should not be publicly accessible. These include software configuration files that might reveal sensitive keys or information, entire or partial backup files, files that indicate that a site might have a particular type of vulnerable software installed, and PHP files that could contain a backdoor or vulnerability that could be exploited to gain control of a site.
- Rate Limiting: In some cases a firewall cannot confidently determine that a single request is malicious, but it can be fairly confident that a series of requests that follow some type of pattern is likely malicious. In such cases, the firewall can rate limit the requests, either drastically slowing down an attack and decreasing its effectiveness, or it can completely block the attack if the rate limit is strict enough.
- (D)DoS Protection: One way bots and attackers sometimes target a site is to send a large number of otherwise legitimate requests to a site in a very short span of time. This is called a Denial of Service attack. When the requests are spread across multiple IP addresses and network providers, then it becomes a Distributed Denial of Service attack. The requests could be many requests for a small number of pages, a very aggressive crawl of the site, or some combination. Requests that would not normally be cached and served from a server cache can be particularly problematic. While WordPress has decent performance in many cases, many sites that employ more complicated themes or a number of plugins, or have larger databases, are not scalable enough to handle this type of traffic, and the site will become unavailable if the request volume exceeds the site & server capacity.
- SQL injection: Dynamic or partially dynamic websites that generate their content using a database such as MySQL can be susceptible to what are called SQL injection attacks. If the website software uses data sent by the web browser to query or generate its content, but does not always do this in a secure fashion, an attacker can exploit this type of vulnerability to gain access to sensitive data, alter data that they should not, or cause a SQL-based denial of service attack.
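The brute-force, file-probe and rate-limiting items above, run over a few access-log lines, as an added example that is not code from this page or from any firewall product. The log lines are constructed, and the probe patterns, the limit of 3 login POSTs per 60 seconds and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined access-log prefix: ip, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Assumed probe patterns: config files and backup-looking names. A site that
# really offers .zip downloads would need this narrowed to avoid false positives.
PROBE_RE = re.compile(
    r"/\.env$|/\.git/|/wp-config\.php\.\w+$|\.(sql|bak|old|zip|tar\.gz)$",
    re.IGNORECASE,
)


def classify(lines, max_posts=3, window=60):
    """Return one (ip, verdict) pair per log line.

    Verdicts: 'allow', 'file-probe', 'rate-limited' or 'unparsed'.
    Login POSTs are counted per IP in a sliding window; keying on the IP
    alone is a simplification, since distributed attacks spread across many.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            results.append((None, "unparsed"))
            continue
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        verdict = "allow"
        if PROBE_RE.search(path):
            verdict = "file-probe"
        elif m["method"] == "POST" and path in LOGIN_PATHS:
            q = recent[ip]
            while q and ts - q[0] >= window:  # drop attempts outside the window
                q.popleft()
            q.append(ts)
            if len(q) > max_posts:
                verdict = "rate-limited"
        results.append((ip, verdict))
    return results


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jan/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4012',
    '203.0.113.9 - - [10/Jan/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4012',
    '203.0.113.9 - - [10/Jan/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403',
    '203.0.113.9 - - [10/Jan/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4012',
    '192.0.2.44 - - [10/Jan/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Jan/2024:12:00:07 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 162',
    '198.51.100.23 - - [10/Jan/2024:12:00:08 +0000] "GET /.env HTTP/1.1" 404 162',
    '192.0.2.44 - - [10/Jan/2024:12:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
    '203.0.113.9 - - [10/Jan/2024:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4012',
]

if __name__ == "__main__":
    for (ip, verdict), line in zip(classify(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{verdict:12} {line}")
```

The single login from 192.0.2.44 passes untouched while the fourth rapid attempt from 203.0.113.9 is limited, and that client is allowed again once its earlier attempts age out of the window.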
Supplemental Features
- Logs / Analytics / Reports: Most firewalls will provide some combination of tools that will let you review which requests were blocked, and hopefully tell you or give you a hint as to why the traffic was blocked. A combination of logs, charts, and reports, presented in an easily understandable manner, is extremely important if you want to be able to quickly understand attacks on your site, and what the firewall is actually doing. Not having all three of these together can also mean hours of wasted time trying to diagnose issues with blocked requests, large-scale attacks, and false positives.
- Automatic Updates: New vulnerabilities are discovered in software every day, leading to new attacks & different requests that need to be blocked. The type, scale, and origins of attacks also vary over time. The most effective firewalls receive frequent updates based on both new vulnerabilities, and the traffic that is actively being sent to the sites that they protect.
- Manual Configuration: Many firewalls allow you to manually configure different options. This has both its pros and cons. Configuring a firewall can give you more flexibility on what should be allowed and what should not, but it also requires expertise with the firewall itself as well as security expertise about web traffic in general, and also requires time to make the configuration changes and maintain and update them over time. If a service provider is more focused on their firewall (such as on WordPress), and actively monitors traffic, reports of new vulnerabilities, and makes frequent updates that automatically protect all sites and prevent false positives, manual configuration of the firewall may be neither necessary nor desired.
- Notifications: Some firewalls will alert you when they detect an attack in progress, your site has failed login attempts, and for other instances. Plugins will often do this to "prove their worth", while firewalls provided by hosts typically block most attacks silently. With most WordPress sites and attacks, the site owner themselves is ill-equipped to do anything productive regarding attacks, so the most these can do is serve as an "FYI". More often than not though, they are just noise.
Bad Practices
There are a number of features and practices out there that various WordPress firewalls and security plugins either employ or offer, that are actually bad practices. While they are done with good intent, they can often cause problems, poor user experience (UX), and unnecessary work.
Something is considered a Bad Practice if there is a better way to accomplish the security goals.
- Disable XML-RPC: The xmlrpc.php file that is included with WordPress is both a very popular target for brute-force attacks, as well as an important feature of WordPress that provides necessary functionality for many sites & external services. Better firewalls block bad requests to this URL without disabling this functionality completely.
- Changing Admin / Login URL: The standard URLs on WordPress sites for accessing the administrator interface, and for logging in, are /wp-admin/ and /wp-login.php, respectively. Changing these is a bad user experience, because it often makes it harder for legitimate users to access WordPress. Better firewalls are smarter and can protect these URLs without changing them.
- Limit login attempts: Just like changing the admin or login URLs, limiting login attempts by a user too often blocks legitimate users and causes bad user experience. Again, better WordPress firewalls protect against attackers guessing passwords, without affecting legitimate users that might have just forgotten their password, and are trying to guess what they might have used for a site.
- CAPTCHA: Another attempt to stop bots, a visible CAPTCHA that requires legitimate users to solve some type of test, such as selecting matching pictures, typing the letters from partially obscured text, or solving a math problem, wastes time and creates poor user experience for legitimate users. Better firewalls figure out if traffic is human or not using advanced techniques that are invisible to legitimate visitors and users.
- Disable Comments: Commenting on WordPress posts is a core feature of the software, and is desired in many cases, as it increases engagement from visitors. Even if you don't want or need comments on your site, you should not need to disable them completely. Better WordPress firewalls can analyze incoming requests and comments and reliably block ones that are spam, while letting your actual visitors leave comments and feedback.
- IP whitelist: When requests are blocked by a firewall that should not be, a common practice is to whitelist the IP address(es) for those requests. But IP addresses change, and this practice is often not scalable. Better firewalls and service providers rarely block legitimate requests, and when they do, they can often adapt their rules in smarter ways to prevent future false positives, even if the IP address responsible for the legitimate traffic changes.
- IP blacklist: Similar to IP whitelisting, blacklisting or blocking specific IP addresses is also often a bad idea. Actual attackers often change their IPs faster than you can keep up, or may use hundreds or thousands of IPs in an attack. Some IPs from certain VPNs might carry both good and bad traffic. Better WordPress firewalls leverage all the data about a request, not just the IP address, to make accurate decisions about what traffic to block, and what to allow. If an IP address truly should be blocked, the firewall will do it for you automatically - this is never something you should need to do manually yourself.
- Too Many Options: Some firewalls and plugins add options to their interface to please customers that ask for more control. But this is generally a bad practice. In most cases, when a user is asking for more control, it's because the firewall isn't doing its job well enough. It's better to use a firewall or service that improves and fixes issues for you, rather than making it your job and requiring you to spend additional time, because they didn't do their job in the first place.
- Country Blocking: It's almost never a good idea from a security perspective to block a country from accessing a website. The reasons are 1) there can easily be legitimate traffic from the country, even if you're not expecting it, and 2) a large percentage of bad traffic often comes from legitimate countries, such as the United States. Blocking traffic by country is both bad for user experience, and a fool's errand. Better firewalls block bad traffic, no matter what country it comes from, while letting even unexpected, but legitimate users through.
- Manual IP blocking: While blocking specific IPs is sometimes an appropriate and effective way to stop certain types of bad traffic, it is way too often used when it should not be. Many attacks and types of bad traffic are best stopped by other means, and IP blocking is not only a last resort, but can be fragile, ineffective, and time consuming. Only when you have tools, data, and expertise to fully analyze traffic should this even be considered as an option.
WordPress Firewall Products
WordPress firewalls can be implemented in a number of ways, and located in different places, including within a proxy, at the server-level on the server where your site is hosted, and within the site itself, often as part of a WordPress plugin.
Security Proxies
A security proxy is a Web Application Firewall (WAF) service that protects your site by sitting in front of the actual server that hosts your site. By changing your DNS to route all traffic through the service's proxy servers, their firewall can block traffic before it even gets to your hosting server.
- Cloudflare: Probably the most popular and well-known security proxy used on WordPress sites is Cloudflare. Cloudflare provides both DNS resolution as well as the option to proxy (and thus filter) traffic through their world-wide network of servers. Cloudflare is not as specialized to WordPress though as many options, and while it may block certain attacks, a large number of bad requests are not blocked by default. Better protection of WordPress sites may involve paid plans or more extensive manual configuration.
- Sucuri Cloud Proxy: As a paid product, and now owned by GoDaddy, the only sites we usually see using this are sites that are hosted on GoDaddy, were hacked at some point, and then sold Sucuri as a way to clean it up and protect the site from future attacks. Given the alternatives, it's almost never a good idea to use Sucuri. For a similar price, you can get much better hosting, and an effective firewall included. We immediately recommend to any new customers that they cancel Sucuri once they've migrated to SiteDistrict.
WordPress Hosts
Some WordPress hosting providers include a WordPress firewall with their platform that automatically protects all sites that are hosted on their platform.
- SiteDistrict: At SiteDistrict, we have a custom, high-performance WordPress firewall that protects all sites on our platform. Read more about it here.
- WPEngine: WPEngine has a limited firewall that provides some protection for WordPress sites, specifically blocking a good number but not all brute-force requests and attacks. Marketing material and information about their firewall is very limited, as are the tools and logs within their platform for reviewing traffic & requests blocked by it.
- Kinsta: Kinsta has a similar firewall to WPEngine, blocking some of the same types of traffic, but information and tools related to their firewall are also similarly limited.
WordPress Plugins
There are numerous WordPress plugins that implement either a firewall or some other type of protection against unwanted traffic. These plugins must be installed on each site to be protected, and are often the best and only way to protect some sites, if either the hosting platform does not have a firewall, or a security proxy cannot be used for the domain.
- Wordfence: One of the most popular WordPress security plugins, backed by an experienced team and receiving regular updates. One of the biggest drawbacks of Wordfence is a decently high rate of false positives.
- CleanTalk: Focused more on preventing spam on sites than blocking other types of attacks, CleanTalk is often used by site owners that struggle with comment or form spam. Like Wordfence, one of the main drawbacks is the rate of false positives.
- Other plugins: There are many, many other WordPress security plugins, both free, and those requiring a paid subscription. They can vary wildly, and while they might be better than nothing, they can cause false positives, degrade user experience, cannot fix innately insecure hosting (such as cPanel), and fail to protect against higher-scale attacks.
Web Server-based
- 6G/7G firewall: This appears to be one of those options that has been overhyped mostly because of the drawbacks of other options, such as security plugins - not because this "firewall" is actually a good idea. This firewall is limited and inflexible by design, meaning it will miss many types of attacks, is unable to block new & novel types of attacks, and also can have a high rate of false positives.
- ModSecurity: You don't hear much about this product being used to protect WordPress sites, and for good reason - it's not designed to do so very well. To be even somewhat effective, it requires manual configuration, which requires significant expertise. Even then, it can't come close to being as "smart" as host, plugin, or proxy solutions.
Summary
WordPress sites are a very popular target for attackers, for a number of reasons. It doesn't matter the type or size of your WordPress site - just having it online pretty much guarantees that it will be attacked.
A good WordPress firewall protects your site in many ways, from these attacks and their effects. Sites that are intermittently slow and don't have a good firewall in place could be suffering because of unblocked traffic. Sites which run plugins that have vulnerabilities exposed are far more likely to be hacked.
One very important consideration with a WordPress firewall that is often overlooked is how well it prevents false positives, and how well it ensures that false positives are resolved, so that legitimate users are not blocked from accessing your sites.
For anyone serious about securing their sites, and for any provider that is serious about ensuring their firewall is performing as it should, being able to easily view, filter, and review logs and other firewall analytics is critical. You really can have no idea how good or bad your firewall is, unless you can effectively review the requests that it has, and has not, blocked.
To learn even more about WordPress firewalls, you can read about the SiteDistrict WordPress firewall, which protects thousands of sites, and blocks millions of requests every day.