A Web Application Firewall (WAF) is a type firewall which protects any website, server, etc. against attacks. In this post, I will specifically talk about WordPress WAFs.
WAFs are a relatively new thing in the world of cybersecurity. It is quickly becoming an important part of the cybersecurity infrastructure of every organization.
What is a Firewall?
In layman’s terms, a Firewall is simply a software that is installed in a network that controls both the incoming and outgoing traffic of that network. It acts as a safeguard against malicious actors.
Typically, a firewall is installed between a local network and the wider internet. In this way, devices in the internal network can work without any disruption, but, if a malicious actor tries to hack into the internal network via the internet, he will be blocked.
A firewall software is usually pre-installed in every popular OS like Windows, MacOS, Ubuntu etc. Here, I have attached a picture of the Windows Firewall.
Also, these days, you will find firewalls built into almost every router.
Evolution of WAF
Now, let us see the evolution of the WAF.
First Generation – Packet Filtering
Originally, firewalls were “dumb” meaning they only could do traffic filtering. They could not tell the type of traffic going through them. Windows Firewall and most consumer grade router firewalls are of this type.
In this type of firewall, you have to open the ports that you need to use for your application. This also means that any malicious actor can connect to your internal network via the open port.
Second Generation – Stateful Filtering
The second generation of firewalls operate on the layer 4 of the OSI model. This enabled them to determine the type of connection that they are handling (for example – when a packet opens or closes a connection etc.).
Still, they were nowhere near to modern day WAFs. Administrators could create firewall rules based on connection status.
Third Generation – Application Layer Filtering
Most of the firewalls that we use today were developed in the early 90s. They understand the type of applications and the protocols they use. So, a third-generation firewall can understand if a packet’s payload is for an SSH server and the requests made or if it is an HTTP request and the requests made.
Third generation firewalls lead to the development of single scope firewalls. One of the single scope firewall is the WAF.
As told above, WAFs are single scope firewalls. Their main purpose is to protect a server or a website from hackers.
A WordPress WAF is a WAF specifically designed to protect WordPress. When we use a WordPress WAF, it intercepts every incoming and outgoing traffic to scan for malicious payloads.
If an HTTP request contains a malicious payload, the WAF blocks the IP and drops the connection.
How Do WordPress WAFs Work?
A WordPress WAF is a WAF whose rules are specifically designed to protect a WordPress site from malicious attacks. They match HTTP requests against well-known malicious requests and if a request matches the database, that request is dropped.
As WordPress WAFs are specifically designed for WordPress, most of them don’t allow the modification of rules. But, generic firewalls allow you to modify the rules.
No matter which option you choose for your firewall, make sure that they don’t block legitimate traffic. For this, some firewalls use AI to learn attack patterns that improves to decrease false positives.
Types of WordPress Firewalls
Now, let’s look at the types of firewalls available for WordPress.
WordPress WAF Pulgins
This is the most common type of firewall that is used in a WordPress site. The flow of traffic is as follows:
- The webserver receives the request
- Then it calls the PHP processor (as WordPress is a PHP program)
- Before WordPress processes the request, it’s scanned by the WAF plugin
These types of plugins are really easy to use and many of them are even available for free. But, as they are initialized by WordPress, if there is a vulnerability on your site before the firewall is initialized, then an attacker can gain full access to your site.
On-Site Dedicated WAFs
Dedicated WAFs can be configured with WordPress rules. These types of WAFs are either a dedicated hardware or a software.
Every packet flows through the WAF before hitting the WordPress site. This ensures that the firewall keeps working even if your site is compromised in such a way that plugin WAFs don’t initialize on time.
One major drawback of this approach is the cost and also the expertise needed to configure them. So, typically they are used by businesses and not by bloggers.
Online WordPress Firewalls
Unlike a self-hosted or plugin-based WAF, online WAFs do not need to reside on the same network as your WordPress site. Online WAFs acts like a proxy server that filters traffic and then forwards clean requests to your webserver.
Online WAFs need some DNS record changes. This means that the visitor’s point of interaction is the online WAF and not the webserver.
Most online firewalls also work as caching servers. So, in addition to providing protection to your WordPress site, it also helps to offload a lot of traffic from your webserver. They are highly affordable compared to on-site dedicated firewalls.
Online Firewalls Can Be Bypassed
One limitation of online WAF is that the webserver which hosts your website has to be accessible over the internet. So, if anyone who knows the server IP can access your site directly, bypassing the firewall.
There is a simple fix to this. Use your webserver firewall to allow traffic only from the online firewall IPs.
Should You Use a WordPress WAF?
Some security is always much better than having no security. So, yes one should always use a WAF whenever possible. Does a WAF ensure that you will never get hacked? No. Never. A WAF does not ensure that you will never get hacked. Even after setting up a WAF, always follow good security practices to minimize the risks of getting hacked.
The simple mantra is Hardenize -> Monitor -> Test -> Improve. Also, you should invest in WordPress backups. They are a lifesaver.
I hope this post has helped you. If you have any queries or suggestions, then please let me know in the comments down below.