A frequent question users ask on the WordPress security Facebook group is which WordPress firewall they should install. Typically, everyone recommends what he or she uses, which is only fair. But to my surprise, some WordPress users recommended running multiple WordPress firewalls for the best protection of their website or blog.
Running multiple firewalls in a multi-tiered web farm? Yes, definitely. But running multiple firewalls in front of a single WordPress installation? That’s overkill, to say the least. This article explains why running multiple WordPress firewalls is a bad idea.
Understanding the Role of a WordPress Firewall
Before you decide which WordPress firewall plugin to install, you should first understand its scope and role. A WordPress firewall sits between your WordPress and the internet and analyzes every incoming connection request sent to your website. If a request is legitimate, the firewall allows it through. If it is malicious, the firewall blocks or drops it.
For more detailed information about how WordPress firewalls, or rather web application firewalls, work, read All you need to know about WordPress firewalls.
Why You Shouldn’t Run Multiple WordPress Firewalls
Below are just a few points that explain why you shouldn’t run multiple WordPress firewalls:
A Slow WordPress Website
If you are running two WordPress firewalls, every incoming connection request must be analysed by both of them, which slows down the request and eats up more resources.
More WordPress Plugins to Update and Bigger Attack Surface
WordPress plugins need to be kept up to date to ensure the security of your WordPress website or blog. As explained in WordPress Security VS Functionality – Striking the Right Balance, you shouldn’t limit the number of WordPress plugins you install on your website, as long as you need their functionality. However, installing several plugins with the same functionality is definitely shooting yourself in the foot: you get more plugins to update and a bigger attack surface without gaining any new functionality.
Increased Chances of Blocking Legitimate Incoming Requests
The stricter the controls, the higher the chances of blocking legitimate incoming requests. If a WordPress firewall is configured correctly this should not be the case, but with two firewalls running back to back in front of your WordPress, expect it to happen.
Choosing the Best WordPress Firewall
Unless you are a seasoned penetration tester or security professional, it is very difficult to really test the blocking capabilities of a WordPress firewall. Also, in terms of non-security features, there is hardly a firewall that is much better than the others; they all have roughly the same features. So most of the time it is more a matter of opinion and of what your requirements are than a matter of which one is the best WordPress firewall.
If you are in the process of choosing a WordPress firewall for your website, I recommend the following approach:
- Make a list of your requirements in terms of features,
- Decide if you want to go for an online or a plugin-based WordPress firewall,
- Check how well maintained the products are, or how often they are updated,
- Read a bit about the companies’ history and see how they responded to possible previous security flaws,
- Ask around and see what other people say about them. Word of mouth is a trustworthy source,
- Choose ONE WordPress firewall and install it,
- Configure it, but don’t go overboard with tightening it down.