Website firewalls, technically known as web application firewalls, are relatively new to the web security industry. Lately they have also been introduced into the WordPress security ecosystem, and a number of businesses now offer dedicated WordPress website firewall services. As with any other new technology, many are still not sure what it is all about. How does it work? Will it really protect my WordPress websites and blogs from malicious hacker attacks? Will it impact the performance of my WordPress?
In this article I explain what web application firewalls (website firewalls) are and what the pros and cons of these WordPress security solutions are.
The Concept of Firewalls
A firewall is a security system (software) installed between two or more networks to control the incoming and outgoing traffic of each network. It acts as a barrier between a trusted and an untrusted network. In a typical setup, a firewall is installed between an internet connection and an internal network, protecting the network from hacker attacks and also controlling who can access the internet.
Evolving Into Web Application Firewalls
First Generation Firewalls – Packet Filtering
Originally firewalls were designed to control network traffic; they only did packet filtering and did not understand the actual content of the traffic. For example, if you had a website running on a web server on your network you had to open port 80 through the firewall to the public so that everyone could access the website. Once port 80 was open, the firewall would allow any type of traffic through it, including malicious attacks.
Second Generation Firewalls – Stateful Filtering
The second generation of firewalls was able to operate at Layer 4 of the OSI model, so a firewall could determine what type of connection it was dealing with, i.e. whether a packet was opening a new connection or belonged to an already established one. Even with such advancements, second generation firewalls were still very limited in controlling incoming and outgoing traffic, though at least administrators could now write firewall rules that take the connection state into account.
Third Generation Firewalls – Application Layer Filtering
The firewalls as we know them today, i.e. those that understand what each packet is all about, were introduced in the mid-nineties. Third generation firewalls understand certain applications and protocols such as FTP, DNS and HTTP. Apart from generic network firewalls, there is a wide variety of single-scope firewalls, such as web application firewalls.
Web Application Firewalls / Website Firewalls
Web application firewalls are application firewalls with a single scope: to protect your website from malicious hacker attacks. A WAF (Web Application Firewall) is installed between the web server where your WordPress is hosted and the public connection (the internet), and analyses each and every HTTP request sent towards your website, as shown in the below screenshot.
Should an HTTP request contain a malicious attack, the web application firewall drops the connection and alerts the administrator; the action a WAF takes when it detects a malicious HTTP request is configurable. WAFs typically ship with a built-in list of known attack signatures. If an HTTP request contains content that matches any of these signatures, it is treated as malicious and blocked.
WAFs are highly configurable and you can tailor them specifically to your website by creating your own set of security rules. One should be careful when configuring a WAF, since a wrong configuration might block legitimate visitors.
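To make the signature matching and the misconfiguration risk concrete, here is an added example (not the article's code and not any vendor's rule set): a toy request inspector with a few constructed signatures, plus an over-broad custom rule that blocks a harmless blog comment. All sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed, simplified attack signatures for illustration (not a vendor rule set).
# Each entry: (rule id, description, regex applied to the decoded request fields).
BUILTIN_SIGNATURES = [
    ("sqli-001", "SQL tautology",  re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-002", "UNION SELECT",   re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("xss-001",  "script tag",     re.compile(r"<\s*script\b", re.I)),
    ("lfi-001",  "path traversal", re.compile(r"\.\./")),
]

# The kind of over-broad custom rule the article warns about: it blocks any
# request that merely contains the word "select", including ordinary comments.
OVERBROAD_RULE = ("custom-001", "any SELECT keyword", re.compile(r"\bselect\b", re.I))


def inspect_request(req, rules=BUILTIN_SIGNATURES):
    """Return ("allow" | "block", [matched rule ids]) for one request dict.

    req has keys path, query, body and headers. Percent-encoding is decoded once
    before matching so that %27 and ' are treated alike.
    """
    hdrs = req.get("headers", {})
    fields = [unquote_plus(req.get("path", "")),
              unquote_plus(req.get("query", "")),
              unquote_plus(req.get("body", "")),
              hdrs.get("User-Agent", ""), hdrs.get("Referer", "")]
    hits = [rid for rid, _desc, rx in rules if any(rx.search(f) for f in fields)]
    return ("block" if hits else "allow"), hits


# Constructed sample traffic: a login attempt carrying a SQL tautology in the
# username, a normal page view, and a legitimate comment that mentions "select".
SQLI_LOGIN = {"path": "/wp-login.php", "query": "",
              "body": "log=admin%27+or+%271%27%3D%271&pwd=x", "headers": {}}
PAGE_VIEW = {"path": "/2014/05/hello-world/", "query": "p=1", "body": "",
             "headers": {"User-Agent": "Mozilla/5.0"}}
COMMENT = {"path": "/wp-comments-post.php", "query": "",
           "body": "comment=Please+select+the+second+option", "headers": {}}

if __name__ == "__main__":
    for name, r in [("sqli", SQLI_LOGIN), ("view", PAGE_VIEW), ("comment", COMMENT)]:
        print(name, inspect_request(r), inspect_request(r, BUILTIN_SIGNATURES + [OVERBROAD_RULE]))
```

With the built-in list only the login attempt is blocked; once the custom rule is added, the comment is blocked too, which is exactly the false positive a careless rule produces.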
Different Types of WordPress Web Application Firewalls
There are different types of web application firewalls. Some have to be physically installed on the same network as your web servers, while others are online services. Some have checks for specific frameworks, while others have WordPress-specific security checks, such as the Sucuri Website Firewall.
Self-Hosted vs Online WAF Solutions
Self-hosted WAFs are typically appliances installed on the same network as your web server. They can be quite expensive and are typically configured by trained people, i.e. they are not for non-tech-savvy users. In fact their market is typically the high end of SMBs and enterprises. In this article we will mostly talk about online WordPress website firewall solutions, which are relatively easy to set up and use, affordable, and most popular with the WordPress community.
Online WordPress Website Firewalls
Unlike a self-hosted WAF, an online WordPress website firewall does not need to be installed on the same network as your web server, since it is an online service. Typically an online firewall has more than one scope: apart from protecting your websites from malicious hacker attacks, it can also serve as a caching server, CDN and performance booster. Online web application firewalls are also very affordable compared to self-hosted web application firewalls.
How do Online WordPress Website Firewalls Work?
An online WordPress website firewall needs to analyse the traffic before it hits your website, hence it has to act as a proxy server (a reverse proxy). To direct the traffic through the online web application firewall you configure your domain's DNS records to point to it. This means that each time someone visits your website the HTTP requests are first sent to the online website firewall, which analyses them and then forwards them to your website, as shown in the below diagram.
WordPress Website Firewall Limitations
Web Application Firewalls Are Vulnerable
First off, online website firewalls (web application firewalls) are like any other software: they can have their own bugs, vulnerabilities and security flaws. In fact we have seen numerous attacks over the years in which web application firewalls were bypassed. For example, one specific vulnerability was used to switch off the website firewall's "detection" engine, allowing all malicious traffic to pass through unnoticed.
Your WordPress is Still Reachable by Attackers
When using an online web application firewall for your WordPress, your web server still has to be accessible over the internet so that the WAF can forward traffic to your WordPress. This means that anyone who accesses your website via its domain name goes through the firewall, but someone can still bypass the online WAF by communicating directly with your web server and website via its IP address, as shown in the below diagram.
As explained in What are Targeted and Non-Targeted WordPress Hack Attacks, in non-targeted attacks attackers typically scan whole networks automatically for vulnerable WordPress websites and blogs. This means that if the attackers scan the network where your WordPress is hosted and your website is vulnerable to a specific attack, or you are using weak credentials, your website will be hacked.
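One way to close this gap on the origin server, as an added example (not the article's code and not any WAF vendor's): a WSGI middleware that answers 403 to any request whose TCP peer address is outside the firewall's published egress ranges. The ranges below are placeholders for the list your provider publishes, and the WordPress application is a stub.

```python
import ipaddress

# Placeholder ranges standing in for the firewall vendor's published egress networks;
# replace them with the real list from your WAF provider.
WAF_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]


def is_from_waf(remote_addr, networks=WAF_NETWORKS):
    """True only if the TCP peer address belongs to one of the WAF networks.

    The decision uses the socket peer address, never X-Forwarded-For: that header
    is written by whoever opens the connection, so a client talking to the origin
    directly can put anything in it.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def origin_guard(app):
    """WSGI middleware: answer 403 to any request that did not arrive via the WAF."""
    def guarded(environ, start_response):
        if not is_from_waf(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access to the origin is not permitted.\n"]
        return app(environ, start_response)
    return guarded


def _wordpress_stub(environ, start_response):
    """Stand-in for the real WordPress application behind the guard."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]


def status_for(remote_addr):
    """Send one request through the guarded app and return the status line it chose.

    The request carries a forged X-Forwarded-For naming a WAF address, to show
    that the header does not influence the decision.
    """
    captured = {}
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
    list(origin_guard(_wordpress_stub)(environ, lambda s, h: captured.update(status=s)))
    return captured["status"]
```

In production the same allowlist belongs in the host firewall or web server configuration as well, so that files outside WordPress are covered too.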
Limited Zero Day Vulnerability Protection
Similar to antivirus software, web application firewalls rely on signature-based protection. This means that when someone visits your website, i.e. sends an HTTP request to your web server, the firewall matches the content of that HTTP request against a number of signatures of known web attacks. Therefore, in the case of a zero-day vulnerability, where the attack uses a variant that has not been seen before, it will not be blocked by the WordPress website firewall.
In such cases the responsiveness of the vendor is critical. The response time is how long it takes the vendor to update the WordPress website firewall signatures so that they detect and block the new attack. In most cases so far I have noticed that Sucuri were always very efficient at updating their WordPress website firewall. Since they are involved in the community, most of the time they also publish a detailed explanation of the vulnerability on their blog.
No Protection from Configuration and Logical Vulnerabilities
Website firewalls are good at detecting technical attacks, though they cannot protect your WordPress from configuration and user issues such as weak passwords. WordPress-specific web application firewalls such as the Sucuri Website Firewall have brute force protection, but if the credentials you are using are weak and the attacker launches a slow and controlled attack, he can still guess your password and go unnoticed by the website firewall. The same applies to incorrect file and directory permissions, security misconfigurations, sensitive data exposure and several other non-technical vulnerabilities.
Should You Use a WordPress Web Application Firewall?
As you might have already learnt, there is no bulletproof solution when it comes to WordPress security. You should look into every aspect of security (protection, detection, response) to get the best out of your systems and keep your WordPress secure.
WordPress website firewalls only address one aspect of security. Should your budget allow it, go for it. I highly recommend the Sucuri Website Firewall, although there are many other good ones. It is very important to note that even though you use a WordPress web application firewall, you should not let your guard down, since firewalls only address one aspect of security. You should still harden the security of your WordPress blogs and websites, get all custom code reviewed, ensure all WordPress users use strong passwords and, last but not least, keep an audit log of everything that is happening on your WordPress.