Website firewalls, or as technically known web application firewalls are relatively new to the industry of web security. Lately they have also been introduced in the WordPress security eco system and a number of businesses are offering specific WordPress website firewall service. Like with any other new technological advancement, many are still not sure of what it is all about. How does it work? Will it really protect my WordPress websites and blogs from malicious hacker attacks? Will it impact the performance of my WordPress?
In this article I explain what web application firewalls (website firewalls) are and what are the pros and cons of these WordPress security solutions.
The Concept of Firewalls
A firewall is a security software / system that is installed between two or more networks to control both the incoming and outgoing traffic of each network. It acts as a barrier between a trusted and non-trusted network. In a typical setup, a firewall is installed between an internet connection and an internal network to protect the network from hacker attacks and also used to control who can access the internet.
Evolving Into Web Application Firewalls
First Generation Firewalls – Packet Filtering
Originally firewalls were designed to control network traffic; they only did packet filtering and didn’t understand the content of the traffic. For example if you had a website running on a web server on your network you had to open port 80 through the firewall to the public. Once port 80 is open the firewall would allow any type of traffic through port 80, even malicious attacks.
Second Generation Firewalls – Stateful Filtering
The second generation of firewalls were able to operate on Layer 4 of the OSI model. They were able to determine what type of connection they are dealing with, i.e. if a packet is opening a new connection or if a connection has been already established etc. Even with such advancements second generation firewalls had still a lot of limitations in controlling incoming and outgoing traffic. Though at least administrators could now create firewall rules based on connection status.
Third Generation Firewalls – Application Layer Filtering
The firewalls of today which were introduced in the mid-nineties understand the data in every packet. Third generation firewalls can understand applications and protocols such as FTP, DNS and HTTP. This technology led to the introduction of single scope firewalls, such as Web Application Firewalls.
Web Application Firewalls / Website Firewalls
Web application firewalls have a single scope; to protect your website from malicious hacker attacks. A WAF (Web Application Firewall) is installed between your web server, where your WordPress website is hosted, and the public connection, aka the internet. It analyses every incoming HTTP request as shown in the below screenshot.
Should an HTTP request contain malicious payload / attacks, the web application firewall drops the connection and alerts the administrator. Typically the action a WAF takes when it detects a malicious HTTP request is configurable. WAFs typically have a built-in list of known attack signatures. If an HTTP request contains content that matches any of these signatures it will be blocked.
WAFs are highly configurable and you can tailor such software specifically for your website by creating your won set of security rules. One should be careful when configuring a WAF because a wrong setup might block legitimate traffic.
Different Types of WordPress Web Application Firewalls
There are several different types of web application firewalls. Some of them have to be installed on the same network of your web servers, some of them have to be installed on your WordPress website as a plugin and some other are online services. Some of them have specific checks for specific frameworks, while others have specific WordPress security checks such as Malcare WordPress application firewall and malware scanner.
Self-Hosted VS Online WAF solution
Self-hosted WAFs come in two flavors. They can be a WordPress plugin, or appliances that are installed on the same network of your web server. Appliances tend to be quite expensive and are not for the non tech savvy users. In fact their market is typically the high end of SMBs and enterprises. In this article we will mostly talk about online WordPress website firewall solutions, which are relatively easy to setup and use, affordable and most popular with the WordPress community.
Online WordPress Website Firewalls
Unlike self-hosted WAFs, online an WordPress website firewall does not need to be installed on the same network of your web server since it is an online service. Typically an online firewall have more than one scope, i.e. apart from protecting your websites from malicious hacker attacks it can also serve as a caching server, CDN and performance boosters. Online web application firewalls are also very affordable when compared to self-hosted web application firewalls.
How do Online WordPress Website Firewalls Work?
An online WordPress website firewall needs to analyse the traffic before it hits your website, hence it has to act as a proxy server. To direct the traffic through the online web application firewall you have to configure the DNS records to point to the online web application firewall. This means that each time someone visits your website the HTTP requests are first sent to the online website firewall and after analysing them it forwards the requests to your website, as shown in the below diagram.
Online WordPress Website Firewall Limitations
Web Application Firewalls can have their own security issues
Online website firewalls (web application firewalls) are like any other software, they can have vulnerabilities and security flaws. In fact we have seen numerous attacks over the years where web application firewalls were bypassed. For example one specific vulnerability was used to switch off the website firewall’s “detection” engine, thus allowing all malicious traffic to go through unnoticed.
Your WordPress is Still Reachable by Attackers
When using an online web application firewall for your WordPress your web server has to be accessible over the internet for the WAF to forward traffic to your WordPress. This means that when someone tries to access your website via the domain name, they will go through the firewall. Though someone can still bypass the online WAF by communicating directly with your web server and website via the IP address as shown in the below diagram.
As explained in What are Targeted and Non-Targeted WordPress Hack Attacks attackers typically automatically scan whole networks for vulnerable WordPress websites and blogs in non-targeted attacks. This means that if the attackers scan the network where your WordPress is hosted, and your website is vulnerable to a specific attack, or you are using weak credentials your website will be hacked.
Limited Zero Day Vulnerability Protection
Similar to antivirus software, web application firewalls have signature based protection. This means that when someone visits your website, a.k.a. sends an HTTP request to your web server, they match the content of that HTTP request against a number of signatures of known web attacks. Therefore in case of a zero day vulnerability where the vulnerability uses a vulnerability variant that has not been seen before, the attack will not be blocked by the WordPress website firewall.
In such cases the responsiveness of the vendor is very critical. The response time is how long it takes the vendor to update the WordPress website firewall signatures to be able to detect the new vulnerability and block it. In most cases so far I have noticed that Malcare were always very efficient at updating their WordPress website firewall. Since they are involved in the community most of the time they also publish a detailed explanation of the vulnerability on their blog.
No Protection from Configuration and Logical Vulnerabilities
Website firewalls are good at detecting technical vulnerabilities though they cannot protect your WordPress from configuration and user issues such as weak passwords. Specific WordPress web application firewalls such as Malcare WordPress Firewall have brute force protection, though if the credentials you are using are weak, and the attacker launches a slow and controlled attack he can still guess your password and be unnoticed by the website firewall. The same applies for incorrect file and directory permissions, security misconfigurations, sensitive data exposure and several other non-technical vulnerabilities.
Should You Use a WordPress Web Application Firewalls?
There is no bullet proof solution when it comes to WordPress security. You should look into every aspect of the WordPress security wheel (harden, monitor, test improve) to ensure you get the best out of your systems and keep your WordPress secure.
WordPress website firewalls are definitely a must though. I highly recommend the Malcare WordPress firewall and malware scanner. It is very important to note that even though you use a WordPress web application firewall, you should not let your guards down since firewalls only address one aspect of security. You should also for example keep an audit log of everything that is happening on your WordPress.