WordPress is a relatively secure content management system. As we’ve discussed before, there is no such thing as completely secure software, but the WordPress development team do an excellent job of keeping WordPress users safe by introducing as few vulnerabilities as possible and fixing them when they arise. That said, WordPress is enormously popular, which makes it a prime target for those of our fellow online citizens who lack a moral compass.
It falls on WordPress hosts like Nexcess and WordPress site owners like you to make every effort to prevent online criminals from getting what they want — access to your WordPress site and its users. We do this by building secure networks, following security best practices, and keeping our sites updated.
Web Application Firewalls are another way we can make life difficult for criminals. In essence, a web application firewall is just what it sounds like — a firewall specifically designed to protect web applications like WordPress. A WAF functions in much the same way as the firewalls you may have on your PC or at your work. It is positioned between your site and the Internet. The firewall looks at the requests made to your site and if it likes what it sees, it lets them through. If the request matches a pattern that the firewall considers a likely risk to security, it will drop the request, keeping your WordPress site safe.
As an example, there is a common attack known as an SQL injection attack. An attacker will try to trick your site into running attacker-supplied SQL queries on its MySQL database. This is bad for obvious reasons, and for the most part, it doesn’t work because WordPress is designed to make it impossible to inject SQL code into the site. But, rarely, WordPress Core or a WordPress plugin will have a bug that makes an SQL injection attack possible. Most WAFs can be configured to watch the requests to a site for tell-tale signs that they are part of an attempt at SQL injection. The firewall will stop those requests before they ever reach WordPress. Even if there is a vulnerability, the attacker won’t be able to exploit it.
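To make the "looks at the requests and matches patterns" description concrete, here is a small, added request inspector written in Python for this article; it is not code from Nexcess, Sucuri, or any real WAF product. It assumes a constructed list of sample request URLs and a handful of hand-written signatures for the classic SQL injection tell-tale signs, decodes each query parameter the way a WAF must (including double URL-encoding), and returns an allow/drop decision with the reason.

```python
"""Toy WAF-style request inspector (added example, not a real product's rules)."""
import re
from urllib.parse import parse_qsl, unquote_plus

# A few illustrative SQL injection signatures. Constructed for this example;
# production WAF rule sets are far larger and more carefully tuned.
SQLI_SIGNATURES = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT probes
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),             # tautologies like ' OR '1'='1
    re.compile(r"(--|/\*)"),                                # SQL comment sequences
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),          # time-based probes
]

# Constructed sample traffic: two benign requests, two attack-like ones,
# and one benign request that a naive comment-sequence rule will flag.
SAMPLE_REQUESTS = [
    "/?s=wordpress+firewall",
    "/?p=1",
    "/?id=1%27%20OR%20%271%27%3D%271",                 # 1' OR '1'='1
    "/?id=1%2520UNION%2520SELECT%25201%252C2",         # double-encoded UNION SELECT
    "/?q=ticket--12",                                  # false positive on "--"
]


def normalize(value: str) -> str:
    """Decode twice to defeat double URL-encoding, then collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def inspect_request(path_and_query: str):
    """Return (allowed, reason) for one request line.

    Each query parameter value is decoded and checked against every signature;
    the first match drops the request, mirroring a deny-on-match WAF rule.
    """
    _, _, query = path_and_query.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        candidate = normalize(value)
        for sig in SQLI_SIGNATURES:
            if sig.search(candidate):
                return False, f"param {name!r} matched {sig.pattern!r}"
    return True, "ok"


def run_samples():
    """Inspect every constructed sample request; returns {request: (allowed, reason)}."""
    return {req: inspect_request(req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DROP ':5} {req:45} {reason}")
```

Running it drops the two injection-style requests, but also drops `/?q=ticket--12`, a perfectly ordinary search, because `--` alone is too blunt a signature. That trade-off between misses (an encoding or spacing trick the normalizer does not handle) and false positives (legitimate input that resembles SQL) is exactly why a signature-based WAF is a layer in front of WordPress rather than a replacement for its own defence, which is parameterized queries via `$wpdb->prepare()`, and for keeping Core and plugins updated.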
Let’s take a quick look at a couple of the most popular Web Application Firewalls for WordPress.
If you follow WordPress news at all, you’re probably already familiar with Sucuri, the prominent WordPress security company. Their take on the WAF is a cloud service; you install a plugin and their cloud-based WAF takes care of intercepting any incoming attacks.
The Sucuri Website Firewall has a number of interesting features, including the ability to apply virtual patches to a site, block cross-site scripting and SQL injection attacks, and prevent remote code execution attacks.
Sucuri is not a free service, but for a site that finds itself plagued by malicious attacks, it’s worth taking a look at.
Simple Security Firewall is a more basic offering than Sucuri’s, but it’s a worthy pick for a site owner who doesn’t want or need the full security services offered by the premium plugin, or who would prefer not to rely on a cloud service.
Simple Security Firewall is free and blocks URLs matching patterns associated with suspicious activity, in an attempt to stymie brute force attacks, spambot comments, and other attacks.
A Web Application Firewall is not a replacement for other security best practices, but it can be a great first line of defense against attacks against your WordPress site.