August 18, 2015

Web Application FirewallWordPress is a relatively secure content management system. As we’ve discussed before, there is no such thing as completely secure software, but the WordPress development team do an excellent job of keeping WordPress users safe by introducing as few vulnerabilities as possible and fixing them when they arise. That said, WordPress is enormously popular, which makes it a prime target for those of our fellow online citizens who lack a moral compass.

It falls on WordPress hosts like Nexcess and WordPress site owners like you to make every effort to prevent online criminals from getting what they want — access to your WordPress site and its users. We do this by building secure networks, following security best practices, and keeping our sites updated.

Web Application Firewalls are another way we can make life difficult for criminals. In essence, a web application firewall is just what it sounds like — a firewall specifically designed to protect web applications like WordPress. A WAF functions in much the same way as the firewalls you may have on your PC or at your work. It is positioned between your site and the Internet. The firewall looks at the requests made to your site and if it likes what it sees, it lets them through. If the request matches a pattern that the firewall considers a likely risk to security, it will drop the request, keeping your WordPress site safe.

As an example, there is a common attack known as an SQL injection attack. An attacker will try to trick your site into running SQL queries on its MySQL database. This is bad for obvious reasons, and for the most part, it doesn’t work because WordPress is designed to make it impossible to inject SQL code into the site. But, rarely, WordPress Core or a WordPress plugin will have a bug that makes an SQL injection attack possible. Most WAF’s can be configured to watch the requests to a site for tell-tale signs that they are part of an attempt at SQL injection. The firewall will stop those requests before they ever reach WordPress. Even if there is a vulnerability, the attacker won’t be able to exploit it.

Let’s take a quick look at a couple of the most popular Web Application Firewalls for WordPress.


If you follow WordPress news at all, you’re probably already familiar with Sucuri, the prominent WordPress security company. Their take on the WAF is a cloud-service; you install a plugin and their cloud-based WAF takes care of intercepting any incoming attacks.

The Sucuri Website Firewall has a number of interesting features, including the ability to apply virtual patches to a site, block cross-site scripting and SQL injection attacks, and prevent remote code execution attacks.

Sucuri is not a free service, but for a site that finds itself plagued by malicious attacks, it’s worth taking a look at.

Simple Security Firewall

Simple Security Firewall is a more basic offering than Sucuri’s, but it’s a worthy pick for a site owner who doesn’t want or need the full security services offered by the premium plugin, or who would prefer not to rely on a cloud service.

Simple Security Firewall is free, and will block URLs matching patterns associated with suspicious activity, attempting to stymie brute force attacks, spambot comments, and other attacks.

A Web Application Firewall is not a replacement for other security best practices, but it can be a great first line of defense against attacks against your WordPress site.


Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.