Web-based attacks on WordPress sites come in several forms, but some of the most effective ones abuse application input to get past security controls. A web application firewall (WAF) stops many of these attacks and greatly reduces your level of risk. A large percentage of sites on the internet are built with WordPress, so it is no surprise that attackers tailor many scanning and exploit scripts to WordPress functionality. A WAF can help stop cross-site scripting (XSS), SQL injection (SQLi), distributed denial-of-service (DDoS), file inclusion, and cross-site request forgery (CSRF) attacks, protecting WordPress against the most common threats.
What is a WAF?
Traditional hardware firewalls work at layers three and four of the OSI (Open Systems Interconnection) model. The OSI model is a conceptual model that explains how protocols, applications, physical hardware, and data interact with each other. Layer three is where IP addresses operate, and layer four is where the TCP and UDP protocols operate. Traditional firewalls work at these two layers, controlling the flow of data based on IP addresses and on TCP and UDP ports and protocols.
Although traditional firewalls are useful in standard network security, they do not block attacks aimed at a specific web application. To stop web application attacks, organizations use a web application firewall (WAF). A WAF blocks specific attacks sent through application functionality. For example, if an attacker submits crafted input in a text box to perform SQL injection, a WAF detects the malicious request and blocks it before it reaches the database server. If malicious HTML is sent through the same text box, a WAF detects that attack and blocks it as well.
A WAF can block these attacks because it works at layer seven of the OSI model, the layer at which applications run their code and perform their functions on the web server. The WAF acts as a proxy between the user's browser and the web server, so it can inspect input and decide whether it should be passed on to the web server. It blocks malicious requests before they ever reach the targeted server.
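The layer-seven proxy described above, shown here as an added example in Python rather than code from Wordfence, Cloudflare, Imunify360 or Pressable: a small WSGI middleware sits between the client and the application, decodes the query string and form body, runs a handful of signature checks for SQL injection, cross-site scripting and path traversal, and answers 403 instead of forwarding a request that matches. The signature list, the `origin_app` stand-in for WordPress, the `send` helper and all sample requests are constructed for illustration; a production WAF carries thousands of rules plus normalisation, scoring and logging that this sketch leaves out.

```python
"""Minimal layer-7 request inspector in the style of a WAF (added example)."""
import io
import re
from urllib.parse import parse_qs, unquote

# Constructed signature list: (rule name, compiled pattern). Deliberately
# small; these are illustrations of the rule idea, not a complete rule set.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("sqli-stacked", re.compile(r"(?i);\s*(?:drop|delete|insert|update)\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(?:load|error|click|mouseover)\s*=")),
    ("xss-javascript-uri", re.compile(r"(?i)javascript\s*:")),
    ("lfi-traversal", re.compile(r"\.\.[/\\]")),
]


def inspect_request(method, path, query_string, body=b"", content_type=""):
    """Return None if the request looks clean, else (rule, parameter, raw value)."""
    fields = dict(parse_qs(query_string, keep_blank_values=True))
    if content_type.startswith("application/x-www-form-urlencoded"):
        decoded_body = body.decode("utf-8", "replace")
        for name, values in parse_qs(decoded_body, keep_blank_values=True).items():
            fields.setdefault(name, []).extend(values)
    # The request path is inspected too, so traversal in the URL is caught.
    fields.setdefault("<path>", []).append(path)
    for name, values in fields.items():
        for value in values:
            # parse_qs already decoded once; a second unquote pass normalises
            # double-encoded input so the signatures see the real characters.
            candidate = unquote(value)
            for rule, pattern in SIGNATURES:
                if pattern.search(candidate):
                    return (rule, name, value)
    return None


class WafMiddleware:
    """WSGI middleware: inspect first, forward to the wrapped app only if clean."""

    def __init__(self, app):
        self.app = app
        self.blocked = []  # audit trail of (rule, parameter, value) for the defender

    def __call__(self, environ, start_response):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length) if length else b""
        environ["wsgi.input"] = io.BytesIO(body)  # let the app re-read the body
        verdict = inspect_request(
            environ.get("REQUEST_METHOD", "GET"),
            environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""),
            body,
            environ.get("CONTENT_TYPE", ""),
        )
        if verdict is not None:
            self.blocked.append(verdict)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Request blocked by WAF\n"]
        return self.app(environ, start_response)


def origin_app(environ, start_response):
    """Stand-in for the origin web server (constructed; not WordPress)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]


def send(app, method, path, query="", body=b"", content_type=""):
    """Drive a WSGI app in-process and return (status line, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "CONTENT_TYPE": content_type,
        "wsgi.input": io.BytesIO(body),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    waf = WafMiddleware(origin_app)
    print(send(waf, "GET", "/", "s=wordpress+security"))
    print(send(waf, "GET", "/", "id=1%27+or+%271%27%3D%271"))
    print(send(waf, "POST", "/wp-comments-post.php",
               body=b"comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
               content_type="application/x-www-form-urlencoded"))
    print(waf.blocked)
```

Two points the sketch makes that the prose only implies: the WAF must decode the request the same way the application will (here via `parse_qs` and a second `unquote` pass), otherwise encoded input slips through; and every block decision is recorded in `blocked`, because a WAF is also a detection source that the site owner or host should be reviewing.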
Types of WAF Services
WordPress can be either hosted on a user’s private servers or used in a cloud-based hosting environment. If the site owner has cloud hosting, the WAF is typically hardware-based and located at the host’s data center.
Shared hosts face the challenge of protecting servers that host hundreds of sites, each of which individually poses a risk to server security. It only takes one hacked site to threaten the security and performance of a shared server, so most hosts use physical hardware WAF devices to detect attacks. A hardware WAF may slightly affect the performance of the sites on the server, but that is a small price to pay to protect them from being compromised.
A host-based WAF can be installed on a WordPress site as a plugin, or as an additional application that monitors the entire server. Wordfence is an example of a plugin-style host-based WAF that blocks malicious requests. Because it is a plugin, Wordfence must be installed separately on every WordPress site hosted on the server. Individual installs give each site owner more granular control over the configuration based on their business needs.
The other host-based option is an application that monitors and mitigates attacks across the entire server. Imunify360 is an example of such a server-level application. It can also be installed on shared hosting servers so that the host can monitor attacks across the whole shared environment. These tools alert administrators to suspicious activity on each site so that they can respond to issues even when the site owner is unaware of a compromise. In some cases, a host-based WAF will automatically clean malicious code from files and quarantine malicious files as soon as they are uploaded to the server.
To add to WordPress security and protect against DDoS attacks, a cloud-based WAF can be configured in front of the website. A good example of a WAF popular with many sites is Cloudflare. Most people know Cloudflare as a DDoS mitigation service, but the product is primarily a WAF. It acts as a proxy between the origin web server and the user's browser. It hides the origin server's IP address to protect it from DDoS attacks and absorbs large floods of traffic intended to crash services. Cloudflare also protects against other web-based attacks such as SQL injection and XSS.
Which WAF Service Should You Use?
For business websites, combining a cloud-based WAF with a host-based WAF is the best way to protect a WordPress site. This is a more expensive option, but it will stop the more sophisticated attacks that target business sites. For users with a personal WordPress site, a simple host-based WAF is sufficient, and as the site grows it may be worth adding a cloud-based WAF later.
Shared hosts already run hardware-based WAF devices, so their users get that protection without configuring anything on the site. The host's WAF works in the background without interfering with the WordPress site. WAF plugins are also available for WordPress sites on shared hosts, and the two layers together are effective at stopping attacks.
Pressable Helps Keep Your WordPress Websites Protected
If you run a WordPress site, it is important to think about security, because WordPress is a primary target for attackers. A WAF is just one component of your security, but it can stop many web-based attacks. A hacked site can damage business reputation, revenue, and brand trust, and a WAF protects your site's integrity better than simple monitoring and manual mitigation alone.
As a premium WordPress managed hosting provider, Pressable provides customers with a web application firewall designed to prevent all types of cyber threats and keep your website up and running 24/7/365. Additionally, all Pressable hosting plans include Jetpack Security Daily for free (a $239 per year value) to provide an added layer of safety and protection. And if you choose to use a third-party service like Cloudflare, we can even help you get set up properly.
Amanda serves as the Head of Sales and Enablement for Pressable. She's worked in the tech space for well over a decade and has spent the majority of that time building/training/leading teams. She loves travel and adventure and when she's not working, you can find her spending time with her family, lounging pool/beach-side, playing tennis, working out, and meeting people/making friends all along the way!