Due to its vast popularity, WordPress is the target of all kinds of malicious attacks. Many security methods are widely used to protect WordPress, such as changing the admin URL, while a firewall has been applied by only a few webmasters, either because of a lack of knowledge about firewalls or because of security issues with the method itself.
This tutorial is dedicated to resolving that problem. We will discuss what a firewall is, the pros and cons of using one, and how to set one up on a WordPress site.
What Is a WordPress Firewall?
A firewall, generally speaking, is a security measure placed between networks to control incoming and outgoing traffic and so increase security. The rules included in the firewall work like a wall between a trusted network and an untrusted one, protecting the trusted side by controlling who has access to it.
A WordPress firewall, therefore, is a web application firewall that sits between the Internet and the web server on which your WordPress site resides. It analyzes the HTTP requests sent to your site and filters them against its rules to decide whether any of them should be stopped. If a request is identified as malicious, the firewall drops it and notifies the administrator.
Why Should You Use a Firewall on WordPress Sites
There are good reasons to take a firewall into consideration. First of all, since there is no perfect solution that keeps WordPress safe from every kind of attack, using a firewall is a sensible way to harden the security of your site. Moreover, the proper use of a firewall has been proven to be an effective method for stopping bad traffic.
Secondly, firewalls are configurable, so you can make changes according to your own needs. Once a firewall is set up properly, it runs automatically, so you do not need to spend much time watching over the security of your traffic.
How It Works
As we have mentioned, this technology places a wall between the suspicious source and the reliable one so as to protect your website, scripts, server machine and network. To make this happen, there are 4 main practices adopted by service providers.
- Packet Filtering – The firewall takes a close look at every packet leaving and entering the network. After analyzing them against the defined rules, it rejects or accepts the packets. This filtering practice is effective for all users, but it can be difficult for newbies to configure.
- Special Gateways – This technology applies an exclusive security mechanism to specific applications. If nothing suspicious is found, packets can flow on without further inspection.
- Proxy Servers – The proxy server is established as a middleman that intercepts all the messages passing through the network, and then allows the good traffic and stops the bad.
The Limitations of a WordPress Firewall
Although secure and flexible, a firewall has its own inevitable limitations, which you should also consider when making the decision. One drawback is that it comes with vulnerabilities, too. For example, if an attack is strong and specific enough, it can disable some functions of the firewall or simply bypass detection.
Another limitation is that a firewall cannot protect WordPress from improper user configurations and other user issues. There are indeed firewall rules that limit the frequency of requests, but if an attack stays under the limit, it will not be detected. Weak login credentials and incorrect file permissions can still be exploited.
How to Set Up a Firewall for Your WordPress Site?
Setting up a firewall in WordPress is not challenging as long as you use the right tool. There are many WordPress security plugins and firewall plugins available, and here we recommend a free plugin named Simple Security Firewall. After installing and activating the plugin, you will see a menu named Simple Firewall appear in the Dashboard along with several configuration options.
Clicking on the menu takes you to the dashboard of Simple Security Firewall, where you get an overview of all the features included in the plugin. By default, the plugin does not turn on any feature at installation, so you need to enable and configure the features you need yourself.
Global Options & IP Whitelist
Whether or not you have enabled any feature yet, scrolling down you will find a tab named Global Options. There are two options under the tab: one lets you disable all features of the plugin globally, and the other lets you create an IP whitelist. When trusted IPs are added to the box, traffic from those IPs will not be restricted by the plugin.
General Options & Email Reports
Next to Global Options is the General Options tab. Under it you can change the email address to which reports are sent and configure several other options. By default, “Delete Plugin Settings” is not checked, and we suggest you do not tick the box unless you have decided to remove the plugin from your system completely.
Admin Access Restriction
Do not turn this feature on unless your site has multiple administrators whom you do not want to access the plugin. If you do need this feature, remember the Admin Access Key carefully, or you can be locked out.
There are several settings to deal with when setting up the firewall feature itself. Firstly, you need to enable it, as it is disabled by default.
Secondly, under Firewall Blocking, the Directory Traversals, SQL Queries and Block Field Truncation Attacks options are already checked. You had better not uncheck any of them unless you are experienced enough. If you are a beginner who does not deal with code, you can also check the PHP Code and Exe File Uploads options to prevent malicious code from being uploaded to your site.
Thirdly, configure the Block Response to decide how the firewall responds to a blocked request. There are four options, so you can return a custom 404 error page, redirect the visitor to the homepage, or just let the request die. Besides, checking the Send Email Report option lets the system send you an email notification whenever a visitor is blocked.
Fourthly, you can exempt administrators and search engine spiders from the firewall rules by checking the corresponding options. We suggest not applying firewall rules against search engine bots, for the sake of search engine optimization.
Lastly, if you have some IPs that send requests too frequently or have been used for malicious attacks, add them to the IP blacklist to block them completely.
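To make the configuration steps above concrete, here is a toy request firewall written for this tutorial (it is an added example, not code from the Simple Security Firewall plugin). It models the same surface the steps describe: a global IP whitelist, an IP blacklist, the blocking categories (directory traversal, SQL queries, field truncation, PHP code, executable uploads), the administrator and search-engine exemptions, and a configurable block response. The signature patterns, the `.php` upload extension and every IP address and request are assumptions constructed for the demo.

```python
"""Toy request firewall modelled on the Simple Security Firewall options
described above (added example, not the plugin's own code).
All addresses and requests here are constructed for the demo."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Signature patterns, one per blocking category (assumed, illustrative only).
RULES = {
    "directory_traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I),
    "sql_query": re.compile(r"\b(union\s+select|select\s+.+\s+from|drop\s+table|insert\s+into)\b", re.I),
    "field_truncation": re.compile(r"\x00"),          # NUL byte that truncates a field
    "php_code": re.compile(r"<\?php|\b(eval|base64_decode|system)\s*\(", re.I),
    # Applied to upload file names only; .php etc. added on top of .exe as an assumption.
    "exe_upload": re.compile(r"\.(exe|php|phtml|phar)$", re.I),
}
SEARCH_ENGINE_UA = re.compile(r"Googlebot|bingbot|DuckDuckBot", re.I)


@dataclass
class FirewallConfig:
    whitelist: set = field(default_factory=set)   # Global Options: trusted IPs
    blacklist: set = field(default_factory=set)   # IP blacklist
    enabled_rules: set = field(default_factory=lambda: set(RULES))
    ignore_admins: bool = True                    # Fourthly: exempt administrators
    ignore_search_engines: bool = True            # Fourthly: exempt search engine bots
    block_response: str = "die"                   # Thirdly: "die" | "404" | "redirect_home"


@dataclass
class Request:
    ip: str
    path: str
    query: dict
    post: dict = field(default_factory=dict)
    upload_names: list = field(default_factory=list)
    user_agent: str = ""
    is_admin: bool = False


def matched_rule(req, cfg):
    """Return the first enabled blocking category the request trips, else None."""
    # Decode once so %2e%2e%2f-style encoding cannot hide a traversal or a NUL byte.
    values = [unquote(req.path)] + [unquote(str(v)) for v in (*req.query.values(), *req.post.values())]
    for name in ("directory_traversal", "sql_query", "field_truncation", "php_code"):
        if name in cfg.enabled_rules and any(RULES[name].search(v) for v in values):
            return name
    if "exe_upload" in cfg.enabled_rules and any(RULES["exe_upload"].search(n) for n in req.upload_names):
        return "exe_upload"
    return None


def evaluate(req, cfg):
    """Decide what happens to a request: ("allow" or cfg.block_response, reason)."""
    if req.ip in cfg.whitelist:                       # whitelist wins over everything
        return "allow", "whitelisted ip"
    if req.ip in cfg.blacklist:                       # blacklisted IPs are blocked outright
        return cfg.block_response, "blacklisted ip"
    if cfg.ignore_admins and req.is_admin:
        return "allow", "admin bypass"
    if cfg.ignore_search_engines and SEARCH_ENGINE_UA.search(req.user_agent):
        return "allow", "search engine bypass"     # user-agent based, so spoofable
    rule = matched_rule(req, cfg)
    if rule:
        return cfg.block_response, rule
    return "allow", "no rule matched"


if __name__ == "__main__":
    cfg = FirewallConfig(whitelist={"192.0.2.10"}, blacklist={"203.0.113.7"}, block_response="404")
    samples = [  # constructed traffic
        Request("198.51.100.2", "/", {"id": "1 UNION SELECT user_pass FROM wp_users"}),
        Request("198.51.100.2", "/wp-content/..%2F..%2Fwp-config.php", {}),
        Request("198.51.100.2", "/wp-admin/upload.php", {}, upload_names=["shell.exe"]),
        Request("198.51.100.2", "/", {"s": "hello"}),
    ]
    for r in samples:
        print(r.path, r.query, "->", evaluate(r, cfg))
```

Two design points are worth noticing. The whitelist is checked before anything else, which is exactly why the tutorial warns to put only trusted addresses in it. And the search engine exemption here keys on the User-Agent header alone, which anyone can forge; that is the gap the "fake Googlebot" rule of the second plugin discussed later is meant to close.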
Besides the features mentioned above, Simple Security Firewall also has a large number of other security features that help you fight against brute force attacks, comment spam and other security issues. Try out the plugin yourself and make the most of it.
In addition, we sincerely recommend the All In One WP Security and Firewall plugin, which is comprehensive and user-friendly. This plugin has plenty of security-related features, among which the firewall is the primary and highlighted one.
You can download it to your WordPress site for free. After clicking the WP Security button, you can check its dashboard.
Firstly, you will find a Security Strength Meter section. Its purpose is to inform you how secure your website is, based on the number of security features you have enabled.
Now, to add firewall protection to your site, click the Firewall button in the drop-down menu. Here, you can add basic firewall rules, advanced rules, 6G blacklist rules, internet bots rules, hotlink prevention rules, 404 detection rules and some custom options.
Note that this plugin adds the firewall functionality to your site by inserting rules into your .htaccess file. To avoid unexpected problems, you had better back up your site first. For this, you can directly click the Settings button of this plugin. In the General Settings page, you can easily start a backup of your wp-config.php file, database and .htaccess file.
Basic Firewall Rules
Firstly, you can enable the basic firewall protection mechanisms for your site. For instance, you can protect your .htaccess file and the wp-config.php file by denying outside access to them, limit the upload size of files to 10 MB and deactivate the server signature. Note that these basic features have little or even no effect on the overall functionality of your site.
In addition, you can enable the pingback vulnerability protection. By doing so, hackers cannot exploit pingback vulnerabilities to carry out DoS attacks or attack internal routers. However, this firewall rule can only be enabled if you are not using the XML-RPC functionality of your WordPress installation.
The last basic rule is highly recommended: it blocks external access to the debug.log file, which contains sensitive data about your site.
Now, you can enable these rules based on your needs. To do this, simply tick the checkbox for each protection.
Advanced Firewall Rules
In addition to the basic rules, you can also optionally enable some advanced options.
- Disable the listing of web contents and directories even if there is no index.php file. However, to use this rule, you need to make sure that the Indexes directive is enabled in the httpd.conf file. If not, contact your web host.
- Disable the TRACE and TRACK HTTP methods so as to better prevent HTTP trace attacks and XSS attacks.
- Disallow proxy comment posting, forbidding all requests that go through a proxy server to post comments.
- Prevent string-based XSS attacks on your website.
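Because both the Basic Firewall Rules and the Advanced Firewall Rules end up as directives in your .htaccess file, it is useful to be able to check which of them are actually in place after the plugin (or you) has edited the file. The script below is an added example written for this tutorial, not code from the All In One WP Security and Firewall plugin: it parses an .htaccess file and reports whether each of the protections described above is present. `SAMPLE_HTACCESS` is a constructed file for the demo; it uses only standard Apache directives that are permitted inside .htaccess.

```python
"""Audit an .htaccess for the basic and advanced hardening rules described
above (added example; not the plugin's own code). SAMPLE_HTACCESS is
constructed for the demo."""
import re

SAMPLE_HTACCESS = """\
# Basic rules: deny outside access to sensitive files
<Files wp-config.php>
    Require all denied
</Files>
<Files .htaccess>
    Require all denied
</Files>
<Files debug.log>
    Require all denied
</Files>
LimitRequestBody 10485760
ServerSignature Off

# Advanced rules: no directory listing, reject TRACE/TRACK
Options -Indexes
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
"""


def parse_htaccess(text):
    """Return (directives, protected_files).
    directives: top-level (name, args) tuples in file order;
    protected_files: names inside <Files> blocks that deny all access."""
    directives, protected, current_file = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Files\s+"?([^">]+)"?>', line, re.I)
        if m:
            current_file = m.group(1)
            continue
        if line.lower() == "</files>":
            current_file = None
            continue
        name, _, args = line.partition(" ")
        if current_file is not None:
            # Apache 2.4 "Require all denied" or Apache 2.2 "Deny from all"
            if (name.lower(), args.lower()) in (("require", "all denied"), ("deny", "from all")):
                protected.add(current_file)
        else:
            directives.append((name, args))
    return directives, protected


def audit(text, max_upload_bytes=10 * 1024 * 1024):
    """Map each protection from the tutorial to True (present) or False (missing)."""
    directives, protected = parse_htaccess(text)
    by_name = {n.lower(): a for n, a in directives}
    limit = by_name.get("limitrequestbody", "")
    conds = [a.lower() for n, a in directives if n.lower() == "rewritecond"]
    rules = [a.lower() for n, a in directives if n.lower() == "rewriterule"]
    return {
        "wp-config.php protected": "wp-config.php" in protected,
        ".htaccess protected": ".htaccess" in protected,
        "debug.log blocked": "debug.log" in protected,
        "upload limit <= 10MB": limit.isdigit() and int(limit) <= max_upload_bytes,
        "server signature off": by_name.get("serversignature", "").lower() == "off",
        "directory listing disabled": any(n.lower() == "options" and "-indexes" in a.lower()
                                          for n, a in directives),
        # TRACE/TRACK can only be refused from .htaccess via a rewrite to 403 ([F])
        "TRACE/TRACK rejected": any("trace" in c and "track" in c for c in conds)
                                and any("[f]" in r for r in rules),
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_HTACCESS).items():
        print(("PASS    " if ok else "MISSING ") + check)
```

Two caveats match notes in the tutorial itself. `Options -Indexes` only takes effect if the host's httpd.conf grants `AllowOverride Options` (or `Indexes`) for your directory, which is why the advanced rule tells you to contact your web host if it does not work. And Apache's `TraceEnable off` is a server-level directive that cannot be set from .htaccess, so a plugin has to reject TRACE and TRACK with a rewrite rule as shown in the sample.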
Blacklist Firewall Rule
Here, you can activate the 6G or 5G firewall rule for protection. By doing so, you block forbidden characters commonly used in attacks and in encoded URLs, and fight against both common and specific malicious exploits.
Note that the 6G protection is the updated version of the 5G one.
Other Additional Rules
If you want, you can also enable the Internet Bots, Hotlink and 404 Detection rules. By doing so, you can block fake Googlebots, prevent hotlinking of your images and manage the 404 events that happen on your site.