Due to its vast popularity, WordPress is the target of various malicious attacks. Many security methods are widely used to protect WordPress, such as changing the admin URL, while using a firewall has been adopted by only a few webmasters, owing either to a lack of knowledge about firewalls or to security issues with the method itself.
This tutorial is dedicated to resolving that problem. We will discuss what a firewall is, the pros and cons of using one, and how to set one up on a WordPress site.
What Is a WordPress Firewall?
A firewall, generally speaking, is a security measure placed between networks to control incoming and outgoing traffic and increase security. The rules included in the firewall work like a wall between a trusted network and an untrusted one, protecting the trusted side by controlling who has access to it.
A WordPress firewall, therefore, is a web application firewall that sits between the Internet and the web server on which your WordPress site resides. It analyzes the HTTP requests sent to your site and filters them based on its rules to determine whether any of them should be stopped. If a request is detected as malicious, the firewall drops it and notifies the administrator.
Why Should You Use a Firewall on WordPress Sites
There are good reasons to take a firewall into consideration. First of all, as there is no perfect solution that keeps WordPress safe from all kinds of attacks, using a firewall is a sensible way to harden the security of your site. Moreover, the proper use of a firewall has proven to be an effective method for stopping bad traffic.
Secondly, firewalls are configurable, so you can make changes according to your own needs. Once a firewall is set up properly, it runs automatically, so you do not need to spend much time worrying about the security of your traffic.
The Limitations of a WordPress Firewall
Although secure and flexible, a firewall has its own inevitable limitations, which you should also consider when making the decision. One drawback is that it comes with vulnerabilities, too. For example, if an attack is strong and specific enough, it can disable some functions of the firewall or simply bypass detection.
Another limitation is that a firewall cannot protect WordPress from improper user configurations and other user issues. There are indeed firewall rules that limit the frequency of requests, but if an attack stays within that limit, it will not be detected. Weak login credentials and incorrect file permissions can still be exploited.
How to Set Up a Firewall for Your WordPress Site?
Setting up a firewall in WordPress is not challenging as long as you use the right tool. There are many WordPress security plugins and firewall plugins available on the web, and here we would like to recommend a free plugin named Simple Security Firewall. After installing and activating the plugin, you will see a menu named Simple Firewall appear in the Dashboard, along with several configuration options.
Clicking on the menu takes you to the dashboard of Simple Security Firewall, where you can get an overview of all the features included in the plugin. By default, the plugin does not turn on any features at installation, so you need to enable and configure the features you need yourself.
Global Options & IP Whitelist
Whether or not you have enabled any feature in the image above, scrolling down you will find a tab named Global Options. There are two options under the tab: one allows you to disable all features of the plugin globally, and the other lets you make an IP whitelist. When trusted IPs are added to the box, traffic from those IPs will not be restricted by the plugin.
General Options & Email Reports
Next to Global Options is a General Options tab. Under this tab you can change the email address to which reports will be sent, and configure several other options. By default, “Delete Plugin Settings” is not checked, and we suggest you do not tick the box until you decide to delete the plugin from your system completely.
Admin Access Restriction
Do not turn this feature on unless your site has multiple administrators and you do not want them to access the plugin. If you do need this feature, remember the Admin Access Key carefully, or you may be locked out.
There are several settings you have to deal with when setting the firewall itself up. Firstly, you need to enable the feature, as it is disabled by default.
Secondly, under Firewall Blocking, Directory Traversals, SQL Queries and Field Truncation Attacks are already checked. You had better not uncheck any of them unless you are experienced enough. If you are a beginner who does not deal with code, you can also check the PHP Code and Exe File Uploads options to prevent malicious code from being uploaded to your site.
Thirdly, configure the Block Response to decide how the firewall responds to a blocked request. There are four options, so you can return a custom 404 error page, redirect the visitor to the homepage, or just let the request die. Besides, checking the Send Email Report option lets the system send you an email notification whenever a visitor is blocked.
Fourthly, you can exempt administrators and search engine spiders from the firewall rules by checking the corresponding options. We suggest not applying firewall rules against search engine bots, for the sake of search engine optimization.
Finally, if you have some IPs that send requests too frequently or have been used for malicious attacks, add them to the IP blacklist to block them completely.
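To make the request filtering described earlier and the settings walked through above concrete, here is an added Python model of the decision a firewall like this makes per request (example code written for this article, not the plugin's own): global on/off switch, IP whitelist and blacklist, the Firewall Blocking categories, the Block Response choice, the email report flag, and the exemptions for administrators and search engine spiders. The rule patterns, the `Request` and `FirewallConfig` names and the sample IPs are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed detection patterns for the Firewall Blocking categories; real rule
# sets are larger and need tuning, since broad SQL patterns can block legitimate
# search terms (false positives).
RULES = {
    "dir_traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I),
    "sql_query": re.compile(r"\b(union\s+select|drop\s+table|information_schema)\b", re.I),
    "php_code": re.compile(r"<\?php|\b(eval|base64_decode)\s*\(", re.I),
}
EXE_EXTENSIONS = (".exe", ".php", ".phtml")  # "Exe File Uploads" category

@dataclass
class Request:
    ip: str
    params: dict                                  # query and POST parameters
    uploads: list = field(default_factory=list)   # uploaded file names
    is_admin: bool = False
    user_agent: str = ""

@dataclass
class FirewallConfig:
    enabled: bool = False                         # disabled by default, like the plugin
    whitelist: list = field(default_factory=list) # Global Options -> IP whitelist
    blacklist: list = field(default_factory=list) # IP blacklist
    block_response: str = "die"                   # "404", "redirect_home" or "die"
    exempt_admins: bool = True
    exempt_search_bots: bool = True
    email_report: bool = True

def _ip_in(ip, nets):
    return any(ip_address(ip) in ip_network(n, strict=False) for n in nets)

def _matched_rule(req):
    for name, pattern in RULES.items():
        if any(pattern.search(str(v)) for v in req.params.values()):
            return name
    if any(f.lower().endswith(EXE_EXTENSIONS) for f in req.uploads):
        return "exe_file_upload"
    return None

def inspect(req, cfg):
    """Return ("allow", reason) or ("block", rule, block_response, notify_admin)."""
    if not cfg.enabled or _ip_in(req.ip, cfg.whitelist):
        return ("allow", "disabled_or_whitelisted")
    if _ip_in(req.ip, cfg.blacklist):
        return ("block", "ip_blacklist", cfg.block_response, cfg.email_report)
    # User-Agent is forgeable, so a bot exemption keyed only on it is a weak spot.
    if (cfg.exempt_admins and req.is_admin) or (cfg.exempt_search_bots and "Googlebot" in req.user_agent):
        return ("allow", "exempt")
    rule = _matched_rule(req)
    return ("block", rule, cfg.block_response, cfg.email_report) if rule else ("allow", "clean")
```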
Besides the features mentioned above, Simple Security Firewall also has a large number of other security features that help you fight against brute force attacks, comment spam and other security issues. Try out the plugin yourself and make the most of it.