30 Jul 2021, by Slade Baylis
It’s almost a certainty that, over time, bugs and flaws will be discovered in software that make it vulnerable to exploitation. Until they are patched by the software developers, your website will be at risk from increasing online threats.
That’s why it’s important not only to make sure that any application or software you use is up-to-date, but also to have multiple levels of protection against malicious activity, so that the likelihood of those vulnerabilities being exploitable is reduced.
One of the standard ways of protecting a web-based application from exploits is to use a Web Application Firewall, but how do you do that without breaking the bank?
A WAF or Web Application Firewall is a security application or appliance that is used to protect a website from a variety of attacks by monitoring traffic and requests sent to the website, and then (based on continually updated firewall rules) filtering/blocking any malicious activity that it detects.
This form of protection can help prevent attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection, which can result in data theft or even your website being used to compromise user devices.
Usually a WAF is a dedicated appliance (either physical or virtual) that would exist separately to your web server, filtering any traffic to or from the server; this is the ideal way to run a WAF as it minimises the impact to the web server and makes sure malicious activity is caught before it even reaches the server.
However, dedicated WAF appliances can cost a small fortune, which is a major hurdle for a lot of smaller businesses. For larger corporates it’s an easy decision, but for smaller organisations where every dollar counts, it’s a difficult balance to strike between due diligence around website security and the financial reality of running a business.
So the question is, are those smaller businesses able to get a similar type of protection without needing to spend a similar amount of money?
WordFence is an Endpoint Firewall plugin that looks to increase the security of WordPress websites by providing firewall functionality, scanning websites for viruses and malware, as well as protecting websites against common web-based attacks and attacks specifically targeted at WordPress and WordPress plugins.
The WAF functionality specifically helps prevent SQL injection attacks, Cross Site Scripting (XSS) attacks, the uploading of malicious files, and more. All of this is done at the software/application level on the web server itself for a fraction of the cost of dedicated WAF appliances.
Through its real-time protection, it is regularly updated with signatures/patterns of newly discovered exploits to look out for.
As it’s not a dedicated appliance, it is not as sophisticated as solutions that cost thousands of dollars. With WordFence being a plugin rather than a separate physical appliance, it is part of your website, which means that any attack is only blocked once it has already reached the server. Because of that, the server will need to use some of its resources (CPU and RAM) on both detecting and blocking the request.
Downsides like this are why the more expensive options exist, though WordFence still serves as a very important stepping stone in getting at least some form of protection against those types of exploits at an affordable cost.
As mentioned above, WordFence is also one of the best malware scanning plugins that you can get for a WordPress website, being able to detect malicious code both within the website files and database, and even to compare the plugins and themes against the originals stored on the WordPress repository.
This is why we recommend WordFence to Micron21 users who don’t already have a dedicated WAF appliance set up.
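The idea of comparing installed plugin files against their originals, mentioned above, can be illustrated with a small integrity check. This is an added example, not WordFence’s own code: the plugin name, file contents and the manifest of SHA-256 hashes are constructed for the demonstration, and how WordFence performs the comparison internally is not described here.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_originals(plugin_dir: Path, manifest: dict) -> dict:
    """manifest maps relative path -> SHA-256 of the original, unmodified file."""
    installed = {p.relative_to(plugin_dir).as_posix(): sha256_file(p)
                 for p in plugin_dir.rglob("*") if p.is_file()}
    return {
        # Same path as the original release, different content.
        "modified": sorted(f for f in installed
                           if f in manifest and installed[f] != manifest[f]),
        # Present on disk but never shipped with the original release.
        "added": sorted(f for f in installed if f not in manifest),
        # Shipped with the original release but no longer on disk.
        "missing": sorted(f for f in manifest if f not in installed),
    }


def demo() -> dict:
    # Constructed sample: a hypothetical plugin and its "original" file contents.
    originals = {
        "example-plugin.php": b"<?php // plugin bootstrap\n",
        "includes/helpers.php": b"<?php function helper() {}\n",
        "readme.txt": b"Example plugin\n",
    }
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in originals.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in originals.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        # Simulate changes made after installation.
        (root / "includes/helpers.php").write_bytes(b"<?php function helper() {} // changed\n")
        (root / "includes/cache.php").write_bytes(b"<?php // not in the original release\n")
        (root / "readme.txt").unlink()
        return compare_to_originals(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files reported as modified or added are the ones worth reviewing first, since a legitimate install should match the original release exactly.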
If you currently don’t have any sort of WAF protection in front of your WordPress website, the next step should be to install WordFence onto it.
The install process is as simple as any other plugin installation; you just need to:
Within the plugin itself there are various configuration options to do with scheduled scanning, notification options, defence against brute-force password attacks, and even the ability to block IP addresses (or entire countries with their premium offering).
If you have any questions about implementing WordFence into your WordPress website (or would rather we just get that set up for you instead), you can contact us on 1300 769 972 (Option #1).