Firewalls are indeed a must-have feature in any server security protocol. They role is pretty simple:
You just can't leave your website, or server more accurately, without a firewall.
Instead of inquiring about which firewall to use, you need to settle around what kind of firewall you need. Then picking the right tool depending on your budget.
You can use an app level server firewall, or a DNS server firewall, or a server-side level firewall.
I have some reservations about the first two methods:
Any firewall-related request will need to run through a PHP process, leading to more CPU usage. You factor that by the number of visits you get on your website.
One common mistake when depending on free app level firewall is that the threats/exploits database is not updated in real time.
Let's take Wordfence as an example.
The free version has a 30 days delay to get the updated firewall rules. You think it's alright until a zero day vulnerability starts kicking in. You no defense mechanism to immune you from that specific vulnerability, you get hacked almost instantly.
To get access to an updated threats database, you need to have a premium subscription (Wordfence goes for $99/y).
Most of the providers on the space have fast performance though.
The overall cost for the good ones is around $20/m.
A server level firewall will perform well with almost no performance impact. It requires that you have access to the hosting server (unmanaged VPS or Dedicated) and deploy something like ConfigServer Security & Firewall (CSF) and additional rules specific to what you are running.
CSF is a powerful firewall with GUI interfaces in all major servers administration panels like cPanel, DirectAdmin, InterWorx, CentOS Web Panel (CWP), VestaCP and Webmin.
The true power of CSF is in how it can be tailored to harden your firewall rules and make your specific web environment a stronghold from outside attacks.
You can't possible think it's mission accomplished after you deploy or enable a firewall.
The firewall is just a tool It needs to be monitored and directed to do its job.