Firewalls are indeed a must-have feature in any server security protocol. Their role is pretty simple:
- Prevent known malicious IPs from reaching your server
- Stop abusive IPs from running brute-force attacks
- Lock out IPs that try to exploit known vulnerabilities
App level firewalls are resource intensive

Any firewall-related request will need to run through a PHP process, leading to more CPU usage. Multiply that by the number of visits you get on your website. One common mistake when depending on a free app level firewall is that the threats/exploits database is not updated in real time. Let's take Wordfence as an example. The free version has a 30 days delay to get the updated firewall rules. You think it's alright until a zero day vulnerability starts kicking in. You have no defense mechanism to protect you from that specific vulnerability, and you get hacked almost instantly. To get access to an updated threats database, you need to have a premium subscription (Wordfence goes for $99/y). Known providers:
- Wordfence ($99/y per website)
- Jetpack (starts at $3/m per website)
- BBQ Pro ($20 one-time per website)
DNS level firewall makes you depend on the DNS provider's performance

Most of the providers in the space have fast performance though. The overall cost for the good ones is around $20/m. Known providers:
- Sucuri (starts at $199/y per website)
- Cloudflare ($20/m per website)
- StackPath ($10/m per website)
Server level firewall is the way to go but it's not made for everyone

A server level firewall will perform well with almost no performance impact. It requires that you have access to the hosting server (unmanaged VPS or Dedicated) and deploy something like ConfigServer Security & Firewall (CSF) plus additional rules specific to what you are running. CSF is a powerful firewall with GUI interfaces in all major server administration panels like cPanel, DirectAdmin, InterWorx, CentOS Web Panel (CWP), VestaCP and Webmin. The true power of CSF is in how it can be tailored to harden your firewall rules and make your specific web environment a stronghold against outside attacks. Notes:
- This is a server level tool meant for server administrators and not for the end user.
- Your web host might have it enabled in a more relaxed way to accommodate shared hosting environments.
Known providers:
- ConfigServer Security & Firewall (free)
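As an added example (not from the original article or the CSF project), here is a small POSIX shell audit of the csf.conf settings that correspond to the three firewall roles listed at the top, run over a constructed weak configuration beside a hardened one. The key names are standard csf.conf keys; the threshold values are illustrative assumptions, not recommendations from the article.

```shell
# Constructed csf.conf fragment that leaves the protections disabled.
WEAK_CONF='# csf.conf (constructed sample, weak settings)
TESTING = "1"
TCP_IN = "1:65535"
LF_SSHD = "0"
LF_MODSEC = "0"
CT_LIMIT = "0"'

# Constructed counterpart with the same keys hardened (thresholds are
# illustrative assumptions, adjust them to the services you actually run).
HARDENED_CONF='# csf.conf (constructed sample, hardened settings)
TESTING = "0"
TCP_IN = "22,80,443"
LF_SSHD = "5"
LF_MODSEC = "5"
CT_LIMIT = "300"'

# csf_get CONF KEY: print the quoted value of KEY (empty if the key is absent)
csf_get() {
  printf '%s\n' "$1" |
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# csf_audit CONF: print one finding per line for each weak setting found
csf_audit() {
  conf=$1
  [ "$(csf_get "$conf" TESTING)" = "1" ] &&
    echo "TESTING=1: test mode flushes the rules on a timer, so nothing stays blocked"
  case "$(csf_get "$conf" TCP_IN)" in
    *1:65535*) echo "TCP_IN opens every inbound port; list only the services you run" ;;
  esac
  [ "$(csf_get "$conf" LF_SSHD)" = "0" ] &&
    echo "LF_SSHD=0: SSH brute-force blocking is disabled (role 2 above)"
  [ "$(csf_get "$conf" LF_MODSEC)" = "0" ] &&
    echo "LF_MODSEC=0: repeated mod_security exploit hits never trigger a block (role 3)"
  [ "$(csf_get "$conf" CT_LIMIT)" = "0" ] &&
    echo "CT_LIMIT=0: no per-IP connection limit, so floods are not throttled"
  return 0
}

# csf_audit_count CONF: number of findings, as a bare integer
csf_audit_count() { csf_audit "$1" | wc -l | tr -d ' '; }

csf_audit "$WEAK_CONF"
echo "findings: weak=$(csf_audit_count "$WEAK_CONF") hardened=$(csf_audit_count "$HARDENED_CONF")"
```

To audit a live server, replace the inline string with `"$(cat /etc/csf/csf.conf)"`; the checks only read the file and change nothing.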