Which WordPress firewall to use for your website? - Adame Dahmani

Which WordPress firewall to use for your website?

Firewalls are a must-have in any server security protocol. Their role is pretty simple:
  • Prevent known malicious IPs from reaching your server
  • Stop abusive IPs from running brute-force attacks
  • Lock out IPs that try to exploit known vulnerabilities
You just can’t leave your website, or more accurately your server, without a firewall. Instead of asking which firewall to use, first settle on what kind of firewall you need, then pick the right tool for your budget. You can use an app level firewall, a DNS level firewall, or a server level firewall. I have some reservations about the first two:

App level firewalls are resource intensive

Every request the firewall inspects has to run through a PHP process, which means more CPU usage; multiply that by the number of visits your website gets. Another common problem with free app level firewalls is that the threat/exploit database is not updated in real time. Take Wordfence as an example: the free version gets the updated firewall rules with a 30-day delay. That seems fine until a zero-day vulnerability starts being exploited. With no defense mechanism covering that specific vulnerability, you get hacked almost instantly. To get access to an up-to-date threat database, you need a premium subscription (Wordfence goes for $99/y). Known providers:
  • Wordfence ($99/y per website)
  • Jetpack (starts at $3/m per website)
  • BBQ Pro ($20 one-time per website)

DNS level firewall makes you depend on the DNS provider’s performance

Most of the providers in this space perform fast, though. The overall cost for the good ones is around $20/m. Known providers:
  • Sucuri (starts at $199/y per website)
  • Cloudflare ($20/m per website)
  • StackPath ($10/m per website)

Server level firewall is the way to go but it’s not made for everyone

A server level firewall performs well with almost no performance impact. It requires access to the hosting server (an unmanaged VPS or a dedicated server) so you can deploy something like ConfigServer Security & Firewall (CSF) plus additional rules specific to what you are running. CSF is a powerful firewall with GUI integrations in all major server administration panels, including cPanel, DirectAdmin, InterWorx, CentOS Web Panel (CWP), VestaCP and Webmin. The true power of CSF is in how its rules can be tailored to harden your specific web environment into a stronghold against outside attacks. Notes:
  • This is a server level tool meant for server administrators and not for the end user.
  • Your hosting provider might have it enabled in a more relaxed configuration to accommodate shared hosting environments.
Known providers:
  • ConfigServer Security & Firewall (free)

There is a catch…

You can’t possibly think it’s mission accomplished once you deploy or enable a firewall. The firewall is just a tool :) It needs to be monitored and directed to do its job.