If you own a website, you need to protect it. Like personal computers, web servers and the software running on them are constantly probed and attacked by hackers. Because of this, it’s important to keep hackers and other bad traffic away from your site. And that’s where a web application firewall, or WAF, steps in. We can call it a “website firewall” to keep it simpler.
What Exactly is a Website Firewall?
In short, a website firewall is a security filter between a computer or server and the rest of the world. Malicious hackers make a living by breaking into insecure servers. Widely used web applications like WordPress and other popular content management systems make a large attack surface. This is why it’s so important for you to secure your WordPress site.
A helpful line of defense against security threats is a website firewall.
There are quite a few different firewall types, so you’ll want to make sure you’re using the best solution. In this guide, we’ll discuss the different types of firewalls. We’ll explain why you need one to protect your WordPress site, and how you can set one up.
Let’s dive in.
Think of a firewall as a huge security gate for your website.
What Does a Website Firewall Do?
Every time you go to a website, you’re connecting to another computer called a web server. Web servers are as exposed to malicious attacks as any other computer.
It’s not safe to connect to a foreign or unknown device directly without a layer of protection between them. An insecure connection may allow hackers to infect a connected device with malware.
They may even launch an all-out Distributed Denial of Service (DDoS) attack on a web server that accepts every request sent to it. A million bad requests in a minute won’t break into your site, but they may overwhelm your server and take your site down. If you have a firewall that recognizes bad requests and fake traffic, it will block them and serve only legitimate requests from real people who want to view your site.
This is why a firewall is so important. Firewalls stand between your site and all other devices that try to connect with it. In the case of your web server, your host uses firewalls as filters standing between your server and hundreds, thousands, or even millions of connections with other devices every single day. In the case of your website, a software-based website firewall added to WordPress will add another layer of protection you can control.
How Does a Website Firewall Work?
A firewall monitors outgoing and incoming traffic, constantly scanning for signs of hacks or other malicious activity. When it detects something out of the ordinary, the firewall stops it from reaching its intended destination.
Think of a website firewall as a huge filter for your web server.
When network firewalls first became available in the early 1990s, they were simple packet analyzers that could only block incoming traffic using a very small set of rules. They were, in fact, quite easy for hackers to bypass.
Today, firewalls have become complicated programs that excel at keeping hackers from reaching their goals. With the high volume of hacking attempts happening on a daily basis, hardware firewalls are a key feature of network routers, switches, and web servers. A good host takes care of all this for you. But your website is your responsibility to maintain, and setting up a firewall for it will cap off these other layers of security.
Do I Need a Firewall on My Website?
Is a firewall really necessary for your website? Do you actually need one?
No, you absolutely do not need a firewall running on your website as part of a WordPress security feature plugin or addon when you could use an external, cloud-based WAF instead.
Yes, you absolutely will benefit from a firewall running in front of your website as part of a cloud WAF or Firewall-as-a-Service platform like Cloudflare or Sucuri.
Every website will take performance hits if it has to host a WAF and do the work of filtering incoming requests while also responding to them, accessing databases, rendering pages, managing cached content, and powering content management and e-commerce applications.
If you are not using solid Managed WordPress hosting, a higher risk and burden of responsibility for security falls to you, the website owner, and your server performance may not be ideal. In this case, a cloud WAF is a very practical choice. (We recommend Liquid Web and Nexcess for WordPress hosting, and Cloudflare and Sucuri for their cloud WAF services.)
Are You Feeling Lucky?
Nobody can go wrong with more security, but some websites may benefit more than others from a website firewall. If you are running a business on your website, storing sensitive customer data and personal identity information, you may be more of a target and also have greater responsibility. The stakes are higher for you to protect your site, so you should consider every way you can harden your security.
If hackers took over or destroyed your website, would you be devastated? If so, a website firewall will add to your peace of mind, along with quality hosting.
What Could Go Wrong?
When it comes to web servers, when a hacker gets through they can quickly deface your entire website. They may embed malware that will infect your site visitors, change WordPress admin passwords to lock you out, or completely take down your website.
If your site lacks a firewall it may be vulnerable to DDoS attacks. In this type of attack, an attacker will send thousands (or millions) of fake data packets that overload your server and bring down your website.
Beyond DDoS attacks, a website firewall will protect your site against:
- Intrusions — A website firewall prevents unauthorized users from accessing your website. When a hacker breaks into your site, the sky is the limit on the damage they can do to it.
- Malware — Malicious attackers that infiltrate your server will most often infect it with malware. Malware is created to steal personal and private information, spread to other devices, and cause damage to computers.
- Brute Force Attacks — Brute force attacks are hacking attempts where an attacker tries thousands of username and password combinations to break into your WordPress site’s admin and other user accounts. Like DDoS attacks, hackers use botnets to conduct brute force attacks. Botnets can test hundreds of different login combinations every minute until they succeed.
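As an added illustration (not part of the original article), here is how the brute force pattern described above can be spotted in a web server access log: count POST requests to the WordPress login page per client address inside a sliding time window. The log lines, addresses, threshold, and window length are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined access-log prefix: ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"  # WordPress login endpoint

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_bruteforce(lines, max_attempts=10, window=timedelta(seconds=60)):
    """Map each offending IP to the time it first exceeded max_attempts
    login POSTs inside one sliding window. Thresholds are assumptions."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:  # drop attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged.setdefault(ip, ts)
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, request, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{request} HTTP/1.1" {status} 512 "-" "constructed-agent"'
    lines = [line("203.0.113.50", 2 * i, "POST /wp-login.php", 200) for i in range(30)]
    lines += [line("192.0.2.77", 10 * i, "POST /wp-login.php", 200) for i in range(12)]
    lines += [
        line("198.51.100.23", 5, "GET /", 200),
        line("198.51.100.23", 9, "POST /wp-login.php", 302),
        line("198.51.100.23", 11, "GET /wp-admin/", 200),
        "truncated or malformed line",
    ]
    return lines, base

if __name__ == "__main__":
    log, _ = sample_log()
    for ip, when in find_bruteforce(log).items():
        print(f"{ip} exceeded the login threshold at {when.isoformat()}")
```

A botnet spreads its attempts over many addresses, so a per-address threshold is only a first filter; the slower client in the sample stays under it. Counting login POSTs per targeted account or across the whole site catches what this misses.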
Types of Firewalls: Where They’re Installed
As we’ve indicated, there are several different types of firewalls. Each of them is designed for a specific situation. Some work great for personal computers. Other firewalls are specially designed for network filtering. Website firewalls protect websites as the last line of defense after these other types of firewalls.
Firewalls are best categorized in terms of where they can be deployed, what they do, and how they do it.
Each type of firewall is located or installed in a unique position on a network or computing device. They may be embedded in hardware. They may be packaged as software you can install on your computer or within a web application, like WordPress. Each type of firewall has different features. There are also a variety of techniques firewalls use to filter different types of traffic.
We’ll briefly cover the main categories, types, and techniques of firewalls to give you a big-picture understanding of them. We’ll discuss how firewalls differ and relate with an eye to understanding where a website firewall for WordPress fits in.
Difference Between Hardware and Software Firewalls
All firewalls are software, but some are embedded in hardware devices like routers and network switches. They may be read-only and unchangeable or require updates that change the software stored in Flash memory or other non-volatile, rewritable memory chips. Firewalls like these are considered hardware firewalls.
A software firewall is a standalone application that runs on top of a computing device’s hardware. It may be part of an operating system or run on top of an operating system, like a personal firewall application, which we’ll discuss further below.
A software firewall may run on top of a web server’s operating system and serve as a network firewall for many other web servers in combination with network hardware firewalls.
A software firewall might be added as a component of a content management system, like a WAF for WordPress. A firewall within WordPress stands high on the technology stack with an operating system and middleware between your site and the underlying hardware. As we’ve seen, that’s an example of a web application firewall.
Hardware vs. Software Firewalls: Advantages and Disadvantages
Hardware firewalls provide the same type of functionality as software firewalls, but they operate upstream on your network, ahead of your computing devices and the web servers hosting your site. They are embedded on a much deeper level of your technology stack.
Even if you’re not aware of it, you have a hardware firewall located in your internet router. While it’s a bit different from dedicated hardware firewall devices, it provides similar monitoring and security features.
Updates and Adaptability
Software and hardware firewalls both stand between your devices and the rest of the world where they can analyze all connection requests and block the bad ones. A software firewall can be updated to improve its effectiveness and respond to new threats. Hardware firewalls are harder to update.
Sometimes network hardware needs updates applied to fix bugs and patch vulnerabilities, but this is a rare and difficult task if you don’t have a network support team. It’s also a reason why older network hardware tends to be less secure. Hackers have figured out how to exploit it. You’re relying on your hosting provider to maintain their hardware infrastructure for you — another reason not to go cheap.
Hardware firewalls have some drawbacks like this. Because they’re quite difficult to update and do need continued maintenance to ensure they’re secure, they need IT support in any serious business network. Home and many small business networks tend to be badly set up and insecure.
Accessibility and Performance
Additionally, hardware firewalls can cause speed and performance issues as they examine and filter network traffic. This is especially true when they’re used together with software firewalls. You may get higher security from multiple firewalls working together, but if they all have complex rules the cost may be to your throughput — the speed of your data transfers on the network.
Also, most hardware firewalls are not intended to block or place restrictions on individual users and devices. That’s not typically in their feature set.
If you have a large network, hardware firewalls can easily protect the entire network and will keep working even if the network is compromised. Software firewalls are much more difficult to set up on a large network, and they are easy to disable if a hacker is able to break in. Hackers typically won’t be able to disable a hardware firewall.
Software firewalls are intended to be more user-friendly for people who may not be technical experts. These firewalls offer functionality to block specific applications, manage device users, create logs, and monitor the users on a network. They’re much more difficult to set up in a network setting, but when they’re installed on several devices they give you more control than hardware firewalls.
Types of Firewalls: Different Techniques They Use
Firewall software is constantly evolving with different techniques emerging over time to handle different tasks and situations.
Today we have nearly a dozen major types of firewalls defined by the techniques they use to protect you. These are packet-filtering firewalls, circuit-level gateways, application-level gateways or proxy firewalls, stateful multilayer inspection (SMLI) firewalls, next-generation firewalls (NGFW) including threat-focused NGFWs, network address translation (NAT) firewalls, cloud firewalls, and unified threat management (UTM) firewalls.
We’ll look at just three of these that represent the older, more basic firewall technology and the newest, most cutting-edge developments in network filtering.
Packet Filtering Firewalls
This type of firewall was one of the first that was ever developed. It’s also the simplest kind of firewall.
Packets are data exchanges between a server and a computer. For example, when you upload a file, send an email, or click on a link, you’re sending a packet to a server. When your device loads a webpage, the server is sending a packet back to you.
Packet filtering firewalls analyze packets and block them if they break some predefined rules. They can block packets that come from an IP address or specific server or packets that are trying to reach certain server locations.
Unfortunately, packet-filtering firewalls are pretty easy for hackers to work around. They can’t apply any advanced rules. If it’s set up to allow access through a given port, the firewall will let anything go through. Even the traffic that modern firewalls will know is not legitimate will make it through without being stopped.
On the upside, packet filtering firewalls are extremely simple and don’t impact performance. They don’t save any logs, inspect traffic, or carry out advanced functions. But today these firewalls aren’t intended as your primary source of protection.
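The limitation described above, shown as an added example that is not from the original article: a static packet filter decides on source address and destination port alone, so a hostile request on an allowed port passes, while a check that reads the request itself can stop it. The rule set, addresses, payloads, and the single traversal signature are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes  # a packet filter never reads this field

# Constructed static rule set: (action, source network, destination port or
# None for any port). First match wins; anything unmatched is denied.
RULES = [
    ("deny", ip_network("203.0.113.0/24"), None),
    ("allow", ip_network("0.0.0.0/0"), 80),
    ("allow", ip_network("0.0.0.0/0"), 443),
]

def packet_filter(pkt):
    """Decide on source address and destination port only."""
    src = ip_address(pkt.src_ip)
    for action, network, port in RULES:
        if src in network and (port is None or port == pkt.dst_port):
            return action
    return "deny"

def request_inspect(pkt):
    """Application-layer check (illustrative signature): parse the HTTP
    request line and reject targets that decode to a path traversal."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        _method, target, _version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not a well-formed request line
    decoded = unquote(target)
    return "deny" if "../" in decoded or "..\\" in decoded else "allow"

def verdicts(pkt):
    """Return (packet-filter verdict, request-inspection verdict)."""
    first = packet_filter(pkt)
    second = request_inspect(pkt) if first == "allow" else "not reached"
    return first, second

# Constructed sample traffic using documentation address ranges.
BENIGN = Packet("198.51.100.10", 80,
                b"GET /blog/ HTTP/1.1\r\nHost: example.com\r\n\r\n")
TRAVERSAL = Packet("198.51.100.10", 80,
                   b"GET /?file=..%2F..%2Fsecret.txt HTTP/1.1\r\nHost: example.com\r\n\r\n")
BLOCKED_SRC = Packet("203.0.113.7", 80,
                     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
CLOSED_PORT = Packet("198.51.100.10", 22, b"")

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("traversal", TRAVERSAL),
                      ("blocked source", BLOCKED_SRC), ("closed port", CLOSED_PORT)]:
        print(name, verdicts(pkt))
```

On port 443 the request is encrypted in transit, so this kind of inspection has to run where TLS is terminated.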
Stateful firewalls were introduced after the simple packet filtering firewalls. The idea was revolutionary at the time. Instead of analyzing the packets when they arrive and blocking some with simple rules, a stateful firewall could deploy more dynamic blocking rules while also monitoring packets coming through the network.
While simple packet filtering firewalls only block traffic based on static predefined rules, a stateful firewall detects and blocks bad traffic by detecting user patterns and other more advanced techniques.
The only downside to a stateful firewall is that it uses more resources than its simpler counterpart. But it’s a solution that can be trusted.
Finally, we have the NGFW or next-generation firewall. This is a recent invention that the current generation of security and web server technology has birthed. NGFWs are enterprise tools that combine many firewall techniques into one solution. Typically they are cloud-based or part of a Firewall-as-a-Service platform. Cloudflare and Sucuri offer cloud-based WAF features through their Software-as-a-Service (SaaS) platforms in this way.
Some of the networking features that NGFWs have include application monitoring, intrusion prevention, and deep packet inspection and filtering. They may have awareness of other applications in the network they’re protecting and be able to control them. They’re also able to be updated with new threat intelligence to respond to the latest and emerging dangers.
The Types of Firewalls You’ll Use Most
Unless you’re a network administrator or spend time customizing a router or wireless access point in your home, it’s unlikely you’ll ever have much contact with hardware firewalls. The most user-friendly and accessible firewalls you’re likely to use run on your computer or website. These are personal and web application firewalls.
Personal firewalls are used on a single computer. It’s the type of firewall that comes pre-installed on macOS, Windows, and many Linux machines. Third-party antivirus solutions may also contain a personally configurable firewall.
Personal firewalls work a lot like server firewalls. They reject or allow connections from outside applications, IPs, and devices based on predefined rules. But in their functioning, a personal firewall acts a bit differently than a server firewall.
Personal firewalls will:
- Protect all computer ports that connect to online applications or websites.
- Stop attacks that try to sneak through the network.
- Prevent bad actors from taking over or accessing your personal devices.
- Analyze all outgoing and incoming traffic for suspicious activity.
In addition, they are application firewalls that monitor your device’s app activity. An effective personal firewall will refuse to allow connections with unknown or unsafe software.
Personal firewalls are easy to employ. If you’re running Windows 10, a personal firewall is automatically running.
For macOS users, you’ll need to turn on the personal firewall in order to be protected. All you need to do on your machine is navigate to System Preferences >> Security & Privacy >> Firewall.
Most antivirus programs will come with a firewall as well. Avast Antivirus is one example.
You can buy personal firewalls, but they tend to conflict with the default setup of most machines and aren’t as useful as they were before computer operating systems had them.
Web Application and Application Firewalls
Web application and application firewalls represent the most evolved and dynamic firewall security today.
A traditional network firewall will only monitor the general network traffic. It will struggle or fail to detect the traffic that comes and goes from changing apps, services, and other software used on the network.
Application firewalls were designed to catch intrusion attempts that probe for and exploit vulnerabilities on a network or within an application. They are embedded on wireless access points and router hardware. They are software bundled with operating systems or security software designed for particular operating systems.
Network application firewalls are used to set limits on users, for parental controls like Apple’s Family Sharing system. Many organizations use them to block access to certain websites and apps.
A web application firewall works very much like these other application firewalls. What sets it apart is that it runs within the application it protects and is dedicated to it. A WAF is focused on security for just one web app — yours.
Firewalls For WordPress: What To Know
If you want to protect yourself and your WordPress site, you need a firewall that keeps hackers on the outside looking in.
When it comes to a personal firewall on your computer, you normally don’t need to install your own. The built-in firewalls in modern operating systems work quite well without the need for any further setup. When they’re coupled with the application firewall that rides on antivirus software and your router’s packet filter, your personal devices should be protected from someone breaking into them and getting access to all your online accounts.
But what about your WordPress site?
Combining a Firewall with iThemes Security Pro
That’s an entirely different story. Websites can be attacked directly across the web, and even if you’re using high-quality hosting with good network security, some attacks will always get through. When that happens, the last layer of defense is the primary one you can control as a website owner or administrator. It’s your responsibility and yours alone to secure and harden your website.
The first step to WordPress site security is to download and install a powerful WordPress security plugin. iThemes Security Pro is the perfect solution for this.
The iThemes Security Pro plugin is easy to use, provides lock-down security protocols for your site, and will keep hackers and malicious attacks at bay 24/7/365.
The next step is to employ a web application firewall. The simplest and most effective way to do this is with a remote, cloud-based WAF from Cloudflare or Sucuri. Since their Firewall-as-a-Service is running on their hosting infrastructure, not yours, there’s no performance cost to your site — which would be the case if you used a WordPress security plugin with a firewall. Within minutes, you can have a cloud WAF up and running, fully protecting your site alongside the iThemes Security Pro plugin which focuses on foundational security hardening for your WordPress site and user authentication.
Beyond that, make sure you choose a Managed WordPress web host that properly maintains its servers. Many, many other benefits come with a hosting company that’s present in and focused on the WordPress community of users and professionals. That’s why we recommend Liquid Web and Nexcess for all your WordPress hosting needs.
Cheap WordPress hosts often lack proper security protocols, which can cause big problems with your site.
It’s Your Job To Protect Your WordPress Site
There’s nobody but you who will make sure your WordPress site stays safe from hackers and malicious attacks. And the best way to do that is by using the one-two punch of a web application firewall combined with the iThemes Security Pro plugin.
And because there is no 100% foolproof way to ensure that a skilled hacker will never break into your site and cause damage, a WordPress backup plugin is an absolute must.
When you use a backup plugin such as BackupBuddy, you’ll be able to immediately restore your site to working condition even if it’s damaged or taken down during a hack.
It’s a plugin you’ll hope you never need to use, but you will be glad you have it if you do need it.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.