Website Firewalls: What They Are & How to Set One Up for WordPress

Posted on April 2, 2015 by in Tips & Tricks | 30 comments


WordPress is insanely popular. It is widely used by large corporations and small DIY bloggers alike. All in all, WordPress websites make up more of the web than any other platform. This fact makes WordPress an attractive target for security attacks of all kinds.

In past posts here on Elegant Themes we have discussed WordPress security in detail and if you follow the advice in those posts you will be well on your way to making your WordPress website as secure as it can be. However, in this post, we’re going to discuss something that the other posts only mentioned indirectly or not at all–firewalls.

How Firewalls Work

A firewall, contrary to popular opinion, is not just something that keeps you from getting on all of the best websites at work or school. It is actually a valuable network security measure that places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites, and individual computers.

These rules are meant to place a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet) in which only trusted data is allowed entry. One, two, or all three of the methods below are implemented to make this happen.

Filtering: all of the packets of data coming in contact with your firewall are analyzed against a set of filters.

Proxy: a “middleman” is established between your website and the internet. This middleman, or proxy, passes along the good traffic while stopping the rest before it can get to your site.

Inspection: instead of analyzing all data coming at your site, key elements are identified and compared to a database of trusted information. If the data is a match then it’s allowed through.
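The difference between filtering and inspection, as an added example that is not part of the original article and not code from any product listed below. The signature list, the trusted table and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Filtering: constructed signatures (not any product's rules), checked against the whole request.
DENY_PATTERNS = [
    ("path-traversal", re.compile(r"\.\./")),
    ("script-tag", re.compile(r"<\s*script", re.I)),
]

# Inspection: hypothetical trusted (method, path) pairs and the parameter names each accepts.
TRUSTED = {
    ("GET", "/"): {"p", "s"},
    ("GET", "/wp-login.php"): set(),
    ("POST", "/wp-login.php"): {"log", "pwd"},
}

def filter_request(method, url, body=""):
    """Return the name of the first signature that matches, else None."""
    decoded = unquote_plus(url) + "\n" + unquote_plus(body)
    for name, pattern in DENY_PATTERNS:
        if pattern.search(decoded):
            return name
    return None

def inspect_request(method, url, body=""):
    """Return True only if method, path and parameter names are all trusted."""
    parts = urlsplit(url)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    allowed = TRUSTED.get((method.upper(), parts.path))
    return allowed is not None and names <= allowed

def decide(method, url, body=""):
    """Apply both methods; a request passes only if neither objects."""
    hit = filter_request(method, url, body)
    if hit:
        return "block: signature " + hit
    return "allow" if inspect_request(method, url, body) else "block: not in trusted table"

# Constructed sample requests: (method, URL, body).
SAMPLES = [
    ("GET", "/?s=firewall", ""),
    ("GET", "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/unknown-script.php?cmd=status", ""),
    ("GET", "/?p=42&preview=true", ""),
    ("POST", "/wp-login.php", "log=admin&pwd=example"),
]
for m, u, b in SAMPLES:
    print(m, u, "->", decide(m, u, b))
```

The second sample is caught only by filtering and the third only by inspection, which is why the methods are combined. The fourth is a harmless request blocked because the trusted table is too strict.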

Why You Should Use a Firewall with WordPress

When it comes to WordPress security there is no such thing as a perfect setup. No perfectly secure websites. Instead, the idea behind WordPress security is “hardening”. You want to harden your website against the inevitable possibility of attack by taking a wide variety of security measures–just one of which is a firewall.

Many of today’s top WordPress security plugins and features offer an extensive array of tools that cover the full breadth of security hardening options available to WordPress users. So at least you don’t have to worry about needing to manage a lot of different security options, each with their own plugin or service.

However, even within these tools and services you may choose to only use some of the security measures available. This will no doubt be for personal reasons based on the specific needs of your website. But there are some good reasons you may want to make a firewall one of those measures.

First, you can never have too many appropriate measures in place to secure your website. And the only inappropriate kind are those so stringent that they keep good data/traffic from reaching you.

Secondly, once you set up the rules that govern your firewall, it manages itself. You do not need to do anything afterwards.

And finally, there’s a reason firewalls have been around for so long (from the beginning of network security). They work.

So what I would recommend, if you’re running a WordPress website (which you probably are, since you’re here), is that you pick out a tool or service from the list below and harden the security of your WordPress website with a firewall.

Tools for Hardening WordPress with Firewalls

For the vast majority of WordPress users setting up a WordPress firewall “manually” would be extremely impractical. Not to mention require technical chops possessed by a bare few. Thankfully though, some of those bare few within the WordPress community have created tools and services that the rest of us can use to establish firewalls that help harden the security of our WordPress website.

I’ve listed the highest rated and most recommended WordPress firewall tools and services below. If I missed any, please let me know in the comments below.

Sucuri Firewall


Sucuri may be the most trusted name in WordPress security. Their firewall service creates a proxy that essentially makes the Sucuri network a middleman between your website and the rest of the web. They take care of all the malicious attacks and traffic, sending only legitimate traffic to your website.

While other options below have premium upgrades available, this is the only strictly premium option I’ve featured on this list. Based on my personal experience and the research for this post, Sucuri is a brand many bloggers and other WordPress professionals trust to handle their security.

If you’re interested in this service, I’d recommend thinking big picture before buying though. For example, many managed WordPress hosts already partner with Sucuri and if you buy their service the Sucuri service is included.

Price: from $9.99/month | More Information

WordPress Simple Security Firewall


WordPress Simple Security Firewall is a new WordPress security plugin growing in popularity. Their reason for creating the plugin grew out of a frustration with the current WordPress Security Plugin status quo. Particularly the way other such plugins deal with WordPress’ .htaccess file.

WordPress Simple Security Firewall promises to keep your site as safe as possible without “frying it” by unnecessarily altering your .htaccess file. So far, users really seem to be liking it. If you’re interested in learning more about their approach you should check out their post series “Why We Built It”.

For other, more standard details, check out the more information link below.

Price: FREE | More Information

All In One WP Security & Firewall


All In One WP Security & Firewall has grown over the last few years into one of a handful of top WordPress security plugins. They offer a comprehensive array of features that are all designed to help harden your WordPress security as much as possible, a primary one being their firewall feature.

The All In One firewall has features ranging from basic, to intermediate, to advanced. All of which are designed to stop malicious code from ever being processed by your site. Once installed you will be able to easily configure them from the WP Admin menu options.

Price: FREE | More Information

NinjaFirewall


NinjaFirewall is a web application firewall designed to sit between the web and your WordPress installation. It will “hook, scan, sanitize or reject any HTTP / HTTPS request sent to a PHP script before it reaches WordPress or any of its plugins”.

Price: FREE | More Information

Wordfence


Wordfence has proven itself over the last few years to be a complete WordPress Security Monster. And I mean that in the best way possible. As a free WordPress Security Plugin it offers an outstanding service with a wide array of features. Of which, a great firewall is but one.

The Wordfence firewall is designed to block common security threats like fake Googlebots, malicious scans from hackers and botnets–all of which can cause major headaches and (even if they don’t take down your website) hurt its search rankings and more.

Price: FREE | More Information

BulletProof Security


Another popular WordPress Security plugin is BulletProof Security. Again, like a few of the others above, they offer a wide variety of security options. BulletProof proudly states that their plugin will protect you from “100,000’s” of different WordPress attacks–which is nice, you know, since that many exist in the first place.

Based on their description of it, the BulletProof security firewall takes the inspection route we defined above. It has a database of attack patterns that it matches against incoming data. When malicious patterns are detected it blocks that data from reaching your WordPress site.

Price: FREE | More Information

In Conclusion

WordPress security is not to be taken lightly. Firewalls are a great way to add an extra layer of hardening to your security efforts. Thankfully, there are plenty of tools and/or services to help the average WordPress user in terms of both broad security and specific actions–like enacting an effective firewall.

Any of the tools/services above should serve to protect your WordPress site well, but of course everyone will have their own needs and preferences to consider. If you’ve used one or another of these tools/services we would love to hear about your experiences in the comments below and help the rest of the community here make the most informed decisions possible.


30 Comments

  1. Thanks, Nathan. I use Sucuri, but really looking towards changing it to something else. Their marketing is shady to the point where I suffer as an affiliate. Thanks for the list.

    • Hi Elijah

      Tony here, I’d love to hear more about your thoughts on our shady marketing. We take a lot of pride in how we do things, would you mind sending me an email at [email protected]?

      Thanks

  2. Doesn’t cloudflare also offer a free firewall, along with their free CDN?

  3. Great article!, … what do you think about iThemes Security?

    • I use others security pro too. Keen to know how it stacks up.

  4. Having spent the last week trying to keep the bad guys out of one of my clients sites this was very useful reading – cheers! I would be interested in your views on themes security also.

  5. I too would be interested in hearing your opinion on IThemes Security.

  6. We have had great luck with Wordfence for the most part. It is easy to use and understand and we sleep a lot better knowing that it has our backs.

    • Exactly the same here Mark…
      With Wordfence protecting my sites I needed to purchase a Pro version! Not because I needed the extra features or anything like that, it’s just because laying in bed I was feeling guilty that this awesome plugin is given free without an option to donate to it.

  7. I used All In One for a few years and while it was powerful, it is a pain to manage and had too many problems.

    I have been using Wordfence over the last year across 20 sites and love it. Easy to manage, active scanning features, and a great catching engine as well so I no longer have to have a separate plug in for that.

    Liked it so much I pay for the upgraded version so I can country block of certain regional sites.

  8. Thanks for the article, I commonly use All In One WP Security & Firewall, and I found it very good and very simple to use, beyond that I would know what is really the best, I guess I’ll have to try the other options..

  9. We’re using wordfence .. it’s simple and gets the job done.
    Sucuri is a bit costly tho..

  10. Elegant ran a great post by Brenda Barron on iThemes Security that is worth a read! 🙂

  11. Great article. If you use something like Cloudflare, would you be doing double the work if you use one of these plugins?

    I know Cloudflare has some of these features as well.

  12. Hey Nathan !

    Website firewall is something that we can’t ignore these days. With the hacking and brute attacks increasing, one must not compromise with his/her site’s safety. I think loading WP blog with so many security plugins is not a good idea, instead using Cloudflare is better as it has got all such features.

    Anyways, thanks for sharing man !

  13. Let Cloudflare handle this. I don’t think we need to double our work.
    anyway, I’ll try the plugin and post you the feedback..

  14. Hey Nathan!

    Huge thanks for featuring our Simple Security Firewall on your round-up here – really appreciate the word of mouth!

    Just for any one here not sure (as I saw some comments there about CloudFlare), I think you should definitely put something like CloudFlare at the front of your website, regardless of which WordPress security plugin you’re using.

    CloudFlare is FREE and there’s no reason not to take full advantage of their service to protect your servers. We’ve been using it on all our websites for years now.

    Anyways, if anyone has a question about the Simple Firewall plugin, drop me a line any time – happy to answer questions you have.

    Thanks again Nathan!
    Paul.

  15. Hi Nathan,

    Another great post. I’m new to Elegant Themes and I have learned so much from reading these posts you put out. Thanks so much for sharing and keep up the great work!

    Elizabeth

  16. Hi,

    Great post! I use Wordfence both on my personal blog and for my corporate sites. It’s simple and keeps your site secured. Also advised for beginners 🙂

  17. I’m currently using SiteLock on one of my sites. I’m paying $9.99 per month through iPage.
    Recently all of my WP sites got hacked, so thanks for the info. I’m going to try Wordfence on my other sites.
    Thanks again for the useful info.
    Debbie

  18. I’m really interested to know why you didn’t include ithemes security. I use it on all my sites and am keen to know if these ones are ranked better than ithemes.

  19. Really thumbs up for this article. Great work.
    thanks for sharing

  20. Hi Nathan,
    It’s good that WordPress offer so many security plugins. So we the novice don’t really have to understand the technical part of it.
    But this is very good reference. And thanks for that.

  21. Using @Wordfence on any site I run and I’m happy with it. Tried BulletProof before but got confused with it.

  22. Hi Nathan
    I use WordPress Simple Security Firewall and it has some great features.
    The support is also pretty good and it is updated regularly.

    A must have plugin for any WordPress website.

  23. Hi Nathan

    Great article, one point of clarification. Sucuri does not partner with any hosts where the Firewall is a feature. At the moment, it’s a feature you purchase directly from Sucuri.

    Thanks

  24. Great and complete information about Website Firewalls. Everyone must be aware of these things nowadays. You did a wonderful job in simplifying the info too, otherwise these things look too complicated.

  25. Stopping attacks before they hit the site would be a great addition to this approach. It reduces load on the server as it doesn’t need to compile or make DB connections.

    There are .htaccess ‘firewalls’ such as,

    http://perishablepress.com/5g-blacklist-2013/
    http://perishablepress.com/6g-beta/

    which are interesting but not had the opportunity to try out yet.

    There is also ModSecurity which works at the server level, and can do things such as recognising a brute force attack on logins and block automatically. https://www.modsecurity.org/about.html

    An article on either of these topics would be useful.

  26. NATHAN

    Thanks for the article. I installed Simple Security Firewall on my three sites, and followed the set-up instructions on a video on YouTube. I assumed all went well . . . but after a few weeks I noticed that I was not receiving any email notifications of new subscribers to any of my sites.

    Since Firewall was the most recent plug-in, I deactivated it and immediately began receiving notices of new registrations on my sites. Any idea what happened here?

    Thanks in advance,

    NEAL

  27. I use Sucuri’s firewall on several of my WordPress sites, however I have one client who is in the publishing business and they publish several PDF’s to their website each day. They are unable to get a true accounting of page views and downloads because Sucuri is caching those PDFs on their edge (even though I have caching turned-off for this client). Does anyone know of another solution?
