Everything You Need to Know About Web Application Firewalls (WAFs)
This article is your one-stop, 360-degree resource covering all the information you need to know about WAFs, including how they function, what they protect against, how to implement them, and much more!
Protecting your web applications against malicious security attacks is essential. Luckily, WAFs (Web Application Firewalls) are here to help.
In a nutshell, a WAF sits as a shield between the web application and the internet, inspecting HTTP requests before they reach the application and blocking the ones that match attack patterns.
WAFs can protect you and your clients’ applications from cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection, amongst others.
Web application security has become more crucial as web application attacks have become one of the most common causes of breaches.
As you’re about to see, WAFs are a critical part of security to guard against vulnerabilities.
In this article, we’ll be covering:
- What is a WAF?
- WAFs and Network Firewalls
- Differences Between Network-Based, Host-Based, and Cloud-Based WAFs
- How WAFs Protect Your Web Applications From Malicious Attacks
- WAF Security Models: Blocklist, Allowlist, Or Both
- Attacks Prevented by WAFs
- How WAFs Guard Your Web Apps Against The OWASP Top 10
- How WAFs Also Help You Meet Legal Security Standards
- Different Types of WordPress Firewalls
- Limitations of WordPress Firewalls
- WAF Deployment
- WAF Vendors
Let’s start at the beginning, with…
A Web Application Firewall (WAF) is a specific type of firewall that protects your web applications from attacks aimed at the application layer rather than at the network.
In layman’s terms, a WAF acts as the middle person or security guard for your WordPress site.
It will help protect web applications from attacks like cross-site scripting (XSS), cookie poisoning, SQL injection, cross-site request forgery (CSRF), and more.
WAFs will stand guard between the internet and your web applications, all the while monitoring and filtering the HTTP traffic that wants to get to your server.
It does this by applying policies that determine which traffic is malicious and which isn’t. A forward proxy mediates on behalf of clients and hides them from the servers they talk to; a WAF does the same job in reverse.
It’s a reverse proxy: it terminates the client’s connection, inspects the request, and only then forwards it to the application server, so the server never talks to a potentially malicious client directly.
WAFs use a set of rules (or policies) to help identify who’s actually on your guest list and who’s just looking to cause trouble.
WAFs should not be confused with your standard Network Firewall (Packet Filtering), which assesses incoming data based on a set of criteria, including IP addresses, packet type, port numbers, and more.
Network firewalls are good at what they do. The limitation is that they don’t understand HTTP, so they cannot detect attacks that target flaws in the web application itself: a SQL injection payload in a form field is, to a packet filter, just a well-formed TCP connection to port 443.
That’s where WAFs come in and bolster your web security in ways a network firewall cannot. Network communication is layered, and different security measures protect different layers.
To understand these layers, you need to understand the OSI Model (Open Systems Interconnection Model).
The OSI model is a framework that divides the overall architecture of a network into seven different sections.
Every layer has its own security postures and mechanisms, and anyone overly concerned with security should know how to detect and establish appropriate security methods for each.
The seven network layers are as follows:
- Layer 1: Physical
- Layer 2: Data Link
- Layer 3: Network (IP)
- Layer 4: Transport (TCP/UDP)
- Layer 5: Session
- Layer 6: Presentation
- Layer 7: Application (where HTTP lives)
When analyzing the layers above, your typical Network Firewall helps secure layers 3 – 4, and a WAF assists with the protection of layer 7.
This should also serve as a reminder that WAFs are NOT a one-size-fits-all solution. And they’re best paired with other effective security measures – such as a quality Network Firewall.
WAFs come in three forms: network-based, host-based, and cloud-based. Each has benefits and disadvantages, so let’s look at each one individually and see how they compare.
Network-Based: Network-based WAFs are typically hardware-based. They are installed locally; therefore they minimize latency. However, they’re an expensive option that also requires storage and maintenance of equipment.
Host-Based: In terms of costs, this is less than network-based WAFs. Plus, it offers more customization options. One of the downsides of this type of WAF is the consumption of local server resources, maintenance costs, and it can be complex to implement.
Cloud-Based: This is an affordable option that’s easy to implement. Usually, it’s just a matter of changing your DNS records to route traffic through the provider. Cloud-based WAFs have a low upfront cost with flexible payment options, and the provider keeps the rules updated against new threats, which requires no work or expense on the user’s side.
The biggest downsides of this type of WAF follow from its being run by a third party: customization is limited to what the provider exposes, the provider terminates your TLS and sees your traffic in the clear, and your site’s availability depends on their service.
Now that we have a basic idea of what a WAF is and the different types, let’s dive deeper into HOW it protects your precious web apps.
According to a 2019 web applications report by Positive Technologies, attackers could attack users in 9 out of 10 of the web applications tested. Yikes!
The report also found that breaches of sensitive data were a threat in 68% of web applications.
Statistics like these reinforce the need for more effective web app protection.
As mentioned earlier, WAFs protect your server by analyzing the HTTP traffic passing through, detecting and blocking anything malicious BEFORE it reaches your web applications.
As we just discussed, a WAF can be a physical appliance (network-based), software on the web server (host-based), or a service in front of your site (cloud-based).
When it comes to how WAFs filter, detect, and block malicious traffic – they achieve this in a couple of different ways…
WAFs typically follow either a “Blocklist” (negative) or “Allowlist” (positive) security model, and often both.
Under a blocklist model, the WAF allows everything by default and blocks what matches a known-bad list: unwanted IP addresses or user agents, and signatures of attack payloads such as SQL injection or XSS strings. It is easy to deploy but only catches what it has a signature for.
The allowlist model does the opposite: you define what is permitted (client IP addresses, endpoints, HTTP methods, the expected format of each parameter) and everything else is denied. It catches novel attacks but takes effort to build and must be updated whenever the application changes.
Both models have their pros and cons, so modern WAFs commonly offer a hybrid model that gives you both.
Obviously, not every attack out there can be stopped by a WAF, however, they help handle a lot of them.
Some of the major attacks that WAF security can help stop are:
SQL Injection: Malicious SQL is injected into a web entry field and ends up in a database query, letting attackers read or alter data and compromise the application and underlying systems.
Cross-site Scripting (XSS): Client-side scripts are injected by attackers into web pages other users view.
Web Scraping: Automated bots extract content from your site at scale; a WAF’s bot detection and rate limiting slow them down.
Unvalidated Input: HTTP requests are tampered with by attackers to bypass security mechanisms on a site.
Cookie Poisoning: A cookie is modified to gain unauthorized access to another user’s session or data, for purposes such as identity theft.
Layer 7 DoS: HTTP flood attacks that exhaust the application with requests that are individually valid.
Security enhancements are constantly being updated and implemented, so keep in mind a good WAF can cover a lot more than just noted above.
When determining a WAF provider, or implementing one, be sure it’s up-to-date and includes the essentials, especially the OWASP Top 10 — which we’ll be discussing next.
As well as applying one of the two security models mentioned earlier (or both), WAFs come armed with a specific set of rules (or policies).
These policies combine rule-based logic, parsing, and signatures to help detect and prevent many different web application attacks like those previously mentioned.
In particular, WAFs are well known for protecting against a number of the web application security risks listed in the OWASP Top 10, which OWASP (Open Web Application Security Project) revises every few years.
This includes injection attacks and Server-Side Request Forgery (SSRF), both Top 10 categories. Be aware that several other categories (Insecure Design, Vulnerable and Outdated Components, Security Logging and Monitoring Failures) are not things a WAF can block: its logs can feed your monitoring, but the fix belongs in the application.
Here’s a look at the current Top 10 (the 2021 edition), in which some 2017 categories were consolidated and new ones added:
- A01 Broken Access Control
- A02 Cryptographic Failures
- A03 Injection
- A04 Insecure Design
- A05 Security Misconfiguration
- A06 Vulnerable and Outdated Components
- A07 Identification and Authentication Failures
- A08 Software and Data Integrity Failures
- A09 Security Logging and Monitoring Failures
- A10 Server-Side Request Forgery (SSRF)
Find more information about OWASP and the Top 10 on the OWASP website (owasp.org).
Another useful safeguard you’ll hear many WAF providers talk about is something called a “virtual patch.”
A virtual patch is essentially a rule (or often a set of rules) that blocks the requests that would exploit a known vulnerability in your software, without needing to change the code itself. It buys time until the real fix ships; it is not a substitute for applying that fix.
Many WAFs can deploy virtual patches to cover WordPress core, plugin, and theme vulnerabilities when required.
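To make the blocklist/allowlist models and the virtual patch concrete, here is a toy rule engine written for this article. It is example code, not any vendor’s engine: the signatures, the per-endpoint schemas (loosely modelled on WordPress’s search and login parameters), the sample IP addresses (RFC 5737 test ranges) and the virtual patch for an imaginary plugin that reads a `file` parameter are all constructed for illustration. Evaluation order is the order most engines use: blocklist checks first, then targeted virtual patches, then the positive schema.

```python
"""Toy WAF rule engine for this article: a blocklist (negative) pass, a
virtual patch, then an allowlist (positive) pass. Not any vendor's engine."""
import re
from dataclasses import dataclass, field
from typing import Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    method: str
    url: str                                  # path plus optional query string
    client_ip: str
    user_agent: str = ""
    body: dict = field(default_factory=dict)  # parsed form fields (constructed)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def params(self) -> dict:
        """Every user-controlled field: query string and body merged."""
        merged = dict(parse_qsl(urlsplit(self.url).query, keep_blank_values=True))
        merged.update(self.body)
        return merged


# Negative model: deny anything matching a known-bad pattern. Real rule sets
# carry hundreds of signatures; three are enough to show the mechanism.
SIGNATURES = {
    "sqli-union-select": re.compile(r"(?i)\bunion\b[\s/*]+(all\s+)?select\b"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?\w+'?\s*=\s*'?\w+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
}
BLOCKED_IPS = {"203.0.113.7"}               # constructed, RFC 5737 test range
BLOCKED_UA_FRAGMENTS = ("sqlmap", "nikto")

# Positive model: for endpoints we have described, every parameter must match
# its declared format and undeclared parameters are refused. These schemas are
# illustrative, not a complete description of WordPress.
ENDPOINT_SCHEMAS = {
    ("GET", "/"): {
        "s": re.compile(r"[\w ]{0,100}"),          # search term
        "p": re.compile(r"\d{1,9}"),               # post id
    },
    ("POST", "/wp-login.php"): {
        "log": re.compile(r"[\w.@+-]{1,60}"),
        "pwd": re.compile(r".{1,128}"),
        "redirect_to": re.compile(r"/[\w/?=&.-]*"),  # local paths only
        "wp-submit": re.compile(r"Log In"),
        "testcookie": re.compile(r"1"),
    },
}

# Virtual patch: one narrowly targeted rule standing in for a code fix. The
# endpoint is hypothetical: an imaginary plugin action whose "file" parameter
# ends up in a filesystem path unvalidated.
VIRTUAL_PATCHES = [{
    "id": "vp-0001-hypothetical-plugin-path-traversal",
    "method": "GET",
    "path": "/wp-admin/admin-ajax.php",
    "param": "file",
    "deny_if": re.compile(r"\.\./|\.\.\\|^/|\x00"),
}]


def evaluate(req: Request, strict_positive: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). strict_positive=True refuses any endpoint
    without a schema (pure allowlist); False is the hybrid most WAFs ship."""
    if req.client_ip in BLOCKED_IPS:
        return False, "blocklist:ip"
    if any(frag in req.user_agent.lower() for frag in BLOCKED_UA_FRAGMENTS):
        return False, "blocklist:user-agent"

    params = req.params
    for name, value in params.items():
        for sig_id, pattern in SIGNATURES.items():
            if pattern.search(value):
                return False, f"signature:{sig_id}:{name}"

    for patch in VIRTUAL_PATCHES:
        if (req.method, req.path) == (patch["method"], patch["path"]):
            if patch["deny_if"].search(params.get(patch["param"], "")):
                return False, f"virtual-patch:{patch['id']}"

    schema = ENDPOINT_SCHEMAS.get((req.method, req.path))
    if schema is None:
        if strict_positive:
            return False, "allowlist:unknown-endpoint"
        return True, "allowed:no-schema"
    for name, value in params.items():
        rule = schema.get(name)
        if rule is None:
            return False, f"allowlist:undeclared-param:{name}"
        if not rule.fullmatch(value):
            return False, f"allowlist:format:{name}"
    return True, "allowed:schema"


if __name__ == "__main__":
    for r in (
        Request("GET", "/?s=hello&p=2", "198.51.100.4"),
        Request("GET", "/?s=' OR '1'='1", "198.51.100.4"),
        Request("GET", "/wp-admin/admin-ajax.php?action=dl&file=../../wp-config.php", "198.51.100.4"),
        Request("POST", "/wp-login.php", "198.51.100.4",
                body={"log": "admin", "pwd": "hunter2", "redirect_to": "https://evil.example/"}),
    ):
        print(r.method, r.url, evaluate(r))
```

Note the trade-off the two models make: the login request with an off-site `redirect_to` is caught only by the positive schema (no signature describes an open redirect), while the path-traversal request is caught only by the virtual patch. The schema pass also shows the maintenance cost of the positive model: add a parameter to the login form and the rule must change with it.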
Along with security, a WAF can help with legalities.
If your organization works with, processes, or stores sensitive information (credit card details, etc.), it’s essential you comply with security requirements and standards. This is where a WAF comes into play.
WAFs can help businesses of all sizes comply with regulatory standards like PCI DSS, HIPAA, and GDPR, making the firewall valuable from both compliance and security perspectives.
For example, Requirement 1 of the Payment Card Industry Data Security Standard (PCI DSS v3.2.1) is: “Install and maintain a firewall configuration to protect cardholder data.” More specific to WAFs, Requirement 6.6 asks that public-facing web applications be protected against known attacks either by regular application vulnerability reviews or by an automated technical solution that detects and prevents web-based attacks, and names a web application firewall as the example.
And let’s face it, keeping in compliance with legalities also gives you a great reputation. It’s a win-win to use a WAF to meet legal standards.
Considering WordPress is the world’s most popular content management system and a frequent target of attacks, it’s important WordPress sites have a WAF in place. There are several types of firewalls you can deploy:
- WAF Security Plugins
- On-site Dedicated WordPress WAFs
- Online WordPress Website WAFs
Here’s a look at each one.
Most self-hosted WordPress firewalls are WordPress plugins. They’re ideal, considering how easy they are to implement and affordable. Plus, it’s common for the WAF plugins to have malware scanners, too.
Some follow a “SaaS” model, offering an easy and stress-free introduction to the world of application firewalls.
On the other side of the coin, some plugins won’t fit the bill. It all depends on the level at which the WAF sits.
For example, some plugin-managed WAFs sit at the DNS level: your domain’s DNS points at the provider’s cloud proxy servers, which monitor and filter the HTTP traffic before it ever reaches your server.
This is the recommended level for these kinds of firewalls. Some well-known WAF providers are set up in this way (e.g. Cloudflare, which is one of the providers we’ll be discussing later in this article).
Then you have other WordPress security plugins with built-in WAFs that sit at the application level. This means the firewall examines incoming traffic after it has already reached your server, but before WordPress itself loads.
Plugins are a simple and effective solution to WAF and generally work for small or medium-sized websites. We’ll be going over some options of WAF vendors later on in this article.
These types of firewalls are installed between your WordPress sites and the internet connection, so every HTTP request sent to your WordPress site passes through the WAF first.
Dedicated WAFs are a somewhat more secure option than plugins. That being said, they’re more expensive and will require some technical knowledge to manage.
This type of firewall does not need to be installed on the same network as your web server. It’s an online service that works like a reverse proxy: your site’s traffic comes through it for filtering and is then forwarded to your website.
With an online WordPress firewall, your domain’s DNS records need to be configured to point to the online WAF. Your visitors then communicate with the online firewall rather than directly with your WordPress website.
The downside? Your web server still needs to be reachable over the internet for the WAF to forward traffic to it. In other words, anyone who knows or discovers your origin IP address can talk to your web server directly and skip the WAF entirely.
So in a non-targeted attack, in which attackers scan entire IP ranges for vulnerable sites, your web server and site are still reachable.
Luckily, you can configure your server’s firewall to accept web traffic only from the online WAF’s published address ranges, and have the application trust client-address headers such as X-Forwarded-For only when the connection actually came from the WAF. With that in place, a direct hit on the origin is refused.
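The following example, written for this article and not taken from any vendor, shows both halves of that origin protection: generating host firewall rules that admit web traffic only from the WAF’s ranges, and an application-side check that refuses connections not coming from the WAF and only then reads the client address the WAF appended to X-Forwarded-For. The address ranges are constructed placeholders (RFC 5737 and RFC 3849 documentation ranges) standing in for the list your WAF vendor publishes; the iptables commands are returned as strings for review, not executed.

```python
"""Origin protection for a cloud (DNS-level) WAF: accept only connections
that come from the WAF's address ranges, and trust X-Forwarded-For only for
those. Example code for this article, not any vendor's; the ranges are
constructed placeholders for the list the vendor publishes."""
import ipaddress
from typing import List, Optional

WAF_EGRESS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",        # constructed (RFC 5737)
    "2001:db8:abcd::/48",     # constructed (RFC 3849)
)]


def from_waf(remote_addr: str) -> bool:
    """True if the TCP peer is one of the WAF's proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in WAF_EGRESS)


def real_client_ip(remote_addr: str, forwarded_for: Optional[str]) -> Optional[str]:
    """Address the application should log and rate-limit on, or None when the
    request must be refused. X-Forwarded-For is a comma-separated chain; each
    proxy appends the peer it saw, so the last entry is the one written by our
    trusted WAF and the earlier entries are whatever the client sent."""
    if not from_waf(remote_addr):
        return None                 # direct hit on the origin, bypassing the WAF
    if not forwarded_for:
        return None
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return None


def handle(remote_addr: str, headers: dict) -> int:
    """Minimal request gate returning an HTTP status code."""
    client = real_client_ip(remote_addr, headers.get("X-Forwarded-For"))
    if client is None:
        return 403
    return 200


def host_firewall_rules(ports: str = "80,443") -> List[str]:
    """iptables/ip6tables commands that make the origin answer web traffic only
    from the WAF ranges (review, then run as root; not executed here)."""
    rules = []
    for net in WAF_EGRESS:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports {ports} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp -m multiport --dports {ports} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp -m multiport --dports {ports} -j DROP")
    return rules


if __name__ == "__main__":
    print(handle("198.51.100.9", {"X-Forwarded-For": "203.0.113.5"}))   # via the WAF: 200
    print(handle("192.0.2.44", {"X-Forwarded-For": "203.0.113.5"}))     # direct, spoofed header: 403
    print("\n".join(host_firewall_rules()))
```

The header check matters even with the firewall rules in place: a client can send its own X-Forwarded-For, so an application that reads the first entry (or reads the header from a direct connection) can be fed a fake address, defeating IP-based rate limits and poisoning logs. Taking the last entry, and only from a connection that provably came from the WAF, closes that gap. Keep the range list in sync with the vendor’s published list, or the WAF itself will be locked out when they add a proxy.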
Like anything, firewalls can be imperfect. Sure, they offer added protection, but there are some vulnerabilities.
A couple of examples of this are Limited Zero-Day Vulnerability Protection, and Web Application Firewall Bypasses.
With a zero-day WordPress vulnerability, there’s a window in which your WordPress firewall has no rule for the attack and won’t block it.
This is why your vendor’s responsiveness is critical. Always use software from responsive and trusted businesses to ensure the firewall rules are updated quickly.
As for web application firewall bypasses, the WAF itself is software with weaknesses. Well-documented techniques exist for slipping payloads past WAF rules, such as encoding or obfuscating the payload so the signature no longer matches, or exploiting differences between how the WAF and the application parse the same request.
Here again, if your vendor is responsive and can remediate issues in a quick time frame, you should be okay.
It’s also not uncommon for WAFs to produce false positives (blocking harmless traffic) and false negatives (letting harmful traffic through). Rules written for one version of an application go stale because the application protected by the WAF changes regularly.
Additionally, teams sometimes neglect other security measures because a WAF is in place, skipping preventative work such as code and infrastructure audits.
There will always be new WAF vulnerabilities that arise as new digital tools emerge. Many security issues get resolved, but some aren’t noticed right away.
All this being said, WAFs need to be actively maintained and configured to ensure they’re up-to-date.
WAFs are deployed in a few ways. This all depends on where your applications are deployed, what services are needed, how you want them managed, and the level of flexibility and performance required.
Here’s the quick rundown…
Reverse Proxy: The WAF terminates client connections and proxies them to the application server, so all traffic is addressed to the WAF; the application sees the WAF as its client unless it reads the forwarded-address headers the WAF adds.
Transparent Reverse Proxy: A reverse proxy in transparent mode. The WAF still sits inline and filters, but it passes traffic on without requiring address or DNS changes, preserving the original client address and keeping the application server’s address hidden.
Transparent Bridge: The WAF sits on the network path as a layer 2 bridge, so HTTP traffic goes straight to the web application with the WAF invisible between client and server.
You’ll have to decide what method of deployment works best and covers all that you need.
When it comes to implementing WAFs, there’s no shortage of companies and vendors that are out there to help. Just google “WAF Vendors” — and a ton of results will appear, including a lot of Top 10 lists and more.
That being said, here is a look at some of the top companies out there that have stuck out to us as major contenders when it comes to WAFs. They all have features that cater to individual needs.
We’ll take a look at the following WAF vendors:
- AWS WAF
- Cloudflare
- Azure WAF
- WPMU DEV
- Imperva
- Prophaze
- Akamai
- Wordfence
- Sucuri
There’s a summary of who they are and what they’re best at. Plus, we’ll point out some of the top features of each company and the significant preventative security measures they take care of.
Amazon’s AWS WAF helps stop web exploits and bots that can affect availability, compromise security, or consume excessive resources.
With this WAF, you control how traffic reaches your applications by creating security rules that filter bot traffic and block common attack patterns (e.g. SQL injection).
This WAF is attached to an AWS resource such as an Amazon CloudFront distribution, an Application Load Balancer, or an API Gateway stage. What’s especially nice about this WAF is that you pay only for what you use: the costs are based on the number of web ACLs and rules you deploy, plus the number of web requests your application receives.
Top Features: AWS WAF’s main draws are cost-effective protection and ease of deployment and maintenance. Because it integrates with how you build on AWS (including an API for managing rules), it gives you more customization than many other WAFs.
Best For: Businesses of all sizes, as long as they’re AWS customers.
Helps Mitigate: DDoS attacks, SQL Injections, and Cross-Site Scripting (XSS).
Cloudflare is a top-rated cloud-delivered application security company, and a powerful WAF is integrated with its protection. Cloudflare states that its network blocks over 57 billion cyber threats per day.
Its global network, advertised at 100 Tbps of capacity and roughly 30 million requests per second, is more than up to handling your websites. It offers the full application security stack from the same cloud network, which keeps the security posture uniform.
The volume of traffic Cloudflare’s network sees gives it broad visibility into threats, which feeds the machine learning behind its detections.
Top Features: Layered defenses, including Cloudflare managed rules that offer zero-day vulnerability protection. Plus, it uses the OWASP core rule set, supports custom rulesets, monitors and blocks stolen or exposed credentials, and has flexible response options.
Additionally, it has logging & reporting, issue tracking, analytics, and application-layer control.
Best For: Personal use to small and mid-sized businesses. Also, it’s excellent for high-level enterprises and companies. Plus, it has WordPress WAF rules, so it’s great for WordPress sites.
Helps Mitigate: OWASP Top 10, Comment Spam, DDoS attacks, SQL injections, HTTP Headers, and more.
Microsoft’s Azure WAF is a cloud-native WAF from one of the most successful cloud platforms out there.
Azure offers a wide range of services, and the WAF is one of them. It tracks the OWASP Top 10 vulnerabilities, and you can add custom rules, too.
It has a metered charge rate, calculated on an hourly rate and data throughput rate — then charged monthly. This provides much lower upfront costs compared to some other WAF providers.
Top Features: Azure has comprehensive protection for OWASP, real-time visibility into your environment, and security alerts. Plus, it has full REST API support so that it can automate DevOps processes. It also has DDoS protection.
Best For: Major and small businesses, alike.
Helps Mitigate: OWASP Top 10, DDoS attacks, and anything covered by your custom rules (and more).
We couldn’t let this article go by without mentioning our very own highly optimized WAF here at WPMU DEV. Our WAF is completely free to use with our hosting, already tuned for WordPress, updated daily, and much more.
The WAF we use consumes fewer server resources because it doesn’t run in PHP. It also requires no code in your site, so your site’s performance will remain strong.
We also have over 300 firewall rules (or policies). These policies combine rule-based logic, parsing, and signatures, which lets them detect and stop web application attacks.
See how to implement our WAF in this article.
Top Features: In our testing, our WAF is 25% faster than the leading plugin-based firewall. On top of our 300+ firewall ruleset, we also protect against the OWASP Top Ten. Additionally, it’s free with any hosted account!
Best For: Small to major WordPress sites, hosting resellers, and any agency or individual that manages multiple websites.
Helps Mitigate: Attacks ranging from SQL injections, XSS, and many more.
Imperva’s WAF stops attacks with a near-zero false positive rate, according to Imperva. It also has a global SOC to make sure your company is protected within moments of a new threat being discovered.
It’s an all-in-one security solution that has all the features required for website security. There are free tools for Data Classification and Database Vulnerability Testing.
Top Features: Imperva features secure cloud and on-premises applications. It stops OWASP Top 10 and Automated Top 20, plus has attack detection, SIEM integration, and reporting.
Best For: Small to large-sized companies.
Helps Mitigate: OWASP Top 10 and Automated Top 20 and more.
Prophaze WAF handles a ton when it comes to security. Not only is it a WAF, but it also combines RASP, CDN, DDoS protection, and more.
It offers real-time website protection using cloud-based technologies that work against the latest threats. It automatically scans your site for thousands of vulnerabilities and the OWASP Top 10. On top of that, it needs no additional configuration and updates automatically to tackle new threats.
Prophaze has unlimited rule sets. Plus, custom integrations with SIEM solutions, and it supports all public clouds (e.g. AWS).
Top Features: Some key security features are bot mitigation, a real-time dashboard, 24/7 support, and ML-based threat intelligence.
Best For: A range from midmarket to high-level enterprise.
Helps Mitigate: OWASP Top 10 (including the OWASP API Security Top 10), DDoS, bots, and more.
Akamai’s WAF is a dependable solution that protects your site against a broad range of known attacks. It’s a world leader in DDoS mitigation and integrates complete DDoS protection with its WAF, so you won’t need to route traffic through two companies to get clean requests to your web server.
With Akamai, detect threats with crowdsourced intelligence. Plus, deploy and manage efficiently with just a few clicks.
Top Features: Akamai has more automation than many other options. It’s also easy to use with protection against DDoS attacks and more. It also features a dashboard, alerts, and additional information about blocked attacks and how your site was protected.
Best For: Small to Large Companies
Helps Mitigate: DDoS attacks and the OWASP Top 10.
Wordfence is another solid option for a WAF made for WordPress sites: a popular all-in-one security plugin with over two million active installs. It includes an endpoint firewall and malware scanner that were specifically built for WordPress.
Its WAF runs on the endpoint, which enables deep integration with WordPress. Wordfence’s argument against cloud alternatives is that, because it runs on your own server, no third party terminates your TLS, it can’t be bypassed by sending requests straight to your origin, and your traffic doesn’t leave your server.
It also comes with a nice dashboard that indicates security threats, scans, and more.
Top Features: Spam filter, scheduled security scans, brute force attack prevention, live traffic monitoring, and more.
Best For: WordPress sites and small to large corporations.
Helps Mitigate: Brute force attacks, OWASP Top 10, and other malicious attacks.
Sucuri is a leading security company for WordPress. It features a cloud-based WAF that’s consistently updated to improve detection and mitigation against new and evolving threats. Plus, you can add your own custom rules.
With Sucuri, you can also enhance your WordPress site’s performance. It features caching optimization, an Anycast CDN, and website acceleration.
Top Features: DNS-level firewall, malware removal and blocklist removal services, and brute force protection.
Best For: WordPress sites and companies/businesses of any size.
Helps Mitigate: A wide range of known attacks (e.g. SQL injection, RCE, RFU, etc.).
Of course, there are many more options out there as well. This is just a shortlist of some highly rated companies that can serve you well when it comes to WAFs.
Now that we’ve covered the spectrum of WAFs, you can see that they’re beneficial for security, compliance, reputation, and peace of mind. And hopefully, you learned more about WAFs than you ever thought you would!
Plus, with the many vendors to provide a WAF, you can have one up and running in a matter of moments. Whether you run a WordPress site or not — there’s a WAF for you.
Hopefully, this reference guide has helped to answer any questions you or your clients have about WAFs.