A Look At WPMU DEV’s Highly Optimized (free!) WAF
If a cyberattack targeting your web applications never reaches your website, did the attack even happen? The answer is YES, and it was most likely a WAF that stopped it. In this article learn more about this intuitive firewall that is offered with WPMU DEV’s hosting (for free!).
Today could be the day you meet your brand new head of web security.
And best believe this cyber security guard isn’t your typical “fall asleep on the job” type.
Because he doesn’t just check people’s I.D’s at the door… he checks their address, their height, their eye color, their card expiry date, what they have in their pockets, who they last texted…
You get the point. This fierce protector is ensuring only trustworthy door knockers make it inside your WP doors.
But enough with the small talk, you’ve read the title of this article, and you know the head of security I’m talking about is a Web Application Firewall (WAF).
And today we’ll be covering how to implement the WAF with WPMU DEV.
We’re always hard at work testing and fine-tuning this puppy – ensuring it’s giving you the best web application protection possible.
Unlike most in-built security plugin WAFs, ours also forms a protective wall OUTSIDE of your WP borders.
We’ll get into why this is super important later… but first, let’s start with the basics:
What is a WAF?
A Web Application Firewall (WAF) is a specific type of firewall that protects your web applications from malicious application-based attacks.
WAFs act as the middle person, or security guard for your WordPress site.
Standing guard between the internet and your web applications, all the while monitoring and filtering the HTTP traffic that wants to join your bumping party.
Of course, like any raging WP party, there are always gate-crashers to worry about.
The good news is, WAFs use a set of rules (or policies) to help identify who’s actually on your guest list, and who’s just looking to cause trouble.
Instead of going over all the details in this article, you can get a 360-degree look at WAFs, including how to implement them, what they help protect against, the different types of WAFs, and more in our article Everything You Need to Know About WAFs.
For now, let’s get to the main attraction…
WPMU DEV’s WAF
Unlike plugins, our WAF builds a fence on the OUTSIDE of your house as it analyzes all traffic before it hits WordPress.
We’ve done extensive testing and fine-tuning to ensure it will not slow your site down. And we keep it updated with the latest rules, and add any new known vulnerability footprints nightly.
It also couldn’t be easier to manage!
To access and activate our WAF (if you’re a member) simply navigate to our Website Hub and click on the website you’d like to set up or manage your firewall on.
You can then access the firewall through either the “Hosting” or the “Security” tabs. For this example let’s go through Hosting.
Next, select the “tools” toolbar, and then you should see the “Web Application Firewall” option.
Once you’ve clicked through, you’ll be given the option to protect your site with our firewall.
After you elect to do so, the firewall will activate and begin protecting your site.
You’ll also now see the “Allowlist” and “Blocklist” fields that appear below.
We already maintain a set of rules that will identify unsafe traffic – but as mentioned above, admins can Allowlist (allow) or Blocklist (block) IP addresses and user agents as they see fit by filling out these fields.
Scroll past the allow listing and blocklisting rules and you’ll find our final WAF feature: The ability to disable specific WAF rule Ids.
This feature can come in handy if specific WAF rules are not compatible with your site, and are causing false alarms.
Simply enter the rule Id that’s causing problems, and it’ll be immediately disabled.
Rule Ids and errors can be found in your “WAF Log.”
The WAF log itself can be found under the “Logs” tab, which is in the same toolbar as “Tools” was above.
Logs can come in handy when you want to see where attacks are coming from, which requests have been blocked, and what rules those requests triggered.
For example, let’s say you’re performing a valid action on your site, and for some reason, you get blocked.
The logs allow you to understand exactly why this happened, so you can allowlist a particular IP, or disable a specific WAF rule.
After all, you wouldn’t want your security guard kicking your best friends out of the club!
And don’t worry, if this sounds at all complicated, our members get access to 24/7 round the clock support, and someone will always be on hand to help out with any difficulties.
You Can Never Have Too Much WordPress Security
As I touched on earlier, WAFs aren’t the answer to ALL of your security problems.
Doing simple things like installing a Network Firewall, keeping WordPress up to date, ensuring your PHP is up to date, and making sure your sites are constantly backed up – can all go a long way to protecting your sites.
And although we don’t think a WAF belongs inside of a plugin, security plugins still have their place and can be a handy last line of defense.
Speaking of WordPress security plugins, you can’t go past our own Defender.
Yep, this guy’s as mean as he looks when it comes to fighting off hackers and bots (although he’s a teddy bear outside of the cyber-security ring).
In short, Defender can also help protect you from Brute force attacks, SQL injections, Cross-site scripting XSS, and more!
He also handles operations like malware scans and two-factor authentication login security.
Choose Your Own WAF Path
Don’t you just love it when the conclusion of an article ends with “it depends”?
Well, sorry to be a bummer, but when answering the question of: “Do I need a WAF?”
It does indeed depend on your personal situation!
Do you need one? No. Should you have one? Of course!
The more security layers you can cover, the safer your and your client’s data will be.
Speaking of client data, if your website does collect client data it’s vital that you have extra security measures like WAFs and Network Firewalls in place.
Not just for protection, but to protect your reputation, and to adhere to website security regulations and standards.
This is especially important for eCommerce sites, and sites that handle a ton of monetary transactions every day.
We’re Not Ones To Toot Our Own Horn, But…
Finally, if you’re already a WPMU DEV member and you don’t currently host any sites with us, be sure to migrate a site over, or whip up a test site if you want to give our new WAF a no-hassle whirl.
Other than that, stay cyber-safe out there folks!