{"id":186704,"date":"2020-04-15T00:16:03","date_gmt":"2020-04-15T00:16:03","guid":{"rendered":"https:\/\/premium.wpmudev.org\/blog\/?p=186704"},"modified":"2022-03-11T00:45:21","modified_gmt":"2022-03-11T00:45:21","slug":"what-is-a-waf","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/what-is-a-waf\/","title":{"rendered":"A Look At WPMU DEV&#8217;s Highly Optimized (free!) WAF"},"content":{"rendered":"<p>If a cyberattack targeting your web applications never reaches your website, did the attack even happen? The answer is YES, and it was most likely a WAF that stopped it. In this article, learn more about this intuitive firewall that is offered with WPMU DEV&#8217;s hosting (for free!).<\/p>\n<p>Today could be the day you meet your brand new head of web security.<\/p>\n<p>And best believe this cyber security guard isn\u2019t your typical \u201cfall asleep on the job\u201d type.<\/p>\n<p>Because he doesn&#8217;t just check people&#8217;s IDs at the door\u2026 he checks their address, their height, their eye color, their card expiry date, what they have in their pockets, who they last texted&#8230;<\/p>\n<p>You get the point. 
This fierce protector is ensuring only trustworthy door knockers make it inside your WP doors.<\/p>\n<p>But enough with the small talk, you\u2019ve read the title of this article, and you know the head of security I\u2019m talking about is a <strong>Web Application Firewall (WAF).<\/strong><\/p>\n<p>And today we\u2019ll be covering how to implement the WAF with WPMU DEV.<\/p>\n<p>In this post:<\/p>\n<ul>\n<li><a href=\"#what-is-waf\">What is a WAF?<\/a><\/li>\n<li><a href=\"#wpmudev-waf\">WPMU DEV&#8217;s WAF<\/a><\/li>\n<li><a href=\"#wp-security\">You Can Never Have Too Much WordPress Security<\/a><\/li>\n<li><a href=\"#waf-path\">Choose Your Own WAF Path<\/a><\/li>\n<\/ul>\n<p>We\u2019ll give you a quick run-through of <a href=\"https:\/\/wpmudev.com\/waf\/\" target=\"_blank\" rel=\"noopener\">WPMU DEV\u2019s WAF<\/a>, which is <strong>completely free<\/strong> to use as part of our <a href=\"https:\/\/wpmudev.com\/hosting\/\" target=\"_blank\" rel=\"noopener\">managed hosting<\/a> service.<\/p>\n<p>We&#8217;re always hard at work testing and fine-tuning this puppy &#8211; ensuring it&#8217;s giving you the best web application protection possible.<\/p>\n<p>Unlike most in-built security plugin WAFs, ours also forms a protective wall OUTSIDE of your WP borders.<\/p>\n<p>We&#8217;ll get into why this is super important later&#8230; but first, let\u2019s start with the basics:<\/p>\n<h2 id=\"what-is-waf\">What is a WAF?<\/h2>\n<p>A <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/web-application-firewall-waf\/\" rel=\"noopener\" target=\"_blank\">Web Application Firewall<\/a> (WAF) is a specific type of firewall that protects your web applications from malicious application-based attacks.<\/p>\n<p>WAFs act as the middle person, or security guard for your WordPress site.<\/p>\n<p>Standing guard between the internet and your web applications, all the while monitoring and filtering the HTTP traffic that wants to join your bumping party.<\/p>\n<p>Of 
course, like any raging WP party, there are always gate-crashers to worry about.<\/p>\n<p>The good news is, WAFs use a set of rules (or policies) to help identify who\u2019s actually on your guest list, and who\u2019s just looking to cause trouble.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<figure id=\"attachment_186766\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-186766 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/Dev_Man_With_Guest_List-copy.jpg\" alt=\"WAFs act as cyber security guards for your site and web apps\" width=\"600\" height=\"300\" \/><figcaption class=\"wp-caption-text\">You&#8217;re not getting past a WAF unless you can be trusted.<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>Instead of going over all the details in this article, you can get a 360-degree look at WAFs, including how to implement them, what they help protect against, the different types of WAFs, and more in our article <a href=\"https:\/\/wpmudev.com\/blog\/web-application-firewall-waf-guide\/\" target=\"_blank\" rel=\"noopener\">Everything You Need to Know About WAFs<\/a>.<\/p>\n<p>For now, let&#8217;s get to the main attraction&#8230;<\/p>\n<h2 id=\"wpmudev-waf\">WPMU DEV\u2019s WAF<\/h2>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<p>A while back we introduced <a href=\"https:\/\/wpmudev.com\/waf\/\" target=\"_blank\" rel=\"noopener\">our own WAF<\/a> which is enabled by default for all new users and comes <strong>completely FREE<\/strong> with our <a href=\"https:\/\/wpmudev.com\/hosting\/\" target=\"_blank\" rel=\"noopener\">hosting<\/a>.<\/p>\n<p>Unlike plugins, our WAF builds a fence on the OUTSIDE of your house as it analyzes all traffic before it hits WordPress.<\/p>\n<p>We&#8217;ve done extensive testing and fine-tuning to ensure it will not slow your site down. 
And we keep it updated with the latest rules, and add any new known vulnerability footprints nightly.<\/p>\n<figure id=\"attachment_188173\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188173\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/waf-rules.png\" alt=\"A look at how our WAF works to block attackers\" width=\"600\" height=\"491\" \/><figcaption class=\"wp-caption-text\">A snapshot of how our WAF works to detect, filter, and block malicious traffic.<\/figcaption><\/figure>\n<p>It also couldn\u2019t be easier to manage!<\/p>\n<p>To access and activate our WAF (if you\u2019re a member) simply navigate to our <a href=\"https:\/\/wpmudev.com\/blog\/manage-all-your-wordpress-sites-with-the-hub\/\" target=\"_blank\" rel=\"noopener\">Website Hub<\/a> and click on the website you\u2019d like to set up or manage your firewall on.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186882\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/Hub-website.png\" alt=\"Start by selecting the website you'd like to activate your WAF on.\" width=\"600\" height=\"390\" \/><\/div>\n<p>You can then access the firewall through either the &#8220;<strong>Hosting&#8221;<\/strong> or the <strong>&#8220;Security&#8221;<\/strong> tabs. 
For this example let&#8217;s go through Hosting.<\/p>\n<\/div>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186883\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/waf-security-tools.png\" alt=\"Click either hosting or security to access the WAF.\" width=\"599\" height=\"375\" \/><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cgrid-col cgrid-col-span-full\">\n<p>Next, select the <strong>\u201ctools\u201d<\/strong> toolbar, and then you should see the <strong>\u201cWeb Application Firewall\u201d<\/strong> option.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186884\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/WAF-select-1.png\" alt=\"Click web application firewall to begin the process of adjusting your WAF.\" width=\"600\" height=\"414\" \/><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Once you\u2019ve clicked through, you\u2019ll be given the option to protect your site with our firewall.<\/p>\n<p>After you elect to do so, the firewall will activate and begin protecting your site.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186754\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/WAF-toggle.jpg\" alt=\"Here's where you choose whether to activate the WAF or not.\" width=\"610\" height=\"333\" \/><\/div>\n<\/div>\n<p>You\u2019ll also now see the <strong>\u201cAllowlist\u201d<\/strong> and <strong>\u201cBlocklist\u201d<\/strong> fields that appear below.<\/p>\n<p>We 
already maintain a set of rules that will identify unsafe traffic &#8211; but as mentioned above, admins can Allowlist (allow) or Blocklist (block) IP addresses and user agents as they see fit by filling out these fields.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-194036\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/block-allow-list.png\" alt=\"Choose to block or allow various parties with our WAF's blocklist and allowlist features.\" width=\"600\" height=\"602\" \/><\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Scroll past the allowlisting and blocklisting rules and you&#8217;ll find our final WAF feature: <strong>The ability to disable specific WAF rule IDs. <\/strong><\/p>\n<\/div>\n<p>This feature can come in handy if specific WAF rules are not compatible with your site and are causing false alarms.<\/p>\n<p>Simply enter the rule ID that&#8217;s causing problems, and it&#8217;ll be immediately disabled.<\/p>\n<p>Rule IDs and errors can be found in your <strong>&#8220;WAF Log.&#8221;<\/strong><\/p>\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186758\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/WAF-disable-rule.png\" alt=\"If you're running into issues you can also disable a WAF rule if needed.\" width=\"600\" height=\"179\" \/><\/div>\n<p>The WAF log itself can be found\u00a0under the <strong>\u201cLogs\u201d<\/strong> tab, which is in the same toolbar as <strong>\u201cTools\u201d<\/strong> was above.<\/p>\n<div class=\"cgrid-col cgrid-col-span-full\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-186887\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/waf-log.png\" alt=\"Use our 
WAF log to identify attackers and rulesets.\" width=\"600\" height=\"267\" \/><\/p>\n<p>Logs can come in handy when you want to see where attacks are coming from, which requests have been blocked, and what rules those requests triggered.<\/p>\n<\/div>\n<p>For example, let\u2019s say you\u2019re performing a valid action on your site, and for some reason, you get blocked.<\/p>\n<p>The logs allow you to understand exactly why this happened, so you can allowlist a particular IP, or disable a specific WAF rule.<\/p>\n<p>After all, you wouldn&#8217;t want your security guard kicking your best friends out of the club!<\/p>\n<p>And don\u2019t worry, if this sounds at all complicated, our members get access to <a href=\"https:\/\/wpmudev.com\/get-support\/\" target=\"_blank\" rel=\"noopener\">24\/7 round the clock support<\/a>, and someone will always be on hand to help out with any difficulties.<\/p>\n<h2 id=\"wp-security\">You Can Never Have Too Much WordPress Security<\/h2>\n<p>As I touched on earlier, WAFs aren\u2019t the answer to ALL of your security problems.<\/p>\n<p>Doing simple things like installing a Network Firewall, keeping WordPress up to date, ensuring <a href=\"https:\/\/wpmudev.com\/blog\/how-to-update-php-in-wordpress\/\" target=\"_blank\" rel=\"noopener\">your PHP is up to date<\/a>, and making sure your sites are <a href=\"https:\/\/wpmudev.com\/blog\/free-quality-backup-plugins\/\" target=\"_blank\" rel=\"noopener\">constantly backed up<\/a> &#8211; can all go a long way to protecting your sites.<\/p>\n<p>And although we don\u2019t think a WAF belongs inside of a plugin, security plugins still have their place and can be a handy last line of defense.<\/p>\n<p>Speaking of WordPress security plugins, you can\u2019t go past <a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" rel=\"noopener\" target=\"_blank\">our own Defender.<\/a><\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<figure 
id=\"attachment_186790\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-186790 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/04\/defender-waf.png\" alt=\"Our Defender plugin is the added security you need for your sites.\" width=\"600\" height=\"331\" \/><figcaption class=\"wp-caption-text\">Bots and hackers are no match for our Defender.<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>Yep, this guy\u2019s as mean as he looks when it comes to <a href=\"https:\/\/wpmudev.com\/blog\/http-security-headers-defender\/\" target=\"_blank\" rel=\"noopener\">fighting off hackers and bots<\/a> (although he\u2019s a teddy bear outside of the cyber-security ring).<\/p>\n<p>In short, Defender can also help protect you from\u00a0brute force attacks, SQL injections, cross-site scripting (XSS), and more!<\/p>\n<p>He also handles operations like malware scans and two-factor authentication login security.<\/p>\n<h2 id=\"waf-path\">Choose Your Own WAF Path<\/h2>\n<p>Don\u2019t you just love it when the conclusion of an article ends with <strong><em>\u201cit depends\u201d?<\/em><\/strong><\/p>\n<p>Well, sorry to be a bummer, but when answering the question of:<em> \u201cDo I need a WAF?\u201d<\/em><\/p>\n<p><strong>It does indeed depend on your personal situation!<\/strong><\/p>\n<p>Do you need one? No. <em>Should<\/em> you have one? 
Of course!<\/p>\n<p>The more security layers you can cover, the safer your data and your client\u2019s data will be.<\/p>\n<p>Speaking of client data, if your website does collect client data, it\u2019s vital that you have extra security measures like WAFs and Network Firewalls in place.<\/p>\n<p>Not just for protection, but also to safeguard your reputation and to adhere to website security regulations and standards.<\/p>\n<p>This is especially important for eCommerce sites, and sites that handle a ton of monetary transactions every day.<\/p>\n<h2>We\u2019re Not Ones To Toot Our Own Horn, But&#8230;<\/h2>\n<p>As mentioned earlier, we offer our WAF as part of our <a href=\"https:\/\/wpmudev.com\/hosting\/\" target=\"_blank\" rel=\"noopener\">hosting service<\/a>, and we&#8217;d love for you to try it at no risk with a WPMU DEV membership <a href=\"https:\/\/wpmudev.com\/\" target=\"_blank\" rel=\"noopener\">free trial.<\/a><\/p>\n<p>Finally, if you\u2019re already a WPMU DEV member and you don\u2019t currently host any sites with us, be sure to migrate a site over, or whip up a test site if you want to give our new WAF a no-hassle whirl.<\/p>\n<p>Other than that, stay cyber-safe out there, folks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If a cyberattack targeting your web applications never reaches your website, did the attack even happen? The answer is YES, and it was most likely a WAF that stopped it. In this article, learn more about this intuitive firewall that is offered with WPMU DEV&#8217;s hosting (for free!). 
Today could be the day you meet [&hellip;]<\/p>\n","protected":false},"author":775041,"featured_media":186706,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"12","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[263,11260,11259,11119],"tags":[],"tutorials_categories":[11233],"class_list":["post-186704","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","category-wpmu-dev-products","category-wpmudev-tutorials","category-wordpress-hosting","tutorials_categories-hosting"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/186704","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/775041"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=186704"}],"version-history":[{"count":103,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/186704\/revisions"}],"predecessor-version":[{"id":215661,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/186704\/revisions\/215661"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/186706"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=186704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=186704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=186704"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=186704"}],"curies":[{"name":"wp","href":"ht
tps:\/\/api.w.org\/{rel}","templated":true}]}}