I’m looking to see both what’s out there and what people use and recommend or don’t.
I want to know what others think so I am in touch with what’s happening outside of my bubble. I also want to better educate myself and in turn others.
What do you use?
What have you heard that is good or interesting?
What do you think about using a DNS firewall versus an application or endpoint firewall? Or do you use both?
What are you manually configuring, and when? What do you tweak, or do you just leave the config “out of the box”?
I’ve looked at the following:
CloudFlare
WordFence
Sucuri
PatchStack (virtual patching)
Barracuda
Fastly
CloudFront
Akamai
Have I missed any worth thinking about?
Personally I’m using the free CloudFlare WAF and WPE GES at work.
So what are you using and how?
Thanks in advance!
If you don’t use a WAF you’re doing it wrong.
I’m using Cloudflare and Patchstack. But I highly recommend NinjaFirewall if you’re able to use it in full protection mode.
Wordfence. It’s the best out of the box solution and even the free tier offers excellent protection. Spend some time reading the documentation then some more time setting it up as you require.
For most sites putting it into learning mode (this is default after install anyway) will let it configure itself for your site type and traffic.
I have custom set ups depending on what I need and I get a good sense of control when I get the summary emails stating that it has caught an attempt and blocked it at source.
I’ll reiterate though, RTFM. Configure it properly and pair it with some aggressive account lockout settings.
I’m overly paranoid: I only allow one failed login, then lock that account out for 5 days. I’ll also review and block entire subnets as required.
Caution though: only do the above if you’re comfortable removing access directly in the database. I have, on more than one occasion, locked myself out as the only admin of the site, and the only way to fix this quickly is by resetting the password directly in the DB via phpMyAdmin and/or renaming the plugin folder to stop Wordfence loading. You will need direct access to the hosting account for this.
Edited because spelling…
One overlooked thing often here if you’re only using a WAF provided by a reverse proxy like CloudFlare:
This does not protect your origin server from direct attack. In other words, if someone spent some time, they could discover your server IP and attack it directly, bypassing the CloudFlare WAF completely. I have found origin server IPs behind CloudFlare probably about a third of the times I’ve tried.
How and whether to remediate this of course is a different question, but it should be considered based on your risk assessment and risk aversion.
CloudFlare itself does provide mechanisms and recommendations for this as well:
[https://developers.cloudflare.com/fundamentals/basic-tasks/protect-your-origin-server/](https://developers.cloudflare.com/fundamentals/basic-tasks/protect-your-origin-server/)
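The mitigation the linked Cloudflare page describes boils down to making the origin accept traffic only from the proxy's published egress ranges. The following is an added example, not code from the thread or from Cloudflare: it checks the TCP peer address of each request against an allowlist of proxy ranges, flags requests that reached the origin directly (i.e. bypassed the WAF), and renders the equivalent nginx allow/deny block. The three CIDRs and the log lines are sample values constructed for the example; a real deployment loads the provider's current list.

```python
import ipaddress

# Sample proxy egress ranges (example values only). In practice load the
# provider's current published list, for Cloudflare the one at
# https://www.cloudflare.com/ips/, and refresh it on a schedule.
PROXY_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

# Constructed nginx-style access log lines. The first field must be the real
# TCP peer address ($remote_addr), never a client-supplied header such as
# X-Forwarded-For, which anyone connecting directly can forge.
SAMPLE_LOG = """\
173.245.48.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
2400:cb00::1 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024
"""


def build_allowlist(cidrs):
    """Parse CIDR strings into IPv4/IPv6 network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_proxy(client_ip, allowlist):
    """True if the connecting peer belongs to one of the proxy's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist)


def find_direct_hits(log_text, allowlist):
    """Return peer IPs that reached the origin without passing the proxy/WAF."""
    direct = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer = line.split()[0]
        if not is_from_proxy(peer, allowlist):
            direct.append(peer)
    return direct


def nginx_allow_block(cidrs):
    """Render an nginx server/location snippet that admits only proxy ranges."""
    return "\n".join([f"allow {c};" for c in cidrs] + ["deny all;"])


if __name__ == "__main__":
    allow = build_allowlist(PROXY_RANGES)
    print("direct-to-origin peers:", find_direct_hits(SAMPLE_LOG, allow))
    print(nginx_allow_block(PROXY_RANGES))
```

Any peer the script flags is evidence that the origin is reachable around the proxy; the nginx block (or a host firewall rule with the same ranges) closes that path.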
If you have multiple sites I think it can get very expensive easily, so I decided to get Imunify360 and it has been good so far. It will try to patch the sites and also clean the sites if infected. I really like it.
WordFence is kind of a dumb idea, and it’s better than nothing.
Despite popular opinions, I do not think WAFs, as they are presented today (plugin+CDN’s proxy) are necessary. I see security as a multilayer issue:
* **Host level** – any decent host has DDoS protection and a firewall tool. If you are at one of the EIG hosts or on a shared plan, it’s hard to be isolated from overflow attacks; no WAF can help you there.
* **OS level** – ssh, sftp, fail2ban, proper file/folder access config and other tools
* **web server level** – hardened database, updated PHP version, mod_security, SSL certs, etc.
* **WP level** – strong password, proven and updated theme and plugins, file/folder access, protected xmlrpc, etc.
More or less, follow https://developer.wordpress.org/advanced-administration/security/ and you’re covered. If you do not have the skills or do not want to control the host, OS and web server levels, use one of the managed WP hosts (Kinsta, WPEngine, SiteGround and alike).
I do not use WAF plugins nor a CDN proxy, although I can see some advantage in moving the burden to an external service. I do not like any middleman in my backyard and I do not believe in the concept of protecting WP from inside WP, e.g. a WAF plugin.
The only ‘security’ plugin I use is Honeypot, and for some paranoid clients NinjaFirewall. YMMV, it’s always a question of taste.
All in all – good host, strong password, updated theme and plugins, disabled xmlrpc, and your security is 99% covered.