Security is a result of security “practices” rather than plugin “functionality”. No security plugin is perfect, but we make do, and that, like everything else in life, is what defines the outcome.
Here’s a simple diagram of how an attacker tries to get inside your website.
There are 4 levels that each request has to go through to get to your website:

| Level | Description |
|---|---|
| Network | connection from the attacker to the server (the internet) |
| Server | physical machine, i.e. the computer (HP, Dell, Huawei, etc.) |
| Web server | service running the website (Apache, LiteSpeed, Nginx, IIS, ...) |
| Website | CMS (WordPress, Joomla, PrestaShop, etc.) |
An attacker has to cross the network to reach the website, so that is where defence starts: a network firewall stops attacks before they even reach your website.
There are two types of firewalls:
- Hardware firewalls: Standalone products or a built-in component of a router or other networking device, such as Cisco or MikroTik routers. They are an essential part of any traditional security system and network configuration.
- Software firewalls: Installed on the host itself, either as part of the operating system or supplied by a software or network device vendor. A software firewall can protect a system from standard control and access attempts, but doesn't help much with sophisticated network breaches.
Whether it's a hardware or a software firewall, there is no such thing as an ideal firewall. This means that some malicious traffic will still find its way to your hosting and website. If your hosting or website is misconfigured, hackers will most likely be able to gain access.
There are dozens of open source firewall applications available for Linux. Here are just a few that might be very useful:
nftables
- Single tool with consistent syntax
- Faster kernel-side transactional ruleset updates
- Sets are more flexible and powerful than ipset
- flowtables provide a software fast path and hardware acceleration
- Backup and restoration
ConfigServer Security Firewall
ConfigServer Security & Firewall is a cross-platform and very versatile firewall based on the concept of a Stateful Packet Inspection (SPI) firewall. It supports almost all virtualization environments, such as Virtuozzo, OpenVZ, VMware, Xen, KVM and VirtualBox.
In the hosting industry it's known as the most used firewall for Plesk and WHM (cPanel) servers.
- LFD (Login Failure Daemon), a daemon process that checks for login failures of sensitive services such as SSH, SMTP, Exim, IMAP, Pure-FTPd and ProFTPD, as well as mod_security failures.
- Email alerts to notify you when something unusual happens.
- Easily integrated with popular web hosting control panels like cPanel, Plesk, DirectAdmin and Webmin.
- Protects from SYN flood and ping of death attacks.
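To make the LFD bullet concrete, here is an added example (not code from the CSF project) of the kind of check a login-failure daemon performs: it counts failures per source address across several services inside a sliding window, on constructed sshd and Dovecot log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sample, not taken from any real server.
SAMPLE_LOG = """\
Mar 10 11:50:00 web1 sshd[2100]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 10 12:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:04 web1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar 10 12:00:05 web1 sshd[2207]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 10 12:00:06 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar 10 12:00:07 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51252 ssh2
Mar 10 12:10:01 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 12:10:02 web1 sshd[2302]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 10 12:10:03 web1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2
Mar 10 12:10:04 web1 sshd[2304]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# One pattern per watched service; each captures the source address of the failure.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
}
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_failures(log_text, year=2024):
    """Yield (timestamp, service, ip) for every login failure found in the log."""
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for service, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                yield ts, service, hit["ip"]
                break

def find_offenders(log_text, limit=5, window_seconds=300):
    """Map each IP reaching `limit` failures within one sliding window to its count.
    Failures are counted across services, so spreading attempts over SSH and IMAP
    does not help; failures older than the window drop out of the count."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, _service, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= limit and ip not in offenders:
            offenders[ip] = len(window)
    return offenders
```

With the sample above, 203.0.113.5 is flagged after its fifth failure in six seconds, while 192.0.2.9 is not, because its first failure lies outside the five-minute window.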
UFW – Uncomplicated Firewall
UFW is the default firewall tool for Ubuntu servers; it is designed to hide the complexity of the iptables firewall and make it more user friendly. A GUI for ufw, known as GUFW, is also available for Ubuntu and Debian users.
- Supports IPv6
- Status Monitoring
- Extensible Framework
- Easy to Add/Remove/Modify Rules
IPCop
IPCop is an open source Linux firewall distribution that provides a well-designed web interface for managing the firewall. It's very useful and a good fit for small businesses and local PCs.
Features of IPCop Firewall:
- Colour-coded web interface that lets you monitor performance graphs for CPU, memory and disk as well as network throughput
- Auto rotate logs
pfSense
pfSense is another open source and very reliable firewall, built on FreeBSD. It's based on the concept of stateful packet filtering and offers a wide range of features normally available only on expensive commercial firewalls.
Features of pfSense:
- Highly configurable from its web-based interface.
- Can be deployed as a perimeter firewall, router, DHCP and DNS server.
- Can be configured as a wireless access point and a VPN endpoint.
- Traffic shaping and real-time information about the server.
Web Application Firewalls
Web Application Firewalls (WAF) play a critical role in the protection of WordPress websites on any hosting server. They form the backbone of the defence against cloud-based exploits that compromise security or harm the availability of the website and its data.
Here are some of the best open source WAFs to secure your WordPress website:
ModSecurity is the best open source web application firewall; it's equipped with tons of features to help you protect your web apps.
ModSecurity offers you complete freedom to extend the capabilities of the tool so it can fit your needs.
WebKnight is an application firewall for Microsoft IIS with a set of tools that scan all requests and filter them according to rules set by the administrator. Unlike other WAFs that rely on signatures of past attacks, WebKnight filters on attack classes such as buffer overflow, SQL injection, directory traversal and character encoding.
Vulture is a lightweight and effective Linux WAF and reverse proxy based on the Apache web server. Vulture distributes incoming traffic across the nodes of a cluster to improve performance, and adding more nodes to the cluster makes it faster still.
And some paid WAFs:
Cloudflare offers a range of web security services, one of which is a WAF; it is a paid feature of Cloudflare.
Sucuri Web Application Firewall (WAF) and Intrusion Prevention System (IPS) provide the protection required against website threats.
With SP// WAF, you can instantly enable enterprise-class protection with little to no configuration required. Go further with powerful customization and integration options to create and tailor WAF policies and behavior to fit your workloads' unique security needs.
WordPress Firewall Plugins
WordPress firewall plugins monitor your website traffic and block many common security threats before they reach your WordPress site. WordPress firewall plugins are basically WAFs that can be installed directly inside the application.
Similar to Wordfence, Jetpack is an application-level firewall, which means that bad traffic is blocked after it has already reached your WordPress hosting server.
You can install one or many security plugins and WAFs, but you should be careful about what you need and what works. Installing multiple plugins without any forethought results in bloat and plugin conflicts that can slow down your website or even break it.
For optimal security you should use a different firewall at each security level: network, server and the application itself.
Use security vulnerability scanners to discover your points of security weakness. Test your WordPress application (WPScan), web server (Nikto), system (OpenVAS) and firewall (Nmap) for any issues.
What do I use?

| Level | Firewall |
|---|---|
| WAF on the VPS | CSF |
| WAF on the web server | ModSecurity |

What do you use?