PHPMatters Help You Better Hosting Your PHP-based Sites
Why and How to Use Firewall in WordPress

At present, WordPress is widely used to build small blogs, personal websites, photo galleries, online stores and much more. Because of this popularity and its open-source nature, the script is now a favorite target of hackers and intruders. You therefore need to adopt a number of security measures to protect your WordPress-powered site, such as frequent backups, the use of SSL, the installation of security plugins and so on.

This time, we'd like to introduce another useful security method: the use and proper configuration of a firewall. Below, we give a detailed introduction to this technology, along with why and how to use a firewall in WordPress.

Something You Need to Know About Firewall in WordPress

In fact, a large number of WordPress hosting providers, such as Arvixe, already include a firewall in their hosting packages for better hosting security. But do you really know what a firewall is, how it works and why it is necessary for your WordPress sites?

To put it simply, a firewall is a network security system that controls, inspects and monitors all traffic, both incoming and outgoing, based on a set of predetermined rules. In general, the firewall establishes a solid barrier that isolates the secure, trusted network from outside networks. The Internet, for instance, is regarded as an outside network that is neither trusted nor risk-free.

Typically, firewalls fall into two groups: network firewalls and host-based (self-hosted) firewalls. The former is a software or hardware appliance that filters traffic between different networks, while the latter runs on a single machine and controls the traffic into and out of that host.

Firewall in WordPress

Why to Use It in WordPress

Here, we have to note that you can never configure WordPress so perfectly that it is immune to all dangers. What you can do is harden WordPress against the inevitable attempts at hacking and attacks, and one of the effective hardening methods is the use of a firewall.

Here, we'd like to list some benefits of using a firewall in WordPress as a supplementary practice to safeguard your web content and data.

  • Unlike some poorly chosen measures that keep good traffic and data away from you, a firewall filters only the suspicious traffic.
  • Once you have set up the firewall on your WordPress site properly, it manages itself according to the rules you decided on; there is nothing further for you to do afterwards.
  • Frankly, firewall technology has been around for a long time. After constant updates and adjustments, it has become a genuinely effective security option.

How It Works

As we have mentioned, this technology places a wall between suspicious sources and reliable ones so as to protect your website, script, server machine and network. To make this happen, there are 4 main practices adopted by the service provider.

  • Packet Filtering – The firewall examines every packet leaving or entering the network. After analyzing each packet against the defined rules, it accepts or rejects it. This filtering practice is effective for all users, but it can be difficult for newbies to configure.
  • Special Gateways – An application-level gateway applies a security mechanism specific to a particular application. Once a connection has been checked and nothing suspicious is found, its packets can flow without further inspection.
  • Proxy Servers – The proxy server is set up as a middleman that intercepts all messages passing through the network, then allows the good traffic and stops the bad.

How to Use Firewall in WordPress

In fact, for most WordPress users, it is impractical to set up a firewall manually, since that requires some advanced skills. Thankfully, WordPress is supported by a large number of firewall plugins that allow you to use this technology easily to harden your website.

This time, we sincerely recommend the All In One WP Security and Firewall plugin, which is comprehensive and user-friendly. This plugin has plenty of security-related features, among which the firewall is the primary and most highlighted one.

You can freely download and install it on your WordPress site. After clicking the WP Security menu item, you can see its dashboard.

WP Security Dashboard

First, you will find a Security Strength Meter section. Its purpose is to tell you how secure your website is, based on the number of security features you have enabled.

Now, to add firewall protection to your site, click the Firewall item in the drop-down menu. Here, you can add basic firewall rules, advanced rules, 6G blacklist rules, Internet bots rules, hotlink prevention rules, 404 detection rules and some custom options.

Note that this plugin adds the firewall functionality to your site by inserting rules into your .htaccess file. To avoid unexpected problems, you had better back up your site first. For this, click the Settings button of this plugin. In the General Settings page, you can easily start a backup of your wp-config.php file, database and .htaccess file.

Backup WordPress

Basic Firewall Rules

First, you can enable the basic firewall protection for your site. For instance, you can protect your .htaccess and wp-config.php files by denying outside access to them, limit the upload file size to 10 MB and deactivate the server signature. Note that these basic features have little or no effect on the overall functionality of your site.

In addition, you can enable pingback vulnerability protection. This stops attackers from exploiting the pingback feature to mount DoS attacks or to attack internal routers. However, this firewall rule should only be enabled if you are not using the XML-RPC functionality on your WordPress installation.

The last basic rule is highly recommended: it blocks external access to the debug.log file, which contains sensitive data about your site.

Now, enable the rules you need by ticking the checkbox for each protection.

Basic Firewall Rules

Advanced Firewall Rules

In addition to the basic rules, you can also optionally enable some advanced options.

  • Disable directory listing, so that the contents of a directory are not shown even when it has no index.php file. To use this rule, make sure the Indexes directive is allowed in the httpd.conf file; if not, contact your web host.
  • Disable the HTTP TRACE and TRACK methods, so as to prevent HTTP trace attacks and related XSS attacks.
  • Disallow proxy comment posting, forbidding all comment-posting requests that come through a proxy server.
  • Prevent malicious string attacks on your website via XSS.

Advanced Firewall Rules
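
To show what the plugin writes for you, here is a hand-written .htaccess fragment that implements the basic rules from the previous section and the advanced rules listed above. It is an added example, not the plugin's generated output, and it assumes Apache 2.4 (Require syntax) with AllowOverride permitting AuthConfig, Options and FileInfo for the WordPress directory.

```apache
# --- Basic rules (constructed example, Apache 2.4 syntax) ---

# Never serve .htaccess or .htpasswd themselves
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Deny web access to wp-config.php, the WP_DEBUG_LOG file and the XML-RPC
# endpoint (the xmlrpc.php line is the pingback protection; drop it if you
# rely on XML-RPC, e.g. for the mobile app or Jetpack)
<FilesMatch "^(wp-config\.php|debug\.log|xmlrpc\.php)$">
    Require all denied
</FilesMatch>

# Cap request bodies, and so uploads, at 10 MB (10 * 1024 * 1024 bytes)
LimitRequestBody 10485760

# Do not append the Apache version line to error pages
ServerSignature Off

# --- Advanced rules ---

# No directory listings for folders without an index file.
# Needs AllowOverride Options (or Options=Indexes); otherwise Apache answers 500.
Options -Indexes

RewriteEngine On

# Refuse HTTP TRACE/TRACK (cross-site tracing) with 403
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F,L]

# Refuse comment POSTs that arrive with proxy headers set
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php$ [NC]
RewriteCond %{HTTP:Via}%{HTTP:X-Forwarded-For}%{HTTP:Proxy-Connection} !^$
RewriteRule .* - [F,L]

# Refuse query strings that carry a <script> tag, raw or URL-encoded
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule .* - [F,L]
```

After saving, request /wp-config.php and /debug.log in a browser and confirm both return 403; if every page returns 500 instead, your host's AllowOverride does not permit one of the directives and that section must be removed.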

Blacklist Firewall Rule

Here, you can activate the 6G or 5G firewall rule for protection. It blocks forbidden characters commonly used in attacks and in encoded URLs, and guards against both common and specific malicious exploits.

Note that the 6G protection is the updated version of the 5G one.

Blacklist Firewall Rule

Other Additional Rules

If you want, you can also enable the Internet Bots, Hotlink and 404 Detection rules. These block fake Googlebots, prevent hotlinking of your images and manage the 404 events that happen on your site.