If you use WordPress, then WordPress itself takes care of a ton of security issues and keeps resolving new ones in every update. The recent WordPress 5.5 update adds the ability to auto-update themes and plugins to improve site security.
In this article, I will talk about some of the very common security threats for websites and how to secure our websites using cloud-based firewalls for WordPress.
Plugin or theme vulnerabilities
Not just WordPress but every other content management system faces security threats from a variety of unpatched vulnerabilities. But WordPress is the CMS most targeted by hackers because of its popularity and usage. Today it powers the majority of websites on the Internet.
WordPress is an easy-to-use CMS and has a large number of third-party plugins to extend its functionality. There are over 56,000 plugins in the WordPress repository and counting. Anyone can develop a plugin and publish it in the WordPress repository.
All developers are required to follow WordPress guidelines to keep WordPress plugins and their users safe. Still, it takes only a single mistake to publish a vulnerable plugin or theme update. Hackers keep looking for security issues in WordPress plugins and themes. Once they discover a vulnerability in a plugin or theme, they can target websites that have installed the vulnerable plugin.
Hackers also write scripts, also known as bots, that target websites in bulk. Hackers use already compromised servers to run these malicious scripts and target as many websites as possible. If you have a website, no matter what CMS you’re using, hackers’ bots are always scanning your website for vulnerable code.
These bots find vulnerabilities and exploit them automatically. Many times site admins do not even notice their website has been compromised. A compromised website can be used to mine bitcoin for the hacker, redirect visitors to other malicious websites, and even target other websites to inject malicious code.
Brute force attacks
Brute force attacks are the second most common type of attack on the Internet. In brute-forcing, hackers try to guess site passwords. They try passwords found in other hacks and try a large list of commonly used passwords. Brute-force attempts also consume the server’s bandwidth, which slows the website to a crawl.
The third most common type of attack is DDoS. When DDoS happens, it scares website admins. When hackers conduct a DDoS attack on any website or service, they send so many requests to the server that it stops responding to legitimate requests.
In DDoS attacks, hackers use already compromised servers or even desktops to send fake traffic to the targeted server. As a result, websites hosted on that server stop responding. In other words, if it is an eCommerce shop, customers can’t make any purchases during the DDoS, and the website’s business goes down to zero in a span of a few minutes.
There are two types of firewalls: cloud firewalls and application firewalls. Cloud firewalls, as the name suggests, are hosted in the cloud and can be used as a proxy to filter requests coming to a site.
The second type is application firewalls. These firewalls are installed on the server itself and filter malicious traffic that’s targeting the server.
In this article, I will be reviewing some of the best Cloud-based firewalls for WordPress. So let’s get started.
A Cloud firewall sits between a website and its visitors. Each request is scanned by the firewall before it hits the website, so a cloud firewall can block a malicious request before it reaches a WordPress site.
Cloud firewalls have a large database of vulnerabilities and they keep adding new ones. Cloud firewalls also block users whose IP addresses may have been involved in targeting other websites. Cloud firewalls can also stop DDoS attacks by verifying that the visitor is actually a human, not a bot that’s spamming the site.
Most cloud firewalls also speed up the site by providing CDN support. The website is served from different servers across the globe.
Below is the list of Cloud firewalls that are easy to set up and provide excellent features to keep your site secure.
Cloud Firewalls for WordPress
Sucuri is the leading firewall provider for WordPress. When it comes to security, Sucuri can handle DDoS, brute-force attacks, and malicious bots that try to inject code into your site, and it also supports country blocking.
Sucuri can also monitor who is trying to log in to your WordPress dashboard. It can also restrict logins to your WordPress site to specific IP addresses. It is an excellent feature if you have a few WordPress users.
Besides this, Sucuri provides CDN support that serves your WordPress site over the content delivery network. It reduces bandwidth usage on the origin server and improves website loading speed. There is also a WordPress plugin that can be installed from the WordPress plugins page. Sucuri’s WP plugin monitors all the changes happening on the site and emails the admin regarding them.
Sucuri’s basic plan starts at $199/year and goes all the way up to $499/year for businesses. It is expensive but provides great WordPress protection from all types of threats.
Cons of Sucuri
- Poor support
Mostly they take more than 48 hours to reply. Sometimes they take 4+ days to reply. It is my personal experience with them.
- Bug in IP whitelisting feature
Sucuri’s IP whitelisting feature, where site admins can allow only specific IPs to log in to the website, stops users from updating posts and pages. The request is blocked if you are trying to update your articles with code in them, such as SQL queries or PHP statements. It is a bug and can be bypassed just by either removing or adding any IP address from the list on Sucuri. I raised a ticket regarding this bug and hope they’ll fix it soon.
Cloudflare is the most popular network on the Internet. Cloudflare takes care of any type of security threat, from small DDoS attacks to large-scale DDoS attacks where devices in an entire network are infected to be controlled by the attacker.
Cloudflare is also used by large organizations to protect their servers from large scale threats. No matter what threat you are dealing with in website security, Cloudflare has covered it all.
Most of their basic features are free of cost, including DDoS protection, CDN support, HTTPS support, a firewall with the ability to create custom firewall rules, site caching, page rules, advanced analytics, and even the ability to add third-party apps to the website.
If you stream videos, they also provide multi-bitrate encoding without any cost. All of these and even more features come with a free plan.
Cloudflare also has a plugin for WordPress that allows us to manage basic features from the WordPress dashboard.
Cloudflare’s basic plan is free and provides DDoS protection, Global CDN support, and email support. The next plan costs $20/month with enhanced firewall protection for websites, image compression, automatic mobile optimization, and cache analytics.
The Business plan costs $200/month and provides a wide array of security features for websites.
MaxCDN is now a part of StackPath, a well-known cloud services provider in the industry. They provide CDN support, DDoS protection, SSL, and DNS at more affordable prices.
StackPath provides lightning-fast CDN support and promises to reduce network latency by 60%. To use their services, one can either subscribe to Website & application services or Edge compute to deploy virtual machines or containers.
There is no StackPath plugin for WordPress, so all their services are managed from the StackPath dashboard.
StackPath pricing ranges from $20/month to $2000/month. The basic pricing includes unlimited SSL certificates, 1TB CDN bandwidth, 5M WAF requests, 2M DNS requests, 1 Monitored service, and network layer DDoS protection.
Malcare provides WordPress protection with a real-time malware scanner and instant malware removal. To protect websites from malicious requests, it provides a WordPress firewall, login protection that stops unnecessary access to the login page, WordPress hardening, and website management to manage multiple sites from a single dashboard.
The USP of Malcare is the real-time malware scanner and instant malware removal within 60 seconds of infection.
Malcare pricing is the most affordable in this list. It starts from $99/year for one site and goes up to $599/year for developers.
Besides the firewalls I mentioned above, there are many firewall protections available in the market. The ones I have mentioned provide firewall support at affordable prices that will block the majority of threats before even reaching your server.
If you use any other firewall for website protection, please mention it in the comment section below.