Why Choose An Endpoint Firewall Like Wordfence

When choosing a firewall for your WordPress website to protect it against attacks, you have a handful of choices. Wordfence is one of the only effective “endpoint” firewalls available. The alternative is a “cloud” firewall from vendors like Sucuri (now owned by GoDaddy) and Cloudflare.

I’d like to explain the difference between a cloud firewall vs an endpoint firewall like Wordfence. I would also like to explain the risks of choosing cloud versus the peace of mind and simplicity of an endpoint firewall like Wordfence. I will also explain why endpoint firewalls are far more effective at protecting your WordPress website.

The Difference Between Cloud and Endpoint Firewalls

A “cloud” firewall is a server that is located in a remote data center belonging to another company. Your website traffic goes from your visitors to that remote data center and then back out over the internet to your website.

When vendors use the word “cloud” they really mean “our data center”. When you store photos in the Apple’s “cloud”, you are storing photos in Apple’s data center. When you host your website in the “cloud” you are hosting it in some company’s data center.

“Cloud” firewalls are the same. The actual firewall is just located in another company’s data center. The important thing to note is that your traffic passes across the internet from your visitor, to that company’s data center, then back out over the Internet to your website.

Configuring a cloud firewall is a bit more complex because you need to point your domain name away from your own server and at the cloud firewall vendor’s servers. That way your traffic can be routed through their data center.

When we talk about “cloud” firewalls we refer to your website as the “origin server”. Because your origin server is also on the internet, it can still be reached by anyone on the internet provided they have your server IP address. That includes attackers. Here is a diagram to illustrate:

An endpoint firewall like Wordfence is different in that it runs on the actual server it is protecting. That means there is no way to bypass it over the internet. Your traffic is also routed directly from your site visitor to your server. You have total control over your firewall and it is not shared by any other website. You don’t have to point your domain at someone else’s servers or data center.

The diagram below illustrates how an endpoint firewall like Wordfence runs on your server and cannot be bypassed. It also shows how we integrate with WordPress and have “local knowledge” of user access levels via the WordPress API.

The Risks Associated With Cloud Firewalls

The Cloud Firewall Bypass Problem

When you run a cloud firewall, the firewall server lives out on the open internet. That server can be bypassed by an attacker and they can still access your website directly. It is not possible to bypass an endpoint firewall.

We have discussed the Cloud Firewall bypass problem in detail in the past. This problem is a fundamental flaw in cloud firewall design. Unless you move the firewall to the endpoint, as Wordfence does, you can’t get around this issue.

The Cloud Firewall Data Leak Problem

Cloud firewalls use a single server on the internet to provide firewall functionality to hundreds, perhaps thousands of different websites. If I told you 2 years ago that a major cloud provider would accidentally start sending data for one site visitor to other visitors, you would probably say I’m crazy.

That is what happened in February of this year. Cloudflare experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors. A visitor to one website using Cloudflare may have seen data from another website using Cloudflare that was being sent to a completely different site visitor.

If you use a cloud firewall, you are sharing your firewall with many other websites. You trust your vendor to keep your data and configuration information segregated and secure. Vendors are not perfect. They experience bugs and breaches too. By adding a shared firewall to your configuration, you are introducing an additional point of risk and failure.

The Cloud Firewall User Identity Problem

Cloud firewalls run on servers that are on the internet. They are completely separate from your WordPress server. They don’t know who a user is or what access level they have. Cloud firewalls don’t even know if a user is logged in or not. 

What this means is that they don’t have identification, authentication and authorization data for any visitor to your website. They can’t use that data in their rules. Cloud firewall vendors may make bold claims, but when their firewall makes decisions about who to grant access to and who to block, those decisions do not take into account who a visitor is, what access level they have and whether they are logged in or not.

In contrast, Wordfence is an endpoint firewall that integrates deeply with the WordPress API. Wordence knows who a user is, what access level they have and whether they are signed in or not. Wordfence uses this data to make effective decisions on who to allow and who to block.

Cloud Firewalls are Generic and Not Designed for WordPress

In the past we have seen cloud firewalls that have let through some of the best known WordPress attacks. Cloud firewalls run on remote servers and are not designed to integrate with WordPress or to work specifically with WordPress. They usually have a generic rule-set that is not tailored for WordPress specifically.

Wordfence is designed specifically for WordPress. It integrates deeply with the platform and is designed to block well known and emerging attacks that specifically target WordPress.

Cloud Firewalls Break End-to-End Encryption

In order to inspect your web traffic to determine if it is malicious, cloud firewalls have to decrypt your website traffic. That decryption happens on another company’s servers away from your servers and outside of your data center.

Wordfence is a strong supporter of end-to-end encryption on the web. We don’t think that encryption should be intercepted and decrypted in transit. We think that website visitors have a reasonable expectation of privacy and their data should remain secure from their web browsers all the way to the destination server they are communicating with.

Endpoint firewalls like Wordfence do not break end-to-end encryption. Your data stays encrypted and secure from your site visitor all the way to your website.

Secure Your Site At The Endpoint

Securing your website using an endpoint security product like Wordfence has many advantages over a cloud product. Wordfence provides a robust endpoint firewall that is continuously updated. Wordfence Premium customers receive firewall rules in real-time and free users receive new rules 30 days later.

Wordfence includes a malware scanner. Cloud firewalls only provide firewall functionality – they do not have the ability to scan your website for malware. Wordfence Premium customers receive malware rules that are updated in real-time as new threats emerge.

Wordfence also provides a range of other features like two factor authentication, brute force protection, country blocking and more. Our Premium customers also benefit from an IP blacklist that is updated in real-time. Because we only protect WordPress websites, our attack data is specific to WordPress. We know who is targeting WordPress websites and we can block them on your website, immediately.

Install the free version of Wordfence today to immediately secure your website at the endpoint. Then consider upgrading to Wordfence Premium to receive real-time firewall rule updates, real-time malware signature updates and protection by our real-time IP blacklist.

Note: All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The post Why Choose An Endpoint Firewall Like Wordfence appeared first on Wordfence.


5 Things to be Aware of When Buying WordPress Security

If you are new to WordPress or reevaluating your security strategy, you are overwhelmed by choice in today’s market. The reality is that there are only a handful of tools that truly protect your WordPress website from a hack and help you detect an incident. With all of the claims that vendors are making, it can be tough to choose the most effective product to protect your investment and your customer data.

To help you in your decision making, I’m going to call out 5 things in this post that you need to be aware of before you choose a security plugin, a cloud solution or something that runs in the hosting environment that your hosting provider is selling.

1. Not all security products include a firewall

Many of the best known security plugins for WordPress don’t actually include a firewall. To understand this, it’s important to understand what a firewall actually is. The firewall in Wordfence is known as a Web Application Firewall or ‘WAF’.

For a WAF to be effective, it needs to fulfill a few basic requirements:

  1. It needs to block a wide range of attacks based on it’s ability to recognize website requests as attacks. Types of attacks include SQL injection attacks, remote code execution, cross site scripting and cross site request forgery attacks.
  2. The WAF needs to have a rule-set that is continuously updated. These rules are used to recognize attacks and block them. They can’t be updated only when the software is upgraded. They need to be updated constantly via a ‘feed’.
  3. The WAF needs to analyze ALL requests, not just requests that hit a particular application. In other words, if you have installed a WordPress WAF, it must block requests that try to directly access a script in a WordPress subdirectory along with requests that hit WordPress itself.
  4. The WAF needs to be very high performance. It will be inspecting every request that hits your site and it’s very important it doesn’t slow your site down at all.

Wordfence fulfills all these requirements. It has a comprehensive rule-set that blocks a wide range of attacks and is continuously updated via our Threat Defense Feed. The Wordfence WAF inspects every request made to a PHP application on your website. Whether it’s a WordPress request or a direct attack on a script like Timthumb, Wordfence will see it and analyze it and block it if necessary. Wordfence is extremely high performance. We use core PHP functionality for our rule-set that executes very fast, we pre-filter rules and only execute what is relevant and our rule-set is highly optimized.

Many popular security plugins for WordPress don’t include a WAF, or firewall. They include features like brute-force protection, file change detection, backups, strong password enforcement and so called system ‘tweaks’. But they don’t include the most basic security component of them all: An effective web application firewall.

When purchasing a security product, make sure it actually includes a firewall.

2. Cloud firewalls can be bypassed and don’t have identity data

cloud-waf-diagramBecause cloud firewalls execute on remote servers out on the Internet, it’s possible for an attacker to go around them and attack your site directly. We’ve written about this in some detail.

Because cloud firewalls execute remotely, they don’t have access to your WordPress API and database. That means they don’t know basic things like: “Is a user signed into your website or not?” They don’t have this data so they can’t use it in their decision making about who to allow and who to block.

If you don’t even know whether a request is coming from a site administrator or an attacker, how can you provide effective protection? We’ve written about the cloud WAF user identity problem in some detail.

Cloud firewalls also use a rule-set that is generic. Their rules are designed for all websites. That means they don’t specialize in a specific platform. The result is that they can allow through some of the best known and most basic attacks on a platform like WordPress.

Wordfence Protecting the EndpointWordfence is designed specifically for WordPress, it knows and uses user identity to make it’s decisions and it’s not possible to go around the Wordfence web application firewall because it runs directly on your WordPress website.


3. Some malware scans don’t check very much

When choosing a malware scanner for WordPress, it’s important to choose one that does a deep thorough scan of your site. Malware authors have become very creative in how and where they hide malware once they’ve compromised your website. Without a deep scan, your site may be infected and you won’t be aware of it.

iThemes Security, the second most popular security plugin for WordPress, uses Sucuri Sitecheck to perform a malware scan. You have to pay for iThemes Pro to gain access to this feature, which currently costs $48 per year.

Once you’ve paid for iThemes security and have access to the malware scan feature, you can launch a scan. A Sucuri scan using iThemes Security on my test WordPress site only performed 22 page requests. All the checks are remote, so no source code is inspected.

After doing this scan, this is what my logfile looks like. Click for a larger image.

ithemes sucuri malware scan

As you can see, it didn’t do very much.

Below we show what a typical free Wordfence scan looks like (it’s in reverse chronological order). As you can see we analyze the source code of over 4,000 files on the same site and perform a host of other checks. Click the image for a larger version in a new tab.


When choosing a malware scanner, make sure you pick one that performs a comprehensive scan of your website and doesn’t just do a cursory check. Malware can be hard to find and well hidden. Wordfence performs a deep and comprehensive scan of your site every time it runs.

4. Malware scanning takes a team, forensic work and processes

Forensic WorkHave you wondered why our Wordfence site cleaning service is is so reasonably priced, even though you get your own Wordfence analyst working closely with you to fix your hacked site?

It’s because your hacked website is an amazing source of forensic data for us. We take the footprints that a hacker left behind and add that to our malware scan.

To provide an effective malware scan, you need to perform hands-on forensic analysis of the latest attacks as they happen. That’s what our site cleaning team does.

Then you need to take that attack data and run it through a process to turn it into threat intelligence and distribute it, in real-time to a great malware scanner. That is what our Threat Defense Feed is. The TDF describes our process of gathering, analyzing and distributing threat intelligence to the Wordfence malware scanner and firewall.

I’m not currently aware of a single WordPress specific malware scanner that combines a high performance scan engine with a team and process like Wordfence does.

5. Watch out for ‘automated‘ malware removal

Some companies offer an ‘automated’ fix if they detect malware on your website. When we first heard about this we viewed the concept with deep skepticism. If malware is detected on a website, it has been compromised. The definition of a ‘compromised’ site is that someone unauthorized has gained access to the site.

Incident response is a complex field. We have certified forensic investigators on our team who have developed our site cleaning process. To get an idea of how the a typical incident response process works, you can reference NIST publication 800-61 “Computer Security Incident Handling Guide” [PDF].

In general, forensic analysts will divide incident handling into three phases:

  1. Detection and Analysis: This includes analyzing attack vectors, documenting the incident, prioritization and notification.
  2. Containment, eradication and recovery: This includes evidence gathering, identifying what has been attacked and evidence gathering.
  3. Post incident activities: In this phase forensic data is analyzed, evidence is retained and the data is used to prevent future incidents.

There are several different approaches to incident response and you can visit OWASP to learn more about how they tackle the problem.

If a site is compromised, an automated fix would leave out many of these steps. For example, it would not be able to determine how an attacker gained access and so the site may be repeatedly hacked.

We currently recommend that you avoid products that claim an automated fix is possible for a compromised website. Instead we suggest that you use a security analyst trained in incident response to help fix your hacked website. One of our human analysts would be glad to assist you.

The post 5 Things to be Aware of When Buying WordPress Security appeared first on Wordfence.