
The Powerful WordPress Firewall

Have you ever had unexpected bot traffic that consumed a lot of server resources, damaged your brand website’s reputation, and caused downtime through high resource usage? And perhaps you had never heard of a WordPress firewall?

If so, now is the right time to fight off non-legitimate traffic. Even if you have not yet experienced excessive bot traffic, I would still go ahead and implement the security tweaks described here.

We can’t predict whether a WordPress site will be attacked or not; we only know that attacks arrive without warning. That is why the safest bet is to take precautions now rather than regret it later.

Let’s talk about why it is necessary now.

Why does your site need a firewall or WordPress Firewall?

WordPress is the most common open-source CMS and therefore a soft target for hackers and attackers. A web application firewall, or WordPress security firewall, is essentially a collection of rules designed to stop unwanted bot traffic before it reaches your site, protecting it from hacks, brute-force attacks, DDoS attacks, cross-site scripting, and SQL injection.

Hence a firewall is in effect a virtual wall that keeps all unauthorized or non-legitimate traffic away from your WordPress site.

DNS Level Website Firewall vs Application Level Firewall

There are two levels at which WordPress firewall rules can safeguard your website. Both levels of protection have their own pros and cons. A DNS-level firewall is focused on blocking fraudulent traffic before it reaches your website, while a WordPress-level (application-level) firewall restricts access to insecure data or code on the site itself. To make your WordPress site more secure, I’ll explain both options and how you can use them together to protect your website.

DNS Level Website Firewall

The DNS-level website firewall is generally the more advisable choice. To understand why, this simple example will help.

When non-legitimate or bot traffic tries to reach your website, it has to pass through the DNS firewall’s proxy server before reaching your WordPress installation. The DNS-level firewall stops that traffic from ever reaching your WordPress site, which also saves your hosting server’s resources. This is the key reason it is recommended.

I’m using Cloudflare as the DNS-level firewall in this article because it is available for free, provides many other security features, and you probably can’t find a comparable service.

Cloudflare Account Setup

I suppose you won’t need my help setting up a Cloudflare account for your domain name. It is quite easy, but follow the steps below if you’re not familiar with the Cloudflare sign-up process.

How to setup cloudflare for your domain name:

  • Go to Cloudflare’s official website.
  • Click on the signup button.
  • Enter your domain name and new password.
  • Enter your website URL and click on the Add site button.
  • Then you’ll be redirected to select a plan. You can go with any plan of your choice; of course, I’ll be using the free Cloudflare plan in this article.
  • When you confirm the plan, Cloudflare will scan your DNS records and show them to you; then click on the Continue button.
  • You’ll be presented with Cloudflare name servers, which you need to set in your domain registrar’s DNS settings.
  • Once the name servers are updated, you’ll have to wait a couple of hours for DNS to propagate globally.

Once your domain is proxying traffic through Cloudflare, you’re all set. Now we can continue with the next step.

Cloudflare firewall rules:

Here is a screenshot of the Cloudflare firewall rules, showing how Cloudflare helps WPzonify.com stay safe from non-legitimate traffic and block unauthorized access.

[Screenshot: how Cloudflare is helping WPzonify to protect from non-legitimate traffic]

How to setup cloudflare rules for your website:

Cloudflare offers 5 firewall rules on the free plan, which covers pretty much everything I mention in this article, and you can upgrade at any time to add more.

  • Go to the Cloudflare dashboard for the domain >> navigate to the Firewall tab shown in the screenshot.
  • Click on Create a Firewall Rule button.

Now, let’s jump into the rules that you would need for your wordpress website.

Block Bot Traffic.

This Cloudflare firewall rule blocks bad bots scanning your WordPress website and, as mentioned earlier, it blocks them at the DNS level so that your hosting server’s resources are not consumed.

  • Enter the Rule Name: Block Bot Traffic
  • Click on the Edit expression link that I marked on the screenshot below. (You can enter each condition manually, but that would take time.)
  • Paste the following code in it.
  • Click on the Deploy button.

(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

[Screenshot: Block bad bots Cloudflare firewall rule]
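As an added example (not from the article and not Cloudflare’s own code), the Python below models the semantics of that expression so its allow and block decisions can be checked offline before the rule is deployed: Cloudflare’s `contains` is a case-sensitive substring test, and `cf.client.bot` is true only for bots Cloudflare has verified. Verified-bot status cannot be read from the User-Agent string alone, so each sample request carries it as an explicit flag; the user-agent strings and flags are constructed for the demonstration.

```python
# Added example: an offline model of the "Block Bot Traffic" expression.
# Cloudflare `contains` = case-sensitive substring match; `cf.client.bot` = the
# request comes from a bot on Cloudflare's verified-bot list. The sample
# strings and verified flags below are constructed, not taken from Cloudflare.

# Substrings that block regardless of verified-bot status.
UNCONDITIONAL = ("Yandex", "muckrack", "Qwantify", "Sogou", "BUbiNG", "knowledge",
                 "CFNetwork", "Scrapy", "SemrushBot", "AhrefsBot", "Baiduspider",
                 "python-requests")


def block_bot_traffic(user_agent: str, verified_bot: bool) -> bool:
    """True if the article's Cloudflare rule would block this request."""
    def has(needle: str) -> bool:   # same semantics as Cloudflare `contains`
        return needle in user_agent

    if any(has(n) for n in UNCONDITIONAL):
        return True
    if verified_bot:                # every remaining clause ends in "and not cf.client.bot"
        return False
    return (
        has("crawl") or has("Crawl")
        or (has("bot") and not has("bingbot") and not has("Google") and not has("Twitter"))
        or (has("Bot") and not has("Google"))
        or has("Spider") or has("spider")
    )


# Constructed sample requests: (label, user agent, verified-bot flag).
SAMPLES = [
    ("browser", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0 Safari/537.36", False),
    ("googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", True),
    ("bingbot", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", True),
    ("ahrefs", "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)", False),
    ("requests", "python-requests/2.31.0", False),
    ("pingdom", "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)", False),
    ("duckduck-verified", "DuckDuckBot/1.1; (+http://duckduckgo.com/duckduckbot.html)", True),
    ("duckduck-unverified", "DuckDuckBot/1.1; (+http://duckduckgo.com/duckduckbot.html)", False),
]


def evaluate_samples() -> dict:
    """Map each sample label to True (blocked) or False (allowed)."""
    return {label: block_bot_traffic(ua, verified) for label, ua, verified in SAMPLES}


if __name__ == "__main__":
    for label, blocked in evaluate_samples().items():
        print(f"{label:22} {'BLOCK' if blocked else 'allow'}")
```

Running it shows why the reader comment at the end of this post had to add a Pingdom exception: the monitor’s user agent contains the substring "bot" and is not a verified bot, so the final group of conditions blocks it. Any uptime monitor, payment webhook or partner integration whose user agent contains "bot", "crawl" or "spider" needs an explicit `not http.user_agent contains` exception in the same way.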

Protect Insecure Plugins

We don’t let strangers into our bedrooms, right? Your wp-content folder deserves the same protection. Unfortunately, most hacks occur because of vulnerable plugin code. This Cloudflare firewall rule stops visitors from directly accessing PHP files within your /wp-content directory.

  • Click on the Create a Firewall Rule button and enter the name “Protect Insecure plugins”
  • Click on the Edit expression link that I marked on the previous screenshot.
  • Paste the following code in it.

(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php" and not cf.client.bot)

Why .php: this rule also prevents anyone from directly executing PHP files in your wp-content folder.

[Screenshot: Protect insecure plugins Cloudflare firewall rule]

Protect WP Config, JSON and XMLRPC

In my previous secure-WordPress article, I showed how wp-config and XMLRPC can be protected by adding code to your .htaccess file, but we can also block these requests at the DNS level, which is something you wouldn’t want to miss.

  • Click on the Create a Firewall Rule button and enter the name “Protect wp config, JSON, XMLRPC”
  • Click on the Edit expression link that I marked on the previous screenshot.
  • Here you’ll have to change the country code. (IN is for India; if you live in the US, replace IN with US. You can find the list of country codes at this link.)

(http.request.uri.path contains "wp-config") or (http.request.uri.path contains "/xmlrpc") or (http.request.uri.path contains "/wp-json" and ip.geoip.country ne "IN")

[You can create separate rules for wp-config, JSON and XMLRPC, but I prefer to keep them in one rule.]

[Screenshot: Protect WP Config, JSON and XMLRPC Cloudflare firewall rule]

Prevent wp-Login access

Again, in the previous article we used the “WPS Hide Login” plugin to change the WordPress login URL, but here you can allow access to the wp-login page only from a specific country or IP address; requests to the wp-login page from other countries will be blocked.

  • Click on the Create a Firewall Rule button and enter the name “Protect wp login”
  • Click on the Edit expression link that I marked on the previous screenshot.
  • Here you’ll have to change the country code. (IN is for India; if you live in the US, replace IN with US. You can find the list of country codes at this link.)

(http.request.uri.path contains "/wp-login" and ip.geoip.country ne "IN") or (http.request.uri.path contains "/wp-admin" and ip.geoip.country ne "IN")

[Screenshot: Protect WP-Login Cloudflare firewall rule]

These 4 firewall rules should protect your website against most unauthorized access. There are a few more things you can do on Cloudflare, but since I’m only covering the firewall in this article, I’ll skip them for now.
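The three path-based rules above can be checked the same way. The added Python below (not the article’s or Cloudflare’s code) models `http.request.uri.path`, the URL path without the query string, and `ip.geoip.country`, the two-letter country code of the client IP, and reports which rule fires for a set of constructed requests; `HOME_COUNTRY` stands in for the author’s "IN".

```python
# Added example: an offline model of the three path-based Cloudflare rules
# (Protect Insecure plugins / Protect wp config, JSON, XMLRPC / Protect wp login).
# http.request.uri.path -> URL path without query string; ip.geoip.country ->
# two-letter country code; cf.client.bot -> verified bot. HOME_COUNTRY replaces
# the author's "IN". Every request below is constructed for the demonstration.
HOME_COUNTRY = "IN"


def protect_insecure_plugins(path: str, verified_bot: bool) -> bool:
    return "/wp-content/" in path and ".php" in path and not verified_bot


def protect_config_json_xmlrpc(path: str, country: str) -> bool:
    return ("wp-config" in path or "/xmlrpc" in path
            or ("/wp-json" in path and country != HOME_COUNTRY))


def protect_wp_login(path: str, country: str) -> bool:
    return (("/wp-login" in path and country != HOME_COUNTRY)
            or ("/wp-admin" in path and country != HOME_COUNTRY))


def firing_rules(path: str, country: str, verified_bot: bool = False) -> list:
    """Names of the rules that would block this request (empty list = allowed)."""
    hits = []
    if protect_insecure_plugins(path, verified_bot):
        hits.append("Protect Insecure plugins")
    if protect_config_json_xmlrpc(path, country):
        hits.append("Protect wp config, JSON, XMLRPC")
    if protect_wp_login(path, country):
        hits.append("Protect wp login")
    return hits


# Constructed requests: (path, client country, verified-bot flag).
SAMPLES = [
    ("/", "US", False),
    ("/wp-content/uploads/2024/05/logo.png", "US", False),     # static asset, allowed
    ("/wp-content/plugins/example/ajax.php", "US", False),    # direct PHP in wp-content
    ("/wp-content/plugins/example/ajax.php", "US", True),     # verified bots are exempt
    ("/xmlrpc.php", "IN", False),                             # blocked for every country
    ("/wp-config.php", "DE", False),
    ("/wp-json/wp/v2/posts", "IN", False),                    # REST API from home country
    ("/wp-json/wp/v2/posts", "US", False),                    # REST API from abroad
    ("/wp-login.php", "IN", False),
    ("/wp-login.php", "DE", False),
    ("/wp-admin/admin-ajax.php", "US", False),                # front-end AJAX from abroad
]


def evaluate_samples() -> dict:
    """Map each (path, country, verified) sample to the rules that fire."""
    return {sample: firing_rules(*sample) for sample in SAMPLES}


if __name__ == "__main__":
    for (path, country, verified), hits in evaluate_samples().items():
        print(f"{path:40} {country} verified={verified!s:5} -> {hits or 'allow'}")
```

One consequence the simulation makes visible: `/wp-admin/admin-ajax.php`, which many themes and plugins call from the public front end, is blocked for every visitor outside the home country by the wp-login rule. If your site depends on it, add an exception to that rule such as `and not http.request.uri.path contains "admin-ajax.php"`, and check the Firewall Events log after deploying to confirm that only the requests you expect are being blocked.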

Application Level Firewall

This is not the same as the DNS-level firewall. For example:

When non-legitimate traffic tries to reach your website, a firewall plugin or script evaluates the traffic only after it has already hit your server. That is not ideal, but it still prevents access to the most sensitive WordPress information and vulnerable code, which a DNS-level firewall cannot do in the way an application-level firewall can.

Backup your site:

First things first, because I wouldn’t want you to be disappointed if things go wrong. Taking backups is essential for any website online. Before moving further, please back up your WordPress site to an offsite server.

Plugins that I recommend to backup your site: WPvivid and UpDraftPlus

Best Firewall Plugin

There is no such thing as the best or perfect plugin. It depends on how we customize the settings and on your experience as a user.

But wait, There is something else

I’m not the kind of person who installs a plugin that consumes my hosting server’s resources, or, you might say, plugins that are heavily bloated. So I’m going ahead with NinjaFirewall. This is my personal preference, and for me it does a better job than Wordfence.

NintechNet (the maker of NinjaFirewall) offers two different firewall editions: one for WordPress and another for custom PHP sites, Joomla and other CMS platforms.

  • WP Edition (free) & WP+ Edition (paid)
  • Pro Edition (free) & Pro+ Edition (paid)

I’m using the WP Edition in this article since it takes only a few clicks to set up the firewall in full, so you won’t have to spend time downloading and installing the Pro+ script manually if you don’t have basic knowledge of its installation and usage.

Additionally, the WP Edition is recommended for WordPress websites even if you would like to use the Pro Edition, as a few features are not included in the Pro version.

Of course, if you have a custom PHP website and want to use a firewall, the Pro+ Edition is recommended.

Let’s start with the first step.

Install & Activate Firewall Plugin.

Log in to your WordPress dashboard, go to Plugins >> Add New and search for “advanced Ninja firewall.” Install and activate the plugin.

[Screenshot: Install & Activate Firewall Plugin]

Activate Full WAF mode

Once the NinjaFirewall plugin is installed, head over to the NinjaFirewall Dashboard >> click on the Activate Full Firewall button.

[Screenshot: Activate Full WAF mode]

Much like the screenshot below, you’ll see a popup on the screen, but the HTTP server and PHP initialization file will differ on your screen because they depend on your server.

Do not make any configuration changes; keep the recommended values. Now click on the Finish button.

[Screenshot: Activate Full WAF mode popup]

Clicking the “Finish” button sets up NinjaFirewall and configures it for you. Hang on for a few minutes and you’re done.

Now navigate to the Dashboard; you’ll see “NinjaFirewall is running in Full WAF mode.” The full WAF is now activated.

[Screenshot: full WAF is activated]

Monitor last modified file or Monitor file changes

You might notice that I always suggest monitoring the last modified files. If your site ever gets hacked, it lets you find the changed files quickly. You can easily track your last modified files with the help of the NinjaFirewall plugin.

Now, go to NinjaFirewall >> Monitoring.

You will need to create a snapshot of your current files here, and then Ninja will start monitoring those files.

Create a snapshot of all files stored in that directory: this is your root directory path.
Exclude the following files/folders: you can exclude files and folders from monitoring. [/wp-content/nfwlog/, /wp-content/cache/]

[Screenshot: Monitor last modified file]

Once you click on the “Create Snapshot” button, you will see something like this. You may schedule the check for modified files to run automatically, or run it manually when needed.

[Screenshot: Monitor last modified file - snapshot created]

Files changes Monitoring – Test

For me, testing whether this feature works is important. By testing it, I can help you understand how this function will benefit you.

Test: adding a new file to the WordPress files and adding a few more lines of code to a core WordPress file.

I added a small line of text to my index.php file, as you can see in the screenshot below, and additionally uploaded a new file called “NewFile.php”. On checking the file changes in NinjaFirewall, you can see that both changes were successfully logged.

[Screenshot: File changes monitoring - test]
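To show what the snapshot-and-compare step is doing under the hood, here is an added Python example (my own code, not NinjaFirewall’s) that hashes every file under a WordPress root, skips the two excluded folders from the settings above, and reports files that were added, deleted or modified between two snapshots. `demo()` reproduces the article’s test in a temporary directory: it appends a line to index.php and uploads NewFile.php, and also touches a cache file to confirm the exclusion works. The directory contents are constructed for the demonstration.

```python
# Added example: a minimal file-change monitor in the spirit of NinjaFirewall's
# snapshot feature (not NinjaFirewall's own code). A snapshot maps each relative
# file path to its SHA-256; diff_snapshots() reports added/deleted/modified files.
import hashlib
import json
import tempfile
from pathlib import Path

# The article's exclusions, expressed as paths relative to the site root.
EXCLUDED_PREFIXES = ("wp-content/nfwlog/", "wp-content/cache/")


def _is_excluded(relative_path: str) -> bool:
    return any(relative_path.startswith(p) for p in EXCLUDED_PREFIXES)


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Hash every regular file under root, skipping the excluded folders."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if _is_excluded(rel):
            continue
        result[rel] = _sha256(path)
    return result


def diff_snapshots(old: dict, new: dict) -> dict:
    """Compare two snapshots; content is compared by hash, not by size or mtime."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Reproduce the article's test in a throwaway directory (constructed files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php\n// Silence is golden.\n")
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "wp-content" / "plugins" / "hello.php").write_text("<?php // hello\n")
        (root / "wp-content" / "cache").mkdir()
        (root / "wp-content" / "cache" / "page.html").write_text("cached page")

        before = snapshot(root)
        # Keep the baseline outside the web root in real use; here we just serialise it.
        baseline = json.dumps(before)

        # The article's test: edit a core file and upload a new PHP file.
        with (root / "index.php").open("a") as fh:
            fh.write("// added line\n")
        (root / "NewFile.php").write_text("<?php // new file\n")
        # A change inside an excluded folder must not be reported.
        (root / "wp-content" / "cache" / "page.html").write_text("regenerated cache")

        return diff_snapshots(json.loads(baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline snapshot somewhere the web server cannot write to; an attacker who can modify files can otherwise also rewrite the baseline. Hashing the contents rather than comparing size or modification time catches edits that deliberately preserve both.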

Brute force attack protection

NinjaFirewall provides yet another great feature to address brute-force attacks. You are given the option to enable login protection with a captcha image, and directory protection as well. You may recall that I mentioned setting up HTTP Auth protection for your /wp-admin folder in my previous post; NinjaFirewall provides something similar here.

To enable brute-force attack protection, head over to “Login Protection” and enable “Brute force protection.”

Enter brute force attack protection: Enabled
Type of protection: Captcha image
When to enable the protection: Always Enabled
Enable bot protection: Yes
Save Login Protection

You can read the detailed comparison between iThemes Security, Wordfence, Jetpack, Simple Security Firewall/Shield, and NinjaFirewall on this article.

[Screenshot: Brute force attack protection]

Tweaking firewall policies

By default, NinjaFirewall enables a few security policies that WordPress websites need, but I prefer to tweak a few more to ensure my WordPress website is safer.

Navigate to the Firewall Policies page and enable the following one by one, based on your WordPress setup.

Block direct access to any PHP file located in one of these directories: Enable */cache/*

Protect against username enumeration:
through the author archives – Enable
through the login page – Enable
through the blog feed – Enable
through the WordPress REST API – keep it as it is.

Block POST requests in the themes folder /wp-content/themes: Yes
Disable the plugin and theme editor: Yes

Save Firewall Policies.

These are the basic security rules for NinjaFirewall that you should keep enabled. The WP+ edition does have amazing features, but for me the free version is more than sufficient for moderate-traffic sites.

Without Firewall Plugin and My WP Security setup

7G Firewall rewrite rules

I’ve already covered NinjaFirewall and Cloudflare firewall rules on this blog, so you might wonder what the 7G firewall is and how to use it.

Let me explain: 7G firewall is a lightweight set of .htaccess rewrite rules developed by Jeff Starr of Perishable Press. From his website:

7G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, code injections, cache poisoning, response splitting, dual-header exploits, and more.

I’ve been using these rules on client websites. I’m confident about how effective they are once in place, and how simple they are to use.

How to install the 7G firewall on your website:

Log in to your FTP, cPanel or whatever control panel you have access to. Open the .htaccess file in your code editor and paste the code that you can find on the Perishable Press website. (Direct download link)

Please keep a copy of your .htaccess file before making any changes, along with a full website backup.

My WP Security setup on the website(s).

When I published my previous article, I recall clients and readers asking me which WordPress security setup and security plugin I use on the WordPress instances I manage. I thought I should answer that in this article.

  1. Common sense.
  2. Cloudflare and CF Firewall rules.
  3. 7G Firewall.
  4. VirusDie software.

Final Words

That’s all. Your WordPress website is now protected with Cloudflare firewall rules and NinjaFirewall, but keep in mind that neither NinjaFirewall nor Cloudflare firewall rules guarantee that your WordPress website will be secure. They are one more security layer for your WordPress website. Apart from these firewall tweaks, please consider looking into my other article(s) on how to secure WordPress websites.

7 thoughts on “The Powerful WordPress Firewall”

  1. Super helpful post, thank you. I would change the Cloudflare bot blocker to the following, as it was blocking Pingdom.

    (http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not http.user_agent contains "pingdom" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
