Many of us have heard of “firewalls” in terms of hardware or
software, and how they protect an asset like a network or a computer
from external attack. Well, a web application isn’t exempt from the list
of “assets” that one may need to protect when working (or playing) on
the Internet.
Essentially, what a WordPress firewall does is protect the
WordPress installation (and in most cases all added files) from
third-party attack. The software filters incoming requests before they
reach any executable script in order to ensure integrity. Mostly this
involves adding rules to the .htaccess file, which the web server
processes before handing the request to any script (including PHP
scripts).
There are plugins available that let you decide on the various
layers of protection you want. This is done through a graphical
interface in the WordPress dashboard, so you do not need to
understand any complex commands. You simply make your changes using an
interface most WordPress users are familiar with and the software will
“write” the commands for you.
This is often done in stages because the protection can sometimes block desired commands.
Firewall features of the All-in-one WP Security plugin for WordPress
In the remainder of this article I am going to walk through some of the important firewall features in the All-in-one WP Security plugin plus demonstrate their setup in the embedded video.
Basic Firewall Protection:
At a minimum you should enable the basic file protection with this
plugin. This will deny access to the .htaccess and wp-config.php files
so that scripts cannot modify them, will disable the server signature
(thus preventing display of version information), and will also limit
file uploads to 10MB.
Separately you can enable pingback protection, which disables access
to the xmlrpc.php file. Of course, only do this if you are not
already leveraging the WP XML-RPC functionality. This, among other
things, may give you protection against some forms of Denial of Service
(DoS) attacks.
Additional Firewall Protection:
This section has some intermediate and advanced firewall settings that can be employed.
It’s a really good idea to back up the .htaccess file before
activating any of these features, as they can potentially break the
functionality of other plugins. A lot of times those plugins will have a
section in their FAQ indicating that possibility. This
security/firewall plugin makes it simple to back up the .htaccess file, so
it’s worth performing those couple of clicks to make it happen.
Disable Index Views: A lot of times when a directory
(or folder) is viewed on a web site, a list of the files present in
that folder can be seen publicly if there isn’t an “index” file in
there. WordPress mostly handles this elegantly, but for the situations
where it doesn’t, this setting will pick up the slack.
Trace and Track: Disabling the TRACE and TRACK HTTP methods can limit
the ability of hackers to use Cross-site Scripting (XSS), which
sometimes gives them the ability to steal legitimate users’ credentials
or cookie information. While many web browsers help prevent basic
techniques for Cross-Site Tracing (XST), there are more advanced methods
that the browser can’t currently prevent.
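What the basic protection, pingback, index-view and Trace/Track settings above amount to at the .htaccess level, as an added illustration rather than the plugin’s own generated output (which may differ in detail). It assumes Apache 2.4 syntax and that the host’s AllowOverride permits these directives in the WordPress root.

```apache
# Added example: hand-written .htaccess rules equivalent to the settings above.
# Assumes Apache 2.4 (Require directives) and that AllowOverride allows
# Options, FileInfo, Limit and AuthConfig in the WordPress document root.

# --- Basic Firewall Protection ---
# Refuse HTTP requests for the two most sensitive files. PHP still reads
# wp-config.php locally; only access over the web is blocked.
<Files .htaccess>
    Require all denied
</Files>
<Files wp-config.php>
    Require all denied
</Files>

# Stop Apache from appending its version string to error pages.
ServerSignature Off

# Cap request bodies at 10 MB (10485760 bytes), which limits uploads.
LimitRequestBody 10485760

# --- Pingback protection ---
# Only enable if nothing relies on XML-RPC (remote publishing, mobile apps).
<Files xmlrpc.php>
    Require all denied
</Files>

# --- Disable Index Views ---
# Do not list directory contents where no index file exists.
Options -Indexes

# --- Trace and Track ---
# TraceEnable is not allowed in .htaccess, so refuse the methods with mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

Back up the existing .htaccess first and then confirm the site still renders, because a directive the host’s AllowOverride does not permit produces a 500 error for every page.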
Proxy Comment Posting: This feature can limit comment spam by stopping the ability for proxy servers to post comments on the WordPress site.
Bad Query Strings: Enabling this firewall feature
can help prevent attacks that exploit cross-site scripting (XSS)
vulnerabilities. These vulnerabilities can allow hackers to steal data,
run malicious code, and take control of user sessions, among other things.
Enabling this can also interfere with legitimate requests, so it
is wise to back up the .htaccess file and test the functionality of the
web site after applying it. Better still, read your other plugins’ FAQs
to see how they interact with this feature of the All-in-one firewall
plugin.
Advanced Character String Filter:
5G Blacklist/Firewall Settings: Finally, you can
apply the tried and tested blacklist rules that can help to reduce the
number of malicious URL requests that hit your WordPress site. Simply
enable the 5G Blacklist firewall protection from perishablepress.com to
gain this extra security.