Web Application Firewall (WAF)
Our WAF is your first layer of defense preventing cybercriminals from hacking your website’s critical data and information.
What if a targeted cyber attack never reached your site?
A web application security breach can have devastating consequences, often leading to the loss of critical data or theft of confidential information.
The most effective way to avoid these kinds of attacks? Stop the attack from reaching your site in the first place!
This is exactly what a WAF does… building a fence on the outside of your WordPress borders - monitoring, filtering, and blocking malicious HTTP traffic BEFORE it ever hits your server/site.
25% Faster than the leading plugin-based firewall
Unlike many other providers, our WAF is completely free to use with WPMU DEV hosting and is already tuned for WordPress. It also uses fewer server resources by not running in PHP and doesn’t need to touch a line of code - meaning it won’t significantly affect your site’s performance.
In fact, our testing puts it around 25% faster than the leading WordPress plugin-based firewall! Also, many firewalls are not optimized specifically for WP. They either have most rules off by default or cause false alarms.
Another advantage our WAF has over cloud firewalls is that it’s difficult to prevent attackers from bypassing a cloud firewall completely. As a result, most people skip this crucial step, leaving your site vulnerable.
Armed with over 300 highly optimized, managed firewall rules
Our WAF comes armed with a highly optimized, managed ruleset, containing more than 300 firewall rules (or policies). These policies combine rule-based logic, parsing, and signatures, enabling them to detect and prevent a range of web application attacks.
Our firewall is always learning, and updated every day with new rules. Additional rules are added based on the usage and intelligence of our internal network of sites. This means every new threat (or false alarm) allows your WAF to grow smarter and stronger - ensuring optimal protection, and improved accuracy.
OWASP attacks are your WAFs specialty
Included as part of our WAFs 300+ ruleset, is protection against common “OWASP” top 10 attacks - including cross-site request forgeries, cross-site-scripting (XSS), file inclusions, SQL injections, and more.
Intelligent app protection is less than a click away
Our WAF is automatically enabled on all sites hosted with WPMU DEV (excluding Quantum plan sites), meaning protection is literally less than a click away. Of course, if for some reason you need to deactivate the WAF, you can.
You can also do some rule-tuning yourself if needed, and unlike a lot of other complicated firewall options out there, we’ve made this super easy.
You make the rules with block and allowlists settings
Want to sure-up your security even more? Assemble a customized “blocklist” of unwanted IP addresses, or user agents your WAF will automatically block.
On the other side of the coin, you can easily create a “allowlist” of IP addresses and user agents that are allowed. Everything else is denied.
Disable rule IDs and limit false alarms
If any of our in-built WAFs rules trigger false alarms, these can easily be disabled. It’s as simple as entering the rule you're having trouble with into the Disable Rule ID field.
You can find specific rule IDs, as well as additional details about the rules in our WAF Log.
WAF log - learn from every attack, error, and request
Our WAF log shows you exactly where attacks are coming from, which requests have been blocked, and what rules those requests triggered.
This is helpful both to identify attacks, and to prevent future false alarms. The WAF Log can also help you identify whether you need to allowlist a particular IP, or disable a specific WAF rule.
Automatically patch hard-to-detect WP vulnerabilities
Our WAF also takes web app security a level further by deploying “virtual patches” to repair WordPress core, plugin, and theme vulnerabilities when required.
This means if you’re running an old plugin or theme with known security vulnerabilities present in our rule lists, your WAF can identify traffic trying to take advantage of this vulnerability and stop it. All without needing to touch the code on your site.
Meet security compliance requirements and offer extra assurance for clients
If your organization processes or stores sensitive information (credit card details etc.), it’s obviously important you comply with security requirements, and standards such as the PCI, HIPAA, and GDPR.
One of these requirements is: “installing and maintaining a firewall configuration to protect cardholder data.” This makes having a WAF valuable from both a compliance, and a security perspective.
It can also give your clients further assurance that they’re fully protected.
Site security multiplied: easy integration with additional safety measures
Of course, any additional layer of security is invaluable, and our WAF also integrates perfectly with other security measures.
The WAF becomes the second line of defense against plugin/theme/WP vulnerabilities after updates (our Automate solution). It can often detect and block undiscovered or unfixed vulnerabilities.
The WAF and our Defender plugin can also help ensure that, if you are attacked, the attacker won’t gain anything other than hurting the performance of your site or bringing it down.
How our WAF compares
| Features | WPMU DEV | Cloudflare | Wordfence |
|---|---|---|---|
| Blocklist / Allowlist settings | Blocklist / Allowlist settings included | Blocklist / Allowlist settings included | Blocklist / Allowlist settings included |
| Automatic virtual patching | Automatic virtual patching included | Automatic virtual patching included | Automatic virtual patching included |
| Optimized for WordPress | Optimized for WordPress pncluded | Not optimized for WordPress | Optimized for WordPress pncluded |
| Minimal performance hit | Minimal performance hit included | Minimal performance hit included | Minimal performance hit not included |
| WAF Logs | WAF Logs included | WAF Logs included | WAF Logs included |
| Cost | FREE with every hosting plan! | $20 per month, per site | $99 per year, per site |
