WAF

From Wordfence Documentation

Web Application Firewall settings are located on the Firewall page on the Wordfence menu.


What is the Wordfence Web Application Firewall?

The Wordfence Web Application Firewall is a PHP-based, application-level firewall that filters out malicious requests to your site. It is set up to run at the beginning of WordPress' initialization, so that attacks are filtered before plugins or themes can run any potentially vulnerable code.

What it Protects Against

The Wordfence Web Application Firewall protects against a number of common web-based attacks:

  • SQL Injection: Unsanitized SQL code that can compromise a database system.
  • Cross Site Scripting (XSS): Unsanitized HTML or JavaScript code used to hijack a user or administrator's browser session and perform actions as the user.
  • Malicious File Upload: Unsanitized files containing malicious code that can be uploaded to and executed by the web server.
  • Directory Traversal: Unsanitized path names that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
  • Local File Inclusion: Unsanitized path/file names that can be used to execute potentially malicious code available to the web server's file system.
  • External Entity Expansion (XXE): A "feature" of XML that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.

Firewall Setup

The Firewall needs a short setup process in order to prevent certain types of attacks. For help with setup, see the Web Application Firewall Setup page.

How is Learning Mode used?

Details about using Learning Mode are available on the Learning Mode page.

Rules

The Wordfence Web Application Firewall has a number of rules that match known attacks, i.e., attacks commonly seen and exploited in the wild. The patterns for these attacks are specific and require minimal processing to determine whether a request matches. The WAF also uses a number of generic rules that use pattern matching to determine whether a request looks malicious. These are designed to prevent zero-day vulnerabilities of known attack types from being exploited.

Updating Rules

Wordfence automatically updates the Firewall rules from our servers in our network operations center, without requiring an update of Wordfence itself. As new threats emerge, the rules used by the Firewall to protect you are updated in real time for Premium members. Premium users receive an additional layer of protection: when new rules are added, our servers "ping" your site to prompt Wordfence to pull down the latest rules, so you are automatically protected from attackers as new threats emerge. Free users receive the community version of the rules, which is updated 30 days later.

Protection Level

The protection level shows whether the default "Basic WordPress Protection" is enabled, which can protect against many attacks, or whether "Extended Protection" is enabled after following the optimization steps. Extended Protection allows the firewall to run before WordPress even starts, protecting against additional attacks. Both protection levels are available in the free and premium versions. See the Protection Levels page for more details.

Firewall Status

  • Enabled and Protecting: In this mode, the Wordfence Web Application Firewall is actively blocking requests matching known attack patterns, and is actively protecting your site from attackers.
  • Learning Mode: In this mode, the Wordfence Web Application Firewall is whitelisting any requests that would normally be blocked by the firewall. Some requests contain data that may match patterns the firewall uses to detect attacks (such as an article about SQL injection that contains SQL code). While in Learning Mode, these requests will be whitelisted, excluding them from tripping the same rules once the firewall is enabled. Use this mode to prevent false positives on your site.
  • Disabled: In this mode, the Wordfence Web Application Firewall is functionally turned off and does not run any of its rules or analyze the request in any way.

Whitelisted URLs

The WAF uses pattern matching to identify malicious requests, and sometimes the content of a legitimate request may match one of the rules and trigger the WAF to block the request. This is considered a false positive. Wordfence provides a way to exclude that particular URL and parameter combination from the WAF rules by whitelisting it. Whitelist entries are typically added while the firewall is in Learning Mode, by an admin in the Web App Firewall admin menu, or from the blocked response page.
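To make the Firewall Status modes and URL+parameter whitelisting above concrete, here is a toy model written for this page; it is not Wordfence code, and its three regex "rules" and sample requests are constructed stand-ins for the real rule set.

```python
import re

# Constructed stand-ins for the WAF's generic pattern-matching rules (toy only).
RULES = {
    "sqli": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "xss": re.compile(r"<script\b", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


class ToyWaf:
    """Toy model of the Enabled / Learning Mode / Disabled statuses."""

    def __init__(self, status="enabled"):
        self.status = status          # "enabled", "learning" or "disabled"
        self.whitelist = set()        # (path, parameter) pairs excluded from the rules

    def first_match(self, path, params):
        """Return (rule, parameter) for the first non-whitelisted hit, else None."""
        for param, value in params.items():
            if (path, param) in self.whitelist:
                continue              # whitelisted URL+parameter never trips a rule
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    return rule, param
        return None

    def handle(self, path, params):
        if self.status == "disabled":
            return "allow"            # rules are not evaluated at all
        hit = self.first_match(path, params)
        if hit is None:
            return "allow"
        rule, param = hit
        if self.status == "learning":
            self.whitelist.add((path, param))   # record the false positive, do not block
            return f"learned:{param}"
        return f"block:{rule}"


def demo():
    """Learning Mode -> Enabled: an article about SQL injection is whitelisted once."""
    waf = ToyWaf("learning")
    article = {"content": "How injection works: 1 UNION SELECT user_login FROM wp_users"}
    out = [waf.handle("/wp-admin/post.php", article)]       # learned:content
    waf.status = "enabled"
    out.append(waf.handle("/wp-admin/post.php", article))   # allow (whitelisted)
    out.append(waf.handle("/", {"s": "x UNION SELECT 1,2"}))  # block:sqli
    # Caveat: the whitelist is per URL+parameter, not per rule, so whitelist narrowly.
    out.append(waf.handle("/wp-admin/post.php", {"content": "<script>x</script>"}))
    return out, sorted(waf.whitelist)
```

The last call shows why whitelist entries should be kept as narrow as possible: once a URL and parameter are whitelisted, every rule is skipped for that parameter, not only the one that produced the false positive.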

Monitor Background Requests for False Positives:

  • Wordfence loads a script for logged-in admins that watches for background requests that get blocked by the firewall, to alert you if something was blocked that might not need to be blocked.
  • You can disable this script if you like by unchecking either or both boxes, for the front end of the site or for the wp-admin section of the site. Disabling the monitoring script does not affect the firewall's protection, but it may make it harder to notice false positives (blocking actions that are not actually malicious).
  • See the Blocked Background Requests page for more detail.

Advanced Configuration

  • Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early): If your server has a conflict with blocking by IP, country, or other advanced blocking settings before WordPress has loaded, you can turn on this option to allow WordPress to load first. As of version 6.3.1, locked-out IPs are also blocked before WordPress loads in most cases, for faster performance. Firewall rules will still take effect before WordPress loads as long as Extended Protection is enabled at the top of the Firewall page, as usual.
  • Preemptively block malicious IP addresses: For premium Wordfence installations, this feature blocks all traffic from IPs with a high volume of recent malicious activity, using Wordfence's real-time blacklist. The IPs are blocked by the Web Application Firewall, so if your site has been set up with the firewall's "Extended Protection," this traffic is blocked before WordPress begins loading. Blocking these visits before WordPress loads can improve security by preventing any effects of attacks within WordPress or plugins while loading, while also saving server resources.
  • Remove Extended Protection: You can use this button to remove the Extended Protection, which uses .htaccess and/or .user.ini, depending on your host's configuration. Removing the Extended Protection is recommended before moving the site to a different server, since the file locations may be different on the new server. The process will allow you to download backups of the files to be modified, before they are changed.

Frequently Asked Questions

See the Web Application Firewall FAQ.

More about the Web Application Firewall