
What is a Website Firewall? WAFs and Other Firewalls Explained

Any WordPress site will benefit from Solid Security Pro's website firewall.

Dan Knauss

If you own a website, you need to protect it. Like personal computers, web servers and the software running on them are constantly probed and attacked by hackers and their bots. Because of this, it’s important to keep bad traffic away from your site. That’s where a web application firewall, or WAF, steps in. We can call it a “website firewall” to keep it simpler.

What Exactly is a Website Firewall?

In short, a website firewall is a security filter between a computer or server and the rest of the world. Malicious hackers make a living by breaking into vulnerable servers. Widely used web applications like WordPress and other popular content management systems make a large attack surface. This is why it’s so important for you to secure your WordPress site.

A helpful line of defense against security threats is a website firewall.

There are several different firewall types, so you’ll want to ensure you use the best solution. In this guide, we’ll discuss the different types of firewalls. We’ll explain why you need one to protect your WordPress site and how to set one up.

Let’s dive in.

What Does a Website Firewall Do?

Every time you go to a website, you connect to another computer called a web server. Web servers are as exposed to attacks as any other computer. 

Connecting directly to a foreign or unknown device without a layer of protection in between is unsafe. An insecure connection may allow hackers to infect a connected device with malware.

Cybercriminals may even launch an all-out Distributed Denial of Service (DDoS) attack on a web server that blindly accepts every request it receives. A million bad requests in 60 seconds may be too much for your server and take it down. If you have a firewall that recognizes bad requests and fake traffic, it will block the bad requests and only respond to legitimate ones.

This is why a firewall is so important. Firewalls stand between your site and all other devices that try to connect with it. In the case of your web server, your host uses firewalls as filters standing between your server and hundreds, thousands, or even millions of connections with other devices every day. In the case of your website, a software-based website firewall added to WordPress will add another layer of protection you can control.

How Does a Website Firewall Work?

A firewall monitors outgoing and incoming traffic, constantly scanning for signs of hacks or other malicious activity. When it detects something unusual, the firewall stops it from reaching its intended destination.

Think of a website firewall as a huge filter for your web server.

When network firewalls were first available in the early 1990s, they were simple packet analyzers that could only block incoming traffic using a very small set of rules. They were, in fact, quite easy for hackers to bypass.

Today, firewalls have become complicated programs that excel at keeping hackers from reaching their goals. With the high volume of daily hacking attempts, hardware firewalls are a key feature of network routers, switches, and web servers. A good host takes care of all this for you. But your website is your responsibility to maintain, and setting up a firewall will cap off these other layers of security.

What Could Go Wrong?

When it comes to web servers, when a hacker gets through, they can quickly deface your entire website. They may embed malware that will infect your site visitors, change WordPress admin passwords to lock you out, or completely take down your website.

If your site lacks a firewall, it may be vulnerable to DDoS attacks. In this attack, an attacker will send thousands (or millions) of fake data packets that overload your server and bring down your website. 

Beyond DDoS attacks, a website firewall will protect your site against:

  1. Intrusions — A website firewall prevents unauthorized users from accessing your website. When a hacker enters your site, the sky is the limit on the damage they can do.
  2. Malware — Attackers infiltrating your server will most often infect it with malware. They create malware to steal personal and private information, spread it to other devices, and cause damage to computers.
  3. Brute Force Attacks — Brute force attacks are hacking attempts where an attacker attempts thousands of username and password combinations to break into your WordPress site’s admin and other user accounts. Like DDoS attacks, hackers use botnets to conduct brute-force attacks. Botnets can test hundreds of different login combinations every minute until they succeed.
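The brute force pattern described in item 3 shows up in a web server's access log as a burst of POST requests to `wp-login.php` from one address. The following sketch is an added example, not part of the original article and not Solid Security's code; the log lines are constructed, and the threshold of five attempts in 60 seconds is an assumed value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
MAX_ATTEMPTS = 5                     # assumed threshold, tune per site
WINDOW = timedelta(seconds=60)       # assumed sliding window


def find_bruteforce_sources(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time the threshold was first exceeded} for login bursts."""
    recent = defaultdict(deque)      # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue                 # unparsable line, or a page view (GET)
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue                 # only login submissions are counted
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()       # forget attempts older than the window
        if len(attempts) > max_attempts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged


def sample_log():
    """Constructed access-log lines, not real traffic."""
    fmt = ('{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] '
           '"{req} HTTP/1.1" {st} 512 "-" "constructed-agent"')
    # One address submitting the login form every two seconds.
    lines = [fmt.format(ip="198.51.100.23", s=2 * i,
                        req="POST /wp-login.php", st=200) for i in range(8)]
    # A person who mistypes a password once, then logs in.
    lines += [
        fmt.format(ip="192.0.2.10", s=5, req="GET /wp-login.php", st=200),
        fmt.format(ip="192.0.2.10", s=9, req="POST /wp-login.php", st=200),
        fmt.format(ip="192.0.2.10", s=20, req="POST /wp-login.php", st=302),
        fmt.format(ip="192.0.2.10", s=21, req="GET /wp-admin/", st=200),
    ]
    return lines


if __name__ == "__main__":
    for ip, when in find_bruteforce_sources(sample_log()).items():
        print(f"lock out {ip}: more than {MAX_ATTEMPTS} login POSTs "
              f"within {WINDOW.seconds}s at {when:%H:%M:%S}")
```

A per-address counter like this only catches a single noisy source; a botnet that spreads its attempts across many addresses stays under the threshold, which is why shared blocklists built from attacks seen on other sites are used alongside local lockouts.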

Types of Firewalls: Where They’re Installed

As we’ve noted, there are several different types of firewalls. Each of them is designed for a specific situation. Some work great for personal computers. Other firewalls are specially designed for network filtering. Website firewalls protect websites as the last line of defense after these other types of firewalls.

Firewalls are best categorized in terms of where they can be deployed, what they do, and how they do it. 

Each type of firewall is located or installed in a unique position on a network or computing device. They may be embedded in hardware. They may be packaged as software installed on your computer or within a web application like WordPress. Each type of firewall has different features. There are also a variety of techniques firewalls use to filter different types of traffic. 

We’ll briefly cover the main categories, types, and techniques of firewalls to give you a big-picture understanding of them. We’ll discuss how firewalls differ and relate with an eye to understanding where a website firewall for WordPress fits in.

Difference Between Hardware and Software Firewalls

Technically, all firewalls are software, but some are embedded in hardware devices like routers and network switches. They may be read-only and unchangeable or require updates that change the software stored in Flash memory or other non-volatile, rewritable memory chips. Firewalls like these are considered hardware firewalls.

A software firewall is a standalone application that runs on top of a computing device’s hardware. It may be part of an operating system or run on top of an operating system, like a personal firewall application, which we’ll discuss further below. 

A software firewall may run on top of a web server’s operating system and serve as a network firewall for many other web servers in combination with network hardware firewalls. 

A software firewall might be added as a component of a content management system, like a WAF for WordPress. A firewall within WordPress stands high on the technology stack with an operating system and middleware between your site and the underlying hardware. As we’ve seen, that’s an example of a web application firewall.

Hardware vs. Software Firewalls: Advantages and Disadvantages

Hardware firewalls provide the same functionality as software firewalls, but they operate upstream on your network, ahead of your computing devices and the web servers hosting your site. They are embedded on a much deeper level of your technology stack.

You may not know it, but you have a hardware firewall in your internet router. While it differs from dedicated hardware firewall devices, it provides similar monitoring and security features. You may use it to limit local network activity to trusted devices within certain hours, or to block certain sites and apps. Parental controls or similar software used by schools or some workplaces are built into network hardware and operating systems. These are firewalls too.

Updates and Adaptability

Software and hardware firewalls stand between your devices and the rest of the world, where they can analyze all connection requests and block the bad ones. A software firewall can be updated to improve its effectiveness and respond to new threats. Hardware firewalls are harder to update.

Network hardware sometimes needs updates to fix bugs and patch vulnerabilities, but this is a rare and difficult task if you don’t have a network support team. It’s also why older network hardware tends to be less secure. Hackers have figured out how to exploit it. You’re relying on your hosting provider to maintain their hardware infrastructure for you — another reason not to go cheap.

Hardware firewalls have some drawbacks like this. They need IT support in any serious business network because they’re quite difficult to update and need continued maintenance to ensure they’re secure. Home and many small business networks tend to be badly configured and insecure.

Accessibility and Performance

Additionally, hardware firewalls can cause speed and performance issues as they examine and filter network traffic. This is especially true when they’re used together with software firewalls. You may get higher security from multiple firewalls working together, but if they all have complex rules, the cost may be to your throughput — the speed of your data transfers on the network.

Also, most hardware firewalls are not intended to block or place restrictions on individual users and devices. That’s not typically in their feature set.

If you have a large network, hardware firewalls can easily protect the entire network and keep working even if the network is compromised. Software firewalls are much more difficult to set up on a large network and are easy for hackers to disable if they break in. Hackers will have a harder time disabling or bypassing a hardware firewall.

Software firewalls are intended to be more user-friendly for people who may not be technical experts. These firewalls offer functionality to block specific applications, manage device users, create logs, and monitor the users on a network. They’re much more difficult to set up in a network setting, but when installed on several devices, they give you more control than hardware firewalls.

Types of Firewalls: Different Techniques They Use

Firewall software constantly evolves, with different techniques emerging for various tasks and situations. 

Today, we have nearly a dozen major types of firewalls defined by the techniques they use to protect you. These are packet-filtering firewalls, circuit-level gateways, application-level gateways or proxy firewalls, stateful multilayer inspection (SMLI) firewalls, next-generation firewalls (NGFW) including threat-focused NGFWs, network address translation (NAT) firewalls, cloud firewalls, and unified threat management (UTM) firewalls.

We’ll look at just three of these that represent the older, more basic firewall technology and the newest, most cutting-edge developments in network filtering.

Packet Filtering Firewalls

This type of firewall was one of the first that was ever developed. It’s also the simplest kind of firewall.

Packets are data exchanges between a server and a computer. For example, when you upload a file, send an email, or click on a link, you send a packet to a server. When your device loads a webpage, the server sends a packet back to you.

Packet filtering firewalls analyze packets and block them if they break some predefined rules. They can block packets from an IP address, specific servers, or packets trying to reach certain server locations.

Unfortunately, packet-filtering firewalls are pretty easy for hackers to work around. They can’t apply any advanced rules. If it’s set up to allow access through a given port, the firewall will let anything go through. Even the traffic that modern firewalls know is not legitimate will make it through packet filtering.

On the upside, packet filtering firewalls are extremely simple and don’t impact performance. They don’t save logs, inspect traffic, or perform advanced functions. But today, these firewalls aren’t intended as your primary source of protection.

Stateful Firewall

Stateful firewalls were introduced after the simple packet filtering firewalls. The idea was revolutionary at the time. Instead of analyzing the packets when they arrive and blocking some with simple rules, a stateful firewall could deploy more dynamic blocking rules while monitoring packets coming through the network.

While simple packet filtering firewalls only block traffic based on static predefined rules, a stateful firewall identifies and blocks bad traffic by recognizing user patterns and applying other advanced techniques.

The only downside to a stateful firewall is that it uses more resources than its simpler counterpart. But it’s a solution that can be trusted.
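To make the difference between the two firewall types above concrete, here is an added example (not from the original article or any product) that runs the same packets through a static packet filter and through a filter that also tracks connections, which is the core mechanism of a stateful firewall. The addresses, ports and rules are constructed, and connection tracking is simplified to inbound TCP flags only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "203.0.113.10"                          # constructed server address
BLOCKED_NETS = [ip_network("198.51.100.0/24")]   # constructed static deny list
OPEN_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags: "S"=SYN, "A"=ACK, "F"=FIN, "R"=RST
    payload: bytes = b""  # never inspected by either filter below


def packet_filter(pkt):
    """Stateless: each packet is judged alone against static rules."""
    if any(ip_address(pkt.src) in net for net in BLOCKED_NETS):
        return "DROP"
    if pkt.dst == SERVER and pkt.dport in OPEN_PORTS:
        return "ALLOW"    # port is open, so anything addressed to it passes
    return "DROP"


class StatefulFirewall:
    """Same static rules, plus a table of connections opened with a SYN."""

    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if packet_filter(pkt) == "DROP":
            return "DROP"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.connections.add(key)       # new connection attempt
            return "ALLOW"
        if key not in self.connections:
            return "DROP"                   # mid-stream packet, no handshake
        if "F" in pkt.flags or "R" in pkt.flags:
            self.connections.discard(key)   # connection is closing
        return "ALLOW"


def demo():
    """Return {name: (stateless verdict, stateful verdict)} per packet."""
    fw = StatefulFirewall()
    client = ("192.0.2.44", 51000)
    packets = {
        "syn": Packet(*client, SERVER, 80, "S"),
        "data": Packet(*client, SERVER, 80, "A", b"GET / HTTP/1.1\r\n\r\n"),
        "stray_ack": Packet("192.0.2.77", 40000, SERVER, 80, "A"),
        "blocked_net": Packet("198.51.100.9", 40001, SERVER, 80, "S"),
        "closed_port": Packet(*client, SERVER, 22, "S"),
    }
    return {name: (packet_filter(p), fw.check(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:12} stateless={verdicts[0]:5} stateful={verdicts[1]}")
```

Neither filter reads the payload, so a well-formed connection carrying a hostile HTTP request passes both; inspecting the request itself is the job of an application-level firewall such as a WAF.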

Next-Generation Firewalls

Finally, we have the NGFW or next-generation firewall. NGFWs are enterprise tools that combine many firewall techniques into one solution. Typically, they are cloud-based or part of a Firewall-as-a-Service platform. Cloudflare and Sucuri offer cloud-based WAF features through their Software-as-a-Service (SaaS) platforms in this way.

Some NGFW networking features include application monitoring, intrusion prevention, deep packet inspection, and packet filtering. They may be aware of other applications in the network they’re protecting and be able to control them. NGFWs increasingly use advanced machine learning (ML) to identify illegitimate network traffic. They can also be updated with new threat intelligence data to respond to the latest attacks as they emerge.

The Types of Firewalls You’ll Use Most

Unless you’re a network administrator or spend time customizing a router or wireless access point in your home, you’ll probably never deal with hardware firewalls. The firewalls you will use run on your computer or website. They’re the most user-friendly and accessible. These are personal and web application firewalls.

Personal Firewalls

Personal firewalls are used on a single computer. They are pre-installed with operating systems — macOS, Windows, and many types of Linux — or with third-party antivirus solutions that may contain a personally configurable firewall.

Personal firewalls work a lot like server firewalls. They reject or allow connections from outside applications, IPs, and devices based on predefined rules. But in their functioning, a personal firewall acts differently than a server firewall.

Personal firewalls will:

  • Protect all computer ports that connect to online applications or websites.
  • Stop attacks that try to sneak through the network.
  • Prevent bad actors from taking over or accessing your devices.
  • Analyze all outgoing and incoming traffic for suspicious activity.

In addition, they are application firewalls that monitor your device’s app activity. An effective personal firewall will refuse to allow connections with unknown or unsafe software.

Personal firewalls are easy to employ. If you’re running Windows 10 or higher, a personal firewall is automatically running.

macOS users need to turn on the personal firewall to be protected. In macOS 14.0 or higher, all you need to do is navigate to System Settings › Network › Firewall on your machine.

Most antivirus programs will come with a firewall as well. Avast Antivirus is one example.

You can buy personal firewalls, but they tend to conflict with the default setup of most machines and aren’t as useful as they were before computer operating systems came with their own.

Web Application and Application Firewalls

Web and application firewalls represent today’s most evolved and dynamic firewall security tools.

A traditional network firewall will only monitor the general network traffic. It will struggle or fail to detect the traffic that comes and goes from changing apps, services, and other software used on the network. 

Application firewalls were designed to catch intrusion attempts that probe for and exploit vulnerabilities on a network or within an application. They are embedded in wireless access points and router hardware. They are software bundled with operating systems or security software designed for particular operating systems. 

Network application firewalls are used to set user limits. (Parental controls like Apple’s Family Sharing system use a network application firewall.) Many organizations use them to block access to certain websites and apps. 

A web application firewall works very much like these other application firewalls. What sets it apart is that it runs within the application it protects and is dedicated to it. A WAF is focused on security for just one web app — yours. 

Instead of trying to anticipate and block all possible attacks, Solid Security’s firewall blocks only known active threats from brute force and DDoS sources. It also shields only the known vulnerabilities on your site until you can address them.

Do I Need a Firewall on My Website?

Is a firewall really necessary for your website? Do you truly need one?

No, a firewall is not strictly necessary for your website, but it will considerably improve your site’s security.

You can always benefit at a low (or no) cost from a firewall running in front of your website as part of a cloud firewall or Firewall-as-a-Service platform like Cloudflare.

Your hosting company probably also uses several network firewalls built into their hardware. They may also apply or encourage you to use a cloud-based firewall, like Cloudflare. That is the most performant way to put a security gate between your WordPress site and the world. Because it’s in the cloud, it won’t use up any of your hosting resources. Just be sure to secure, harden, and properly maintain your site. You can’t rely on a firewall for all your security needs.

If you are not using reliable Managed WordPress hosting, a higher risk and burden of responsibility for security falls to you, the website owner, and your server performance may not be ideal. In this case, a cloud WAF is a very practical choice. It’s one reason we recommend Liquid Web and Nexcess for WordPress hosting. Their built-in WAF will stop denial-of-service and ICMP attacks.

Solid Security Pro’s Firewall is the Most Performant WAF Option

Additionally, you can add a firewall for your website as part of a WordPress security feature plugin or addon. Just be careful how it’s configured, or you may see your site load very slowly.

Every website will pay a performance cost if it hosts a WAF and filters incoming requests while responding to them. A CMS like WordPress must use server resources to execute its code, access databases, and construct pages. For this reason, we’re hesitant to recommend most plugin-based firewalls instead of (or in addition to) upstream edge network solutions like Cloudflare.

However, Solid Security Pro now offers a unique and performant WAF with local and network brute force protection as well as virtual patching provided by Patchstack.

Screenshot from Solid Security Basic 9.1.0's Firewall Activity Logs screen.
Solid Security Basic 9.1’s firewall at work protecting a WordPress site.

Instead of trying to anticipate and block all possible attacks, Solid Security’s firewall shields only the known vulnerabilities on your site until you can address them. It also blocks only suspicious and known malicious requests from user agents that have been observed attacking other Solid Security users participating in SolidWP’s brute force protection network.

An attack on one of our users results in protection for all.

Firewalls For WordPress: What To Know

To protect yourself and your WordPress site, you need a firewall that keeps hackers on the outside looking in.

When it comes to a personal firewall on your computer, you normally don’t need to install your own. The built-in firewalls in modern operating systems work quite well without needing any further setup. When coupled with the application firewall that rides on antivirus software and your router’s packet filter, your devices should be protected from someone breaking into them and getting access to all your online accounts.

But what about your WordPress site?

Combining a Firewall with Solid Security Pro

That’s an entirely different story. Websites can be attacked directly across the web, and even if you’re using high-quality hosting with good network security, some attacks will always get through. When that happens, the last layer of defense is the primary one you can control as a website owner or administrator. It’s your responsibility and yours alone to secure and harden your website.

The first step to WordPress site security is to download and install a powerful WordPress security plugin. Solid Security Pro is the perfect solution for this.


The Solid Security Pro plugin is easy to use, provides lock-down security protocols for your site, and will keep hackers and malicious attacks at bay 24/7/365.

The next step is to employ a web application firewall. The simplest and most effective way is with a remote, cloud-based WAF from Cloudflare or Sucuri. Since their Firewall-as-a-Service runs on their hosting infrastructure, not yours, there’s no performance cost to your site, as there would be if you used a WordPress security plugin with a firewall. Within minutes, you can have a cloud WAF up and running, protecting your site alongside the Solid Security Pro plugin, which focuses on foundational security hardening for your WordPress site and user authentication.

Beyond that, choose a Managed WordPress web host that properly maintains its servers. Many other benefits come with a hosting company that’s present in and focused on the WordPress community of users and professionals. We recommend Liquid Web and Nexcess for all your WordPress hosting needs. 

Cheap WordPress hosts often lack proper security protocols, which can cause big problems with your site.

Screenshot of Solid Security Basic 9.1.0 screen explaining Automated Firewall Rules
Upgrade to Solid Security Pro for advanced, automated protection against attacks on vulnerable code.

It’s Your Job To Protect Your WordPress Site

There’s nobody but you who will make sure your WordPress site stays safe from hackers and malicious attacks. And the best way to do that is by using the one-two punch of a web application firewall combined with the Solid Security Pro plugin.

And because there is no 100% foolproof way to ensure that a skilled hacker will never break into your site and cause damage, a WordPress backup plugin is an absolute must. 

When you use a backup plugin such as Solid Backups, you can immediately restore your site to working condition, even if it’s damaged or taken down during a hack.

It’s a plugin you’ll hope you never need to use, but you will be glad you have it if you need it.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
