Update (Sep. 2019): There is now a Free Test of the Sucuri Firewall available
Why the Sucuri Web Application Firewall is topic our first review ever on this website
A Web Application Firewall (WAF) can really save your WordPress based business from suffering serious damage. When it comes to security, WordPress users should take precautions early. Otherwise, they will sooner or later learn it the hard way: As WordPress is the by far most widely used Content Management System on the web, there are countless automated attacks. Hackers are trying to find known security holes, which is especially relevant if WordPress installs are not patched on a regular basis. But there is also a permanent dangers that new (zero-day) exploits occur. In these cases, even regular updating of your WordPress install does not prevent these bad guys from gaining access to your installation.
Can hacking attacks ruin your business?
Of course. Here is my own example: Many years ago, back in 2011, I experienced an attack myself. Hackers had gained access to my webhosting package and had uploaded photographs to my hosting server. These were images from a stock photo service which were not licensed and showed copyright watermarks. It is not hard to imagine what could have happened if I had not recognized the attack in time. It could basically have ruined my business in its early days if I had been sued by that stock photo agency.
So no matter how your website is to your business or to you personally: It is your obligation to protect it from hacking attempts. Because if you do not care, hackers do.
The WAF is your second line of defense
As soon as you have a dynamic CMS like WordPress on a webserver, you can take several steps like a basic hardening of your installation or, if available, activating a local firewall on your webserver like ModSecurity for Apache. In my opinion it is absolutely necessary to do so, but not sufficient. I believe that it makes sense to have a second layer of protection instead of only one line of defense.
This can be achieved by the integration of an external Web Application Firewall (WAF). The Sucuri WAF acts as an instance in the middle between your actual web server and the public internet. You configure your DNS records to point to the firewall IP addresses instead of your own server’s addresses. The firewall handles all requests from the public and fetches responses and content from your webserver. The aim is that only the good, legit requests go through while requests that are abusive get identified and blocked.
Sucuri’s Web Application Firewall is implemented by changing the A and AAAA records
This service of an external Web Application Firewall is exactly what Sucuri, Inc. offers, and I am using their firewall service as a customer since many years now – with many websites. Setup of the service is easy, there is a step-by-step guidance of the steps which are necessary to implement the service. In contrast to some similar services like Cloudflare’s CDN and Web Application Firewall, it is not even necessary to change your domain’s name servers. It is necessary to change the respective A records and AAAA records. For those interested: Changing the nameserver itself is also possible, if you want to use Sucuri’s DNS server, this is possible aswell.
Basic security can be implemented very quickly – more detailed options available
Defining the right settings is quite easy in the first place. Sucuri’s dashboard offers a good overview and explainations of all the different settings which can be made. It is also positive that you can implement basic security very quickly without spending hours with the initial configuration. Later, you can get into more detail. In most cases I got brilliant support whenever I had any questions concerning the configuration settings.
Server-side scanning for malware
Included with the service are audit logs and realtime information about blocked requests and allowed requests made to your website. Depending on the plan you choose, you will also gain access to the possibility of server-side scanning for malware. By installing a single PHP file on your host you can have greater peace of mind concerning the question if there are any malicious files on your webspace. Despite the fact that I have been using this scanning feature with a whole bunch of websites for several years now, I rarely got false positives, and if, I was able to clear things with Sucuri’s support. They took a more detailed look at the specific file which caused the alert, identified it as a false positive and removed the signature from their malware database.
When operating a website together with a team, especially if this team is a distributed one with many different work locations, the two-factor-authentification your Sucuri firewall can (and should) place in front of your WordPress login and backend can have some learning curve. I experienced that people failed to pass the 2FA (which can be based on a second password or an app-generated QR code) and then were locked out. This can lead to automated blacklisting of the IP address they were using. In these cases, you have to perform some manual steps and give support to your users in order to re-enable them to login.
On the other hand, you can hand over secret API links to people you trust. By clicking them, they can whitelist their own current IPs themselves. Such API links also exist for the purpose of clearing the website cache (the firewall service also acts as a CDN for better performance) and viewing the firewall’s audit logs.
Of course, depending on your settings, an external Web Application Firewall for your WordPress install can have some impact on your own work, especially in some cases. If, e.g., you work with plugins which enable you to do editing of CSS or a huge bunch of code in your WordPress backend, it can happen that the WAF is blocking you because for the firewall, this looks like a hacking attempt. But honestly: If I compare the trouble caused by this with the trouble of an actual hack, I know which scenario I would definitely be preferring.
The Sucuri WAF comes at a price – but it is worth it
Pricing is a tough topic. Web Application Firewalls are nothing you can get for a few bucks per year. The smaller plan for one website will cost you roughly 20 USD per month, Sucuri’s plan which includes server side scanning and also malware removal after an infection is 300 USD per year (mid-2018). I have done some comparisons from time to time, especially because I was not amused that this pricing refers to one domain (A record) without any subdomains. In order to protect several subdomains, you will have to pay the same price for each of them. But besides that: As I believe that I have some overview in this market I think that Sucuri’s pricing is fair (not cheap, but fair), and: They really deliver what they promise and have a service team that replies within a relatively short time frame and quite precisely if you have a question. At least in most cases.
* Links marked with an asterisk (*) are so-called affiliate links. If you click on such an affiliate link and buy via this link, we get a commission from the respective online shop or provider. For you, the price doesn’t change.