As your website becomes successful, you need to start getting more paranoid about its security. The first thing to do is back up your website, preferably to an offsite location. NameHero uses the JetBackup system to store offsite copies of your site, so that is already taken care of. The second is to ensure that your site is constantly scanned for malware and that its software is always up to date. After basic measures like these, you should start considering a Web Application Firewall, or WAF.
What is a Web Application Firewall?
A WAF is a specialized firewall for your site that is constantly updated by the service provider to counter a host of threats. These go well beyond IP blocking or country restrictions. For example, you can write a firewall rule yourself to block requests to xmlrpc.php, but that is a static, manual rule: it does not account for evolving threats, newly disclosed vulnerabilities, or new attack vectors. A WAF inspects the content of each HTTP request (path, headers, body) against a rule set that the provider keeps current, and it stands between your site and the rest of the world without you having to write or maintain those rules yourself.
WAFs are Specialized Services
NameHero does a lot for you: it keeps your website clear of malware, ensures your data is backed up to a secure location, and keeps the server OS patched, among other things. But it doesn't include a WAF, because that is a specialized service. Maintaining a WAF is hard work: it requires a dedicated team and software, plus the capacity to inspect and filter millions of requests in real time without noticeably slowing your site down.
For this reason, a WAF is usually implemented in front of your site as a reverse proxy, or on the web host's dedicated infrastructure. A single web server cannot absorb a large attack on its own and is susceptible to DDoS. One caveat when the WAF is a reverse proxy: it only protects requests that actually pass through it. If your origin server still answers directly on its public IP address, an attacker who learns that address can bypass the WAF entirely, so configure the origin to accept web traffic only from the proxy's addresses.
Example of a WAF in Action
I'd earlier written about Cloudflare's Pro plan, and whether or not it was worth it. One of the benefits was Cloudflare's state of the art WAF. For example, here's a screenshot of the WAF report for my site WP-Tweaks.com for the past 24 hours:
As you can see, Cloudflare blocked almost 300 requests to my site in the past day alone. Each of these fell into some category defined as "bad": a fake Googlebot (a client presenting Google's crawler user agent from an address that is not Google's), a brute-force login attempt, a request probing for outdated versions of WordPress, and so on.
There are so many different types of threats that it's impossible to keep up with all of them yourself. That's why we hand the task over to a specialized service provider, and Cloudflare is one of the best. There are also other players in the market, such as Sucuri, that do the same thing.
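To make the difference between a hand-written rule and WAF-style classification concrete, here is a small added example (my own illustration, not NameHero's or Cloudflare's code). It reads constructed access-log lines in the Combined Log Format that Apache and nginx write by default and applies three of the rule types mentioned above: the static xmlrpc.php block you could write yourself, a fake-Googlebot check, and a sliding-window brute-force detector for wp-login.php. The Googlebot allowlist (`VERIFIED_GOOGLEBOT_NETS`), the limits, and all sample traffic are assumptions for the demo; a real deployment would load Google's published crawler ranges or verify crawlers with reverse-then-forward DNS.

```python
"""Mini WAF-style request classifier over access-log lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    ts: float      # epoch seconds
    ip: str
    method: str
    path: str
    ua: str


# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str):
    """Turn one access-log line into a Request, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return Request(ts, m["ip"], m["method"], m["path"].split("?", 1)[0], m["ua"])


# ASSUMED allowlist standing in for Google's published Googlebot ranges.
VERIFIED_GOOGLEBOT_NETS = [ip_network("66.249.64.0/19")]
BLOCKED_PATHS = {"/xmlrpc.php"}   # the hand-written rule from the article
LOGIN_PATH = "/wp-login.php"
LOGIN_LIMIT = 5                   # assumed: POSTs per IP per window before blocking
LOGIN_WINDOW = 60.0               # assumed: window length in seconds


class MiniWaf:
    """Stateful classifier: returns a verdict string for each request, in order."""

    def __init__(self):
        self._login_posts = defaultdict(deque)   # ip -> timestamps of recent POSTs

    def classify(self, req: Request) -> str:
        # 1. Crawler impersonation: Googlebot user agent from a non-Google address.
        if "Googlebot" in req.ua:
            addr = ip_address(req.ip)
            if not any(addr in net for net in VERIFIED_GOOGLEBOT_NETS):
                return "fake-googlebot"
        # 2. Static path rule, the kind you would otherwise write by hand.
        if req.path in BLOCKED_PATHS:
            return "blocked-path"
        # 3. Login brute force: sliding window of POSTs to wp-login.php per IP.
        if req.method == "POST" and req.path == LOGIN_PATH:
            window = self._login_posts[req.ip]
            window.append(req.ts)
            while window and window[0] < req.ts - LOGIN_WINDOW:
                window.popleft()
            if len(window) > LOGIN_LIMIT:
                return "brute-force"
        return "allow"


def run(log_text: str) -> dict:
    """Classify every line of a log and return a count per verdict."""
    waf = MiniWaf()
    counts = defaultdict(int)
    for line in log_text.splitlines():
        req = parse_log_line(line)
        if req is None:
            counts["unparsed"] += 1
            continue
        counts[waf.classify(req)] += 1
    return dict(counts)


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, sec, method, path, ua):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [02/May/2020:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 1024 "-" "{ua}"')


# Constructed sample traffic, not a real log: one impersonator, one genuine
# crawler (inside the assumed range), one xmlrpc probe, six login POSTs from
# the same address within a minute, and one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 0, "GET", "/", GOOGLEBOT_UA),
     _line("66.249.66.1", 1, "GET", "/", GOOGLEBOT_UA),
     _line("198.51.100.9", 2, "POST", "/xmlrpc.php", "python-requests/2.23")]
    + [_line("198.51.100.9", 3 + i, "POST", LOGIN_PATH, "curl/7.68") for i in range(6)]
    + [_line("192.0.2.4", 20, "GET", "/about/", "Mozilla/5.0")]
)

if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

On the constructed log the classifier flags one fake Googlebot, one blocked path and one brute-force verdict (the sixth login POST; the first five stay under the limit), and allows the remaining seven requests. The point of the example is the shape of the problem, not the rules themselves: the static path rule is the only one you could realistically keep by hand, while the crawler allowlist and the thresholds are exactly the parts a WAF provider keeps current for you.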
Hedging Against Tail Risk
Things like backups and security systems are part of tail risk management: they protect against several individually unlikely events, any one of which is enough to destroy your site. Ever since my site WP-Tweaks.com started lifting off the ground, I've found it worthwhile to invest in solutions that allow me to sleep at night, even if the things I'm protecting against happen very rarely. A WAF might only block a couple of hundred attacks a day, a minute number in the grander scheme of things. But if those attacks weren't blocked, any one of them could exploit a vulnerability in something as simple as an outdated plugin, gain control of your site, and then boom! The consequences are severe.
So while you don’t need to invest in a WAF right away, you should seriously consider it once your site is secure and you have something to lose. Trust me – the peace of mind is worth it.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!