How the Wordfence Firewall Works
In April of 2016 Wordfence launched a full featured WordPress firewall. Since then we have released improvements that make Wordfence faster and better at blocking attacks. If you’re not a security professional it may not be clear what the Wordfence firewall does or how it works. In this post I’m going to describe exactly how the firewall works.
Firstly you should know that the Wordfence firewall is also sometimes called the Wordfence WAF. The term WAF is just an acronym that is short for “web application firewall”, which means a firewall that protects web applications.
Wordfence is a firewall that protects the WordPress web application and anything else installed in your WordPress subdirectories. For the sake of this post, I’m going to just refer to it as the Wordfence firewall.
How Wordfence Evolved
The very first version of Wordfence improved your WordPress security by providing functions like:
- Malware scanning including scheduled scans
- The scan included (and still includes) a variety of other checks including blacklist checks
- Brute force protection
- Two factor authentication
- Country blocking
- Protection against aggressive crawlers
Wordfence included several other useful security functions, but it never included a rule based WordPress firewall that filtered attacks as they arrived in real-time.
I started writing the first version of Wordfence back in 2011 and I finished it in 2012. We were a two person company at the time and we wanted to provide something that significantly improved WordPress security. So we picked the best features that were also feasible for a two person team to implement and ended up with the list of features above.
As Wordfence grew and we brought on board senior developers and experienced security professionals, we made the decision in 2015 to add a full-featured rule based firewall to Wordfence. One of our criteria was that it needed to be updated in real-time with new kinds of protection.
We embarked on a 9 month project to create a full-featured rule based firewall for Wordfence. That was released as Wordfence 6.1.1 in April of last year.
As part of the WordPress firewall release, we also put business processes in place and created a forensic division in the organization to gather the attack data. We needed this data to learn about new kinds of attacks, create new rules to protect against them and deploy them in real-time. That real-time rule feed is part of what we call the Wordfence Threat Defense Feed.
Today Wordfence has a very busy site cleaning operation. That is one of the ways we get forensic data about attacks that are compromising WordPress websites right now.
Once we see a new attack, we immediately develop a new firewall rule, test it and get the rule into production fast, to stop that same attack affecting other customers.
Another way we learn about new kinds of attacks is by aggregating and mining attack data. This allows us to see new attacks as they emerge and before they infect our customer websites.
By combining on-the-ground forensic work with the Threat Defense Feed and a rule based firewall, Wordfence became a robust and enterprise class security product for WordPress.
How the Wordfence Firewall Works
So how does the Wordfence firewall actually work? When you enable the Wordfence firewall, we use a technique that tells your web server to run the Wordfence firewall code before any other PHP code on your website. The way we do this is we include a directive in your .htaccess file called ‘auto_prepend_file’. This directive points to Wordfence code and ensures that Wordfence runs before anything else.
Once we have configured your website to run the Wordfence firewall first, any request that arrives, no matter which PHP file it tries to access, is first processed by Wordfence to check whether it is safe. Our WordPress firewall runs the request through its ruleset, performing a fast but detailed analysis, and makes a decision to block the request or allow it.
The firewall code that makes this decision runs before anything else including WordPress. That means that the WordPress code has not loaded and the database is not yet connected. This makes the Wordfence firewall code incredibly fast. We can block a malicious request before it even connects to your database and before the bulky WordPress code and API environment is loaded up.
The Wordfence firewall code executes before anything else, including WordPress. But it also has the ability to pass data back to WordPress and to get data from the WordPress API. This allows us to incorporate user identity into our ruleset so that we can make decisions about whether or not to allow a user access, based not just on the content of their request, but who they are and what access level they have within WordPress.
Using this model of high performance execution means that attackers only get to hit the super fast Wordfence firewall and they don’t get any further than that. Friendly site visitors, crawlers and users get to access your full website. This keeps your WordPress website fast and safe.
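To make the two stages described above concrete (the auto_prepend_file stage that runs before WordPress and the later identity-aware stage that can ask WordPress who the user is), here is an added illustration written for this page. It is not Wordfence's code: the file names waf-prepend.php and waf-hook.php, the server paths, the rule patterns and the sample policy are all assumptions chosen for the example.

```php
<?php
// waf-prepend.php: hypothetical minimal "run before WordPress" request filter.
// Added illustration of the auto_prepend_file model; not Wordfence's own code.
//
// Wire it up in .htaccess (Apache with mod_php) with:
//   php_value auto_prepend_file "/var/www/html/waf-prepend.php"
// or, for php-fpm / CGI where .htaccess php_value is ignored, in .user.ini or php.ini:
//   auto_prepend_file = /var/www/html/waf-prepend.php
// The path is a placeholder; use the absolute path on your own server.

// ---- Stage 1: runs before WordPress. Only the raw request and $_SERVER exist here;
// ---- there is no database connection and no WordPress API yet.

/** Constructed sample ruleset: rule name => regex applied to every request value. */
const WAF_RULES = [
    'php_code_injection' => '/<\?php|\beval\s*\(/i',
    'path_traversal'     => '~(^|[/\\\\])\.\.([/\\\\]|$)~',
    'sql_union_select'   => '/\bunion\b\s+(all\s+)?\bselect\b/i',
];

/** Flatten nested request parameters into "name => value" pairs so arrays are inspected too. */
function waf_flatten(array $data, string $prefix = ''): array {
    $out = [];
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += waf_flatten($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

/** Return the name of the first matching rule, or null if the request is clean. */
function waf_match(array $params, array $rules = WAF_RULES): ?string {
    foreach (waf_flatten($params) as $name => $value) {
        foreach ($rules as $rule => $pattern) {
            if (preg_match($pattern, $value) === 1) {
                return $rule;
            }
        }
    }
    return null;
}

/** Reject the request with a 403, log the decision, and stop all further PHP execution. */
function waf_block(string $reason): void {
    http_response_code(403);
    header('Content-Type: text/plain');
    error_log('waf: blocked ' . ($_SERVER['REMOTE_ADDR'] ?? '-')
        . " rule=$reason uri=" . ($_SERVER['REQUEST_URI'] ?? '-'));
    exit("Request blocked by firewall rule: $reason\n");
}

// Array union: inspect query string, POST body and cookies in one pass.
$matched = waf_match($_GET + $_POST + $_COOKIE);
if ($matched !== null) {
    waf_block($matched);   // nothing after this line runs, WordPress included
}

// ---- Stage 2: identity-aware check, deferred until WordPress is loaded.
// ---- The prepend file cannot call WordPress functions yet, so it only defines the
// ---- callback; a small must-use plugin hooks it into 'init' once the API exists.

/** Sample policy: only users holding the install_plugins capability may reach the installer. */
function waf_identity_check(): void {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (strpos($uri, '/wp-admin/plugin-install.php') !== false
            && !current_user_can('install_plugins')) {
        waf_block('plugin_install_requires_capability');
    }
}

// Contents of wp-content/mu-plugins/waf-hook.php (hypothetical), one line:
//   <?php add_action('init', 'waf_identity_check');
```

Two points worth noting for anyone reproducing the model. First, the Stage 1 decision is made with nothing but the request in hand, which is exactly why it is cheap: no database, no WordPress bootstrap. Second, whether a php_value line in .htaccess is honoured depends on the PHP SAPI; under php-fpm or CGI the directive has to go in .user.ini or php.ini instead, so after enabling it, confirm with a deliberately rule-matching test request that the 403 really arrives before WordPress runs.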
How Wordfence Became the Most Popular WordPress Firewall
Wordfence has grown into a big team and a sophisticated organization, and it has become the most popular security product for WordPress. To date we have had over 22 million downloads of Wordfence. We protect millions of websites and block over 28 million attacks per day.
The early version of Wordfence did a good job of protecting WordPress websites. In 2015 our team agreed that we wanted to get Wordfence to the point where you were crazy if you weren’t using us to protect your website. We had to be that good.
With the 6.1.1 release early last year that included the firewall, Wordfence took a giant leap forward and was doing a great job at securing WordPress websites. We wanted to go even further. Since then we have incorporated the malware scan into the firewall so that traffic is scanned for malware in real-time. We have made the IP blocking code faster and we have made the core scan engine faster too.
We have also gotten better at collecting threat intelligence in the form of new exploits and malware samples and quickly turning those into rules that get tested and deployed in real-time.
The number of malware samples we have in our repository is now enormous and our WordPress firewall ruleset has grown significantly. We have also grown the team that works on the Threat Defense Feed and continue to improve our processes.
Today we are confident in saying we have achieved our objective of making Wordfence so good that you are crazy if you are not using it to protect your WordPress website.
We’re Not Stopping Here…
At Wordfence our team has never modeled ourselves on competitors or imitated others. We have always been leaders and innovators in WordPress security. That is why, for example, we chose to create a WordPress firewall that integrates directly with WordPress websites and is not a cloud service – even when the cloud was the hip new thing that everyone was selling.
We realized early on that cloud firewalls don’t have data like user identity and therefore can’t use that data in their decision-making. If you don’t even know if a user is an administrator, how can you decide if they are bad or not? We realized that by doing things our own way we could better serve our customers.
Our team continues to innovate. Later this year we have a very exciting release on the roadmap for Wordfence that will be as significant as the 6.1.1 Wordfence release that included the first firewall version. It’s a surprise for now, but it is incredibly innovative and will make it even more difficult for attackers to target any WordPress site protected by Wordfence.
We are proud to have you as our customers and to have many of you as Premium Wordfence customers. Thank you for your support over the years. We continue to work hard to support Wordfence and to discover new ways to better protect your website. As always, I welcome your feedback in the comments.
Mark Maunder – Wordfence Founder/CEO.