When choosing a firewall for your WordPress website to protect it against attacks, you have a handful of choices. Wordfence is one of the only effective “endpoint” firewalls available. The alternative is a “cloud” firewall from vendors like Sucuri (now owned by GoDaddy) and Cloudflare.
I’d like to explain the difference between a cloud firewall vs an endpoint firewall like Wordfence. I would also like to explain the risks of choosing cloud versus the peace of mind and simplicity of an endpoint firewall like Wordfence. I will also explain why endpoint firewalls are far more effective at protecting your WordPress website.
The Difference Between Cloud and Endpoint Firewalls
A “cloud” firewall is a server that is located in a remote data center belonging to another company. Your website traffic goes from your visitors to that remote data center and then back out over the internet to your website.
When vendors use the word “cloud” they really mean “our data center”. When you store photos in the Apple’s “cloud”, you are storing photos in Apple’s data center. When you host your website in the “cloud” you are hosting it in some company’s data center.
“Cloud” firewalls are the same. The actual firewall is just located in another company’s data center. The important thing to note is that your traffic passes across the internet from your visitor, to that company’s data center, then back out over the Internet to your website.
Configuring a cloud firewall is a bit more complex because you need to point your domain name away from your own server and at the cloud firewall vendor’s servers. That way your traffic can be routed through their data center.
When we talk about “cloud” firewalls we refer to your website as the “origin server”. Because your origin server is also on the internet, it can still be reached by anyone on the internet provided they have your server IP address. That includes attackers. Here is a diagram to illustrate:
An endpoint firewall like Wordfence is different in that it runs on the actual server it is protecting. That means there is no way to bypass it over the internet. Your traffic is also routed directly from your site visitor to your server. You have total control over your firewall and it is not shared by any other website. You don’t have to point your domain at someone else’s servers or data center.
The diagram below illustrates how an endpoint firewall like Wordfence runs on your server and cannot be bypassed. It also shows how we integrate with WordPress and have “local knowledge” of user access levels via the WordPress API.
The Risks Associated With Cloud Firewalls
The Cloud Firewall Bypass Problem
When you run a cloud firewall, the firewall server lives out on the open internet. That server can be bypassed by an attacker and they can still access your website directly. It is not possible to bypass an endpoint firewall.
We have discussed the Cloud Firewall bypass problem in detail in the past. This problem is a fundamental flaw in cloud firewall design. Unless you move the firewall to the endpoint, as Wordfence does, you can’t get around this issue.
The Cloud Firewall Data Leak Problem
Cloud firewalls use a single server on the internet to provide firewall functionality to hundreds, perhaps thousands of different websites. If I told you 2 years ago that a major cloud provider would accidentally start sending data for one site visitor to other visitors, you would probably say I’m crazy.
That is what happened in February of this year. Cloudflare experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors. A visitor to one website using Cloudflare may have seen data from another website using Cloudflare that was being sent to a completely different site visitor.
If you use a cloud firewall, you are sharing your firewall with many other websites. You trust your vendor to keep your data and configuration information segregated and secure. Vendors are not perfect. They experience bugs and breaches too. By adding a shared firewall to your configuration, you are introducing an additional point of risk and failure.
The Cloud Firewall User Identity Problem
Cloud firewalls run on servers that are on the internet. They are completely separate from your WordPress server. They don’t know who a user is or what access level they have. Cloud firewalls don’t even know if a user is logged in or not.
What this means is that they don’t have identification, authentication and authorization data for any visitor to your website. They can’t use that data in their rules. Cloud firewall vendors may make bold claims, but when their firewall makes decisions about who to grant access to and who to block, those decisions do not take into account who a visitor is, what access level they have and whether they are logged in or not.
In contrast, Wordfence is an endpoint firewall that integrates deeply with the WordPress API. Wordfence knows who a user is, what access level they have and whether they are signed in or not. Wordfence uses this data to make effective decisions on who to allow and who to block.
Cloud Firewalls are Generic and Not Designed for WordPress
In the past we have seen cloud firewalls that have let through some of the best known WordPress attacks. Cloud firewalls run on remote servers and are not designed to integrate with WordPress or to work specifically with WordPress. They usually have a generic rule-set that is not tailored for WordPress specifically.
Wordfence is designed specifically for WordPress. It integrates deeply with the platform and is designed to block well known and emerging attacks that specifically target WordPress.
Cloud Firewalls Break End-to-End Encryption
In order to inspect your web traffic to determine if it is malicious, cloud firewalls have to decrypt your website traffic. That decryption happens on another company’s servers away from your servers and outside of your data center.
Wordfence is a strong supporter of end-to-end encryption on the web. We don’t think that encryption should be intercepted and decrypted in transit. We think that website visitors have a reasonable expectation of privacy and their data should remain secure from their web browsers all the way to the destination server they are communicating with.
Endpoint firewalls like Wordfence do not break end-to-end encryption. Your data stays encrypted and secure from your site visitor all the way to your website.
Secure Your Site At The Endpoint
Securing your website using an endpoint security product like Wordfence has many advantages over a cloud product. Wordfence provides a robust endpoint firewall that is continuously updated. Wordfence Premium customers receive firewall rules in real-time and free users receive new rules 30 days later.
Wordfence includes a malware scanner. Cloud firewalls only provide firewall functionality – they do not have the ability to scan your website for malware. Wordfence Premium customers receive malware rules that are updated in real-time as new threats emerge.
Wordfence also provides a range of other features like two factor authentication, brute force protection, country blocking and more. Our Premium customers also benefit from an IP blacklist that is updated in real-time. Because we only protect WordPress websites, our attack data is specific to WordPress. We know who is targeting WordPress websites and we can block them on your website, immediately.
Install the free version of Wordfence today to immediately secure your website at the endpoint. Then consider upgrading to Wordfence Premium to receive real-time firewall rule updates, real-time malware signature updates and protection by our real-time IP blacklist.
Note: All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.