Why Choose An Endpoint Firewall Like Wordfence
When choosing a firewall to protect your WordPress website against attacks, you have a handful of choices. Wordfence is one of the few effective “endpoint” firewalls available. The alternative is a “cloud” firewall from vendors like Sucuri (now owned by GoDaddy) and Cloudflare.
I’d like to explain the difference between a cloud firewall and an endpoint firewall like Wordfence, the risks of choosing cloud versus the peace of mind and simplicity of an endpoint firewall, and why endpoint firewalls are far more effective at protecting your WordPress website.
The Difference Between Cloud and Endpoint Firewalls
A “cloud” firewall is a server that is located in a remote data center belonging to another company. Your website traffic goes from your visitors to that remote data center and then back out over the internet to your website.
When vendors use the word “cloud” they really mean “our data center”. When you store photos in the Apple’s “cloud”, you are storing photos in Apple’s data center. When you host your website in the “cloud” you are hosting it in some company’s data center.
“Cloud” firewalls are the same: the firewall is simply located in another company’s data center. The important thing to note is that your traffic passes across the internet from your visitor to that company’s data center, then back out over the internet to your website.
Configuring a cloud firewall is a bit more complex because you need to change your domain’s DNS records to point away from your own server and at the cloud firewall vendor’s servers, so that your traffic is routed through their data center and then forwarded on to your server.
When we talk about “cloud” firewalls we refer to your own web server as the “origin server”. Because the origin server is itself on the internet, anyone who knows or can discover its IP address can reach it directly, without passing through the firewall. That includes attackers. Here is a diagram to illustrate:
An endpoint firewall like Wordfence is different in that it runs on the actual server it is protecting, inside WordPress itself. Every request that reaches your site passes through it; there is no second path around it to be found over the internet. Your traffic is routed directly from your site visitor to your server. You have total control over your firewall, it is not shared with any other website, and you don’t have to point your domain at someone else’s servers or data center.
The diagram below illustrates how an endpoint firewall like Wordfence runs on your server and cannot be bypassed. It also shows how we integrate with WordPress and have “local knowledge” of user access levels via the WordPress API.
The Risks Associated With Cloud Firewalls
The Cloud Firewall Bypass Problem
When you run a cloud firewall, the firewall lives out on the open internet, and so does your origin server. An attacker who learns the origin’s IP address can send requests straight to it, and the cloud firewall never sees them. An endpoint firewall has no such side path: the only way to reach the site is through the server it runs on.
We have discussed the cloud firewall bypass problem in detail in the past. It is a fundamental consequence of the cloud firewall design. The only remedies are to move the firewall to the endpoint, as Wordfence does, or to configure the origin to accept traffic solely from the vendor’s published IP ranges, which not every hosting environment allows.
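As an added example (not Wordfence’s or any vendor’s code), here is the origin-side check a practitioner would want if the origin must stay reachable over the internet: it refuses any request whose immediate peer is not one of the firewall vendor’s addresses, and it only honours a forwarded client IP when the peer is a known proxy, since anyone hitting the origin directly could otherwise spoof that header. The CIDR list (documentation ranges used as stand-ins), the `demo_*` function names and the must-use-plugin placement are assumptions. Doing the same thing in the host firewall or web server is preferable, because the request is then dropped before PHP runs at all.

```php
<?php
// Added example, not Wordfence or vendor code.
// Assumed path: wp-content/mu-plugins/demo-origin-lock.php
// DEMO_PROXY_RANGES uses documentation ranges (RFC 5737 / RFC 3849) as stand-ins;
// substitute the list your firewall vendor publishes.

const DEMO_PROXY_RANGES = ['203.0.113.0/24', '198.51.100.0/24', '2001:db8::/32'];

/** True when $ip lies inside $cidr. Handles IPv4 and IPv6; never matches across families. */
function demo_ip_in_cidr(string $ip, string $cidr): bool {
    [$network, $prefix] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $prefix === null ? $maxBits : (int) $prefix;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole leading bytes first, then the partial byte (if any) under a bit mask.
    $fullBytes = intdiv($bits, 8);
    if ($fullBytes > 0 && substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $bits % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

function demo_peer_is_proxy(string $peer, array $ranges = DEMO_PROXY_RANGES): bool {
    foreach ($ranges as $cidr) {
        if (demo_ip_in_cidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * The address to use for blocking and rate limiting. X-Forwarded-For is only
 * honoured when the immediate peer is a known proxy. The proxy appends the
 * address that connected to it, so the right-most entry is the one it vouches for.
 */
function demo_client_ip(string $peer, ?string $forwarded_for): string {
    if ($forwarded_for === null || !demo_peer_is_proxy($peer)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $forwarded_for));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Enforcement: anything that did not come through the firewall is refused before
// WordPress loads. (Skipped under the CLI so WP-CLI keeps working.)
if (PHP_SAPI !== 'cli') {
    $peer = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!demo_peer_is_proxy($peer)) {
        http_response_code(403);
        header('Cache-Control: no-store');
        exit('Direct access to the origin is not permitted.');
    }
    // Expose the vetted client address for later rules (e.g. rate limiting).
    $_SERVER['DEMO_CLIENT_IP'] = demo_client_ip($peer, $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null);
}
```

Two things to check before deploying something like this: the vendor’s address list changes over time, so it needs to be refreshed rather than pasted once, and any other path into the origin (a staging hostname, a mail server on the same box, an old DNS record) has to be locked down the same way or the check buys nothing.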
The Cloud Firewall Data Leak Problem
Cloud firewalls use shared servers on the internet to provide firewall functionality to hundreds, perhaps thousands, of different websites at once. If I had told you 2 years ago that a major cloud provider would accidentally start sending data for one site visitor to other visitors, you would probably have said I’m crazy.
That is what happened in February of this year. Cloudflare disclosed a memory-leak bug (widely known as “Cloudbleed”) that, over a period of about 5 months, mixed sensitive data between websites and visitors: a visitor to one website using Cloudflare may have received data from another Cloudflare-fronted website that was meant for a completely different visitor.
If you use a cloud firewall, you are sharing your firewall with many other websites. You trust your vendor to keep your data and configuration information segregated and secure. Vendors are not perfect. They experience bugs and breaches too. By adding a shared firewall to your configuration, you are introducing an additional point of risk and failure.
The Cloud Firewall User Identity Problem
Cloud firewalls run on servers that are on the internet, completely separate from your WordPress server. They do not know who a user is or what access level they have. They can see that a request carries a cookie, but they cannot validate it against your WordPress database or map it to a role, so they do not even know whether the visitor is logged in.
What this means is that they have no identification, authentication or authorization data for any visitor to your website, and they cannot use such data in their rules. Cloud firewall vendors may make bold claims, but when their firewall decides whom to allow and whom to block, that decision does not take into account who the visitor is, what access level they have, or whether they are logged in.
In contrast, Wordfence is an endpoint firewall that integrates deeply with the WordPress API. Wordfence knows who a user is, what access level they have and whether they are signed in or not. Wordfence uses this data to make effective decisions on who to allow and who to block.
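To make “local knowledge” concrete, here is an added example, not code from Wordfence, of a rule written as a WordPress must-use plugin (assumed location `wp-content/mu-plugins/`). It applies the kind of payload patterns a cloud firewall might use, but the block decision also consults `is_user_logged_in()` and `current_user_can()`, so an administrator legitimately posting markup is let through while the same payload from an anonymous visitor is refused. The `demo_*` function names, the three patterns and the choice of the `manage_options` capability are illustrative, not Wordfence’s rule set.

```php
<?php
// Added example, not Wordfence code.
// Assumed path: wp-content/mu-plugins/demo-auth-aware-rule.php

/**
 * Scan request parameters (recursively) for a few illustrative attack patterns.
 * Returns the name of the first matching pattern, or null when nothing matched.
 * A real rule set is far larger; these three are placeholders.
 */
function demo_find_suspicious(array $params): ?string {
    $patterns = [
        'sqli' => '/\bunion\b\s+(?:all\s+)?select\b/i',
        'xss'  => '/<script\b[^>]*>/i',
        'lfi'  => '/(?:\.\.\/){2,}/',
    ];
    foreach ($params as $value) {
        if (is_array($value)) {
            $hit = demo_find_suspicious($value);
            if ($hit !== null) {
                return $hit;
            }
            continue;
        }
        foreach ($patterns as $name => $regex) {
            if (preg_match($regex, (string) $value)) {
                return $name;
            }
        }
    }
    return null;
}

/**
 * The decision a cloud firewall cannot make: the same payload is blocked for
 * anonymous or low-privilege callers but permitted for an authenticated
 * administrator, who is allowed to post raw HTML anyway.
 */
function demo_should_block(?string $hit, bool $logged_in, bool $is_admin): bool {
    if ($hit === null) {
        return false;
    }
    return !($logged_in && $is_admin);
}

// By the 'init' hook WordPress has resolved the current user from the session
// cookie, so the checks below are authoritative rather than guessed from headers.
add_action('init', function () {
    $hit = demo_find_suspicious($_GET + $_POST);
    if ($hit === null) {
        return;
    }
    $logged_in = is_user_logged_in();
    $is_admin  = $logged_in && current_user_can('manage_options');
    if (demo_should_block($hit, $logged_in, $is_admin)) {
        error_log(sprintf(
            'demo-fw: blocked rule=%s uri=%s ip=%s logged_in=%d',
            $hit,
            $_SERVER['REQUEST_URI'] ?? '',
            $_SERVER['REMOTE_ADDR'] ?? '',
            $logged_in ? 1 : 0
        ));
        nocache_headers();
        wp_die('Request blocked by the endpoint firewall.', 'Forbidden', ['response' => 403]);
    }
});
```

The decision logic is kept in `demo_should_block()` with no WordPress calls so it can be reasoned about (and unit tested) on its own; the hook only gathers the authentication context and enforces the result.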
Cloud Firewalls are Generic and Not Designed for WordPress
In the past we have seen cloud firewalls that have let through some of the best known WordPress attacks. Cloud firewalls run on remote servers and are not designed to integrate with WordPress or to work specifically with WordPress. They usually have a generic rule-set that is not tailored for WordPress specifically.
Wordfence is designed specifically for WordPress. It integrates deeply with the platform and is designed to block well known and emerging attacks that specifically target WordPress.
Cloud Firewalls Break End-to-End Encryption
In order to inspect your web traffic and decide whether it is malicious, a cloud firewall has to decrypt it. That means the vendor terminates the TLS connection at their edge: they hold a certificate for your domain, your visitors’ requests exist in plaintext on their servers, and a separate connection then carries the traffic on to your origin. The decryption happens on another company’s servers, away from your servers and outside your data center.
Wordfence is a strong supporter of end-to-end encryption on the web. We don’t think that encryption should be intercepted and decrypted in transit. We think that website visitors have a reasonable expectation of privacy and that their data should remain secure from their web browsers all the way to the destination server they are communicating with.
Endpoint firewalls like Wordfence do not break end-to-end encryption. Provided your site serves HTTPS, the connection is decrypted only by your own web server, on the machine you control, and Wordfence inspects the request there. Your visitors’ data stays encrypted from their browser all the way to your website.
Secure Your Site At The Endpoint
Securing your website using an endpoint security product like Wordfence has many advantages over a cloud product. Wordfence provides a robust endpoint firewall that is continuously updated. Wordfence Premium customers receive firewall rules in real-time and free users receive new rules 30 days later.
Wordfence includes a malware scanner. A cloud firewall, by itself, only sees traffic in transit; it has no access to the files on your server, so it cannot scan your website for malware. Wordfence Premium customers receive malware signatures that are updated in real-time as new threats emerge.
Wordfence also provides a range of other features like two factor authentication, brute force protection, country blocking and more. Our Premium customers also benefit from an IP blacklist that is updated in real-time. Because we only protect WordPress websites, our attack data is specific to WordPress. We know who is targeting WordPress websites and we can block them on your website, immediately.
Install the free version of Wordfence today to immediately secure your website at the endpoint. Then consider upgrading to Wordfence Premium to receive real-time firewall rule updates, real-time malware signature updates and protection by our real-time IP blacklist.
Note: All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Wow, that was a great explanation. I've often wondered about this. And thanks for the diagrams too. Best simple way to explain this I've seen.
I have WF Premium. What if I run CloudFlare -and- WF? Does CF make WF any less effective? (I run CF for the data redundancy and distribution: we serve lots of photos.)
Wordfence runs just fine alongside Cloudflare if you're using, as in your case, their CDN.
This is extremely helpful to know and one reason I've always trusted Wordfence more than Cloudflare. I was always cautious with cloud firewalls because it seems obvious to me that the server itself is still open. If a hacker wants to get around the firewall and go straight to the server what would stop them?
Anyway, I do use Cloudflare also in addition to Wordfence but I have the firewall settings turned down all the way. Would this not be recommended at all? Seems this would still protect my server because Cloudflare would just have cached static pages right?
Many of our customers use content distribution networks (CDNs) and use Cloudflare for that functionality. Wordfence works great with any CDN, including Cloudflare.
As I've said in the past: "I don't actually think the cloud WAF business should exist and the industry is clearly moving in that direction. What I think will eventually happen is the current cloud WAF providers will just become CDN's with analytics thrown in and basic security. The heavy lifting, as is the case with enterprise firewalls now, will be done way closer to the network that is being protected."
While much of what you say regarding cloud vs. endpoint is correct not all cloud WAF systems are created equal (nor are all endpoint solutions either).
We use Wordfence as a default on all our customer WordPress installs; it's mandatory if you want to be a customer.
We also use a cloud based WAF for WordPress and non-WordPress sites we build. We've used CloudFlare and Incapsula and our way of implementing these mitigates many of the issues you raise, especially the one of attackers going for the IP address directly.
By using standard methodology we can set up a server, or more likely the infrastructure that the server (usually a VM) is running on, to accept incoming traffic only from the cloud WAF infrastructure or other whitelisted IP addresses (e.g. development). This mitigates entirely the "side-door" attack.
Admittedly this isn't possible for everyone perhaps running a single instance of WP in a VPS but for those considering true multi layer security finding a hosting or development partner that can take care of this kind of infrastructure design and set-up is both possible and a must have.
Keep up the good work and the educational blogs. Great stuff.
Thanks Robert. Great to hear Wordfence is mandatory. We're very happy to have you as a customer.
Actually the real choice is between server level firewall software and WordPress level - the right answer is still to do both.
Thanks for shedding light on this vital issue. The terms have been confusing but not anymore:) I will also assume that a cloud firewall will somehow affect site speed since the page loading time will increase.
I have been using WordFence for some time and I like having the protection. My hosting company (GoDaddy) tells me I need to pay them to scan my website for malware. I told them I already have WordFence, they tell me that doesn't help with malware on my website.
Can you comment? How many services do I need from how many vendors to secure a simple WordPress website?
Wow, that's unfortunate. Wordfence is the best malware scanner available. We have thousands of signatures and 95% of them are completely free. We also catch a bunch of 0day and new stuff because we have generic signatures. So basically, if they said that, they're lying. Sorry about that.
No problem, GoDaddy calls often to try to sell more stuff. Can you confirm that since I'm already using Wordfence I do not need any other malware scanner for my website?
Wordfence has a very high detection rate and is the most comprehensive and well maintained WordPress specific malware scanner available. I doubt you'll find anything we miss and another malware scanner detects.
Thanks for your replies. What I find confusing is this...my website is WordPress...is there anything that needs to be scanned for malware that WordFence is not scanning? Does GoDaddy's malware scanning look at some part of my website that WordFence does not?
I don't understand if there is any difference between my WordPress site and my website.
Could malware be located somewhere on my website that isn't part of Wordpress?
The short answer is: All you need is Wordfence.
The longer answer is: Wordfence by default scans everything in your WP root install directory and all subdirs. If you have other directories, we have a "scan outside my WordPress installation" scan option that you need to enable to activate that. That will scan other applications if they are installed outside your WP installation directories.
Hope that helps.