Part of the threat intelligence work we do at Wordfence is to constantly analyze the performance of our own firewall rules to determine what is effective and to identify existing and emerging attack trends. Today I’d like to share with you some of the data that we are seeing. If you are curious which attacks our firewall most commonly blocks, and which firewall rules are most effective, you’re going to enjoy this blog post.
Tracking Our Most Effective Firewall Rules
For this analysis, we took attack data from June 24 to August 22 (two days ago). We calculated the total number of attacks that each firewall rule blocked in the Wordfence firewall. Then we represented that visually, and labeled the rules that were blocking the most attacks.
You can see this data represented below:
This is a stacked chart that shows what percentage of attacks each rule blocked, by day. The total number of attacks represented in this chart over the two-month period is 202,765,759. You read that correctly: over two hundred and two million unique attacks across the sites we protect. Wordfence protects over 2 million websites, which is why this number is so high.
Each stacked area on the chart above represents a firewall rule in the Wordfence firewall that is blocking attacks. There are a large number of rules, and many of them block a low number of attacks, so they are compressed into a single line. The rules that block more attacks occupy a greater area.
As you can see, our “directory traversal” rule blocks a large proportion of attacks. These are simplistic attacks that are very popular among unsophisticated attackers. For this reason, we see a lot of them, and they generate a lot of volume on the chart.
Our SQL injection rule is also a workhorse. That is the orange rule second from the bottom. The Wordfence firewall includes a SQL “lexer and parser.” That means that Wordfence can understand SQL the way a database interpreter does, and it can make intelligent decisions about whether incoming SQL is malicious or not. As you can see, that rule blocks a large number of attacks.
Emerging Attacks Blocked by Malware Scan Integration
One of the most powerful rules in the Wordfence firewall that blocks a large number of emerging attacks is our malware scanner rule. I’ve marked the rule in bright yellow in the chart above, and labeled it “Scanner blocked malware.” In September of last year, the Wordfence team released a new version of the Wordfence firewall that integrates our malware scan with the firewall. That means that in addition to our regular firewall rules, Wordfence uses its malware scan logic to examine incoming requests.
Wordfence currently has 4,628 free and premium malware scan signatures in production. Those are all signatures that identify a unique malware variant or family of malware. By integrating malware scanning into our firewall, it is as though we released over 4,000 distinct firewall rules simultaneously. It has massively improved the detection capability of the Wordfence firewall.
As you can see from the chart above, the malware scan blocks a significant number of attacks. But the real benefit from this firewall-scan integration is that it blocks sophisticated attacks.
For our Premium Wordfence customers, when we release a new malware signature in real time, we also add it to the malware scan. Additionally, we also put the rule into production on your firewall and use it to identify and block the newest attacks.
Premium IP Blacklist Owns the Stats
Wordfence also includes an IP Blacklist which is available only to our premium customers. Our systems track attacks in real time, and we use attack source data to create an IP blacklist, which we update throughout the day. As our algorithms have improved, the number of IP addresses on the blacklist has expanded, and the list now blocks a very large proportion of attacks.
The following chart shows you what percentage of total attacks the Wordfence Premium blacklist blocks when we combine the data.
The blue in the above chart represents the total percentage of attacks the Wordfence Premium IP blacklist blocks. The stacked charts below the blue area represent attacks that all other firewall rules block. This chart is for the same period, June 24 to August 22, 2017.
The total attacks we logged for the period above is 725,248,603. A total of 202,765,759 attacks that our firewall rules blocked. A total of 464,007,181 attacks were blocked by the Premium blacklist.
Keep in mind that Wordfence Premium blocks every request from a blacklisted IP. That helps explain why the number of requests we blocked from known bad IPs is so high. Here are a few of the kinds of requests from blacklisted IPs that we block:
- We prevent them from visiting your home page and detecting WordPress.
- Blacklisted IPs get blocked from all content, comments and comment-posting.
- We block them from attempting a brute force attack.
- We block them from accessing XMLRPC.
- They are completely blocked from crawling your site.
- We prevent them from accessing any PHP script in your WordPress installation directly, even if they try to bypass WordPress.
When you upgrade to Wordfence Premium, you receive new malware scan rules in real time. As I explained above, these are also used in the Wordfence firewall. You also receive new firewall rules in real time. But one of the biggest benefits that many users are not even aware of is that Wordfence Premium enables the Wordfence IP Blacklist in your firewall. And as you can see, this blocks a large number of attacks – it blocks attackers from even accessing your site.
Wordfence Free Is Awesome. Premium Is Next-Level.
My personal goal for several years has been to make Wordfence “so good that you are crazy if you aren’t using it to protect your site.” Today I can say with confidence that our team has achieved that goal. If you aren’t using the free version of Wordfence to protect your site, you are missing out on the best available free protection for WordPress.
With Wordfence Premium, we have taken that protection to the next level with real-time scan signatures, real-time firewall rules and the extremely effective real-time IP blacklist.
As always, you are most welcome to post your comments below, and I will be around to reply where needed.
Mark Maunder – Wordfence Founder/CEO.
Special thanks to Wordfence team members Dan Moen, for producing the data behind this post, and Andie La-Rosa for editing.