Which Wordfence Firewall Rules Are Most Effective?
Part of the threat intelligence work we do at Wordfence is to constantly analyze the performance of our own firewall rules to determine what is effective and to identify existing and emerging attack trends. Today I’d like to share with you some of the data that we are seeing. If you are curious which attacks our firewall most commonly blocks, and which firewall rules are most effective, you’re going to enjoy this blog post.
Tracking Our Most Effective Firewall Rules
For this analysis, we took attack data from June 24 to August 22 (two days ago). We calculated the total number of attacks that each firewall rule blocked in the Wordfence firewall. Then we represented that visually, and labeled the rules that were blocking the most attacks.
You can see this data represented below:
This is a stacked chart that shows what percentage of attacks each rule blocked, by day. The total number of attacks represented in this chart over the two-month period is 202,765,759. You read that correctly: over two hundred and two million unique attacks across the sites we protect. Wordfence protects over 2 million websites, which is why this number is so high.
Each stacked area on the chart above represents a firewall rule in the Wordfence firewall that is blocking attacks. There are a large number of rules, and many of them block a low number of attacks, so they are compressed into a single line. The rules that block more attacks occupy a greater area.
As you can see, our “directory traversal” rule blocks a large proportion of attacks. These are simplistic attacks that are very popular among unsophisticated attackers. For this reason, we see a lot of them, and they generate a lot of volume on the chart.
Our SQL injection rule is also a workhorse. That is the orange rule second from the bottom. The Wordfence firewall includes a SQL “lexer and parser.” That means that Wordfence can understand SQL the way a database interpreter does, and it can make intelligent decisions about whether incoming SQL is malicious or not. As you can see, that rule blocks a large number of attacks.
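The two rules above can be illustrated with a small Python example. This is added code, not Wordfence's firewall or its SQL lexer and parser: a directory-traversal check that canonicalises the input before looking at it, and a toy SQL lexer that asks whether a parameter value would change the structure of a query it is embedded in, which is the kind of decision a token-level view allows and a plain keyword match does not. The query template, the keyword list and all sample values are assumptions constructed for the demonstration.

```python
# Added example (not Wordfence's code): a traversal check over a canonical
# form of the input, and a small SQL lexer used to judge a parameter value
# by the structure it would add to a query. All sample inputs are constructed.
import re
from urllib.parse import unquote


def normalize_path(value: str) -> str:
    """Percent-decode repeatedly (bounded, so double encoding is unwrapped) and
    fold backslashes to slashes, so the traversal check sees one canonical form."""
    current, previous = value, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote(current)
    return current.replace("\\", "/")


def is_directory_traversal(value: str) -> bool:
    """True when the canonical form contains a '..' path segment."""
    return re.search(r"(^|/)\.\.(/|$)", normalize_path(value)) is not None


# --- A minimal SQL lexer (constructed keyword list, not a full grammar) ------
SQL_KEYWORDS = {"select", "union", "or", "and", "from", "where", "insert",
                "update", "delete", "drop", "sleep", "benchmark"}

TOKEN_RE = re.compile(r"""
    (?P<COMMENT>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<STRING>'(?:[^'\\]|\\.|'')*'?)
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>[=<>!]+|\|\||[-+/();,*])
  | (?P<WS>\s+)
  | (?P<OTHER>.)
""", re.VERBOSE | re.DOTALL)


def lex_sql(text: str) -> list:
    """Turn SQL text into (kind, text) tokens; words in SQL_KEYWORDS become
    KEYWORD tokens and whitespace is dropped."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, tok = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD" and tok.lower() in SQL_KEYWORDS:
            kind = "KEYWORD"
        tokens.append((kind, tok))
    return tokens


def _structure(tokens: list) -> list:
    """Only the tokens that shape a query; literals and identifiers do not."""
    return [kind for kind, _ in tokens if kind in ("KEYWORD", "OP", "COMMENT")]


def changes_query_structure(value: str, quoted: bool) -> bool:
    """Embed the value in a hypothetical query (string or numeric slot) and
    compare the token structure with a harmless placeholder in the same slot."""
    template = "SELECT c FROM t WHERE c = {}"   # assumed template, not a real query
    placeholder = "'x'" if quoted else "1"
    candidate = f"'{value}'" if quoted else value
    return (_structure(lex_sql(template.format(placeholder)))
            != _structure(lex_sql(template.format(candidate))))


def is_sql_injection(value: str) -> bool:
    """Always test the string-literal slot; test the numeric slot only when the
    value starts like a number, so prose containing 'select' or 'or' is not flagged."""
    if changes_query_structure(value, quoted=True):
        return True
    return value[:1].isdigit() and changes_query_structure(value, quoted=False)


RULES = (("directory traversal", is_directory_traversal),
         ("sql injection", is_sql_injection))


def inspect_value(value: str) -> list:
    """Names of the rules that fire on one parameter value."""
    return [name for name, check in RULES if check(value)]


if __name__ == "__main__":
    # Constructed sample parameter values, not real traffic.
    for sample in ("../../wp-config.php", "%252e%252e%252fetc%252fpasswd",
                   "wp-content/uploads/2017/08/photo.jpg", "' OR '1'='1",
                   "admin'--", "1 OR 1=1", "O'Brien", "select a color"):
        print(f"{sample!r:40} -> {inspect_value(sample) or 'allowed'}")
```

Running the block shows why the token view matters: a lone apostrophe in "O'Brien" and the word "select" in a search phrase pass, because neither adds a keyword, operator or comment outside the string literal, while a value that closes the literal and appends a condition or a comment does. A toy lexer like this still misfires on values that contain both an apostrophe and a keyword, which is why a production rule needs the fuller parser the post refers to.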
Emerging Attacks Blocked by Malware Scan Integration
One of the most powerful rules in the Wordfence firewall that blocks a large number of emerging attacks is our malware scanner rule. I’ve marked the rule in bright yellow in the chart above, and labeled it “Scanner blocked malware.” In September of last year, the Wordfence team released a new version of the Wordfence firewall that integrates our malware scan with the firewall. That means that in addition to our regular firewall rules, Wordfence uses its malware scan logic to examine incoming requests.
Wordfence currently has 4,628 free and premium malware scan signatures in production. Those are all signatures that identify a unique malware variant or family of malware. By integrating malware scanning into our firewall, it is as though we released over 4,000 distinct firewall rules simultaneously. It has massively improved the detection capability of the Wordfence firewall.
As you can see from the chart above, the malware scan blocks a significant number of attacks. But the real benefit from this firewall-scan integration is that it blocks sophisticated attacks.
For our Premium Wordfence customers, when we release a new malware signature in real time, we add it to the malware scan and also put it into production on your firewall, where it is used to identify and block the newest attacks.
Premium IP Blacklist Owns the Stats
Wordfence also includes an IP Blacklist which is available only to our premium customers. Our systems track attacks in real time, and we use attack source data to create an IP blacklist, which we update throughout the day. As our algorithms have improved, the number of IP addresses on the blacklist has expanded, and the list now blocks a very large proportion of attacks.
The following chart shows you what percentage of total attacks the Wordfence Premium blacklist blocks when we combine the data.
The blue in the above chart represents the total percentage of attacks the Wordfence Premium IP blacklist blocks. The stacked charts below the blue area represent attacks that all other firewall rules block. This chart is for the same period, June 24 to August 22, 2017.
We logged a total of 725,248,603 attacks for this period: 202,765,759 were blocked by our firewall rules and 464,007,181 by the Premium blacklist.
Keep in mind that Wordfence Premium blocks every request from a blacklisted IP. That helps explain why the number of requests we blocked from known bad IPs is so high. Here are a few of the kinds of requests from blacklisted IPs that we block:
- We prevent them from visiting your home page and detecting WordPress.
- Blacklisted IPs get blocked from all content, comments and comment-posting.
- We block them from attempting a brute force attack.
- We block them from accessing XMLRPC.
- They are completely blocked from crawling your site.
- We prevent them from accessing any PHP script in your WordPress installation directly, even if they try to bypass WordPress.
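The ordering described above, the blacklist consulted before any other rule so that a listed address is refused whatever it asks for, and the per-rule tally behind the charts earlier in the post, can be shown together in a Python example. This is added code, not Wordfence's firewall: the blacklist entries (documentation address ranges), the three rules and the combined-log-format lines are all constructed for the demonstration.

```python
# Added example (not Wordfence's code): a request gate that checks an IP
# blacklist first, then per-request rules, and tallies which control blocked
# each request. Blacklist, rules and log lines are constructed samples.
import ipaddress
import re
from collections import Counter
from typing import Optional

# Constructed blacklist entries (RFC 5737 documentation ranges as stand-ins).
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed rules: (name, predicate over a parsed request). Deliberately
# simple; real rules canonicalise the input before matching.
RULES = [
    ("directory traversal", lambda r: "../" in r["path"]),
    ("xmlrpc access", lambda r: r["method"] == "POST" and r["path"].startswith("/xmlrpc.php")),
    ("php in uploads", lambda r: re.match(r"^/wp-content/uploads/.*\.php$", r["path"]) is not None),
]

# Constructed combined-log-format lines; the first three come from listed IPs.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [24/Jun/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1024
198.51.100.7 - - [24/Jun/2017:10:00:03 +0000] "GET /wp-content/uploads/a.php HTTP/1.1" 200 100
192.0.2.10 - - [24/Jun/2017:10:00:04 +0000] "GET /?file=../../wp-config.php HTTP/1.1" 403 0
192.0.2.11 - - [24/Jun/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0
192.0.2.12 - - [24/Jun/2017:10:00:06 +0000] "GET /2017/08/hello-world/ HTTP/1.1" 200 8192
192.0.2.13 - - [24/Jun/2017:10:00:07 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_log(text: str) -> list:
    """Parse combined-log lines into request dicts; unparseable lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            requests.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return requests


def decide(req: dict) -> Optional[str]:
    """Name of the control that blocks the request, or None if it is allowed.
    The blacklist is consulted first and wins regardless of the path requested,
    so a listed IP cannot even fetch the home page."""
    ip = ipaddress.ip_address(req["ip"])
    if any(ip in net for net in BLACKLIST):
        return "premium IP blacklist"
    for name, matches in RULES:
        if matches(req):
            return name
    return None


def tally(requests: list) -> Counter:
    """Blocked requests per control; allowed requests are not counted."""
    counts = Counter()
    for req in requests:
        verdict = decide(req)
        if verdict is not None:
            counts[verdict] += 1
    return counts


def shares(counts: Counter) -> dict:
    """Percentage of all blocks attributed to each control, as in the stacked charts."""
    total = sum(counts.values())
    return {name: round(100 * n / total, 1) for name, n in counts.items()}


if __name__ == "__main__":
    counts = tally(parse_log(SAMPLE_LOG))
    for name, pct in sorted(shares(counts).items(), key=lambda kv: -kv[1]):
        print(f"{name:22} {counts[name]:3} blocks  {pct:5.1f}%")
```

Note that the third log line would also have matched the "php in uploads" rule; it is counted against the blacklist because the blacklist runs first, which is the same reason the blacklist's share in the combined chart above is so large.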
When you upgrade to Wordfence Premium, you receive new malware scan rules in real time. As I explained above, these are also used in the Wordfence firewall. You also receive new firewall rules in real time. But one of the biggest benefits that many users are not even aware of is that Wordfence Premium enables the Wordfence IP Blacklist in your firewall. And as you can see, this blocks a large number of attacks – it blocks attackers from even accessing your site.
Wordfence Free Is Awesome. Premium Is Next-Level.
My personal goal for several years has been to make Wordfence “so good that you are crazy if you aren’t using it to protect your site.” Today I can say with confidence that our team has achieved that goal. If you aren’t using the free version of Wordfence to protect your site, you are missing out on the best available free protection for WordPress.
With Wordfence Premium, we have taken that protection to the next level with real-time scan signatures, real-time firewall rules and the extremely effective real-time IP blacklist.
As always, you are most welcome to post your comments below, and I will be around to reply where needed.
Mark Maunder – Wordfence Founder/CEO.
Special thanks to Wordfence team members Dan Moen, for producing the data behind this post, and Andie La-Rosa for editing.
Once an IP address is blocked, how long do you block it for?
As long as it keeps attacking it stays blocked. Unblock times vary based on past history.
I love wordfence, I would totally date it, if it wasn't illegal to date software in my state.
I truly feel that Wordfence has been a true force in the protection of my WordPress installation.
I actually feel safe with WordFence, almost every day I drop down to the wordfence menu section of my admin panel and look at the live traffic and what is being blocked.
And me personally, I really enjoy the ability to block certain browser strings and tor exit nodes. I have found that 90% of the tor exit nodes are trying to hurt me.
(this is based on what I have identified as tor exit nodes)
So I just set them and forget them, letting WordFence take care of it for me.
I would completely recommend that, if you don't have the premium version, that you upgrade to it. It's not that expensive as compared to what could happen.
I actually like this software, and I am very happy that I did upgrade. It just kicks butt.
We love Wordfence - the amount of information you provide on your blog and the value that it provides is impressive. The tool itself is wonderful. We have a high level of attack attempts due to our prominence in our segment and it is great peace of mind to see so many being blocked so successfully.
The one functionality I would love to have though, is to take people who are blocked by country blocking for the login page to become automatically permanently blocked. We only have admins in the US, so this would be an easy way to permanently block any bad actors since there is no reason for anyone outside the US to be hitting that page.
Great piece, Mark, and a great piece of software too. All my clients utilize Wordfence, both free and premium versions.
Quick side note: Does WAF extended protection live ahead or behind .htaccess? In other words, if we're blocking countries with WF is there any reason to do so with .htaccess?
Many thanks to the WF team for their enduring efforts every day.
The WAF extended protection is a prepend directive that lives in .htaccess so it runs before any other PHP on your site including WordPress core.
Gotcha. I did not see the prepend in all .htaccess files, so will double-check and add as needed. Thanks for the G2.
WordFence is truly AMAZING! I had a few customers paying (lots $$ tons $$) to other security scanners / firewalls that I won't mention by name and the FIRST day I canceled it WordFence found issues immediately that were getting skipped...
Thank you for the amazing plugin and oh yes this BLOG by WordFence is my favorite security blog anywhere > keep up the great work and thank you for making me feel that my clients sites are safe ;-) !!!
Wordfence does offer a lot for a free plugin.
Does the purchased WORDFENCE PREMIUM plugin have a WEBSITE LIMIT??
i.e., does the purchase of the plugin allow its use for all sites owned by the purchaser?
It is for a single WordPress website. Please see my reply to Steve for additional detail.