A Look At WPMU DEV’s Highly Optimized (free!) WAF


If a cyberattack targeting your web applications never reaches your website, did the attack even happen? The answer is YES, and it was most likely a WAF that stopped it. In this article, learn more about the intuitive firewall that is offered with WPMU DEV’s hosting (for free!).

Today could be the day you meet your brand new head of web security.

And best believe this cyber security guard isn’t your typical “fall asleep on the job” type.

Because he doesn’t just check people’s IDs at the door… he checks their address, their height, their eye color, their card expiry date, what they have in their pockets, who they last texted…

You get the point. This fierce protector is ensuring only trustworthy door knockers make it inside your WP doors.

But enough with the small talk, you’ve read the title of this article, and you know the head of security I’m talking about is a Web Application Firewall (WAF).

And today we’ll be covering how to implement the WAF with WPMU DEV.

In this post:

We’ll give you a quick run-through of WPMU DEV’s WAF, which is completely free to use as part of our managed hosting service.

We’re always hard at work testing and fine-tuning this puppy – ensuring it’s giving you the best web application protection possible.

Unlike most in-built security plugin WAFs, ours also forms a protective wall OUTSIDE of your WP borders.

We’ll get into why this is super important later… but first, let’s start with the basics:

What is a WAF?

A Web Application Firewall (WAF) is a specific type of firewall that protects your web applications from malicious application-based attacks.

WAFs act as the middle person, or security guard for your WordPress site.

Standing guard between the internet and your web applications, all the while monitoring and filtering the HTTP traffic that wants to join your bumping party.

Of course, like any raging WP party, there are always gate-crashers to worry about.

The good news is, WAFs use a set of rules (or policies) to help identify who’s actually on your guest list, and who’s just looking to cause trouble.

You’re not getting past a WAF unless you can be trusted.

Instead of going over all the details in this article, you can get a 360-degree look at WAFs, including how to implement them, what they help protect against, the different types of WAFs, and more in our article Everything You Need to Know About WAFs.

For now, let’s get to the main attraction…


A while back we introduced our own WAF which is enabled by default for all new users and comes completely FREE with our hosting.

Unlike plugins, our WAF builds a fence on the OUTSIDE of your house as it analyzes all traffic before it hits WordPress.

We’ve done extensive testing and fine-tuning to ensure it will not slow your site down. And we keep it updated with the latest rules, and add any new known vulnerability footprints nightly.

A snapshot of how our WAF works to detect, filter, and block malicious traffic.

It also couldn’t be easier to manage!

To access and activate our WAF (if you’re a member) simply navigate to our Website Hub and click on the website you’d like to set up or manage your firewall on.

Start by selecting the website you'd like to activate your WAF on.

You can then access the firewall through either the “Hosting” or the “Security” tabs. For this example let’s go through Hosting.

Click either hosting or security to access the WAF.

Next, select the “tools” toolbar, and then you should see the “Web Application Firewall” option.

Click web application firewall to begin the process of adjusting your WAF.

Once you’ve clicked through, you’ll be given the option to protect your site with our firewall.



After you elect to do so, the firewall will activate and begin protecting your site.

Here's where you choose whether to activate the WAF or not.

You’ll also now see the “Allowlist” and “Blocklist” fields that appear below.

We already maintain a set of rules that will identify unsafe traffic – but as mentioned above, admins can Allowlist (allow) or Blocklist (block) IP addresses and user agents as they see fit by filling out these fields.

Choose to block or allow various parties with our WAF’s blocklist and allowlist features.

Scroll past the allowlisting and blocklisting rules and you’ll find our final WAF feature: the ability to disable specific WAF rule IDs.

This feature can come in handy if specific WAF rules are not compatible with your site, and are causing false alarms.

Simply enter the rule ID that’s causing problems, and it’ll be immediately disabled.

Rule IDs and errors can be found in your “WAF Log.”

If you're running into issues you can also disable a WAF rule if needed.

The WAF log itself can be found under the “Logs” tab, which is in the same toolbar as “Tools” was above.

Use our WAF log to identify attackers and rulesets.

Logs can come in handy when you want to see where attacks are coming from, which requests have been blocked, and what rules those requests triggered.

For example, let’s say you’re performing a valid action on your site, and for some reason, you get blocked.

The logs allow you to understand exactly why this happened, so you can allowlist a particular IP, or disable a specific WAF rule.

After all, you wouldn’t want your security guard kicking your best friends out of the club!
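A sketch of the triage described above, as an added example that is not WPMU DEV's code: it groups blocked requests by rule ID and flags the rules that blocked addresses you trust. The log line format, sample entries, rule IDs and function names are constructed for illustration, so adapt the pattern to what your WAF Log actually shows.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical line format; the real WAF Log layout
# may differ, so adjust LINE_RE to match the entries you actually see.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z ip=198.51.100.23 rule=1001 action=blocked POST /wp-login.php
2024-05-01T10:02:12Z ip=198.51.100.23 rule=1001 action=blocked POST /wp-login.php
2024-05-01T10:05:40Z ip=203.0.113.7 rule=2040 action=blocked POST /wp-admin/post.php
2024-05-01T10:06:02Z ip=203.0.113.7 rule=2040 action=blocked POST /wp-admin/post.php
2024-05-01T10:09:55Z ip=192.0.2.88 rule=2040 action=blocked POST /wp-admin/post.php
2024-05-01T10:11:30Z ip=198.51.100.99 rule=3310 action=blocked GET /xmlrpc.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) rule=(?P<rule>\d+) "
    r"action=(?P<action>\w+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(log_text, trusted_ips):
    """Summarise blocked requests per rule ID and flag rules hitting trusted IPs."""
    rules = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for e in parse(log_text):
        if e["action"] != "blocked":
            continue
        r = rules[e["rule"]]
        r["hits"] += 1
        r["ips"].add(e["ip"])
        r["paths"].add(e["path"])
    trusted = set(trusted_ips)
    report = {}
    for rule_id, r in rules.items():
        trusted_hit = r["ips"] & trusted
        if not trusted_hit:
            verdict = "keep"            # only untrusted sources tripped the rule
        elif len(trusted_hit) == 1 and r["ips"] == trusted_hit:
            verdict = "allowlist-ip"    # a single known address: narrow fix
        else:
            verdict = "review-rule"     # trusted address among several sources
        report[rule_id] = {"hits": r["hits"], "verdict": verdict,
                           "trusted": sorted(trusted_hit), "paths": sorted(r["paths"])}
    return report
```

Allowlisting one address is the narrower change; disabling a rule ID removes that check for every visitor, so a `review-rule` verdict is a prompt to inspect the blocked requests first.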

And don’t worry, if this sounds at all complicated, our members get access to 24/7 round the clock support, and someone will always be on hand to help out with any difficulties.

You Can Never Have Too Much WordPress Security

As I touched on earlier, WAFs aren’t the answer to ALL of your security problems.

Doing simple things like installing a Network Firewall, keeping WordPress up to date, ensuring your PHP is up to date, and making sure your sites are constantly backed up can all go a long way toward protecting your sites.

And although we don’t think a WAF belongs inside of a plugin, security plugins still have their place and can be a handy last line of defense.

Speaking of WordPress security plugins, you can’t go past our own Defender.

Bots and hackers are no match for our Defender.

Yep, this guy’s as mean as he looks when it comes to fighting off hackers and bots (although he’s a teddy bear outside of the cyber-security ring).

In short, Defender can also help protect you from brute force attacks, SQL injection, cross-site scripting (XSS), and more!

He also handles operations like malware scans and two-factor authentication login security.

Choose Your Own WAF Path

Don’t you just love it when the conclusion of an article ends with “it depends”?

Well, sorry to be a bummer, but when answering the question of: “Do I need a WAF?”

It does indeed depend on your personal situation!

Do you need one? No. Should you have one? Of course!

The more security layers you can cover, the safer your data and your clients’ data will be.

Speaking of client data, if your website does collect client data it’s vital that you have extra security measures like WAFs and Network Firewalls in place.

Not just for protection, but to protect your reputation, and to adhere to website security regulations and standards.

This is especially important for eCommerce sites, and sites that handle a ton of monetary transactions every day.

We’re Not Ones To Toot Our Own Horn, But…

As mentioned earlier, we have a WAF as part of our hosting service, and we’d love for you to try it at no risk with a WPMU DEV membership free trial.

Finally, if you’re already a WPMU DEV member and you don’t currently host any sites with us, be sure to migrate a site over, or whip up a test site if you want to give our new WAF a no-hassle whirl.

Other than that, stay cyber-safe out there folks!

Had any prior experiences with WAFs? Give us the full spiel on the good and the bad in the comments below... Also, let us know what you think makes a good WAF, and if you think it’s a worthwhile security measure to implement.

Rick Crawshaw

Rick Crawshaw is the head of content at WPMU DEV. Before joining the company and learning the ins and outs of WordPress web development, he worked as a freelance copywriter and marketer. You might also recognize his punny style from our weekly WordPress newsletter The WhiP. Connect with Rick on Twitter and LinkedIn.