The Hub - Tools - Web Application Firewall (WAF)

Matthew Gabriel

Last Update 6 months ago

Our Web Application Firewall (WAF) monitors the IP addresses and user agents attempting to access your site and filters out traffic that is known to be unsafe or that you have identified as unwanted.


The key distinction between our WAF and typical site security protocols is that a security plugin protects a site at the point of attack, whereas a WAF prevents unwanted traffic from ever reaching its intended target in the first place (learn more about how WAFs work).


Our WAF protects sites from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection.


Additional Protection


For additional steps in protecting your site, use Defender Pro provided by SWS as part of your hosting plan.


NOTE


When enabled, the WAF intercepts uploads whose filenames contain single quote characters (e.g., file-'name'.jpg) and blocks them to prevent potential security exploits. More information about invalid special characters in WordPress can be found here.

Configuring your WAF


A WAF protects against vulnerabilities and filters out attacks and malicious traffic by requiring all traffic to pass a set of rules before it ever reaches your WordPress site. WPMU DEV has a custom set of WAF rules and allows you to add your own, as follows:


  • IP Allowlist
  • IP Blocklist
  • User Agent Allowlist
  • User Agent Blocklist
  • URL Allowlist
  • URL Blocklist
  • Disable Rule IDs


Click On/Off in the Web Application Firewall row to enable/disable the feature.

Then click the toggle switch in the popup to access the configuration panel.

SWS maintains a set of rules that will identify and block known, unsafe traffic, but admins can allowlist or blocklist IP addresses and user agents as they see fit using this configuration panel.


IP Allowlist/Blocklist


An IP (Internet Protocol) address is the numeric address a device uses on the internet, and every request to your site arrives from one. You can block or grant access to specific machines, locations or users with the IP Allowlist/Blocklist fields.


You can allowlist or blocklist a single IP address by entering it into the fields provided, or an IP range by entering it in CIDR notation. CIDR states how many leading bits of the address identify the network, in the format: start of IP address range/number of network bits. For example, the range 192.168.100.0 to 192.168.103.255 is written as 192.168.100.0/22, and 192.168.100.0 to 192.168.101.255 as 192.168.100.0/23. More information on this can be found in this DigitalOcean article or on the Petri site.


Enter only one IP address or range per line, and click Save.

This makes it easy to block attacks quickly before they reach your server, or to allowlist your own IP or a team member's IP so they can bypass the WAF.


Adding IP ranges


Note that if you need to add a range of IP addresses to either list, it must be entered in CIDR notation. For more info on that, see this Wikipedia article. And here's a handy CIDR conversion tool to make your job a bit easier.
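The entry format described above (one IP address or CIDR range per line) and the range-to-CIDR conversion can be checked with Python's standard ipaddress module. The following is an added example, not WPMU DEV's or the Hub's own code; it validates a list the way the field expects it, tests whether a client address falls inside the list, and converts an inclusive start..end range into CIDR blocks. It goes slightly beyond the two ranges in the text by also showing a range that does not line up with a power-of-two boundary, which needs more than one line in the field.

```python
# Added example (not WPMU DEV's or the Hub's own code): validating the
# one-entry-per-line IP Allowlist/Blocklist format and converting an
# inclusive start..end range into the CIDR block(s) the field expects.
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ip_list(text: str) -> List[Network]:
    """Parse one IP address or CIDR range per line (blank lines ignored).

    A bare address becomes a single-host network (/32 or /128) so every
    entry can be tested with the same membership check.  The default
    strict=True rejects entries such as 192.168.100.5/22 whose host bits
    are set, because the notation expects the *start* of the range before
    the slash.
    """
    networks: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry))
        except ValueError as exc:
            raise ValueError(
                f"line {lineno}: {entry!r} is not a valid IP address or CIDR range"
            ) from exc
    return networks


def ip_in_list(ip: str, networks: List[Network]) -> bool:
    """True if the client address falls inside any entry of the list.

    Membership across IP versions is always False, so an IPv6 client never
    matches an IPv4 entry by accident.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def range_to_cidr(start: str, end: str) -> List[str]:
    """Return the smallest set of CIDR blocks covering start..end inclusive.

    A range aligned to a power-of-two boundary collapses to one block
    (192.168.100.0-192.168.103.255 -> 192.168.100.0/22); other ranges need
    several blocks, entered one per line in the WAF field.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError("start and end must be the same IP version")
    if last < first:
        raise ValueError("end of range precedes its start")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    # Constructed sample list: the /22 range from the text plus one address.
    allowlist = parse_ip_list("192.168.100.0/22\n203.0.113.7\n")
    for client in ("192.168.103.255", "192.168.104.0", "203.0.113.7"):
        print(client, "in list" if ip_in_list(client, allowlist) else "not in list")
    print(range_to_cidr("192.168.100.0", "192.168.103.255"))  # one block
    print(range_to_cidr("192.168.100.0", "192.168.102.255"))  # two blocks
```

Run the file directly to see the membership results and the conversions; the second conversion yields 192.168.100.0/23 plus 192.168.102.0/24, which is what you would enter on two separate lines.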

User Agent Allowlist/Blocklist


The user agent is the system information being used to access your site, including:


  • The browser application name and version
  • The host operating system and language


This information can often be used to block a botnet that originates from too many IPs to block individually but uses the same User Agent for its attack. You can view visitors' User Agents in your access log.


Use the Allowlist field if you need to allow a good bot that doesn’t use specific IPs to bypass firewall rules. Remember, User Agents can easily be spoofed by bots, so allowlisting them should be done only when you can’t allowlist by IPs.


You can allowlist or blocklist a user agent by entering it into the fields provided. An example of a correctly formatted user agent to enter into the field is Mozilla/5.0 (Linux; Android 9; moto e(6s)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36. Enter only one agent per line, and click Save.
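The situation described under the User Agent section (one user agent spread across more IPs than you want to blocklist one by one) is easy to spot in an access log. The following is an added example, not WPMU DEV's or the Hub's own code; it parses constructed lines in the common "combined" access log format and lists the user agents seen from at least a given number of distinct client addresses, which are the candidates for a single User Agent Blocklist entry. The log lines and both user agent strings are constructed for the example.

```python
# Added example (not WPMU DEV's or the Hub's own code): reading an access
# log in the "combined" format and reporting user agents shared by many
# distinct client IPs, the pattern a single User Agent Blocklist entry covers.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one real browser (the user agent string quoted in
# the text) and one scripted client that rotates through several addresses.
BOT_UA = "Mozilla/5.0 (compatible; ExampleScanner/1.0)"
PHONE_UA = ("Mozilla/5.0 (Linux; Android 9; moto e(6s)) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36")
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "{PHONE_UA}"',
    f'198.51.100.21 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 230 "-" "{BOT_UA}"',
    f'198.51.100.22 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 403 230 "-" "{BOT_UA}"',
    f'198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 403 230 "-" "{BOT_UA}"',
    f'198.51.100.24 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 403 230 "-" "{BOT_UA}"',
    f'203.0.113.10 - - [10/Oct/2023:13:56:02 +0000] "GET /about/ HTTP/1.1" 200 4810 "-" "{PHONE_UA}"',
    "this line is not in combined format and is skipped",
]


def parse_combined_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict of named fields per well-formed line; others are dropped."""
    records = []
    for line in lines:
        match = COMBINED_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def ips_per_user_agent(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each user agent string to the set of client IPs that sent it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for record in records:
        seen[record["ua"]].add(record["ip"])
    return dict(seen)


def widespread_user_agents(records: List[Dict[str, str]], min_ips: int = 3) -> List[Tuple[str, int]]:
    """User agents used by at least min_ips distinct addresses, busiest first.

    These are candidates for the User Agent Blocklist: one entry covers every
    address the client rotates through.  Confirm the requests are really
    unwanted first, since a popular browser string will also rank high.
    """
    counts = [(ua, len(ips)) for ua, ips in ips_per_user_agent(records).items()
              if len(ips) >= min_ips]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ua, n in widespread_user_agents(parse_combined_log(SAMPLE_LOG)):
        print(f"{n} distinct IPs: {ua}")
```

Point the script at your own access log by replacing SAMPLE_LOG with the file's lines; the exact user agent string it reports is what you would paste, on its own line, into the User Agent Blocklist field.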

URL Allowlist/Blocklist


In the unlikely event that any site URLs get blocked, possibly due to embedded content, you can add them to the URL Allowlist as relative URLs.

You can also explicitly block any relative URL by adding it to the URL Blocklist.

Disabled Rule Ids


You can also disable specific firewall rule IDs that appear in the WAF log under the Logs tab (see below).

Remember, when activating, deactivating or editing rules in the WAF, click the Save button to save your changes.

WAF Logs


WAF Logs for a specific site can be found in Hosting under the Logs tab.

Logs can be used to see where attacks are coming from, what requests were blocked, what rules those requests triggered, and changes that can be made to minimize false alarms. For example, if you are performing a valid action on your site and get blocked, you can find information on why in the WAF log and perhaps allowlist the IP or disable a specific firewall rule ID. 

Allowing Legitimate Requests


Occasionally, legitimate requests from plugins or page builders may be blocked by the WAF, which can result in HTTP client errors when interacting with them. To prevent this, the relevant WAF rule(s) can be disabled in the WAF settings.


To disable a problematic WAF rule, you’ll first need to identify the Rule ID. To do so, navigate to the Logs tab in The Hub’s Hosting module, and click WAF Log.

Then, identify and make a note of the Rule ID in the most recent related log entry.

Next, navigate to the Tools tab in The Hub's Hosting module, and open the Web Application Firewall settings.

At the bottom of the settings window, enter the Rule ID identified earlier into the Disabled Rule Ids field, and click Save.

Repeat this process as needed for all WAF rules that are blocking legitimate requests, and then verify that the affected plugins work as expected.

Occasionally, the Hub may not be able to accurately detect the Rule ID and will label it “0”. But you can always find the Rule ID by downloading the waf.log file and locating the corresponding entry.


IMPORTANT


While not always possible, it is more secure to allowlist the relevant user agents, IP addresses, or URLs to let specific blocked requests through than it is to disable WAF rule IDs. Even so, keep in mind that any exclusion you add has the potential to make the WAF less secure.
