
What is a WordPress WAF?

A Web Application Firewall (WAF) is a tool that looks at the information in an HTTP request and blocks the request if it is malicious. This prevents malicious requests that are trying to exploit vulnerabilities in applications such as WordPress from being able to reach the vulnerable code.

Firewall Engine and Rules

There are two major components in a WAF: the engine (or library) and the rules. Firewalls are designed with the engine separate from the rules so rules can be easily updated.

If the rules were built into the engine, the firewall code itself would need to be modified and updated any time a rule is changed or added. In the case of a WordPress plugin, that would require updating the plugin any time a rule changes.

Firewall rules specify patterns to look for in various parts of a request. If the pattern or set of patterns in a rule matches an incoming request, the request is blocked. These patterns are usually written as regular expressions. Regular expressions are a flexible and universal language for expressing patterns in software.

It takes many different rules, each focused on a specific attack, to keep a WordPress site secure. A collection of rules that work together is known as a rule set.

ModSecurity and the OWASP Core Rule Set

HeatShield uses ModSecurity as its WAF engine. ModSecurity is the world's most popular and trusted WAF engine. ModSecurity was originally written for the Apache web server in 2002 but is now a standalone library that is used by applications other than Apache.

Many rule sets exist for ModSecurity, but not all rule sets are equal. There are two ways that a firewall rule set can fail: false negatives and false positives.

  • A false negative is where a rule set considers an incoming request safe and lets it through even though the request is actually malicious.
  • A false positive is where a rule set considers an incoming request malicious and blocks it even though the request is safe and legitimate.
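As an added illustration (not part of the HeatShield docs or of ModSecurity itself), the Python sketch below keeps a generic matching engine separate from a small rule set of regular expressions, then runs constructed sample requests through it to show a true positive, a false positive and a false negative. The rule ids, patterns and sample requests are all invented for this example, and the three-rule set is nothing like the OWASP Core Rule Set in scope.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                     # one rule: id, purpose, request parts to inspect, regex
    rule_id: int
    description: str
    targets: tuple[str, ...]    # any of "path", "query", "body"
    pattern: re.Pattern

# Hypothetical three-rule rule set, constructed for this example (not the OWASP CRS).
RULES = (
    Rule(900001, "SQL tautology with numeric operands", ("query", "body"),
         re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    Rule(900002, "UNION ... SELECT keyword sequence", ("query", "body"),
         re.compile(r"\bunion\b.{0,20}?\bselect\b", re.I)),
    Rule(900003, "directory traversal sequence", ("path", "query"),
         re.compile(r"\.\./")),
)

# The engine: generic code that knows nothing about particular attacks, so the
# rule set above can change without touching it (the separation the docs describe).
# Returns the ids of every rule whose pattern matches one of its target parts.
def evaluate(request: dict[str, str], rules=RULES) -> list[int]:
    return [rule.rule_id for rule in rules
            if any(rule.pattern.search(request.get(part, "")) for part in rule.targets)]

def is_blocked(request: dict[str, str], rules=RULES) -> bool:
    return bool(evaluate(request, rules))

# Constructed sample requests, each paired with whether it is actually malicious.
SAMPLES = {
    "normal_search": ({"path": "/", "query": "s=best+wordpress+themes", "body": ""}, False),
    "tautology_login": ({"path": "/wp-login.php", "query": "",
                         "body": "log=admin' or 1=1 -- &pwd=x"}, True),
    # A legitimate comment that happens to quote SQL: blocked, so a false positive.
    "sql_tutorial_comment": ({"path": "/wp-comments-post.php", "query": "",
                              "body": "comment=Use UNION SELECT to merge two queries."}, False),
    # Script injection in a comment: no rule covers that attack class, so a false negative.
    "script_in_comment": ({"path": "/wp-comments-post.php", "query": "",
                           "body": "comment=<script>alert(1)</script>"}, True),
}

def classify(name: str) -> str:
    """Outcome label: 'true'/'false' + 'positive' (blocked) / 'negative' (allowed)."""
    request, malicious = SAMPLES[name]
    blocked = is_blocked(request)
    return ("true " if blocked == malicious else "false ") + ("positive" if blocked else "negative")

if __name__ == "__main__":
    for name, (request, _) in SAMPLES.items():
        print(f"{name:22s} matched={evaluate(request)} -> {classify(name)}")
```

The false positive shows why a real rule set needs far more context than a single keyword regex, and the false negative shows why coverage of many attack classes matters.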

HeatShield uses the Open Web Application Security Project (OWASP) Core Rule Set for its firewall rules. This rule set has extremely low false positives and false negatives. The OWASP Core Rule Set is also the most popular and trusted rule set and is used by enterprise firewalls such as Google Cloud Armor and Cloudflare's WAF. No firewall is perfect, but by using the industry's best rule set with the industry's best firewall engine, HeatShield brings enterprise security to WordPress.
