A Quick Look at the Security Settings for Sucuri Firewall for the Non-Geek

A lot of my clients opt to use the excellent Sucuri Web Application Firewall (WAF) with their Small Business, Business or Premium Plans. Just yesterday I had a new client request we set up a call to talk about the security options before turning on the firewall on his account. I think that’s an excellent idea (one most clients don’t inquire about) and as a result, I’m writing this post to help me get the details into an easy-to-understand format.

So here we go… first, the Sucuri WAF acts like a barrier between your site visitors and your website. It has two modes – High and Paranoid. What Sucuri says about High:

It will enable all our default security checks to prevent SQL injections, Cross site scripting, RFI, LFI, security scanners and a myriad of attacks from ever reaching your site. It will also enable our Virtual patching so if you are ever using an outdated software, it can’t be used to hack your site.

‘Paranoid’ does all that and also prevents anyone from POSTing anything to your site (it’s also called ‘lockdown mode’ ).

Some of the advanced options are a bit confusing, so here’s an attempt at simplification…

  • Restrict the admin panel to whitelisted IP addresses – this is great if you’re not running a membership or ecommerce site where you allow visitors to sign up and login. Basically, you supply a list of IP addresses for legitimate backend users. You can get a URL that will instantly add the user’s IP address to the whitelist (distribute this with care).
  • XMLRPC, Comments and Trackbacks blocked – if you don’t allow comments or use an external comment system like Disqus, turn this on. It will block any comment attempts.
  • Stop upload of PHP or executable content – as long as you don’t allow uploads of scripts or code, turn this on. It will block those attempting to load scripts on your site.
  • Enable Emergency DDoS protection – if your site’s experiencing a DDoS attack you can turn this on temporarily, it prevents anyone not using Javascript from reaching your site.
  • Block anonymous proxies and the top three attack countries (China, Russia and Turkey) – if your logs show repeated visits from these three countries, turn this on (unless of course you sell to or are in these countries). Visitors from them can see all content but can’t create an account or login.

Other things you can do with WAF security settings:

  • Protect individual pages with a password or 2-factor authentication (like mobile phone authentication).
  • Block visitors from specific countries. You can allow them to view content but not login or post, or can prevent them from seeing the site at all.

All WP Minder Plans except the Starter Plan include Sucuri Antivirus for malware scanning and the option to use Sucuri WAF. To learn more about what WAF does, check out this page.

And for an honest review of Sucuri and its services included WAF, take a look here. I really like Sucuri, I use them myself for my own sites and feel very good about offering it to clients as an integral part of my WordPress maintenance services.

Leave a Reply

Your email address will not be published. Required fields are marked *