How the Wordfence Firewall Works

In April of 2016, Wordfence launched a full-featured WordPress firewall. Since then we have released improvements that make Wordfence faster and better at blocking attacks. If you’re not a security professional, it may not be clear what the Wordfence firewall does or how it works. In this post I’m going to describe exactly how the firewall works.

Firstly you should know that the Wordfence firewall is also sometimes called the Wordfence WAF. The term WAF is just an acronym that is short for “web application firewall”, which means a firewall that protects web applications.

Wordfence is a firewall that protects the WordPress web application and anything else installed in your WordPress subdirectories. For the sake of this post, I’m going to just refer to it as the Wordfence firewall.

How Wordfence Evolved

The very first version of Wordfence improved your WordPress security by providing functions like:

  • Malware scanning including scheduled scans
  • The scan included (and still includes) a variety of other checks including blacklist checks
  • Brute force protection
  • Two factor authentication
  • Country blocking
  • Protection against aggressive crawlers

Wordfence included several other useful security functions, but it never included a rule based WordPress firewall that filtered attacks as they arrived in real-time.

I started writing the first version of Wordfence back in 2011 and I finished it in 2012. We were a two person company at the time and we wanted to provide something that significantly improved WordPress security. So we picked the best features that were also feasible for a two person team to implement and ended up with the list of features above.

As Wordfence grew and we brought on board senior developers and experienced security professionals, we made the decision in 2015 to add a full-featured rule-based firewall to Wordfence. One of our criteria was that it needed to be updated in real-time with new kinds of protection.

We embarked on a 9-month project to create a full-featured rule-based firewall for Wordfence. That was released as Wordfence 6.1.1 in April of last year.

How the Threat Defense Feed powers the WordPress firewall

As part of the WordPress firewall release, we also put business processes in place and created a forensic division in the organization to gather the attack data. We needed this data to learn about new kinds of attacks, create new rules to protect against them and deploy them in real-time. That real-time rule feed is part of what we call the Wordfence Threat Defense Feed.

Today Wordfence has a very busy site cleaning operation. That is one of the ways we get forensic data about attacks that are compromising WordPress websites right now.

Once we see a new attack, we immediately develop a new firewall rule, test it and get the rule into production fast, to stop that same attack affecting other customers.

Another way we learn about new kinds of attacks is by aggregating and mining attack data. This allows us to see new attacks as they emerge and before they infect our customer websites.

By combining on-the-ground forensic work with the Threat Defense Feed and a rule-based firewall, Wordfence became a robust, enterprise-class security product for WordPress.

How the Wordfence Firewall Works

So how does the Wordfence firewall actually work? When you enable the Wordfence firewall, we use a technique that tells your web server to run the Wordfence firewall code before any other PHP code on your website. We do this by including a directive called ‘auto_prepend_file’ in your .htaccess file. This directive points to Wordfence code and ensures that Wordfence runs before anything else.

Once we have configured your website to run the Wordfence firewall first, any request that arrives, no matter which PHP file it tries to access, will first be processed by Wordfence to check whether it is safe. Our WordPress firewall runs the request through its ruleset, performing a detailed, high-performance analysis, and decides whether to block the request or allow it.

The firewall code that makes this decision runs before anything else including WordPress. That means that the WordPress code has not loaded and the database is not yet connected. This makes the Wordfence firewall code incredibly fast. We can block a malicious request before it even connects to your database and before the bulky WordPress code and API environment is loaded up.
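A minimal sketch of the prepend mechanism described above, as an added example that is not Wordfence's code. The rules, function names and file path are constructed for illustration; the cheap marker check before each regex mirrors the relevance filtering described in the comments further down this page.

```php
<?php
// Added example, not Wordfence's code. Rules, names and paths are constructed.
//
// Wiring: auto_prepend_file is a per-directory PHP setting. Under mod_php it
// can be set in .htaccess (placeholder path):
//     php_value auto_prepend_file '/var/www/example/waf-prepend.php'
// Under PHP-FPM/CGI the equivalent line goes in .user.ini:
//     auto_prepend_file = '/var/www/example/waf-prepend.php'
// PHP then runs this file before whichever script the request targets.

// Each rule pairs cheap substring markers with a more expensive regex.
const EXAMPLE_RULES = [
    'sqli-union-select' => [
        'markers' => ['union', 'select'],
        'pattern' => '/\bunion\b[\s\S]{0,200}?\bselect\b/i',
    ],
    'path-traversal' => [
        'markers' => ['../', '..\\'],
        'pattern' => '#(?:\.\.[/\\\\]){2,}#',
    ],
];

// Gather client-controlled values. WordPress is not loaded at this point,
// so only PHP's own superglobals are available.
function example_collect_inputs(): array
{
    $values = [rawurldecode($_SERVER['REQUEST_URI'] ?? '')];
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        array_walk_recursive($source, function ($v) use (&$values) {
            $values[] = (string) $v;
        });
    }
    return $values;
}

// Return the id of the first matching rule, or null if the value is clean.
function example_match_rule(string $value): ?string
{
    $lower = strtolower($value);
    foreach (EXAMPLE_RULES as $id => $rule) {
        $relevant = false;
        foreach ($rule['markers'] as $marker) {
            if (strpos($lower, $marker) !== false) {
                $relevant = true;
                break;
            }
        }
        // Deep analysis only runs when a marker made the rule relevant.
        if ($relevant && preg_match($rule['pattern'], $value) === 1) {
            return $id;
        }
    }
    return null;
}

foreach (example_collect_inputs() as $value) {
    $rule = example_match_rule($value);
    if ($rule !== null) {
        error_log('example-waf: blocked rule=' . $rule
            . ' ip=' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("Request blocked\n");
    }
}
// No rule matched: falling off the end lets PHP continue to the requested script.
```

Because the block decision is made with nothing but PHP superglobals, a rejected request never reaches the application's bootstrap or its database connection.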

WordPress firewall decision diagram

The Wordfence firewall code executes before anything else, including WordPress. But it also has the ability to pass data back to WordPress and to get data from the WordPress API. This allows us to incorporate user identity into our ruleset so that we can make decisions about whether or not to allow a user access, based not just on the content of their request, but who they are and what access level they have within WordPress.

Using this model of high performance execution means that attackers only get to hit the super fast Wordfence firewall and they don’t get any further than that. Friendly site visitors, crawlers and users get to access your full website. This keeps your WordPress website fast and safe.

How Wordfence Became the Most Popular WordPress Firewall

Wordfence has grown into a big team, a sophisticated organization and it has become the most popular security product for WordPress. To date we have had over 22 million downloads of Wordfence. We protect millions of websites and block millions of attacks daily, over 28 million per day.

The early version of Wordfence did a good job of protecting WordPress websites. In 2015 our team agreed that we wanted to get Wordfence to the point where you were crazy if you weren’t using us to protect your website. We had to be that good.

With the 6.1.1 release early last year that included the firewall, Wordfence took a giant leap forward and was doing a great job at securing WordPress websites. We wanted to go even further. Since then we have incorporated the malware scan into the firewall so that traffic is scanned for malware in real-time. We have made the IP blocking code faster and we have made the core scan engine faster too.

We have also gotten better at collecting threat intelligence in the form of new exploits and malware samples and quickly turning those into rules that get tested and deployed in real-time.

The number of malware samples we have in our repository is now enormous and our WordPress firewall ruleset has grown significantly. We have also grown the team that works on the Threat Defense Feed and continue to improve our processes.

Today we are confident in saying we have achieved our objective of making Wordfence so good that you are crazy if you are not using it to protect your WordPress website.

We’re Not Stopping Here…

At Wordfence our team has never modeled ourselves on competitors or imitated others. We have always been leaders and innovators in WordPress security. That is why, for example, we chose to create a WordPress firewall that integrates directly with WordPress websites and is not a cloud service – even when the cloud was the hip new thing that everyone was selling.

We realized early on that cloud firewalls don’t have data like user identity and therefore can’t use that data in their decision-making. If you don’t even know if a user is an administrator, how can you decide if they are bad or not? We realized that by doing things our own way we could better serve our customers.

Our team continues to innovate. Later this year we have a very exciting release on the roadmap for Wordfence that will be as significant as the 6.1.1 Wordfence release that included the first firewall version. It’s a surprise for now, but it is incredibly innovative and will make it even more difficult for attackers to target any WordPress site protected by Wordfence.

Thanks!

We are proud to have you as our customers and to have many of you as Premium Wordfence customers. Thank you for your support over the years. We continue to work hard to support Wordfence and to discover new ways to better protect your website. As always, I welcome your feedback in the comments.

Mark Maunder – Wordfence Founder/CEO.

Comments

38 Comments
  • i, for one, am a very grateful user of this great tool that is wordfence.
    i have been able to detect and cleanup one of my sites when it was actually hacked because it was unattended for a while and had outdated plugins.
    with wordfence, i was able to find out it had been infected when on the surface it didn't even show.

    thank you mark and the wordfence team. you have my trust and loyalty. you make a difference with your labor of love and ethics.

  • Thank you so much for the explanation. And even more, thank you for Wordfence!!!!

    • You're very welcome Carol!!

  • Hi Mark, thanks for the low-level explanation of your firewall, and thank you for the Wordfence plugin. As these firewall "rules" build up over time, is there any concern that the firewall will slow down?

    "The number of malware samples we have in our repository is now enormous and our WordPress firewall ruleset has grown significantly."

    Semi-related follow-up, do you have any insights into how Wordfence affects site performance overall? I have read insinuations that your plugin slows down sites, without hearing any details how. I'm wondering if you have tips on which options may affect performance, which don't, etc.

    • Wordfence is super fast now and the posts you're reading are probably old.

      We benchmarked the firewall with 30,000 rules and it was still fast enough. We aren't even close to that. The firewall is also smart in that it only activates rules for a request that are relevant. So for example, if a request doesn't contain any SQL markers, we don't perform deep SQL injection analysis on it. That keeps things very fast.

      Mark.

  • How does this work with static caching plugins like W3 Total Cache that direct web requests at the .htaccess level? Does the firewall process those requests first and pass them along to the .htaccess cache processing rules if they are not malicious in nature?

    • Hackers target PHP files. Caching plugins add rules that redirect some requests to static HTML files that they generate. So if you have a caching plugin, Wordfence ignores the requests to static files (which aren't hackable) and still protects your PHP files.

      Mark.

  • While, I do like wordfence, I don't particularly want to pay for features that I don't need, such as country blocking and 2FA. A more flexible pricing setup, that includes the wordfence firewall getting real-time updates, but not the other features I mentioned, would IMO be interesting for a large group of people who do want the protection but don't need to block certain countries.

    • Hi Roland,

      Unfortunately that is not feasible for us or any software company. We don't incur our costs per feature. We have built an organization around Wordfence which includes great customer service (one of our higher costs - we don't 'offshore'), engineering, software quality assurance, operations and so on.

      Regards,

      Mark.

  • If it's so important why doesn't it come embedded in the wordfence plugin and we have to go through some unknown installation process to set it up?
    To this day I haven't enabled it on my sites because I like simple and easy stuff. Complicated stuff are not for me. Since I already installed the wordfence plugin, any additional feature should automatically be applied without me having to go through another config process.

    Thanks

    • Hi Viv,

      The firewall modifies your .htaccess file which is a significant change. So we chose to make it an 'attended' installation. That means we wanted you to be present and aware of the changes we're making for the safety of your website. It's a very easy process to enable the firewall and we guide you through every step of the way.

      Regards,

      Mark.

      • Our hosting packages automatically include Wordfence, and some packages include Wordfence Premium. That represents 100s of sites currently, and dozens more on the Theme Surgeons side of our business. We always enable WAF, and we've never experienced a problem with it. It's well worth the attended installation, to keep a backup copy of the .htaccess files that often contain other custom rulesets, just in case. But in the hundreds we've installed we've never experienced a single instance where we needed to revert the backup file. And the protection the WAF affords us is not just unique to a single site, rather there is a utility in that the more WAFs deployed, the better the security gets for everyone.

  • hi, i discovered your plugin only a few months ago, after being hacked time after time. I must say, it made my life a lot easier, no more blocked accounts! thanks for this great plugin.

    I never enabled the WAF because I did not know what it really was or how it worked and the standard wordfence mechanisms already provide much higher level of security than without wordfence. Having read this blog post, i feel i can safely enable it now :)

    cheers

    • That's great to hear! The WAF will significantly improve the level of protection you have.

  • God bless, Wordfence.

  • Thumbs up to you guys at Wordfence...

  • Hi Mark, we are super impressed with what you guys deliver and have accomplished in such an efficient way for us users. Thanks for this update.

    In future posts, I would love to hear and learn more from you, how you are working with Total Cache, MAXcdn, Cloudflare, Cloudfront and other solutions to better and faster deliver content securely without too many conflicts.

    Also... I would love to learn more about your thoughts around reverse IP-lookup and how we can deal with that, since many of the IP addresses we accidentally and unintentionally block belong to the CDNs and other ISPs which we really don't want to block.

    Thanks

    • Thanks Kristian, will give that some thought.

      Unfortunately you can't rely on reverse IP lookup - also known as a PTR record in DNS. The reason is because anyone can change their own IP's PTR record to anything that they want. So I can get a machine at Linode and call it trusted-host.cloudflare.com if I want to.

      Instead you can use tools like whois to determine who really owns an IP.

      Mark.

  • Love your product. But i can't afford premium, could you arrange for donation via paypal for the free version.

    • The free version is completely free. We don't accept donations. Thanks.

  • While I'm pretty happy with Wordfence overall (we have around 15 premium licenses and this will probably double by the end of the year), I do have one request as a developer.

    Would it be possible to change your plugin to use SemVer (Semantic Versioning)?

    Wordfence is a critical plugin on most sites, and the impact of updates should be very obvious.

    For example 6.2.8 (which removed the Falcon Cache) would be considered a "breaking change". I would have preferred this to be released as Wordfence 7.0.0 because it requires major additional work to upgrade (1-2hrs per website).
    6.2.9 (which I think was all bugfixes) would be 7.0.1, a safe update with little effort required.

    This is just a request, but it would have made it easier for me to say to the team "don't upgrade Wordfence to version 7 if Falcon Cache is enabled until we've finished documenting the migration process".

    Again, only a minor request. Apart from that everything is working flawlessly!

    Thanks again

    • Thanks Chris. Have posted this in our internal dev channel.

      Mark.

  • Great post, thank you, Mark.

    Mark, what's the reason behind why you don't enable the 'move' login page function in Wordfence? One of my sites got so many brute force attacks that though Wordfence was doing its job, it wasn't preventing this. As such, I installed another security plugin to enable me to do it - the attacks stopped.

    I'd appreciate your take on this and your recommended best approach.

    Many thanks,
    Russ

    • We don't like security through obscurity, it adds complexity and it adds risk. Also the firewall is now very fast when an IP is blocked so the issue of CPU usage is less.

      Mark.

  • Thank you for another thorough and very interesting explanation! Because CloudFlare is mentioned in the comments once or twice, and I'm also a happy CloudFlare user, I did suspect that you used a method relatively similar to theirs (i.e. with a centralised database with all the rules), while, of course, the major difference is that CloudFlare runs a cloud service (which is the whole point of their system, after all). While they definitely block a lot of attacks, your reasoning is sound: CloudFlare, or any other firewall protection at the web server level, has no concept of how WordPress, the application, works. You can stop way more attacks because of that. And the truth is that even though I just run low-traffic websites, it's exactly those that get hit so often by hackers (because they tend to be more sloppily maintained...). So far, since I first tried WordFence for the first time, I have not had a single attack, even though I had a few scares (with some outdated 'freemium' themes that still had links to websites now present in some black lists...).

    Ironically enough, I switched to WordFence from one of your competitors mostly because you used to have the Falcon Engine — that way, I could do two different things with just one plugin :-) Since then, you have abandoned the Falcon Engine (bummer!) but kept the WAF, which your competitor's plugin didn't have. So I still get two different functionalities with the same plugin — hooray! :-)

    Nice work. I agree, these days it's really insane not to use WordFence... it's incredible how some of my websites get occasionally targeted by hackers attempting over and over again to penetrate through WordFence's defenses to no avail. Creepy. On the other hand, I imagine that most attacks come from script kiddies — the problem is that even script kiddies can get access to an unprotected website, and while they might not be able to do much harm, they can always pass along the information to serious teams of hackers. In these days where there are cyberwars between countries, and who knows what is really going on out there, it's better to be safe than sorry...

  • I've used WordPress for building about 500 sites. I went years without being hacked. I finally did have a hacker install some malware on my site. I woke up and realized I needed to protect my clients, so I tried several security solutions. I have found Wordfence to be the best solution I've tried. With WordPress being used on up to 25% of all the websites in the world, I think you'll have a growing market.

    Since I've been using Wordfence, I've not had a single bad incident with hackers.

    Thank you for helping the WordPress community; you stand out among the competition and your frequent communication with us has been helpful.

  • Hi Mark,
    5 of my Wordpress sites were recently hacked and I started looking for answers and protection for my sites.
    I came across Wordfence and have been very impressed.
    Thank you so much for taking the time and interest to develop this outstanding product.
    I enjoy and welcome the informative posts that help to explain your product and broaden my understanding of the threats.
    Well done and thanks again....

  • Wow! That's a lot. I'm just happy I found you guys. By installing your plug-in I don't have to worry about trying to figure out all the security stuff. You guys have that covered. And very well done.

  • Hi Mark. I have experienced problems previously when trying to migrate a WordPress site that has WordFence Firewall enabled and so am reluctant to use it on a Dev site that will be moved to Live, thus not being fully protected on the Dev site. Is there a set procedure that one can follow that will ensure there are no problems if the Firewall is enabled and I migrate from Dev to Live?

    Thank you for a wonderful product!

    • I second Paul's comment. What is the step by step process to migrate a site that has WAF enabled?

      • Install your new site, move your data, enable the WAF. It's easy.

  • Thanks Mark for giving us insight into how the WAF works, it's always good to know what makes the engine tick.

    I have been using WordFence for about 3 years now, it's one of the first plugins I install on every WP Install I do, for me it is a "must have" and the security WordFence provides is one of the features I tell potential customers about when I'm doing a pitch for website development work.

    I'm looking forward to the next milestone

    Lee

  • I use WordFence on all sites we develop. The number of brute force attacks has skyrocketed. One brand new site endured 1,895 brute force attacks in one day and was going at several attacks a minute. It has slowed down, but others of our sites have endured a lot of brute force attacks. Most in the hundreds per day. WordFence handled them all. None of them succeeded.

    So, thank you guys, you're doing fine work.

    David

  • First thanks for this great plugin and all your efforts to keep up and improve it!

    Second, does the firewall have any negative impact on page speed, and why not? :)

    • It has no impact. The core firewall engine is built to be incredibly fast.

  • Hi Mark,
    Let me say a big big big thank you for bringing this fantastic add-on to the Wordpress community.
    Your constant efforts to keep the system working better and better are really appreciated.
    I have been hacked one time by Iran bandits. One is enough, I guess as I had to rebuild my site piece by piece, including the database.
    Since I installed the free Wordfence version, I was able to watch the incredible number of various and vicious attacks that are taking place on the net.
    If this is not a jungle, then what is it ? Once again, a fantastic technical thing -the internet- is used the worst way by humans !

    My site is very simple, a free site, about exchange of stuff in the theatrical domain, very often free stuff, some jobs offering in the arts domain also. We also run a diaporama with theater posters. But all essentially in French, in the province of Quebec, Canada. So the scope is somewhat limited, I have to admit.

    When I realized how many attacks came from countries or people who have nothing to do on the site (i.e. they are absolutely not on the site in order to learn French !!) , I decided to switch to the premium version of Wordfence for two years, just to try it. So I left the system in learning mode for 2 weeks or so, then activated it.
    In a few words : Let me say that I have never been so happy to pay for something !
    I immediately activated the country blocking feature and ticked so many countries that you couldn't believe. After all, this is a french speaking site with a very limited geographic scope.
    In fact, french speaking people visiting Sri Lanka won't be able to connect to Troc Theatre and the so what ? They will connect when they come back home.

    Heck, what a job your Wordfence is doing ! The firewall works fine too. I am not sure if the firewall doesn't slow down the site a bit, but I don't mind too much if the site can live in peace.
    Day after day, after updating the plugins that need it, I read the Live Traffic report and every time I am stunned about the number of attacks or attack trials from everywhere on the planet.
    One attempt, one line or two lines maximum and zap, bandits are kept out of my garden, thanks to you guys.
    So I cannot recommend more your plug-in to all people who are hesitating, take the premium version. Peace of mind has so a little price.

    Thanks again Mark and all your team for bringing this fantastic tool to life.
    Michel Hanse, Montreal, Canada
    Admin and Editor of www.troctheatre.com

    • Thanks Michel for the kind feedback.

  • I use wordfence on all my wp websites. I really appreciate the plugin and your service. Wish you had something for opencart also. Keep the good work guys. Thank you.