Every website needs protection. Just like your personal computer, online servers can be targeted for attack. You need a way to keep out hackers or other sources of illegitimate traffic. That’s where firewalls come in.
What is a firewall, in short? It’s a barrier between a computer and the “outside world”.
Malicious actors can wreak havoc on your server if you leave your website unprotected and that’s why you should do everything you can to secure your WordPress site. Setting up a firewall should be one of your first orders of business.
But there are many different types of firewalls and you might not know where to begin.
Let’s go over all the types of firewalls, when you’ll need one, and how to get one set up on your server.
What Is a Firewall? What Does a Firewall Do?
Whenever you visit a website, you’re basically connecting to another computer: the web server. But because a server is just a specialized kind of computer, it’s susceptible to the same kind of attacks your own PC is.
It’s not safe to connect so directly to another device without any kind of protection in between. Once that connection is established, it’s much easier to infect the other party with malware or launch a DDoS attack.
That’s what a firewall is for. It’s the intermediary between you and any other devices trying to connect to you or, in a web server’s case, between it and the hundreds or thousands of connections it makes with others every day.
So how exactly does a firewall work?
Firewalls simply monitor incoming and outgoing traffic on a device, scanning for any signs of malicious activity. Should it detect something suspicious, it will instantly block it from reaching its destination.
It’s a big filtration system for your computer or server.
When they were first developed, firewalls were very simple packet analyzers that allowed or blocked incoming traffic based on a minimal set of predefined rules. They were very easy to bypass.
Nowadays they’ve evolved into complex pieces of programming that are much better at keeping out-attempted intrusions and are an essential piece of software for all devices.
When You Need a Firewall
You might be wondering: when is a firewall necessary? Do I really need one?
A firewall is required for any machine that connects to the internet. Not just your computer, but your web server, phone, IoT devices, or anything you can think of that has the ability to use the internet.
An unprotected device is easy pickings for intrusions and infections.
This could give hackers the ability to take over your computer, install whatever they want, monitor as you enter sensitive info like bank credentials, or even look through your webcam/camera, and listen through your microphone.
In the case of a web server, if a hacker manages to get through, they could deface your website, embed malware that infects your visitors, change your WordPress admin login credentials, or take down your site entirely.
Without a firewall, your website and even your personal devices are vulnerable to DDoS attacks, an attack vector that sends thousands or millions of fake packets to overload your server and brings your website or internet down.
Not convinced? Here’s what a firewall can protect you or your website against:
- Intrusions: Firewalls prevent unauthorized users from accessing your computer or server remotely and doing whatever they want.
- Malware: Attackers who manage to infiltrate can send malware to infect you or your server. Malware may steal personal information, spread itself to other users, or otherwise damage your computer.
- Brute force attacks: Attempts by hackers to try hundreds of username and password combinations to discover your admin (or other users’) login credentials.
- DDoS attacks: Firewalls (especially web application firewalls) can attempt to detect the influx of fake traffic that occurs during a DDoS attack.
Types of Firewalls
There are many different types of firewalls, each designed for a different situation. Some are better for single computers, while others are made for network-wide filtering.
They all work differently and are better at blocking certain kinds of traffic. If you’re wondering which you should be looking for, we’ll break down all the major types of firewalls.
Here’s a quick summary: unless you’re running your own server stack (providing a website with your own internet), the type of firewall you mainly need to worry about are personal firewalls, software firewalls, and web application firewalls.
These three are the most important. However, read more about the rest if you want to better understand how a firewall works and how they’ve evolved over the years.
Personal Firewall
Firewalls work very differently depending on whether they’re used by single computers, entire networks (such as within a business office), or web servers. A personal firewall is intended for use on just one computer. This is the firewall that comes pre-installed on Windows and Mac machines or with your antivirus software.
While it works similarly to a server firewall — allowing or rejecting connections from other devices, applications, and IPs based on a set of predefined rules — in function it acts a little differently.
Personal firewalls can protect the ports you use to connect to websites and online applications (stealthing them so attackers can’t see that they’re open), defend against attacks that slip through the network, prevent people from accessing and taking over your computer, and analyze all incoming and outgoing traffic.
They also act as application firewalls, monitoring the activity of apps on your device and refusing to allow a connection to be established with unsafe or unknown software.
These days, obtaining a personal firewall is fairly easy. If you use any modern version of Windows, there should already be one running by default.
Mac computers also come with one, though you need to turn it on yourself. To do so, navigate to System Preferences, click Security & Privacy, then click Firewall:
Antivirus software often comes with its own too. An example is Avast antivirus: its software firewall is compatible with Windows and serves as a second layer of defense.
Paid third-party personal firewalls also exist, but these can conflict with your default setup.
Hardware vs Software Firewall
Firewalls come in two distinct shapes: hardware and software firewalls. Software firewalls are downloadable programs for your computer, monitoring it all from a central control panel. Hardware firewalls provide similar functionality, but they’re physically installed in the building.
You might not know it, but you probably have a form of hardware firewall in your house: your router, the device that allows you to connect to the internet. While it isn’t exactly the same as a dedicated hardware firewall device, it provides similar functions of monitoring and allowing or denying connections.
Both software and hardware firewalls sit between your computer and the outside world, carefully analyzing any connections that try to slip through. You can have either or both of them running on your network.
There are a few downsides to hardware firewalls, however. They’re hard to set up and require ongoing maintenance, so they’re not generally suitable for single computers or very small businesses without an IT department. They can cause performance issues, especially when stacked with a software firewall. And they’re not suitable for blocking applications on a device, or user-based restrictions.
On the other hand, a hardware firewall will protect your entire network of computers easily, while setting up software for that is a more difficult task. And while an attacker can disable software if they manage to get in, they can’t tamper with a physical device.
Software firewalls are, as their name implies, better at working with programs on a computer. Blocking applications, managing users, generating logs, and monitoring users on your network are their specialty. They’re not as easy to configure network-wide, but when installed on multiple devices, they allow finer control.
Packet Filtering Firewall
The simplest type of firewall, and among the first ever developed, is the packet filtering firewalls. A packet is the data exchanged between your computer and a server. When you click a link, upload a file, or send an email, you send a packet to the server. And when you load a webpage, it sends packets to you.
A packet-filtering firewall analyzes these packets and blocks them based on a set of predefined rules. For instance, you could block packets originating from a certain server or IP address, or those trying to reach a certain destination on your server.
The downside: These types of firewalls are simple and easy to trick. There’s no way to apply advanced rules. If you allow traffic to flow through a certain port, the packet filtering firewall will let anything through, even traffic that to modern firewalls is obviously not legitimate.
The only upside to these is that they’re so simple that they have almost no impact on performance. They don’t inspect traffic, save logs, or execute any advanced functions. These days, packet filtering firewalls should be avoided or at least used alongside something more advanced, as there are much better solutions.
Stateful Firewall
After the “stateless”, simple packet filters came stateful firewall technology. This was revolutionary because instead of just analyzing packets as they come through and rejecting based on simple parameters, stateful firewalls handle dynamic information and continue monitoring packets as they pass through the network.
A simple packet filtering firewall can only block-based on static info like IP address or port. Stateful firewalls are better at detecting and blocking illegitimate traffic because they recognize patterns and other advanced concepts.
Compared to stateless firewalls, the downsides are that they’re more intensive due to storing packet data in memory and analyzing them more rigorously, plus keeping logs of what gets blocked and what passes through. But they’re a much better solution.
Web Application Firewall
While stateful technology is still used today, it alone is no longer enough to effectively keep a network safe. Application and Web Application Firewalls were the next big step.
Traditional firewalls only monitor general traffic on a network. They struggle or completely fail to detect traffic coming or going from an app, service, or other software. Application firewalls were designed to work with these programs, catching intrusion attempts that take advantage of software vulnerabilities to slip past older firewalls.
They could also function as a parental control system for a business, blocking access to certain apps and websites entirely.
Web application firewalls work similarly, but they monitor web apps instead of programs on a computer. Examples of web apps are third-party form or shopping cart plugins, which can sometimes be hijacked to send malware to your server. Without a WAF, you’re vulnerable to these attacks.
Many WAFs are cloud-based, which means you don’t need to make any radical changes to your server to set them up. But they can also exist on hardware or server software.
If you need a firewall service to protect your website, look for a cloud-based WAF like Cloudflare or Sucuri. These can be installed without having to fiddle with sensitive web host settings or set up expensive hardware.
Next-Generation Firewall
Last is the Next-Generation Firewall (NGFW), one of the most recent inventions to come out of this generation of security technology. These enterprise-grade tools are like all of the above combined into one. Deep packet filtering, intrusion prevention, and application monitoring are just a few of their huge range of networking features.
Next-generation cloud firewalls do exist as a service online, but WAFs are far more common and provide similar functionality. But if you want the absolute most advanced firewall technology available, with a full suite of security protection in one program, look for a NGFW.
How to Get a Firewall
To protect yourself and your website, you need a high-quality firewall that will keep intruders out.
As far as personal firewalls go, it’s not usually necessary to go out of your way to get one. Windows’ built-in firewall works very well with no configuration at all. And between the application firewall that often comes with your antivirus software, and the packet filter on your router, your computer is usually more than protected.
Just make sure your firewall is activated, you have a good antivirus installed, and your router is configured properly. The same thing can be said for macOS users.
But what if you have a website that needs protection?
It’s a lot different then. There’s not as many built-in tools to protect you, and often it’s up to you to secure your website. For instance, if you’re running WordPress, there’s no firewall or anything to protect your server and security plugins are one of the most common options.
WordPress developers do their best to keep the code optimized, but when vulnerabilities do arise, you have nothing to prevent intrusions.
Every site can benefit from a WAF. Online services like Sucuri, Wordfence, Cloudflare can get one set up on your server in minutes.
In addition to installing a firewall yourself, you should choose a web host that takes care of their servers properly. Too many cheap hosts don’t bother with security and it can cause huge problems if your site comes under fire.
Kinsta’s Cloudflare Integration
If your site is hosted on Kinsta, you don’t have to worry about setting up a WAF manually. All sites on our infrastructure are automatically protected by our free Cloudflare integration, which includes a secure firewall with custom rulesets and free DDoS protection. In addition to our Cloudflare integration, we also implement other security measures like brute force detection, SFTP-only file access, Google Cloud Platform VMs, a comprehensive malware removal pledge, and more.
Summary
On a modern personal computer, you don’t usually have to do much since a firewall comes pre-installed with most operating systems. As for your website, too many hosts just don’t care about securing their servers, so it becomes your job to protect yourself.
If you’re looking for a web host with reliable security infrastructure that can support a site of any size, consider Kinsta. With our free Cloudflare Integration and security guarantee, you know that you won’t fall victim to hacking. And on the rare chance they breakthrough, we’ll take steps to get rid of the malware for free.
Even if you do choose a reliable host that puts a lot of stock in security, it’s a good idea to install a web application firewall as a second line of defense. Find a good service like Sucuri, or download a WordPress security plugin, and you’ll be good to go.
Head of Content at Kinsta and Content Marketing Consultant for WordPress plugin developers. Connect with Matteo on Twitter.
The post describes Wordfence as a cloud-based firewall. That’s not accurate. Wordfence is an endpoint solution.
Thanks Adrian, we’ve updated the post.
What about smartphone apps using these tools also and on the go? How can it keep me and my logged on phone safe from home, especially with all my accounts and apps!?