Already have a Web Application Firewall (WAF) configured within Azure Front Door, managing security through two different firewalls (Wordfence and Front Door WAF) can sometimes lead to overlapping or redundant protections. Here’s an analysis to help you decide:
1. Relying Fully on Azure Front Door WAF
- Why?
- Azure Front Door WAF already protects your application at the network edge, before requests reach your server. This offloads security processing from WordPress itself.
- If the Front Door WAF is configured to handle common threats (e.g., SQL injection, XSS, bad bots), the Wordfence Firewall may be redundant.
- Recommended Action:
- Disable Wordfence’s firewall entirely and rely on Azure Front Door WAF for security.
- Keep Wordfence enabled only for login protection, malware scanning, and real-time traffic monitoring.
When to Set Wordfence Firewall to Learning Mode
1. Avoiding Conflicts During Transition
- Why?
- If you’re transitioning to using Azure Front Door WAF as the primary security layer, setting Wordfence to Learning Mode ensures it does not block legitimate requests while it adapts to your traffic patterns.
- Recommended Action:
- Set Wordfence to Learning Mode temporarily (e.g., for 7 days) to analyze traffic.
- Afterward, you can either turn it off completely or switch to “Basic Protection” mode, which is lighter.
When to Keep Both Firewalls Enabled
1. Layered Security Approach
- Why?
- Having multiple firewalls provides an additional layer of security. For instance:
- Azure Front Door WAF blocks threats at the network edge.
- Wordfence Firewall provides application-specific rules for WordPress (e.g., protecting plugins and admin paths).
- Having multiple firewalls provides an additional layer of security. For instance:
- Drawbacks:
- Higher resource usage on your WordPress server, as Wordfence processes requests after they pass through Front Door.
- Potential conflicts if the two firewalls block the same requests.
Recommended Setup for Dual Firewalls:
- Configure Azure Front Door WAF as the primary defense:
- Handle general web application threats (e.g., SQL injection, XSS).
- Block known bad bots and malicious IPs.
- Use Wordfence Firewall for application-specific rules:
- Protect admin paths (
/wp-admin,/wp-login.php). - Monitor file changes and detect malware.
- Protect admin paths (
Key Configuration Recommendations
If Disabling Wordfence Firewall:
- Turn Off Only the Firewall:
- Go to Wordfence > Firewall > Manage Firewall.
- Disable the firewall but leave other features (e.g., login protection, malware scans) active.
- Ensure Azure Front Door WAF is Properly Configured:
- Enable Azure WAF managed rulesets for:
- OWASP Core Rule Set.
- Bot Protection.
- Custom rules for WordPress paths (e.g.,
/wp-admin,/wp-json).
- Enable Azure WAF managed rulesets for:
If Keeping Wordfence Firewall in Learning Mode:
- Switch to Learning Mode:
- Go to Wordfence > Firewall > Manage Firewall.
- Set the mode to Learning Mode.
- Monitor for false positives or overlapping protections.
- Exclude Front Door Traffic:
- Add Azure Front Door’s IP ranges to Wordfence’s Allowlist to avoid blocking legitimate requests:
- Go to Wordfence > Firewall > Blocking.
- Add Azure Front Door IPs as trusted sources.
- Add Azure Front Door’s IP ranges to Wordfence’s Allowlist to avoid blocking legitimate requests:
Testing the Configuration
- Perform Admin Actions:
- Log in to
/wp-adminand verify no blocks or delays occur.
- Log in to
- Simulate Attacks:
- Test both Front Door WAF and Wordfence by simulating bad requests (e.g., SQL injection).
- Confirm which firewall blocks the attack.
Recommended Path Forward
Retain Wordfence for features like malware scanning, login protection, and file integrity monitoring.
If Azure Front Door WAF is configured effectively, it is best to disable the Wordfence Firewall to reduce redundancy and resource usage.
Let us know if you’d like guidance on fine-tuning Azure WAF rules or Wordfence settings! the KloudStack team are here to help 😊
Leave a Reply