A Web Application Firewall (WAF) for WordPress filters malicious traffic before it reaches your site, blocking common attacks like SQL injection, XSS, and brute-force login attempts.
Wordfence Security (Plugin WAF)
Wordfence is the most popular WordPress security plugin. Install it from the plugin directory. It adds a WAF, malware scanner, login protection, and firewall rules that auto-update based on emerging threats. The free version is comprehensive; the Premium tier adds real-time rule updates.
Cloudflare WAF
Cloudflare's WAF (available on Free and paid plans) filters traffic at the network edge before it reaches your server. The free plan includes a basic set of managed rules. Paid plans add the OWASP Core Rule Set and WordPress-specific managed rules.
Recommended WAF Configuration
- Block known bot signatures
- Rate-limit the login page (/wp-login.php) to 5 requests per minute per IP
- Block XML-RPC (/xmlrpc.php) if it is not needed
- Enable IP reputation blocking
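The two server-side items above (login rate limiting and XML-RPC blocking) can also be enforced directly in the web server, which protects the site even when a plugin is disabled or an edge WAF is bypassed. The following nginx server block is an added example, not configuration from the page, from Wordfence or from Cloudflare. It uses the paths named above; the zone name `wp_login`, the document root, the PHP-FPM socket path, the server name and the `set_real_ip_from` range are assumptions or placeholders.

```nginx
# Added example: nginx equivalent of the recommended WAF settings.
# Shared zone keyed by client IP, allowing 5 requests per minute
# (nginx enforces this as one request every 12 seconds plus the burst below).
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=5r/m;

server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/wordpress;            # assumed document root
    index index.php;

    # If Cloudflare sits in front, restore the visitor's real IP first.
    # Without this every visitor shares Cloudflare's edge addresses and the
    # rate limit would throttle all of them together. Replace the range with
    # Cloudflare's published IP list; 203.0.113.0/24 is a documentation placeholder.
    set_real_ip_from 203.0.113.0/24;
    real_ip_header CF-Connecting-IP;

    # Login page: 5 r/m per IP, a burst of 5 served immediately, then HTTP 429.
    location = /wp-login.php {
        limit_req zone=wp_login burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }

    # XML-RPC: refuse outright when nothing (Jetpack, the mobile app) needs it.
    # An exact-match location takes priority over the regex PHP handler below.
    location = /xmlrpc.php {
        return 403;
    }

    # Normal WordPress routing.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
}
```

Validate with `nginx -t` before reloading. The `limit_req_zone` directive must sit in the `http` context (outside `server`), and the real-IP directives matter only when a proxy or CDN is in the path; on a directly exposed server, omit them so that a client cannot spoof its address by sending its own `CF-Connecting-IP` header. Pair the 429 responses with log monitoring so repeat offenders feed into the IP reputation blocking recommended above.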