Best Firewall Setup for WordPress Servers

1. The Edge Layer: Cloudflare WAF

The cheapest attack to deal with is the one that never reaches your server. Pointing your DNS at Cloudflare with the proxy enabled puts its Web Application Firewall (WAF) in front of the origin as a reverse proxy, so the work of absorbing and blocking bot traffic is done on Cloudflare's network rather than on your VPS. The proxy only helps if the origin's real IP cannot be reached directly, so pair it with the network layer below.

  • JS Challenges: Force suspicious traffic to complete a non-interactive browser challenge (Cloudflare's Managed Challenge is the current form), which most scanners and credential-stuffing scripts cannot pass.
  • Geoblocking: If your business only operates in one country, block all other traffic at the edge. Country lookups are coarse and trivially bypassed with a proxy or VPN, so treat this as noise reduction rather than a security boundary.
  • Custom Rules: Create a rule to “Challenge” any request to wp-login.php or xmlrpc.php that doesn’t come from your known IP address. If nothing legitimate (Jetpack, the mobile app) uses XML-RPC, block xmlrpc.php outright instead of challenging it.

2. The Network Layer: UFW (Uncomplicated Firewall)

On your Ubuntu VPS, the system firewall is the last gatekeeper, and the only one left if an attacker finds the origin IP and skips the edge entirely. UFW is only a front end for the kernel's netfilter packet filter (iptables/nftables), so the filtering itself is fast and adds negligible overhead.

  • The “Deny All” Strategy: Block everything by default and only open the specific ports you need:
    • 80/443 (HTTP/S): For web traffic. If Cloudflare proxies the site, allow these only from Cloudflare's published IP ranges so nobody can bypass the edge by hitting the origin directly.
    • Custom SSH Port: For your management access, ideally restricted to your own IP range. A non-default port cuts log noise but is not a security control on its own; keep key-only authentication.
  • Command (add the SSH rule before the default-deny, or your current session is the last one you get): sudo ufw allow <ssh-port>/tcp && sudo ufw allow 80,443/tcp && sudo ufw default deny incoming && sudo ufw enable
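The edge rule from section 1 and the origin lockdown from section 2 only work together, so here is an added example (not code from the original post) that plans the UFW rule set for a WordPress origin behind Cloudflare: 80/443 opened only to the proxy's ranges, the SSH allow written before the default-deny. The SSH port, the admin network and the edge ranges are placeholders you must replace.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: plan the UFW rule set for a
# WordPress origin that sits behind Cloudflare. The function prints the
# commands in a lock-out-safe order instead of running them, so you can read
# the plan first and pipe it to "sudo sh" once it looks right.

SSH_PORT="${SSH_PORT:-2222}"                 # assumption: your custom SSH port
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # assumption: your management network (RFC 5737 placeholder)

# Placeholder edge ranges (RFC 5737 documentation networks). On a real server
# replace them with the published lists:
#   curl -s https://www.cloudflare.com/ips-v4; curl -s https://www.cloudflare.com/ips-v6
EDGE_RANGES='198.51.100.0/24
192.0.2.0/24'

# Matching edge rule (Cloudflare custom rule expression, action "Managed
# Challenge"); field names are Cloudflare's, the network is the same placeholder:
#   (http.request.uri.path in {"/wp-login.php" "/xmlrpc.php"}) and not ip.src in {203.0.113.0/24}

# Reject anything that is not a plausible TCP port. A typo in the SSH rule is
# the classic way to lock yourself out of your own VPS.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the ufw commands. Order matters: the SSH allow comes before the
# default-deny and before enable, so a live SSH session survives the change.
ufw_plan() {
  valid_port "$SSH_PORT" || { echo "refusing to plan: bad SSH_PORT '$SSH_PORT'" >&2; return 1; }
  echo "ufw allow from $ADMIN_CIDR to any port $SSH_PORT proto tcp"
  # Web ports are opened only to the edge network, so the origin cannot be
  # reached on its bare IP once the proxy sits in front of it.
  printf '%s\n' "$EDGE_RANGES" | while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "ufw allow from $cidr to any port 80,443 proto tcp"
  done
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw --force enable"
}

# Sanity check: how many edge ranges the plan actually covers.
edge_rule_count() { ufw_plan | grep -c 'port 80,443'; }

# Uncomment to apply on the server itself:
# ufw_plan | sudo sh
```

Run `ufw_plan` and read the output before piping it anywhere; if `edge_rule_count` does not match the number of ranges you fetched, an empty or malformed line slipped into the list.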

3. The Transport Layer: Fail2Ban

Fail2Ban is a “dynamic” firewall only in the loose sense: it is a daemon that tails your logs and, when a behavioural pattern matches often enough, inserts a temporary ban for that address into iptables/nftables.

  • Automated Banning: If an IP generates too many 403 errors (vulnerability scanning) or failed logins, Fail2Ban drops its packets at the network level. Note that a failed WordPress login returns HTTP 200 (the form simply re-renders), so a filter for wp-login.php must count POST requests to it rather than 403s.
  • Persistence: Set a “bantime” of 24 hours or more and enable bantime.increment so repeat offenders get progressively longer bans. A fixed ban is never permanent, but escalation comes close and keeps the noise out of your server logs.
  • Behind a proxy: With Cloudflare in front, the access log shows Cloudflare's edge IPs unless NGINX restores the client address from CF-Connecting-IP via the realip module; ban the wrong field and you block the edge, not the attacker. Even with the real IP restored, a local iptables ban does not stop traffic that still arrives through the proxy, so use Fail2Ban's cloudflare action (action.d/cloudflare.conf) to push the ban to the edge as well.
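An added example (not from the original post) of a wp-login.php jail and of checking its filter offline: the script translates a Fail2Ban failregex into a grep pattern and runs it over a few constructed NGINX access-log lines, so you can see which addresses would trip maxretry before touching /etc/fail2ban. The log lines and IPs are made up; on a real server use fail2ban-regex against the actual log.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a Fail2Ban jail for WordPress
# login brute force plus an offline check of the filter regex against
# constructed nginx access-log lines.

# WordPress re-renders wp-login.php with HTTP 200 on a failed login and
# redirects (302) on success, so a filter keyed on 403 never fires. Match
# POSTs that came back 200 instead. <HOST> is Fail2Ban's own placeholder.
FAILREGEX='^<HOST> .* "POST /wp-login\.php[^"]*" 200 '
MAXRETRY=5

# Constructed sample log (nginx combined format). The first field is only the
# real client IP if ngx_http_realip_module trusts CF-Connecting-IP; otherwise
# it is a Cloudflare edge address and banning it would hurt you, not the attacker.
ACCESS_LOG='203.0.113.5 - - [10/Oct/2024:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Turn the Fail2Ban pattern into POSIX ERE for grep: <HOST> becomes an IPv4 matcher.
HOST_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
ERE="${FAILREGEX%%<HOST>*}$HOST_RE${FAILREGEX#*<HOST>}"

# "count ip" for every address with at least one failed login.
failed_logins() {
  printf '%s\n' "$ACCESS_LOG" | grep -E "$ERE" | awk '{print $1}' | sort | uniq -c | awk '{print $1, $2}'
}

# Failed-login count for a single address (0 if none).
hits_for() {
  failed_logins | awk -v ip="$1" 'BEGIN {n = 0} $2 == ip {n = $1} END {print n}'
}

# Addresses this jail would ban (findtime is ignored in this offline check).
offenders() {
  failed_logins | awk -v max="$MAXRETRY" '$1 >= max {print $2}'
}

# Write the filter and jail under $1 (use /etc/fail2ban on the server).
write_fail2ban_config() {
  mkdir -p "$1/jail.d" "$1/filter.d"
  cat > "$1/filter.d/nginx-wp-login.conf" <<EOF
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
  cat > "$1/jail.d/wordpress.local" <<EOF
[nginx-wp-login]
enabled  = true
port     = http,https
filter   = nginx-wp-login
logpath  = /var/log/nginx/access.log
maxretry = $MAXRETRY
findtime = 10m
bantime  = 24h
# Escalate for repeat offenders instead of treating 24h as "permanent".
bantime.increment = true
bantime.maxtime   = 4w
EOF
}
```

With the sample above, `offenders` names only the scripted client; the legitimate user's single typo and successful 302 login never reach maxretry. Keep the jail's `port` and `banaction` in mind when the site is proxied: add the cloudflare action to the jail so the ban is applied where the traffic actually enters.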

4. The Application Layer: ModSecurity (Open-Source WAF)

If you want a WAF on your own hardware, ModSecurity is the standard. It plugs into NGINX (libmodsecurity v3 via the ModSecurity-nginx connector) or Apache (mod_security2) and inspects the actual content of HTTP requests, including bodies, rather than just headers and paths.

  • Feature: It uses the OWASP Core Rule Set (CRS) to detect and block common exploits like SQL Injection, Cross-Site Scripting (XSS), and Local File Inclusion (LFI). CRS scores each request against many rules and blocks once the anomaly score crosses a threshold, so a single noisy rule can tip legitimate traffic over the line.
  • The Catch: It requires manual tuning. Run it in SecRuleEngine DetectionOnly first, enable the CRS WordPress exclusion profile, and review what fires before switching to blocking. Configured too strictly, it breaks WordPress AJAX and REST functionality (like the Block Editor): saving a post sends HTML inside JSON to /wp-json/, which looks exactly like an XSS payload to CRS.
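The tuning loop the “Catch” describes, as an added example that is not from the original post: a detection-only ModSecurity configuration with the CRS WordPress exclusion profile (CRS 3.x syntax assumed), and a small report that tallies which CRS rules fired on which URIs from constructed NGINX error-log lines. The include paths and the log lines are assumptions; the rule IDs are CRS's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the ModSecurity tuning workflow
# for WordPress. Part 1 writes a detection-only config; part 2 summarises what
# fired so you can write targeted exclusions before turning blocking on.

# Constructed sample of ModSecurity-nginx messages as they appear in
# /var/log/nginx/error.log while SecRuleEngine is DetectionOnly (other
# fields trimmed). Rule ids are real CRS ids; clients and URIs are made up.
ERROR_LOG='2024/10/10 13:55:36 [error] 1234#1234: *5 [client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-json/wp/v2/posts/12"]
2024/10/10 13:55:37 [error] 1234#1234: *6 [client 203.0.113.5] ModSecurity: Warning. [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [uri "/wp-json/wp/v2/posts/12"]
2024/10/10 13:56:02 [error] 1234#1234: *7 [client 203.0.113.5] ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-json/wp/v2/posts/12"]
2024/10/10 13:57:11 [error] 1234#1234: *9 [client 198.51.100.7] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/?s=1%27+or+1%3D1"]
2024/10/10 13:57:11 [error] 1234#1234: *9 [client 198.51.100.7] ModSecurity: Warning. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/?s=1%27+or+1%3D1"]'

# "count id uri", most frequent first. 949110 is the CRS blocking-evaluation
# rule: it says a request would have been blocked, not which rule caused it.
rule_hits() {
  printf '%s\n' "$ERROR_LOG" \
    | sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' \
    | grep -v '^949110 ' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Rule ids that fired on REST API paths: candidates for a per-path exclusion,
# never for a global SecRuleRemoveById. The search-form SQLi hit is left alone.
rest_noise_ids() {
  rule_hits | awk '$3 ~ /^\/wp-json\// {print $2}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Write the NGINX-side ModSecurity config under $1 (e.g. /etc/nginx/modsec).
write_modsec_config() {
  mkdir -p "$1"
  cat > "$1/modsecurity-wordpress.conf" <<'EOF'
# Start in detection mode: log what CRS would block, break nothing.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# CRS 3.x: paranoia level 1 and the built-in WordPress exclusion profile
# (relaxes rules for wp-admin/admin-ajax.php and the REST API). Set these
# either here or in crs-setup.conf, not in both places.
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1"

Include /etc/nginx/modsec/coreruleset/crs-setup.conf
Include /etc/nginx/modsec/coreruleset/rules/*.conf

# Local tuning uses the 1-99999 id range reserved for custom rules. Shape of a
# targeted exclusion derived from rule_hits (assumed path, assumed rule):
# SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts" "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=941160"

# Once real traffic has run clean for a few days:
# SecRuleEngine On
EOF
}
```

Read `rule_hits` after a day of editors using the site; anything that fires only on /wp-json/ or admin-ajax.php for logged-in users is tuning noise, while the libinjection SQLi hit on the public search form is exactly what you want to keep blocking.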

5. The “Plugin” Layer: Application Firewall

Only after the layers above are set should you consider a plugin-based firewall (like Wordfence) or a web-server rule set (like 7G Firewall, which is an .htaccess/NGINX ruleset rather than a plugin).

  • The Role: Use these for application-specific rules, such as blocking PHP execution inside /wp-content/uploads/ (a web-server rule, which 7G-style rulesets provide and which the plugin runtime cannot enforce) or monitoring file integrity (Wordfence).
  • Optimization: A PHP-based firewall such as Wordfence runs as a plugin by default, which means after WordPress has already bootstrapped and loaded other plugins. Load it via auto_prepend_file instead (in php.ini, a .user.ini, or a php-fpm pool php_admin_value) so it inspects the request before any WordPress code runs.
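The two web-server settings this layer depends on, as an added example (not from the original post): loading the PHP firewall through a php-fpm pool override, and refusing to execute PHP under wp-content/uploads at the NGINX level. The site root, the loader file name and the snippet paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Paths are assumptions.
# 1. Load a PHP-level firewall before WordPress via the php-fpm pool.
#    php_admin_value cannot be overridden by ini_set() or .user.ini, which a
#    compromised plugin could otherwise use to switch the WAF off.
# 2. Deny PHP execution under wp-content/uploads in NGINX, so a webshell that
#    does land there is served as an inert file instead of executed.
SITE_ROOT="${SITE_ROOT:-/var/www/example.com}"              # assumed
WAF_LOADER="${WAF_LOADER:-$SITE_ROOT/wordfence-waf.php}"    # assumed: loader file written by the plugin's WAF setup

# Drop this into the pool directory (e.g. /etc/php/8.3/fpm/pool.d/) and reload php-fpm.
write_php_fpm_pool_snippet() {
  cat > "$1/zz-waf.conf" <<EOF
; php-fpm pool override: runs before every script in this pool
php_admin_value[auto_prepend_file] = $WAF_LOADER
EOF
}

# Same pattern NGINX will use: any PHP-ish extension anywhere below uploads/.
UPLOADS_PHP_RE='^/wp-content/uploads/.*\.(php[0-9]?|phtml|phar)$'

# Include this inside the server block, before the generic PHP location.
write_nginx_snippet() {
  cat > "$1/wp-hardening.conf" <<EOF
# Must appear before the generic "location ~ \\.php\$" fastcgi block, because
# NGINX picks the first matching regex location.
location ~* $UPLOADS_PHP_RE {
    deny all;
}
EOF
}

# Returns 0 if the NGINX rule above would deny this request path (case-insensitive, like ~*).
uploads_php_blocked() {
  printf '%s\n' "$1" | grep -Eiq "$UPLOADS_PHP_RE"
}
```

After reloading, confirm the order of the location blocks with `nginx -T` and request a harmless test file such as /wp-content/uploads/test.php: a 403 means the rule is in front of the fastcgi block, a PHP error or blank 200 means it is behind it.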
