84% of applications tested by Trustwave had one or more vulnerabilities.

With the rise of web threats, any web application needs to have a proper firewall in place to protect from attacks for non-disruptive online business operations.

Having vulnerable files, plugin, software, or misconfiguration on your server can expose to a security risk, which may have the financial and reputational loss.

Multiple online tools can help you to find security vulnerabilities and malware for FREE. However, when it comes to fixing or protecting them, then you got to spend a little bit.

Well, you might have heard about “Mod Security,” which is free Web Application Firewall (WAF), and you may consider using it with your web servers like Apache, Nginx, etc. Mod Security can be good protection to websites, but that requires a significant level of configuration knowledge and continuous maintenance.

If you don’t want to own a maintenance & configuration headache then following Cloud-Based Security Provider (CBSP) will help you to protect your website from online threats automatically.

Cloudflare

Cloudflare is a big player in a CDN with more than 75% market share and provides WAF with PRO plan. Cloudflare WAF safeguards you from OWASP top 10 vulnerabilities and automatically protects from following types of attacks.

  • SQL injection
  • SPAM protection
  • XSS
  • DDoS attacks
  • Application specific vulnerabilities like WordPress, Joomla

You can enjoy Cloudflare Rule Set and OWASP Mod Security Core Rule Set WAF with their Pro plan.

The Rule Set is based on frequent attacks found on their network on following popular applications.

  • Atlassian
  • Drupal
  • Flash
  • Joomla
  • Magento
  • PHP
  • Plone
  • WordPress
  • WHMCS

Along with the above rule set, they have “Cloudflare Special” which can help you with more than 80 attack types including some of the common ones as follows.

  • Empty User-Agent
  • Numbers Botnet
  • SQLi probing
  • ShellShock
  • Block Semalt crawler
  • SVG XSS attempt
  • Null cookie headers
  • Prevent fake search engine (Google, Baidu, Yandex) bots from crawling
  • Brute force attacks

cloudflare-waf

SUCURI

SUCURI has two security services – Website Security Platform and WAF.

If you are just looking for WAF protection, then you can start with Sucuri Firewall basic plan, which covers the following.

  • XSS (Cross Site Scripting)
  • RCE (Remote Code Execution)
  • SQLi (SQL injection)
  • Layer 7 DDoS protection
  • Brute Force protection
  • Intrusion Detection System
  • Intrusion Prevention System
  • HTTP Flood protection
  • 2FA, Captcha and Password protection
  • Black hack attempts

sucuri-waf

SUCURI supports various platforms including WordPress, Joomla, Drupal, Magento, OSCommerce, vBulletin, phpBB.

StackPath

StackPath analyzes all the incoming requests to your site or API and allows only legitimate traffic. It stops all the bad guys, bots, spams and malicious requests at their edge network.

The great thing is you don’t need to know anything to configure. Everything is virtually doable through their easy-to-follow interface. And, as you can see below, it is not just OWASP top 10, but they also got their own inbuilt custom rules.

StackPath also let you create your own custom rules for a complex requirement. For example, you can allow or block based on IP, country, URL/URI. You get to see real-time insights of security events including the following.

  • Top threat origins and action
  • Detailed event with IP, action, country, timestamp, triggered rules

Again, you don’t have to worry about managing the rules to prevent the new vulnerability as this is done periodically by StackPath.

Wondering how much does it cost? Here are quick details on WAF pricing.

Cloud-Based Security Provider Pricing (starting from in USD) per month
SUCURI $9.99
Cloudflare $20
StackPath $10

It’s always wise to check the price on the official website as they might have an offer from time-to-time.

There are many other WAF providers like Incapsula, AKAMAI, F5, Dyn, AWS but they are more suitable for enterprise and above for blogger, small to medium business. Implementing above listed WAF won’t take more than 10 minutes so go ahead and secure your site today!