30 Jun 2023

Automattic’s Web Application Firewall (WAF) Failed to Provide Protection Against Zero-Day That WordPress Firewall Plugins Did

When it comes to securing WordPress websites, it is very common to find people assuredly claiming that WordPress firewall plugins provide less protection than web application firewalls (WAFs) from web hosts or cloud security providers, without any evidence to back that up. Take one new WordPress security provider, Snicco, that claims they offer the “only WordPress plugin smashing real security threats overlooked by the WordPress ecosystem”, who made a claim along those lines:

A general-purpose WAF that checks for bad request parameters, SQL injection, or similar offenses is orders of magnitude faster and more effective at the web server level or CDN level.

Recently, the company closely associated with WordPress, Automattic, disclosed a major security failure on their part. They said that customers of two of their hosting platforms, Pressable and WP Cloud, had been hacked and they failed to look into those for over three weeks. That involved a vulnerability in a WordPress plugin named Ultimate Member that was discovered and exploited by a hacker. Both of those hosting platforms have WAFs.

Here is how Pressable’s security is promoted:

The team at Pressable is committed to delivering the highest possible level of security and peace of mind. If we identify a vulnerability, malware, or other threats to your site, we’ll inform you right away. Our expert support team can then help guide you through restoring your site to its normal functionality and securing it against further attacks. Rest assured, our team is here with you every step of the way.

And here is how Pressable’s WAF is promoted:

All websites hosted by Pressable include a web application firewall (WAF), which is a layer 7 protocol that protects against common attacks by hackers. The WAF monitors, identifies, filters, and blocks malicious activity from a web service but allows other HTTP traffic through with no problem. It protects web applications from many application-layer attacks like XSS or cross-site scripting, cross-site forgery, cookie poisoning, file inclusion, and SQL injection, among others.

Application attacks can get through to your valuable data and are the number one cause of data breaches. With a good Web Application Firewall placed in front of web applications to shield between the applications and the internet, attacks that aim at compromising your system are blocked. In addition, a WAF is a reverse-proxy type that protects servers from exposure since before clients can reach the server, they must pass through the WAF first.

And here is how the security of WP Cloud is promoted:

WP Cloud is incredibly secure and comes with the option to include or sell additional client-facing security features, including real-time backups, anti-spam, and malware scanning.

Automattic’s WAF couldn’t be called effective there since it failed to block the attacks or warn about them. But what about WordPress firewall plugins?

WordPress Firewall Plugins Provided Protection

Earlier today, we released the results of testing we did to see whether 32 WordPress security plugins protected against the way this vulnerability was being exploited. We found that 2 firewall plugins provided protection. Critically, their protection already existed before this vulnerability was known about. So they provided effective protection, while the WAFs didn’t. That isn’t surprising: by being tied in to WordPress, firewall plugins have access to information that WAFs don’t, and they can use it to offer better protection.

Automattic’s Commitment?

After admitting they didn’t do a good job here, Automattic made this claim about a commitment to security:

We are committed to ensuring your website’s protection against these types of vulnerabilities.

That is hard to square with them using security solutions known to provide less protection than is possible.
