3 Oct 2023

MalCare Marketing Highlights Common False Claims Made About WordPress Firewall Solutions

Last week we looked at one way a WordPress security provider named MalCare markets their service with false claims. In that case, it was through made-up stats about their service, which, when you added things up, amounted to a claim that a fifth of their customers are getting hacked every year. That is despite claiming to have a “deeply integrated, real-time WordPress Firewall to block the most sophisticated attacks”. The marketing for that firewall is filled with the false claims you run across over and over from less than honest security providers marketing firewall solutions for WordPress.

Below we do quick breakdowns of why some of those claims are false. Understanding that can help to cut through the BS to find solutions that really work. [Read more]

12 Sep 2023

A Proxy Based WAF Provides Limited Protection Against WordPress Plugin Vulnerabilities

When it comes to protecting WordPress based websites against the threat of plugin vulnerabilities, there are a lot of options available. Like security solutions in general, most of them do not do a very good job of what they are capable of doing. If they did, security would be in much better shape than it is. Making things worse, security solutions are often treated as if they solve problems they do not. Recently, someone mentioned to us that a client of theirs had chosen a proxy based WAF over our service for protecting against WordPress plugin vulnerabilities, which is odd, since the two things are quite different. A proxy based WAF is not a good alternative to a service like ours, for a variety of reasons.

What is a proxy based WAF? WAF is short for web application firewall. Like a lot of security terminology, the term is often misused. An actual WAF is a security system that is separate from the software running on a website. So a WordPress firewall plugin, which runs inside WordPress itself, is not a WAF, though such plugins are often mislabeled as WAFs. A proxy based WAF means that the website’s traffic runs through the WAF before reaching the website, so that attacks can be stopped before they reach it. These days, when someone just says WAF, they are talking about a proxy based WAF. [Read more]
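To make the architecture concrete, here is an added illustration (not code from this post, from MalCare, or from any WAF vendor) of a proxy-style WAF placed in front of an application: the proxy inspects each raw request against pattern rules before the application sees it. It also shows one reason such a WAF gives limited protection against plugin vulnerabilities, which is an assumption on our part rather than a claim from the post: an exploit of a missing authorization check is a well-formed request with nothing suspicious in it, so no pattern rule fires, and only a fix in the plugin itself stops it. The plugin action name `hypo_set_role`, the handlers and the sample requests are all hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of what the proxy sees (path and form body) plus the
    caller's session role as the application would later resolve it."""
    method: str
    path: str
    body: dict = field(default_factory=dict)
    caller_role: str = "subscriber"


# Simplified stand-ins for the pattern rules a generic proxy WAF ships with.
SIGNATURE_RULES = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(r"\bunion\b[\s\S]*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


def waf_inspect(req):
    """Proxy-side check, run before the request reaches the application.
    Returns (allowed, matched_rule_name)."""
    candidates = [req.path, *(str(v) for v in req.body.values())]
    for name, rule in SIGNATURE_RULES.items():
        if any(rule.search(c) for c in candidates):
            return False, name
    return True, None


def vulnerable_set_role(req, users):
    """Hypothetical plugin handler with a missing capability check: anyone who
    can reach the action may change any user's role."""
    users[req.body["user_id"]] = req.body["role"]
    return "updated"


def fixed_set_role(req, users):
    """The same handler with the authorization check the plugin should have."""
    if req.caller_role != "administrator":
        return "forbidden"
    users[req.body["user_id"]] = req.body["role"]
    return "updated"


def serve(req, users, handler):
    """Full request path: proxy WAF first, then the application handler."""
    allowed, rule = waf_inspect(req)
    if not allowed:
        return "blocked by WAF rule: " + rule
    return handler(req, users)


# Constructed sample traffic (not captured from any real site).
SQLI_PROBE = Request("GET", "/?s=' or 1=1")
ESCALATION = Request(
    "POST",
    "/wp-admin/admin-ajax.php?action=hypo_set_role",  # hypothetical action
    {"user_id": "subscriber_7", "role": "administrator"},
    caller_role="subscriber",
)


def run_demo():
    """Run both sample requests through the proxy and each handler."""
    users_vuln = {"subscriber_7": "subscriber"}
    users_fixed = {"subscriber_7": "subscriber"}
    return {
        "sqli": serve(SQLI_PROBE, {}, vulnerable_set_role),
        "escalation_vulnerable": serve(ESCALATION, users_vuln, vulnerable_set_role),
        "role_after_vulnerable": users_vuln["subscriber_7"],
        "escalation_fixed": serve(ESCALATION, users_fixed, fixed_set_role),
        "role_after_fixed": users_fixed["subscriber_7"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key + ": " + str(value))
```

The noisy SQL injection probe is caught at the proxy, but the privilege escalation request passes every rule because it is indistinguishable from a legitimate admin action; whether it succeeds depends entirely on whether the plugin checks the caller's capability.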

6 Jun 2023

Akamai Warns Their Web Application Firewall (WAF) Doesn’t Protect WordPress and WooCommerce Websites

So often, what passes for security journalism misses the important details in claims made by the security providers that are the sole source for its stories. Take, for instance, a recent story that popped up in a Google News alert we have set up for stories about WordPress plugin vulnerabilities. That story, by Roger Montti at the Search Engine Journal, claimed that the ecommerce platforms WordPress and WooCommerce were being targeted by a hacking campaign (no explanation was provided for classifying WordPress and WooCommerce as separate platforms). Nothing in the story suggests what would have made this hacking campaign noteworthy, but it did mention a recommendation that is noteworthy. It said that using a web application firewall (WAF) is recommended to protect against this hacking campaign, but the sole source for the story, Akamai, itself said those don’t work against these attacks:

Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side. [Read more]