Many of us have heard of “firewalls” in terms of hardware or software, and how they protect an asset like a network or a computer from external attack. Well, a web application isn’t exempt from the list of “assets” that one may need to protect when working (or playing) on the Internet.
Essentially, what a WordPress firewall will do is protect the WordPress installation (and in most cases all added files) from third-party attack. The software filters any commands before they reach any executable script in order to ensure integrity. Mostly this involves adding commands to the .htaccess file, which is processed before any scripts (including PHP scripts).
There are plugins available that allow you to decide on the various layers of protection that you desire. This is done through a graphical interface in the WordPress dashboard, so you do not need to understand any complex commands. You simply make your changes using an interface most WordPress users are familiar with and the software will “write” the commands for you.
Basic Firewall Protection:
At a minimum you should enable the basic file protection with this plugin. This will deny scripts access to modify the .htaccess and wp-config.php files, disable the server signature (thus preventing display of version information), and limit file uploads to 10MB.
Separately, you can enable pingback protection, which disables access to the xmlrpc.php file. Of course, only do this if you are not already leveraging the WP XML-RPC functionality. This, among other things, may give you protection against some forms of Denial of Service (DoS) attacks.
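To make the basic settings above concrete, here is an added illustration of the kind of .htaccess rules that implement them. It is a constructed example, not the plugin's own output, and it assumes Apache 2.4 with AllowOverride permitting these directives and that the protection is applied by denying web requests to the named files.

```apache
# Illustrative .htaccess fragment (constructed example, Apache 2.4 syntax).
# Not taken from any plugin; assumes AllowOverride permits these directives.

# Basic file protection: refuse web requests for the files that hold
# the rewrite/firewall rules and the database credentials.
<Files ".htaccess">
    Require all denied
</Files>
<Files "wp-config.php">
    Require all denied
</Files>

# Do not append the server version footer to server-generated pages
# such as error documents and directory listings.
ServerSignature Off

# Cap the request body, and therefore uploads, at 10MB
# (10 * 1024 * 1024 = 10485760 bytes).
LimitRequestBody 10485760

# Pingback protection: refuse all requests to xmlrpc.php.
# Leave this out if anything on the site relies on WordPress XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Because these rules live in the same .htaccess file that WordPress and other plugins write to, a syntax error or an overly broad rule here affects every request to the site.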
Additional Firewall Protection:
This section has some intermediate and advanced firewall settings that can be employed.
It’s a really good idea to back up the .htaccess file before activating any of these features, as they can potentially break the functionality of other plugins. A lot of times those plugins will have a section in their FAQ to indicate that possibility. This security/firewall plugin makes it simple to back up the .htaccess file, so it’s worth performing those couple of clicks to make it happen.