Web Application Firewall (WAF): What It Is And How To Use It

by Luke Odom
Web Application Firewall (WAF): What It Is And How To Use It thumbnail

Ever tried to get into a hot nightclub in Vegas?

Stay with me here.

Even if you haven’t, you’re probably familiar with the concept of bouncers. Among other things, they’re responsible for eyeing the lineup — and kicking out anyone dressed in flip flops, a raggedy tee shirt, or an animal-themed onesie that would not only make them overheat but would definitely overshadow the famous DJ.

Just like those bouncers, web application firewalls (WAFs) review all the traffic trying to reach a web app so that security professionals, as well as regular ol’ website owners and managers, don’t have to worry about any riff-raff making its way in.

Ready to fast-track your WordPress website security by taking advantage of WAFs?

This article will introduce you to the core concepts of WAF and how to bring this security method to your WordPress website.

What Is A Web Application Firewall (WAF)?

Diagram shows how a web application firewall works, with the WAF filtering traffic before it hits the server.

Usually, when someone just says “firewall,” they’re referring to network firewalls. These are security tools that automatically monitor traffic on your network and choose to allow or block visits to/from certain sites and sources based on predetermined security rules.

This kind of firewall is a barrier between trusted networks, like websites a cybersecurity team has already vetted, and untrusted networks, like unknown sites hackers could use to break into your systems and collect data.

DreamHost Glossary


A network is a group of computers that share resources and communication protocols. These networks can be configured as wired, optical, or wireless connections.

Read More

A web application firewall (WAF) is a type of firewall that’s configured to work specifically with web apps.

What’s that mean, exactly? Let’s dive deeper.

How WAF Technology Protects Web Applications

WAFs “watch” bi-directional web-based (HTTP/HTTPS) traffic moving between web applications and the internet, sussing out and shutting down malicious actors before they make it to your web application. WAFs do so via filtering, monitoring, and blocking bad traffic and application layer attacks.

Here are the main methods WAFs deploy to filter through requests and eliminate the worst of them before they hit the web server:

  • Blocklist WAFs: This approach blocks certain types of traffic, not precise sources.
  • Allowlist WAFs: This stops all traffic by default, allowing only approved traffic to pass. Though this can be a more secure approach, it may also hold up unanticipated but totally legitimate traffic.
  • Hybrid WAFs: This WAF model is exactly what it sounds like — it combines elements of both blocklisting and allowlisting simultaneously.

WAFs are helpful against attacks like cross-site forgery, file inclusion, DDoS attacks, SQL injections, cookie manipulation, Man-in-the-Middle (MiTM) attacks, cross-site scripting (XSS), and others.

A trustworthy, modern WAF will help secure apps against the Open Web Application Security Project list of security risks, known as the OWASP Top 10.

WAFs Vs. Next-Generation Firewalls

A next-generation firewall (NGFW) is a type of firewall that combines WAF features with those of traditional network firewalls.

It does this by monitoring incoming network requests and managing traffic on private networks.

While WAFs and NGFWs overlap when it comes to functionality, their core responsibilities and capabilities differ.

WAFs focus wholly on preventing web attacks to secure internet-facing and cloud-native applications.

Next-generation firewalls go a bit further. Yes, they provide antivirus and anti-malware capabilities, but they can also enforce user-based security policies and gather information to aid in decision-making when addressing possible threats.

Get Content Delivered Straight to Your Inbox

Subscribe to our blog and receive great content just like this delivered straight to your inbox.

The 3 Types Of Web Application Firewalls

Types of web application firewalls – hardware-, software-, and cloud-based –are shown with purple icons.

Web application firewalls typically take three main forms:

1. Hardware-Based Web Application Firewall

This type of application firewall is deployed on a physical hardware appliance, which is installed within the local area network (LAN) near your web and application servers.

Advantages: It offers fast speed and performance due to its physical proximity to the server, enabling it to track and filter data packets with minimal latency.

Disadvantages: Like most real estate these days, owning and maintaining a physical WAF can be costly because it needs to occupy physical space. Expenses include acquisition, installation, storage, and upkeep.

Best for: Hardware WAF solutions work well for large organizations with high traffic and high budgets. Big companies need efficient speed and performance and can support the associated costs.

2. Software-Based Web App Firewall

Software-based WAFs are installed on a virtual machine (VM) rather than a physical appliance. From there, the actual functionality is similar to hardware-based WAFs. It’s important to remember that users will need to run and maintain the VM to use this solution.

Advantages: It’s flexible. You can use it both in an on-premises setup and in the cloud by connecting to cloud-based servers. It’s also more affordable than hardware-based WAFs.

Disadvantages: Running in a virtual machine naturally results in higher latency, making a software WAF all-around less speedy.

Best for: Software WAFs are a good fit for organizations using cloud-based servers. Additionally, they’re great for small to medium businesses that need cost-effective web application protection but don’t have massive traffic demands.

3. Cloud-Based WAF Deployment

SaaS (software-as-a-service) companies provide and manage the newest iteration of WAFs. The components are entirely in the cloud, requiring no installations.

Advantages: Cloud-based WAFs are quite simple for end users. They simply need to pay for a subscription plan; the service provider handles all ongoing maintenance.

Disadvantages: Limited customization options for users since the service provider manages the WAF technology.

Best for: We recommend WAF via cloud for small and even medium-sized organizations without the space for physical storage or the money or staff to deal with manual maintenance.

Why Use A Web App Firewall?

WAF, or any form of application-focused firewall, is a necessity in our internet-connected era.

Pre-cloud, there were plenty of network firewalls standing between external and internal networks.

Post-cloud, that set up just won’t work. Modern applications don’t operate in isolated, internal networks. Instead, they have to connect to the internet frequently to make their APIs and other integrations work.

WAFs address this issue by screening network traffic while making it fast and easy for applications to connect directly to the internet.

The screen they provide is critical. Per the 2024 Data Breach Investigations Report, web applications were the top path hackers took when initiating data breaches in 2023.

A pie chart shows why WAFs are critical to security. Hackers breach data through web apps 60% of the time.

WAFs can’t resolve the underlying web application security flaws or vulnerabilities, but they can help block malicious code and loss of your sensitive data by stopping probes and shutting down many avenues of attack and rate-limiting requests.

How To Install A WAF Using WordPress In 3 Steps

If you’re a WordPress user who’s new to the WAF concept, we strongly suggest opting for a WordPress plugin to handle your WAF needs.

DreamHost Glossary


WordPress plugins are add-ons that enable you to extend the Content Management System (CMS) functionality. You can use plugins for almost everything, enabling features like e-commerce and SEO tools.

Read More

Why? They usually have a helpful developer behind them, but beyond that, the bigger WordPress community is a great resource for support. Plus, they’re built especially for WordPress to provide the flexibility, security, scalability, and speed most users need.

To get you started, let’s walk through how to select and install the right WAF plugin. 

1. Determine Your Needs

There are hundreds of web application firewall providers.

To narrow them down, start by listing your specific requirements based on your needs.

Consider the following factors when building out this important shopping list:

  • Budget: Are you looking for a free tool, or are you prepared to invest in a premium package with advanced features? Perhaps you’re somewhere in the middle? Determining your budget will help direct you toward a cloud, software, or hardware-hosted solution.
  • Control and customization: What level of control do you need? Do you want to fully  personalize your tool, or do you prefer to just use it as-is straight out of the box?
  • Security: Does the option you’re eyeing maintain tight security so your company’s data, as well as any user data you manage, is safe and private?
  • Maintenance: How much upkeep are you willing to take on?
  • Features: List any advanced WAF features you’d find helpful, such as application profiling, content delivery networks (CDNs), traffic logging, etc.
  • Reviews: How do people who already work with the tool feel about it? Check review sites like G2 and blogs to figure this out.

Considering these factors beforehand will simplify the comparison process. You’ll have a clearer idea of what you’re seeking, helping you rule out options that won’t meet your needs.

2. Choose Your Plugin

Now, it’s time to shop WordPress plugins for your right-fit solution.

First, you’ll visit the WordPress.org Plugin directory or WordPress.com Plugin library. Type in “WAF” or “web application firewall” to start your search. This is how you’ll find the most information on each plugin, so you can learn about all your options.

You’ll soon notice that there are many plugins available! To make your selection, use that requirements list you just created, as well as this quick breakdown of some of the most common web application firewall tools:

  • All-In-One Security (AIOS): This is a popular and comprehensive security-focused WordPress plugin. It includes features such as a free web application firewall (WAF), along with brute force protection, IP blocking, user activity tracking, login security, and much more.
  • Sucuri: Compatible with various platforms in addition to WordPress (Magento, Drupal, and Joomla), Sucuri is a well-rounded option that offers a cloud-based WAF (premium), which scans and blocks malicious traffic through its cloud proxy servers to protect your web applications from online threats.
  • Wordfence: This security-focused plugin features a built-in application-level firewall that defends against threats. It boasts a dedicated team and paid and free features that seamlessly integrate with WordPress to maintain encryption integrity and ensure data security.
  • Cloudflare: This plugin from a leader in website security and performance includes a powerful WAF (paid) that was tailor-made to mitigate WordPress-specific threats in seconds.
  • MalCare: MalCare offers a free web application firewall and cloud malware scanner. You can also add features like instant malware handling and personalized support for a fee.

3. Install And Configure Your New Web Application Security

Once you’ve decided on a WAF plugin, it’s time to install it and get it running on your WordPress site.

We’ll walk through that using the AIOS plugin.

In the left sidebar of your WordPress editor, find Plugins > Add New Plugin.

The Plugins menu appears. The options are 'Installed Plugins' and 'Add New Plugin,' which has a purple box around it

Use the Search bar to find AIOS, and then click the Install Now button. Wait a few seconds while that runs, and then click Activate.

At this point, it’s installed!

The next step is somewhat of a “choose your own adventure.”

Head back to the left-hand WordPress sidebar, find WP Security, and select Settings.

The WP Security menu is shown. The second option, 'Settings,' is highlighted

Here, you should see several prompts, including ones advising you to set up your firewall and back up your website.

The Settings box introduces the 'All In One WP Security and Firewall.' Click the blue button to 'Set up now.'

We recommend backing up your website by clicking each link and following the instructions. Then, hit that Set up now button, and your firewall is on.

Finally, click through each tab to ensure everything is set to your liking. At the time of this writing, the default settings (two-factor authentication, etc.) are a great place to start.

There are eight tabs of settings to give you control over your security

Take Application Security To Another Level With DreamShield

Since their earliest conceptualization in the 1990s, WAFs have instilled and protected peace of mind for web app owners and builders seeking refuge from the world’s bad actors.

Now, you can take advantage of the same coverage by following a relatively simple process in your WordPress site.

Got that on lock and want to upgrade your WordPress security even further?

Then you’re a great candidate for DreamShield.

DreamShield identifies and disables most threats, automatically checks your website for issues every day, blocks malware, and keeps you up to date on your website’s health.

If your website is suffering from an unknown or suspicious malady you just can’t shake, contact our smart, trustworthy support team, and we’ll get you sorted out.

Pro Services – Website Management

We’ll Handle the Technical Stuff

Bring enterprise-grade performance and reliability to your website. Leave the backend to the experts – you focus on your business.

See More

Luke is the Director of IT Operations. He is responsible for the teams that keep operations running smoothly... In his free time, he enjoys reading fantasy/sci-fi and hanging out with his wife and 4 kids. Connect with Luke on LinkedIn: https://www.linkedin.com/in/luke-odom-039986a/