The best protection for your WordPress website against hacks is prevention, as cleaning up your site takes time, effort, and money. Not to mention the downtime caused by hacks which cost you customers and credibility. 

The most effective way to prevent hacks is to install a WordPress firewall plugin on your site.

WordPress firewalls keep out bad traffic, repel bad bots, and protect the website from being exploited by hackers. But how do you know which one to install? 

The trouble with WordPress firewalls is that you can’t tell how effective they are from a list of features. A firewall is effective only if it manages to keep out threats, but it is difficult to test that out before deciding on which one to install. 

So we’ve done that for you. We have tested several WordPress firewall plugins and posted our findings here. 

TL;DR: MalCare’s WordPress firewall is the best one we found. It comes bundled with the security plugin; together with a malware scanner and an auto-clean feature, it makes a formidable case for WordPress security. 

What is a WordPress firewall?

A WordPress firewall is a filter for your website that blocks out bad traffic based on a list of pre-programmed rules. There are different types of firewalls, which we will explain later in the article. For now, if you are looking for a firewall for your WordPress website, you are looking for a web application firewall. 

Why you need a WordPress firewall plugin

There are several advantages of a WordPress firewall plugin. Some of them are:  

• Provides login protection
• Protects vulnerabilities from being exploited
• Protection from bad IPs
• Bot protection from bad bot traffic
• Reduces load on the website server by keeping out bad bot traffic; makes websites faster as result

The difficulty, though, lies in choosing the right firewall for your WordPress website. It is really tough, if not downright impossible, to test out a firewall on your own. That’s why we’ve put together this list of best WordPress firewall plugins to help you make that decision easily, knowing that we have put each firewall through a battery of tests.

Recommendations at a glance

• Best WordPress firewall plugin: MalCare
• Best value for money: MalCare
• Best firewall protection for free: Wordfence
• Best standalone firewall plugin: NinjaFirewall

9 Best WordPress firewall plugins reviewed

1. MalCare

The best WordPress firewall plugin you can possibly find is MalCare, as it comes bundled with a malware scanner and cleaner. It is a powerful web application firewall that has strong login security, effectively blocks out brute force attacks, malicious bots and bad IPs, while making sure good bots and legitimate visitors are allowed through. MalCare’s firewall doesn’t load server resources, so your website performance will not suffer; on the contrary, it might just improve! 

Pros

• Protection against all kinds of threats
• Brute force protection
• Global IP protection
• Intelligent learning system
• Proactive protection from bad IPs
• Firewall rules updated every 5 minutes
• Whitelisting options
• Geoblocking capabilities
• Vulnerability protection
• Traffic logs
• No alerts

Cons

• Free version is at a plugin level

Pricing

Starts at $99 a year per site for firewall, malware scanner and cleaner

Verdict [5/5]

Along with an immensely powerful firewall, MalCare has a malware scanner and cleaner in the same plugin, on the same plan. Quite a few other entries on this list fall short in those areas, and the costs tend to add up considerably.

2. Wordfence

Wordfence’s firewall comes packaged with their security plugin. So you get an above-average scanner and rudimentary automatic cleanups as a part of the package. 

Pros

• Protection against most kinds of threats
• Brute force protection
• Global IP protection
• Firewall rules updated in real-time for premium version
• Whitelisting options
• Geoblocking 
• Vulnerability protection
• Traffic logs

Cons

• Uses tremendous amounts of server resources 
• Free version is at a plugin level
• Free firewall receives updates later than the premium version
• Too many alerts

Pricing

Starts at $99 a year per site for firewall, malware scanner and cleaner

Verdict [4/5]

Wordfence is arguably the best free WordPress firewall plugin. For the amount you are spending on it—which is zero—it is pretty darn great. Wordfence, although a strong contender on this list, lost out to MalCare for a few reasons. One is that the free version of the firewall gets updates much later than the premium version. And secondly, Wordfence themselves rank their free firewall protection at 35%. This doesn’t fill anyone with confidence. The worst part about Wordfence though is that it consumes a ton of server resources, and slows down website performance considerably.

3. Sucuri

Sucuri’s firewall is a classic example of a DNS-based firewall, which means you need to set your nameservers to point to their firewall IP for it to work. [We’ve included notes below, in case some of those terms are unfamiliar or confusing.]

Once you’ve installed Sucuri’s firewall, it filters out all the bad traffic, and then redirects only the legitimate traffic to your website. 

Pros

• Protection against most kinds of threats
• Brute force protection
• Global IP protection
• Protection from bad IPs
• Whitelisting options
• Geoblocking
• Vulnerability protection
• Traffic logs
• Custom firewall block page
• No alerts

Cons

• Tricky installation for beginners
• Some configuration is necessary
• There is no free version of the firewall

Pricing

Starts at $199 a year per site for firewall, malware scanner and manual cleanups

Verdict [3/5]

Overall, Sucuri’s firewall keeps out a bunch of threats from attacking the website. However, the big beef we had with their firewall was the setup. It was a nightmare. Our test site doesn’t have a domain, so we couldn’t easily get the nameservers to point to Sucuri’s firewall server. Granted, this is not a problem most people will face, however, if you want to change over your domain names, or want to set up on a staging site first? You’re going to have to get a technical assist on this one. 

Other than that, we couldn’t find out how often the firewall rules were updated. This is a fairly important metric for any firewall, because threats keep evolving and we want to be sure that our website firewall is up to the task of keeping them out.

4. Cloudflare

Cloudflare comes up a lot in the WordPress ecosystem. It is a commonly used web application firewall for WordPress, and does come packaged with a bunch of features. Cloudflare filters out bad traffic and spam bots as well. This is over and above what other firewalls on this list are able to do.

We did come across some issues, like false positives and negatives, and a complicated setup, but were mostly able to work around those by tweaking the configuration. 

Pros 

• Blocks against SQL injection and XSS attacks
• DDoS protection
• Bot protection
• Real-time firewall updates
• Relatively simple to set up 
• Firewall logs
• Analytics dashboard for reports
• Customisable rulesets
• Free firewall is powerful on its own

Cons

• Doesn’t block all threats

Pricing

Free

Verdict [3/5]

Our biggest issue with Cloudflare is that it doesn’t block out all threats, just the major ones. One could argue that those are the most important, but that doesn’t invalidate the danger of less common threats. On top of that, there is the issue of false positives and false negatives; the former is when legitimate visitors are kept out, and the latter is when threats are allowed in. False positives are annoying and frustrating at worst, but false negatives mean that your website is in danger. And even though we’ve put ‘simple to set up’ in the list of pros, it still takes a considerable time longer than installing a plugin. 

On the other hand, Cloudflare is designed for more than just WordPress, so you can customise the firewall’s behaviour depending on what you want to block. The free tier is powerful to stand on its own as well. If you already have a security plugin installed, Cloudflare may be a good option.

5. NinjaFirewall

NinjaFirewall (WP Edition) says it is a true web application firewall, which sits in front of WordPress. What that means is that NinjaFirewall installs like a plugin, but it loads before WordPress does. Load order is an important factor for firewalls, which we have covered in a later section. Suffice to say that loading before WordPress is a huge point in NinjaFirewall’s favour. 

Pros

• Blocks all major threats: SQL injections, XSS, RCE and more
• Brute force attack protection
• DDoS protection
• Loads before WordPress 
• Blocks all attacks before they reach the site
• Protects XML-RPC function 
• Multisite compatible
• Saves bandwidth 
• Installs like a plugin
• Stellar support

Cons

• Occasionally has errors that require complex debugging
• Steep pricing for just a firewall

Pricing

Plans start at $69 per domain per year, with a sliding scale for more sites

Verdict [4/5]

NinjaFirewall is a great firewall, which loads before WordPress and blocks out the majority of threats. It can also be used with multisite installations without additional configuration, which is pretty good. The best part about NinjaFirewall is that it is complex tech that is completely beginner-friendly. It installs like a plugin but stops threats at an application level. That’s great. 

The only caveat we have is that NinjaFirewall is a standalone security product for WordPress, and therefore $69 is a little steep. Since it doesn’t have a malware scanner or cleaner, those functions need to be added separately via another plugin. Otherwise, NinjaFirewall has our unequivocal stamp of approval.

6. All in One WP Security & Firewall

We’re fans of complete security plugins, so we thought All in One WP Security & Firewall would be higher up on this list. However, although there are a ton of features, they don’t all have the same impact on security. For the purposes of this article though, we’ll stick to reviewing the firewall features. 

Pros

• Brute force login protection
• Protects against XSS attacks
• Bot protection; specifically fake Googlebots
• Comment spambot protection 
• Blacklist and whitelist capabilities
• Free firewall and security features; paid cleanups only

Cons

• Can’t always tell the difference between real and fake Googlebots
• Advanced features can break site 
• Doesn’t keep out all threats
• Causes frequent lockouts

Pricing

Free firewall

Verdict [1/5]

There are several serious problems with All in One, which can really be encapsulated in a pro-con list. For instance, one of their biggest brags about the firewall is that it keeps out fake googlebots that have malicious intent, but have the name ‘googlebot’ in the useragent. This implies that the firewall is able to gauge signals of bots to ascertain whether they are malicious or not. This is a really tall order, and apart from MalCare, no other WordPress firewall plugin we’ve seen does this effectively. Sure enough, you’ll find tons of complaints about the site getting unindexed and organic traffic plummeting from All in One users. 

Secondly, no security plugin should break your website. There are tons of so-called WordPress hardening features that are just poor advice. For example, don’t do any of these things: change your database prefix; hide your login page; password protect your core files. 

Finally, we saw a ton of complaints about lockouts. The thing is that, even if you whitelist your device IP, it doesn’t mean that you won’t be locked out. That’s because device IPs are dynamic and can change. You can whitelist a range of IPs so that you aren’t locked out, but that sort of defeats the purpose of whitelisting, so don’t do it. A competent firewall will keep out threats without this configuration.

7. WP Cerber

WP Cerber is a freemium security plugin, with a bundled malware scanner, and file integrity checker as well. The firewall, which we are interested in for this article, is very much part of the paid plans. They call the feature the Traffic Inspector, which, fair play. That’s a good name for a firewall.

Pros

• Brute force login protection
• Bot protection 
• Anti spam features
• Firewall logs
• Whitelisting feature
• Customisable firewall rules

Cons

• Blocks search engine bots indiscriminately while claiming not to
• Support is not adequate or helpful
• Doesn’t block all threats
• Affects website performance

Pricing

Starts at $99 a year per site

Verdict [1/5]

We can’t see any real reason to install WP Cerber, and frankly are confused with how many people think it is a great security plugin. Bot protection is very important for WordPress websites, but the distinction between good and bad bots is crucial. There are countless disgruntled WP Cerber users that have seen their search engine rankings take a hit because of this plugin. They’re not wrong; blocking search engine bots is a catastrophe for organic traffic. Definitely not recommended.

8. SiteLock

SiteLock has a web application firewall that claims to keep out cyber attacks like hackers and bad bots. In fact, their website says that the firewall keeps out all of the OWASP’s top 10 cyber threats. That is some claim.

Pros

• Brute force login protection
• Bot protection 
• Bundled CDN
• Anti spam features
• Traffic stats and reports
• SSL integration

Cons

• Support is terrible from the looks of it
• Predatory pricing policies

Pricing

Pro plan with firewall is a whopping $249 a year per site

Verdict [1/5]

Give this one a miss. We don’t even recommend trying it out, because the sheer number of subscription complaints we’ve seen online are horrifying. No one should be held hostage because of predatory pricing policies. 

9. BulletProof Security

BulletProof Security is a unique security plugin in 2 ways: firstly, it has a one-time fee for security; and secondly, it is a rare security plugin that has vulnerabilities in its own code. Oh, the irony. 

Pros

• Lifetime pricing
• Firewall logs
• Login security
• Plugin-level firewall
• Anti spam features

Cons

• Terrible customer service (seriously, read the reviews on WordPress repo)
• Plugin crashes site
• Lots of errors
• No clear indication of what threats are blocked

Pricing

$69.95 one-time fee

Verdict [0/5]

Not only does BulletProof Security fail as a security plugin, we were horrified by their customer support. And that’s just the publicly available conversations. Yikes. If we were even slightly inclined to give them a pass for a below-average security plugin, the responses to 1-star reviews killed that inclination. Hopefully, we don’t get nasty emails in our inbox.

Security plugins without firewalls

In lists about WordPress firewall plugins we see online, we are surprised to see some popular names come up. Let’s be very clear: all security plugins are not built the same, and they most certainly don’t have firewalls. 

• Jetpack
• iThemes Security
• CleanTalk

So, if you see any of these names show up in a list of WordPress firewalls, know that the writer hasn’t done any real research. None of these plugins have firewalls.

How a firewall works

When your website receives traffic, it comes in the form of requests from the visitor’s browser to your website’s server. The firewall analyses every request, checking for the following things: 

• Is the IP blacklisted?
• Does the IP come from a blocked country? 
• Does the request contain malicious data (known as a payload)? 
• Is the request bad? 

And so on. These checks are enforced by rules, which is why you will always hear about firewalls being “rule-based”. 

What features make a WordPress firewall plugin effective

There are a few ways in which firewalls protect your website from attack. 

• Block bad IPs: Suppose you installed MalCare’s firewall, it would analyse the traffic coming to your website to understand the good from the bad. If there are repeated hack attempts or bot attacks from an IP, the firewall marks that IP as a bad one and blocks it from your website altogether. 

• Global IP protection: Continuing on from the previous point, once MalCare has learned that a particular IP is bad, it can send that information to all the other websites it is installed on. The bad IP then cannot access any of the sites where the MalCare firewall is installed. Since the MalCare firewall is installed on over 100,000 WordPress sites, it learns in a similar way from all of them. Therefore your site gets this global IP protection as a part of the MalCare firewall network.
  
  
• Bot protection: Around 25% of all web traffic isn’t human. Bots are small programs that perform certain tasks repetitively and repeatedly. While this sounds relatively benign—and there are such things as good bots—bots can cause considerable damage to a website. Bots are used to hammer login pages with credentials to gain access. Alternatively, they can fill up forms with junk; or even scrape valuable data from your website. You definitely want to keep those off your website. On the other hand, there are good ones like search engine bots. They crawl your website to index them.
  
  The problem is to differentiate the good from the bad, and block the bad effectively. A good WordPress firewall plugin, like MalCare, will take care of that for you.
  
  
• Prevention of exploits: Vulnerabilities are security lapses in your website’s code: in the core WordPress files, the plugins or the themes. These lapses allow hackers to gain unauthorised access to your website. The best way to protect your website from vulnerabilities is to keep all the code updated, but sometimes things fall through the cracks. That’s when a best WordPress firewall plugin comes to the rescue. A firewall will block bad IP traffic and bots, and therefore protect your website’s vulnerabilities from being exploited, until you can address them.
  
  
• Geoblocking: It is possible to block visitors from entire countries using the firewall. Each country has a range of IPs, although these are not always perfect. The IP range is blacklisted, and so the firewall won’t let those requests through. We advise against geoblocking, until the website is hyperlocal in focus, because it is an imperfect mechanism and can block out legitimate visitors and bots. 

Along with a malware scanner and cleaner, a WordPress firewall is a key piece in your security puzzle. Make sure not to compromise here, because it is the forcefield that protects your website from harm.

Different types of firewalls

If you have searched for which WordPress firewall you should install, the information can be quite bewildering. There are many different words to contend with: web application firewalls, cloud-based firewalls, DNS ones, networks ones, etc. Firewalls are categorised by factors such as when they load, how they load, what they protect, how they protect what they protect, and so on. 

What you need to be aware of is a web application firewall. This is what you need for a WordPress site. A web application firewall (WAF) is a filter that sits between a website and the rest of the internet. It analyses all incoming traffic requests for threats, and stops unwanted or malicious requests from ever reaching the website. It is called a web application firewall, because it is designed specifically for websites and web apps, as opposed to computers. 

So what are all the other things we mentioned? Here is a quick explainer of each type of firewall:

• How requests are blocked
  
  
  1. Allowlist firewall: As the name implies, allowlist firewalls only allow pre-approved traffic requests. If the incoming traffic request is from an IP on the allowlist, it is permitted to pass through the firewall to the website. Otherwise, it is blocked. 
     
     
  2. Blocklist firewall: This type is a little more liberal, and analyses the traffic request for known threats. If it detects a threat, the request is blocked. 
     
• Where the firewall is located
  
  
  1. Network firewall: A network firewall is usually at the server level, because it is a hardware-based firewall. Web hosts typically have network firewalls, which sit at the point at which their internal system meets the Internet. It is called a network firewall because it protects the entire network from bad requests. Kinsta, for instance, uses Google Cloud Platform’s enterprise firewall to protect websites hosted with them.  
     
     
  2. Host-based firewall: A host-based firewall is installed on each web server, and filters traffic requests to that device. Host-based firewalls consume a lot of server resources though, which affects the performance of websites hosted on that server. 
     
     
  3. Cloud-based firewall: Usually a third-party firewall, not hosted on the website server. This is an important distinction because host-based firewalls consume a ton of server resources, and the user rarely has any control over them. A cloud-based firewall is typically updated more often, and it is far more lightweight for a website. 
     
     
     • DNS firewall: One of the ways that cloud firewalls are implemented is through the use of DNS. All incoming traffic to a website is first directed to the cloud firewall, and only good requests then go forward to the actual website. DNS firewalls are set up using the nameservers of a domain registrar. 
       
  4. Application firewalls: These firewalls are installed on the web application or the website, and filter the traffic requests to that particular website. 
     
     
     • Plugin-based firewalls: Most WordPress firewall plugins are application firewalls. They are effective at filtering traffic just as well; the only consideration being when they load onto the website. We’ve covered load order in the next section.

Hopefully, this short explainer has demystified firewalls for you.

Which firewall should you choose? 

On top of all this arcane jargon, there is also the difficulty of figuring out whether a firewall does what it says it does. If a firewall fails to protect your website, you will have malware on it. Or a brute force attack will be successful. It could happen many months down the line, and you wouldn’t even know your firewall ought to have kept out that particular bot or attack. 

Therefore, we set up a bunch of tests for the WordPress firewall plugins available. Here are the factors to consider when choosing a firewall for your website: 

• Threats blocked: Not all of them block everything. Some of the ones in this list failed dismally at blocking out exploits. Some of the vulnerabilities that a firewall can protect your website from: 
  • Brute force attacks
  • Cross-site scripting attacks (XSS)
  • SQL injections
  • Cross-site request forgery attacks (CSRF)
  • File upload vulnerabilities
    
• Load order: The place where the firewall falls in the WordPress load order determines its efficacy. For instance, if it loads before WordPress, at the php level, it is the most effective. At the plugin level, it is significantly less effective; although still better than no firewall. The firewall will still block bad traffic from most of the site, just not all of it. 
  
  
• Update frequency: Firewalls are rule-based filters, and learn from traffic that websites receive. Therefore, the more data it gets, the better it is able to protect a website. However, how often does a firewall receive these rule updates? This is not an insignificant question. 
  

As you can see, we put the firewall through a ton of tests. This article is a result of those findings.

Conclusion

Choosing a WordPress firewall plugin can be a daunting task, because you cannot know if it works the way it says it does, unless it fails to stop a malware attack. Additionally, a firewall is only one part of your website’s defence against hackers. The other necessary components are a malware scanner and a cleaner. It is much simpler to have one plugin that does all of these things, rather than find a mix of plugins for security. MalCare is by far your best choice. 

FAQs

Do I need a firewall for my WordPress site?

Yes, you need a firewall to protect your WordPress website from hackers. A firewall keeps out bad bots, bad IPs and various types of attacks that can breach your website, and steal from you. 

What is a WordPress firewall?

A WordPress firewall is a filter for traffic that comes to your website. It lets the good traffic, including visitors and good bots, through, while keeping out anything that could harm your website and steal your data. 

A WordPress firewall is built on the same principles as an ordinary firewall, but it is built specifically for web applications. Therefore, you will often find the term web application firewall when looking for a WordPress firewall.