No single security component can completely protect your website. A WAF, or web application firewall, is a valuable form of cybersecurity protection, but it's not a full solution. It deals well with some attacks but isn't designed to stop others. That's why Quttera's ThreatSign website security service includes not only a WAF but regular website monitoring.
A WAF guards a site against attacks that use HTTP requests. That's a common way to get in, but it's not the only way. While a WAF stops many incoming attacks, it can't find threats that have already made their way into the server.
What a WAF is Good At Doing
A WAF is a smarter descendant of the traditional firewall. Unlike a regular firewall, it's application-aware. It recognizes types of requests that could exploit vulnerabilities in the site. Examples include:
- SQL injection
- Repeated login attempts
- Directory traversal
- Uploads with disguised file types
- Malformed URL parameters and form fields
- Requests from untrusted IP addresses
- Denial of service attacks
Threats That a WAF Doesn't Catch
If an attack uses a vector other than an HTTP request, it's outside the WAF's area of website protection. Here are some of the ways an attacker can penetrate a site without worrying about the WAF.
Stolen Administrative Credentials
Criminals who get ahold of the admin account and password for a website have all the keys to it. As far as the WAF is concerned, the administrator is just working on the site. It can't tell legitimate changes from criminal ones. The WAF will stop access from a known malicious IP address, but that's no guarantee of protection.
Other protections, such as multi-factor authentication, will make it hard for outsiders to get into an admin account, but the WAF won't help. Theft of the account credentials allows the installation of malware. External and internal website monitoring is the best way to catch anything that was installed without authorization.
Malicious Plugins and Themes
Most websites use a content management system such as WordPress or Drupal. They generally supplement it with additional software to do anything they need. A theme controls the site's appearance, and plugins enhance the functionality.
Downloading a theme or plugin from an untrustworthy site is risky. It could be not just buggy, but actively hostile. There is even software to generate malicious plugins. Occasionally, malicious software finds its way onto trusted download sites. A WAF isn't suited to catch such plugins, since it looks for hostile incoming traffic, not misbehaving software on the server.
In 2013, the Social Media widget plugin was popular for a while. The WordPress plugin repository made it available, and it got over 935,000 downloads. It performed a legitimate function, showing social media links in the sidebar, but injected unauthorized "payday loan" links into sites that used the plugin. This may have been a case where a legitimate developer's source code repository was hacked.
More recently, a WordPress plugin called SiteSpeed seemed to be legitimate, but it installed unauthorized ads on websites using it. It created a secret account allowing unauthorized access, so it could keep causing trouble even if it was deactivated.
"Nulled" themes — a polite term for pirated themes — are not only illegal, but they're also dangerous. More often than not, they're loaded with malware. If you install one thinking you'll save a bit of money, your site will start misbehaving in all kinds of unpleasant ways, your search rank will collapse, and you'll lose visitors. Sometimes administrators install them by mistake, thinking they're legitimate themes.
Shared Hosting Risks
Shared hosting is cheaper than using a dedicated host, but it presents more security risks. Configured properly, each site should be isolated from all the others, but errors are possible. If the user permissions aren't sufficiently restricted, an infected site can traverse the directory tree to access and modify all the other sites on the same volume.
All of these sites, possibly hundreds of them, would be infected with malware, even though the owners' only security error was to trust the host to do a better job. Again, a WAF isn't equipped to detect the problem. The incoming Web traffic wasn't the cause, and that's all that the WAF looks at.
The Benefits of Website Monitoring
Monitoring comes in two flavors: external and internal. Each kind has its advantages in website malware detection. External monitoring examines a site's incoming and outgoing traffic from a separate system that sits in front of the network. It looks for anomalous behavior, patterns that suggest malware, and communication with blacklisted IP addresses. It will keep running even if the network fails and report the outage.
Internal website monitoring runs behind the network firewall, often on a separate appliance. It takes more work to install, but it can gather more information. It could be vulnerable if the network is penetrated. If the whole network fails or is isolated, it can't report anything. A big advantage of internal website monitoring is that it can detect lateral movement — attempts to move malware from the more easily hit user devices to the servers where the valuable information is.
Malicious software typically reaches out to command-and-control servers to download additional malware and upload stolen data. A monitoring system can detect and report such activity. The affected system can be quarantined, giving time to identify and remove the infection.
A WAF is very good at certain types of website protection. However, it won't help against dangers such as stolen passwords, malicious add-on-software, and bad shared hosting configurations. Web application firewalls and website monitoring systems are complementary technologies. A WAF keeps many kinds of attacks from reaching the server. Monitoring provides website malware detection and catches threats that have penetrated the system, regardless of how they got there.
Defense in depth is a basic principle of network security. That's why ThreatSign Website Security Monitoring & Protection includes both a WAF and server-side and external monitoring in most of its plans. In addition, it provides SSL certificate support, virtual patching, and website hardening. With ThreatSign, you can be confident your site is well protected and you'll present visitors with a reliable, safe site.