Difference between Perishable Press/GridPane 7G/6G Firewall and Cloudflare WAF

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Draft Warning

You’ve reached a draft 🤷‍♂️ and unfortunately, it’s a work in progress.

Introduction

This was posted on the GridPane Community, my response was so long and one that I’ve written many times before that I decided it deserved a blog post. I hope to update quite a few times so it’s perfect 😊

Can anyone give me a rundown of Gridpane WAF (6 or 7) vs the one offered by Cloudflare for an additional $20 a month? Is Cloudflare worth it?

Different types of WAF’s

Cloudflare as a WAF vendor has done a great job of explaining the different WAF’s.

A network-based WAF is generally hardware-based. Since they are installed locally they minimize latency, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.

A host-based WAF may be fully integrated into an application’s software. This solution is less expensive than a network-based WAF and offers more customizability. The downside of a host-based WAF is the consumption of local server resources, implementation complexity, and maintenance costs. These components typically require engineering time, and may be costly.

Cloud-based WAFs offer an affordable option that is very easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third party, therefore some features of the WAF may be a black box to them. (A cloud-based WAF is one type of cloud firewall; learn more about cloud firewalls.)

Perishable Press/GridPane 7G/6G Firewall

The Perishable Press 7G/6G firewall by Jeff Star is used by GridPane and is a set of static firewall rules for Apache/OLS&LSWS/Nginx. It’s considered a host-based WAF but is not susceptible to performance issues because it uses Nginx’s configuration rules, which are performant. The Perishable Press 7G/6G firewall protects against known malicious requests and attacks on your WordPress site or server. You can read more about it here

7G Firewall | Perishable Press
The 7G Firewall is here! 7G is now out of beta and ready for production sites. So you can benefit from the powerful protection of the latest nG Firewall…
perishablepress.com

The 7G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense.

7G Updates

The 7G firewall hasn’t been updated since 2021-11-03 isn’t updated frequently. For instance, at the time of this article writing, the last update was v1.5 on 2021-11-03, and since then, v1.6 was released on 02-06-2023. So around 3 months between updates, which is good, but not ideal as other solutions are updated more frequently and require no action. With 7G, you must download and implement the new rules. You can see the changelog for 7g at https://perishablepress.com/downloads/7G-Changelog.txt

7G False Positives

Something to consider is false positives that will affect the functions of a WordPress site. This does occur and requires that these functions are allowed past the 7G/6G firewall using the appropriate code. This can require extra care and feeding if you have a site with plugins adding front and backend functionality. Some people maintain bypass rules for the many situations they’ve encountered, which has taken time to create. This might seem like a hurdle, but it’s better than no protection at all, especially on a brochure site, than on an e-commerce site. Every site is unique, and you might find more issues on one than the other. Extending the 7G firewall is possible if you want to get dirty with coding.

8G Firewall Beta

The 8G Firewall beta was released on 02/16/2023 and is available for download.

8G Notes

Any 8G-related notes will be added/updated here..

  • Only use 7G or 8G, not both
  • 8G is modular: each section can be removed/added as desired
  • 8G is designed to work flawlessly with WordPress or any other non-WP site
  • 8G adds new “HTTP COOKIE” rules
  • Please report any strings or user agents that should not be blocked
  • Always test well before going live and report any bugs or issues
  • Other 8G-related notes will be added here..
8G Firewall (Beta) | Perishable Press
The 8th generation of nG Firewall now is available for testing. We’ve got a great team of beta testers already checking things out. Everything going…
perishablepress.com

Cloudflare WAF

Cloudflare is a Cloud-based WAF that has been around since 2009 and protects a large portion of the internet. You can read more about Cloudflare here

Cloudflare is a global network on the edge of the Internet. Cloudflare brings you closer to your customers, employees, and partners by making everything you connect to the Internet secure, private, fast, and reliable.
www.cloudflare.com

Cloudflare works the same; it has its own WAF rules for the free plan, and if you upgrade, you get access to managed rules written by Cloudflare. The Cloudflare rules are static. However, they’re constantly updated and improved and available instantly by Cloudflare. You don’t need to worry about updating, only if there are issues with false positives.

If you do have an issue with a false positive, you can put in a bypass rule to address the false positive. This is done through the web UI versus through scp or SSH in a file that has a specific coding structure like Perishable Press 7G. Granted, the UI does have the option to enter in expressions (code) you most likely will use the UI’s rule builder most of the time. Cloudflare’s WAF allows for custom rules (5 on free), and you can implement significant measures to stop attacks and automated resources-based attacks. We’ve written a great article on how to do just that.

Secure, Protect and Lock Down your WordPress site with Cloudflare Firewall and WAF Rules – Managing WP – All about Managing WordPress
This article stems from assisting someone in the GridPane private Community Forums to lock their site to allow only specific countries and prompt a managed
managingwp.io

We also have several other Cloudflare articles you might be interested in.

The most significant difference that makes Cloudflare stand out is it’s verified bots filter, country detection and connection challenges. Whenever a connection is made to your website by a device, Cloudflare can tell if it’s a verified bot (Google Crawler), from a specific country and ask the device to verify it’s not an automated bot.

This allows for some magical things to happen, you can allow all verified bots, but block bad bots that are potentially utilizing your server resources that could be used for a natural person. You can block everyone outside of your specific website geographical service area, require that they go through the Cloudflare Managed Challenge or Javascript Challenge. Both are explained below.

Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid CAPTCHAs, which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.

https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/

With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.

https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/

This opens up a ton of opportunity, and ultimately allows you to protect your WordPress admin from being automatically brute forced and offloads this to Cloudflare versus using your server’s resources or time spent setting up and maintaining a plugin or service like fail2ban.

Conclusion

If you need protection now and don’t have a Cloudflare setup, the 7G firewall works excellently. If you want to go a step further, Cloudflare provides the best protection available for a WordPress site for free, even upgrading to the Pro plan that includes more Clouldflare-managed WAF rules and APO is a great price for $20/month.

Changelog

  • 03-20-2023 – Updated verbiage in-regards to 7G firewall updates, and added section about 8G Firewall beta.
  • 03-08-2023 – Grammar and visual changes.
  • 09-26-2022 – Published
0 Shares:

You May Also Like

WebWhim Peer Review

Background There is a blog post that has been floating around various WordPress groups from a site called…
Read More

GridPane Caveats

I’ve created this page to track the caveats I’ve found in the GridPane platform. This is an opinion…