[NEW] Our most popular hosting plan is now 100% free to trial! Learn more

Proudly Australian owned & operated

Web Application Firewall (WAF)

Our WAF is your first layer of defense preventing cybercriminals from hacking your website’s critical data and information.

What if a Targeted Cyber Attack Never Reached Your Site?

A web application security breach can have devastating consequences, often leading to the loss of critical data or theft of confidential information.

The most effective way to avoid these kinds of attacks? Stop the attack from reaching your site in the first place!

This is exactly what a WAF does… building a fence on the outside of your WordPress borders - monitoring, filtering, and blocking malicious HTTP traffic BEFORE it ever hits your server/site.

25% Faster Than The Leading Plugin-Based Firewall (We Tested it!)

Unlike many other providers, our WAF is completely free to use with WPMU DEV hosting and is already tuned for WordPress. It also uses fewer server resources by not running in PHP and doesn’t need to touch a line of code - meaning it won’t significantly affect your site’s performance.

In fact, our testing puts it around 25% faster than the leading WordPress plugin-based firewall! Also, many firewalls are not optimized specifically for WP. They either have most rules off by default or cause false alarms.

Another advantage our WAF has over cloud firewalls is that it’s difficult to prevent attackers from bypassing a cloud firewall completely. As a result, most people skip this crucial step, leaving your site vulnerable.

Armed With Over 300 Highly Optimized, Managed Firewall Rules (Updated Daily)

comes armed with a highly optimized, managed ruleset, containing more than 300 firewall rules (or policies). These policies combine rule-based logic, parsing, and signatures, enabling them to detect and prevent a range of web application attacks.

Our firewall is always learning, and updated every day with new rules. Additional rules are added based on the usage and intelligence of our internal network of sites. This means every new threat (or false alarm) allows your WAF to grow smarter and stronger - ensuring optimal protection, and improved accuracy.

OWASP Attacks Are Your WAFs Specialty

Included as part of our WAFs 300+ ruleset, is protection against common “OWASP” top 10 attacks - including cross-site request forgeries, cross-site-scripting (XSS), file inclusions, SQL injections, and more.

Intelligent App Protection is Less Than a Click Away

Our WAF is automatically enabled on all sites hosted with WPMU DEV, meaning protection is literally less than a click away. Of course, if for some reason you need to deactivate the WAF, you can.

You can also do some rule-tuning yourself if needed, and unlike a lot of other complicated firewall options out there, we’ve made this super easy.

You Make The Rules With Block and Allowlists Settings

Want to sure-up your security even more? Assemble a customized “blocklist” of unwanted IP addresses, or user agents your WAF will automatically block.

On the other side of the coin, you can easily create a “allowlist” of IP addresses and user agents that are allowed. Everything else is denied.

Disable Rule IDs and Limit False Alarms

If any of our in-built WAFs rules trigger false alarms, these can easily be disabled. It’s as simple as entering the rule you're having trouble with into the Disable Rule ID field.

You can find specific rule IDs, as well as additional details about the rules in our WAF Log.

WAF Log - Learn From Every Attack, Error, and Request

Our WAF log shows you exactly where attacks are coming from, which requests have been blocked, and what rules those requests triggered.

This is helpful both to identify attacks, and to prevent future false alarms. The WAF Log can also help you identify whether you need to allowlist a particular IP, or disable a specific WAF rule.

Automatically Patch Hard-To-Detect WP Vulnerabilities

Our WAF also takes web app security a level further by deploying “virtual patches” to repair WordPress core, plugin, and theme vulnerabilities when required.

This means if you’re running an old plugin or theme with known security vulnerabilities present in our rule lists, your WAF can identify traffic trying to take advantage of this vulnerability and stop it. All without needing to touch the code on your site.

Meet Security Compliance Requirements and Offer Extra Assurance For Clients

If your organization processes or stores sensitive information (credit card details etc.), it’s obviously important you comply with security requirements, and standards such as the PCI, HIPAA, and GDPR.

One of these requirements is: “installing and maintaining a firewall configuration to protect cardholder data.” This makes having a WAF valuable from both a compliance, and a security perspective.

It can also give your clients further assurance that they’re fully protected.

Site Security Multiplied: Easy Integration With Additional Safety Measures

Of course, any additional layer of security is invaluable, and our WAF also integrates perfectly with other security measures.

The WAF becomes the second line of defense against plugin/theme/WP vulnerabilities after updates (our Automate solution). It can often detect and block undiscovered or unfixed vulnerabilities.

The WAF and our Defender plugin can also help ensure that, if you are attacked, the attacker won’t gain anything other than hurting the performance of your site or bringing it down.

Want to dive deeper into the world of WAFs? Check out this blog post

How Our WAF Compares With Other Providers:

Features WPMU DEV Cloudflare Wordfence
Blocklist / Allowlist Settings Blocklist / Allowlist Settings Included Blocklist / Allowlist Settings Included Blocklist / Allowlist Settings Included
Automatic Virtual Patching Automatic Virtual Patching Included Automatic Virtual Patching Included Automatic Virtual Patching Included
Optimized For WordPress Optimized For WordPress Included Not optimized for Wordpress Optimized For WordPress Included
Minimal Performance Hit Minimal Performance Hit Included Minimal Performance Hit Included Minimal Performance Hit Not Included
WAF Logs WAF Logs Included WAF Logs Included WAF Logs Included
Cost FREE with every hosting plan! $20 per month, per site $99 per year, per site

Try Our WAF Free With WPMU DEV Hosting! Learn More

Recommended by WordPress web developers

WordPress web developers from all over the world prefer WPMU DEV, with an average rating of 4.9/5, over 5,000 five-star reviews, and winners of thirteen G2 best product awards.

Web Developers Choice

The number one choice of WordPress web developers

Smush image optimization plugin

Back-to-back Torque Plugin Madness winners


Trial free for 7 days

Just $12AU$18.70₹960/m after. Cancel anytime.

Plans & pricing