LWS Protect: application firewall for website security

Procédure

Introduction to LWS Protect

The LWS Protect tool, available in the "Security" section of your cPanel control panel, lets you secure your website in just a few easy clicks by customising the security rules in place upstream of the web server of your hosting package.

These security rules take effect as soon as the traffic arrives upstream of the web server, well beyond Apache or PHP, giving you significant resource savings and increased efficiency. HTTP requests are analysed by Fastest Cache's built-in application firewall before they are sent to the web server, long before ModSecurity or even your security plugins.

In addition to the simple security rules offered by ModSecurity, LWS Protect uses external reputation analysis tools and security rules developed in-house in response to attacks identified by our system administrators.

Summary of LWS Protect rules

Description	Security level		Possible values
	Low	High
Generic rules
Browser check on current administration pages	Disabled	Enabled	Enabled Disabled
Block HTTP access on current development folders	Enabled	Enabled	Enabled Disabled
Block HTTP access to .php files	Disabled	Disabled	Enabled Disabled
Aggressive anti-DDoS	Off	Enabled	Enabled Disabled
WordPress
WordPress : xmlrpc.php blocking	Enabled	Enabled	Enabled Disabled
WordPress: Limit the number of possible requests to /wp-admin and /wp-login.php	20 requests / 10 minutes	5 requests / 10 minutes	Disabled 5 requests / 10 minutes 20 requests / 10 minutes 40 requests / 10 minutes
WordPress: block sensitive files	Enabled	Enabled	Enabled Disabled
Bots
Block/restrict SEO bots	Disabled	20 requests / minute	Disabled Block all 5 requests / minute 20 requests / minute 40 requests / minute
Block fake Google Bot	Activated	Enabled	Enabled Disabled
Block malicious bots	Disabled	Enabled	Enabled Disabled
Block empty user agents	Enabled	Enabled	Enabled Off
IP reputation
Block malicious IPs	Check browser with captcha	Block	Block Check browser with captcha Disabled
Block Tor network	Disabled	Enabled	Enabled Disabled

Why choose LWS Protect instead of installing a security plugin?

Unlike the security plugins provided with CMSs, LWS Protect acts upstream of the web server, even before PHP can run. In contrast, CMS security plugins require PHP to be running and at least part of the CMS to have started, which makes each request resource-intensive and therefore negatively affects the performance of other visitors to the site. For a small site, this problem may be discreet and transparent, but on a larger scale, you risk saturating your web hosting package, especially if you have a lot of simultaneous visitors and they are all accessing dynamic elements (= requiring PHP to be running).

LWS Protect solves this problem by filtering requests upstream of the web server, i.e. before PHP is executed and before the CMS is started, even before the web server does anything. So, for example, if you have 1000 simultaneous visitors to your WordPress site and 50% of them are malicious, you avoid 500 executions of your CMS and 500 executions of PHP. You save both RAM and the number of MySQL requests and you prevent these malicious visits from affecting the performance of your real visitors.

LWS Protect rule sets

From the ' LWS Protect ' icon on your cPanel control panel, you can instantly activate a ruleset to apply a generic security profile. LWS currently offers three security profiles:

• High: intended for websites regularly targeted by attacks
• Low: intended for normal use (active by default)
• Disabled: disables all LWS Protect rules

To change the active rule set on a website, click on the security level associated with the domain name concerned (1) and choose a new security level (2) :

Customise LWS Protect security rules

You can also customise LWS Protect security rules individually by clicking on " Customise ":

The security rules offered by LWS Protect are grouped into different categories according to their scope of action:

• Generic rules apply to all websites
• WordPress rules have been designed to secure access to a WordPress site
• The rules grouped in the "Bots" tab affect access to robots and crawling tools
• IP reputation rules are based on IP address reputation systems

Each security rule has at least two states: active and inactive. By activating certain rules, you can fine-tune their parameters:

The rules are instantly active and are compatible with all our other performance optimisation tools: Fastest Cache, LiteSpeed and Ipxchange.

Browser check on common administration pages

Recommended rule.

This rule implements a preliminary check when accessing common administration pages (wp-admin, administrator, admin*, wp-login.php, etc.) in order to block tools masquerading as a web browser. Verification is carried out by sending a captcha page to ensure that the requests supposedly made by browsers are actually made by humans behind a web browser and not a bot.

Block HTTP access to current development files

Recommended rule.

This rule prevents HTTP access to common development folders, such as .sql files, .git folders, .env files, etc. This prevents information leaks in the event that you forget to delete a backup .sql file, for example, on your website during the design phase.

Block HTTP access to .php files

Activate with caution. Not compatible with WordPress.

This rule blocks direct access to .php files by preventing access to all URLs with the term ".php", which prevents any possible bypass of URL rewrites that you have defined in your .htaccess file.

Aggressive anti-DDoS

Activate with caution.

Aggressive anti-DDoS performs a preliminary check on all HTTP requests made to your website by a web browser. The mechanism, which is identical to the browser verification mechanism in the administrator folders, prevents automated robots from reaching your website.

WordPress: block xmlrpc.php

Activate with caution. May cause problems with some WordPress plugins.

Systematically blocks access to the xmlrpc.php file with a 403 error. A file that used to be used to make API requests to WordPress, it is now largely replaced by wp-admin/admin-ajax.php. However, it is kept for backward compatibility with tools that still rely on xmlrpc.php.

WordPress: Limit the number of possible requests to /wp-admin and /wp-login.php

Recommended and active by default at 20 requests/10 minutes

This rule limits the number of requests an IP address can make to wp-admin and wp-login.php. The request counter is the same for all the websites in our park, only the blocking threshold is specific to each website. This makes it possible to block two types of attack with a single rule: bruteforce attacks targeting a single website, and bruteforce attacks targeting a large number of websites.

As the counter is common, you will need to adjust this blocking threshold according to the number of sites you host and access simultaneously. If you have several sites and you open the dashboard simultaneously on a single PC, it is highly likely that you will have to adjust the blocking threshold to avoid being blocked.

A 403 error is displayed when blocking is effective, and unblocking takes place as soon as the number of requests made by the IP address over the last 600 seconds falls below the blocking threshold again.

WordPress: block sensitive files

Recommended and active by default

This rule prevents access to sensitive WordPress files and paths. Among other things, it prevents the execution of .php files in the WordPress upload folder and in the wp-includes folder, thus reducing the risk of damage following an intrusion or virus infection on your site.

Blocking/limiting SEO robots

Block or limit the number of requests per minute that SEO robots such as Ahrefs, Semrush and Majestic can make. Bots are identified by their User-Agent and/or IP address.

Block fake Google Bot

Recommended.

Allows you to block fake Google Bot. Fake Google Bot is detected using its IP address, the User-Agent supplied and reverse DNS. The data is then compared with the information provided by Google itself about its bots, and if any element is inconsistent, blocking is displayed with a 403 error.

Block malicious bots

Blocks malicious bots listed on public bot blacklists. Robots are identified as malicious or not by their IP address and/or User-Agent. A 403 error will then be displayed.

Block empty User-Agent

Recommended.

Block the request when the HTTP "User-Agent" header is empty. This often occurs with the default configurations of vulnerability scanning tools used by hackers. A 403 error will then be displayed.

Block malicious IPs

Recommended and active by default on "Check browser with a captcha".

This rule blocks access to the website by IP addresses reported as malicious. We use several public databases to identify malicious IP addresses. The reputation of an IP address is kept in our records for up to 24 hours. A captcha check will be performed if the IP address has a bad reputation, or a block with 403 error, depending on your blocking choice.

Block the Tor network

This rule blocks access to your website from the Tor network. The Tor network is detected by identifying the IP address in the public database of Tor Exit Nodes. A 403 error will be displayed if the IP address is on the list.

View blocking history

To view the blocks made by LWS Protect, go to LWS Protect and click on the " Block History " button associated with the domain name concerned:

You can then filter the events according to your needs:

• Host name / domain
• Date/time range
• Blocked IP address
• HTTP request
• Message

Once you have clicked on "Search", the logs are updated, taking into account the filters that have been set up: