WordPress WAF Security by Staq

Our new game-changer security feature that is applied out-of-the-box.

In April 2022, we released Staq Next-Gen CDN which is our Cloudflare & Cloudflare APO replacement for WordPress. Essentially, it loads the HTML in the CloudFront CDN rather than from the server. Not only is this feature a speed performance and load balancer solution for WordPress but also a feature that is connected to AWS Shield, which is a DDoS security feature.

As part of our commitment to WordPress security, Staq has developed the most comprehensive and integrated security service for WordPress. The great thing is, it is applied out-of-the-box to all current and future websites on Staq.

We’ve developed the following features:

Staq Firewall

Staq Firewall

The Staq Firewall is a Web Application Firewall (WAF) service which we call Staq Firewall. It is a complete WordfencePRO replacement. At the time of this email, Wordfence PRO costs approx. $792 USD for a 10-pack licence. The great thing is that it’s applied out of the box to all existing and new websites deployed on Staq for free.

Comments Protection

As part of Staq Firewall, we have now developed an Akismet plugin replacement. This means there’s no need to register for an account and apply the API key to the plugin. It is applied to all Staq hosted sites out of the box.

Forms Protection

This too is an Akismet plugin replacement. Out of the box, websites that use forms, Formidable Forms, Gravity Forms and Contact Form 7 are protected from bots that inject automated emails.

Plugin Vulnerability Alert System

We’ve had a number of previous Kinsta customers move over to Staq recently and they requested a plugin/theme vulnerability alert system. Today, we announce our plugin/theme vulnerability alert system that alerts all Staq Partners of particular themes and plugins that are vulnerable based on third-party data. If you haven’t noticed yet, an automated email is issued with the exact site, plugin/theme and version number that is required to be updated.

How current WordPress security plugins typically work

It’s better to have a security plugin for WordPress compared to nothing but when you assess it against the cost of server performance, then it’ll make you think twice if you’re obsessed with website performance and speed.

These are some of the disadvantages of agnostic based WordPress security plugins:

  • When someone visits your website, your firewall must verify the traffic using your web server/PHP resources.
  • Security plugins do not prevent DDoS attacks (see Mark’s answer at the bottom of Wordfence’s post: https://www.wordfence.com/blog/2018/05/wordfence-wordpress-scanner/)
  • To have some form of firewall, you are required to configure this yourself on the server. Imagine having to do this for every site: https://www.wordfence.com/help/firewall/optimizing-the-firewall/
  • To have maximum protection, plugins like Wordfence encourage you to purchase a licence. A 10-pack licence is around $792USD per year at the time of writing this post.

That means the weakest point of any WordPress security plugins is that it operates only on your server.

Why Cloudflare doesn’t prevent all DDoS attacks

Even though the common perception is that Cloudflare prevents DDoS attacks, there are ways that you can bypass Cloudflare and send the request directly to the server.

Imagine that was the case and considering that security plugins like Wordfence do not stop DDoS attacks, your server will still remain vulnerable.

Why is Staq different and how it is a more superior WordPress security hosting service?

The Staq Firewall is a PHP based WordPress level firewall that filters out malicious traffic to sites hosted on Staq. It is a built-in feature and is part of Staq Hosting Must-Use Plugin, in addition to other optimizations automatically applied on the PHP pool level before the request even reaches WordPress.

The objective of Staq Firewall is to replace third party plugins such as “Wordfence”, “Sucuri”, “iThemes”, etc… and provide a powerful solution that covers all sites without the need to install any plugins.

In addition, being a built-in software, it can easily communicate with the server’s firewall and block unwanted traffic on the server or even on the AWS level, something that third party plugins cannot do, and thus the successive malicious requests will not cost CPU usage time.

What does Staq Firewall protect against

Out of the box, Staq Firewall is configured out of the box and protects against the following:

Brute-Force Protection

Brute-force attacks occur when a certain IP address attempts a large number of combinations to guess your username, password and email with the hopes to get access to your WordPress account.

The Staq WAF has this option enabled by default under Firewall > Advanced.

WordPress Protection

Hackers use automated scripts to scan for WordPress sites that can be exploited due to one leak or another. Staq WAF provides tools that help the site share data less that can be used by such attackers; the less sensitive data the site shares, the safer the site becomes.

The Staq WAF has the following options enabled by default under Firewall > Advanced:

Hide the WordPress version on the site’s HTML

By default, WordPress reveals the version number in the Generator meta tag and in the RSS feeds. This can help everyone who accesses your website know what application you are running and which version. This option removes the WordPress version from the HTML code, and keeps your website safe.

Remove hints on failed login attempts

By default, the WordPress login page shows an error message when someone types in the wrong username or password. These error messages can help hackers guess your username, email address, or password. This option removes the hints in WordPress login error messages which keeps your website safe.

Remove author details from oEmbed

By default, when you share a WordPress post on social media, you might see the author details in the oEmbed preview. This option helps reveal usernames through “/?author=” scans. This option helps remove the author name and author URL from oEmbed in WordPress.

Ban Rules

Apart from the previously mentioned features that protect sites against various attacks, Staq WAF offers a powerful feature that allows adding custom features for additional blocking.

The custom ban rules take security to different levels by allowing smart algorithms learning the site’s traffic and make decisions on the fly to keep a certain site safe, and then apply the gained insights to other sites hosted on Staq, thanks to the Staq WAF Global Blacklist that is continually being updated in the background in accordance with the collected data about malicious traffic attacking the Staq Hosting Infrastructure.

By default, Staq WAF configures rules that are added by default when a site is created. However, with the help of the various log and traffic analysis tools Staq WAF offers, the WordPress administrators may add more rules.

The following are the ban rule types that help protect against possible attacks:

Rate Limiting

Rate Limiting allows limiting how many requests can access your website per seconds from the same IP address. If the requests exceed the configured limits, they will temporarily have their access revoked. Moreover, this feature has advanced options such as inclusion / exclusion of URL(s), origin countries of IPs, etc.

Country Blocking

Country Blocking allows admins to block access to the WordPress site from certain countries. Staq WAF uses the famous geolocation database (GeoLite2).

Blacklist Blocking

Blacklist Blocking automatically blocks IP addresses that are blacklisted by Staq WAF global database.

Pattern Blocking

Pattern Blocking automatically bans IP addresses based on one or more of the following patterns:

    • IP Address / IP Range
    • Browser User Agent
    • Hostname

Default Ban Rules

Blacklist Blocking

This rule is simple; it blocks visitors that are already blacklisted by Staq WAF global database by comparing the current client’s IP with the already blacklisted IPs. If the IP is found, it will be automatically blocked by the Staq WAF.

Same URL Blocking

This rule blocks visitors from countries with infrequent traffic to the AWS region the site is hosted at (e.g. ap-southeast-2) that have visited the same URL, at least 5 times in the past 30 seconds.

Vulnerable URL Blocking

This rule blocks visitors that try to access sensitive links:

  • /.env
  • /wp-config.php
  • /.well-known/(?!acme-challenge)

Client Type Validation

No WAF can guess which traffic is good and which traffic is bad in 100% preciseness. However, some WAFs have access to more data or have more insights which help mitigate false-positive cases which happen when a good IP is blocked.

Staq WAF has a special feature that hooks into the IP address being blocked by the ban rules and performs another layer of validation before proceeding with the ban. Note that this validation runs just after the ban rule decided that an IP should be blocked.

There are couple client types that are considered “good traffic” but can still be prone to be mistakenly identified as “bad traffic” and thus banned by the Staq WAF:

  • Human
  • Safe Bot


There are couple of factors that help us determine whether the IP being banned belongs to a human and therefore should not be banned

    • WP Auth – checks whether the IP being banned was previously connected as an authenticated use. In order to determine whether the user was authenticated, Staq WAF (MU Plugin) keeps a record of all user accesses and in th WordPress level (aside from the PHP-FPM access log) and logs for each IP whether the user is authenticated or not (using WordPress functions such as is_user_logged_in()). The assumption is if a user was previously logged in, then the ban is intercepted and considered a false-positive.


While the internet is full of bots trying to crawl and gather as much information as possible on websites and their hosting platforms, it is fair to categorise them into 3 main types

    • Good / Trusted bots – usually coming from well known search engines such as Google, Bing, Yahoo, etc…
  • Unwanted bots – usually coming from less popular search engines, and while the reason behind crawling the sites might not be malicious, such types of bots can still cause unnecessary burden on the server with no real added value to the sites being hosted. For example: Petal Search – HUAWEI.
  • Bad robots – usually coming from infamous countries (e.g. Russia / China) while having suspicious behaviour (e.g. visiting non-existing pages) and unclear origins (e.g. hostname). In addition, such bots usually do not respect the instructions found inside the “robot.txt” file.

Staq WAF currently checks for “Good / Trusted bots” by comparing the IPs or Hostnames to the ones set by the search engine companies. For example: if the resolved hostname from the bot’s IP ends with “.googlebot.com” then we can tell that the bot belongs to Google and it is safe.


We continue to study and learn the data for the benefit of making further decisions in order to protect websites on Staq.

We continue to evolve to suit the ever-growing complexities of WordPress security.

Sign up with Staq

Are you wanting better and more efficient WordPress security? Sign up today.

Sign Up

Consolidate your WordPress experience in one dashboard.

Sign Up Now