Web Application Firewall (WAF)

In addition to filtering traffic by IP address, Plesk provides an integrated Web Application Firewall (WAF) feature via Apache mod_security.

Note: requests served only by Nginx (e.g. when the Serve static files directly by nginx or Process PHP by nginx options are enabled) never reach Apache and therefore cannot be filtered by the WAF.

Rather than simply looking at the IP address originating a request to your server, a WAF analyses each HTTP/HTTPS request for potentially malicious patterns. For example, query string parameters shouldn't usually contain anything that looks like an SQL injection attack, so if a WAF spots a request of that form it can block it for you.

How to enable

The WAF is an advanced feature, so it's turned off by default to avoid potentially blocking legitimate traffic (see below).

It can be enabled, server-wide, via Plesk under Tools & Settings > Security > Web Application Firewall (ModSecurity).

There are 3 modes:

  • Off (default)
  • Detection only - bad requests are logged but not blocked; useful for evaluating the potential service impact of a WAF rule set before activating it
  • On - bad requests are blocked

Per domain

After enabling server-wide, a Web Application Firewall option is added to each domain within Plesk. Here, you can set the desired WAF mode for the domain, view related logs, and configure exceptions.

The per domain WAF mode cannot be more restrictive than the server-wide mode (e.g. if server-wide is detection only, per domain may be off or detection only, but cannot be on).
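The three modes and the per-domain restriction above can be modelled in a few lines. The following is an added, simplified illustration written for this page, not Plesk's or mod_security's code: the rule set is a constructed toy (three regular expressions), the rule IDs are hypothetical, and the exceptions parameter stands in for the per-domain exceptions Plesk lets you configure. It shows that Detection only logs a match without blocking, that On blocks it, and that a domain's effective mode is never stricter than the server-wide mode.

```python
"""Simplified model of the WAF modes (Off / Detection only / On) and of the
per-domain clamping rule. Illustrative stand-in for Apache mod_security,
written for this page; not Plesk's or mod_security's own code."""

import re
from enum import IntEnum
from urllib.parse import parse_qsl, urlsplit


class WafMode(IntEnum):
    # Ordered so that a higher value is more restrictive.
    OFF = 0
    DETECTION_ONLY = 1
    ON = 2


# Constructed, deliberately small rule set: (hypothetical rule id, description, pattern).
# Real rule sets such as Atomic's contain hundreds of far more refined rules.
RULES = [
    (1001, "SQL injection in request parameter",
     re.compile(r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|;\s*drop\s+table", re.I)),
    (1002, "Cross-site scripting in request parameter",
     re.compile(r"<\s*script\b|javascript\s*:|on\w+\s*=", re.I)),
    (1003, "Local file inclusion in request parameter",
     re.compile(r"(\.\./){2,}|/etc/passwd", re.I)),
]


def effective_mode(server_mode: WafMode, domain_mode: WafMode) -> WafMode:
    """A domain may relax the server-wide mode but can never exceed it."""
    return min(server_mode, domain_mode)


def inspect_request(url: str, mode: WafMode, exceptions=()):
    """Inspect the query string of a request URL under the given mode.

    Returns (action, log_lines) where action is 'allow' or 'block'.
    Rule ids listed in `exceptions` are skipped, mimicking a per-domain exception.
    """
    log = []
    if mode == WafMode.OFF:
        return "allow", log          # nothing is inspected or logged
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    matched = []
    for name, value in params:
        for rule_id, desc, pattern in RULES:
            if rule_id in exceptions:
                continue
            if pattern.search(value):
                matched.append(rule_id)
                log.append(f"rule {rule_id} matched ARGS:{name}: {desc}")
    if not matched:
        return "allow", log
    if mode == WafMode.DETECTION_ONLY:
        log.append("mode=DetectionOnly: request logged, not blocked")
        return "allow", log
    log.append("mode=On: request blocked with HTTP 403")
    return "block", log


if __name__ == "__main__":
    # Constructed sample: server-wide Detection only, domain asks for On.
    mode = effective_mode(WafMode.DETECTION_ONLY, WafMode.ON)
    action, log = inspect_request("https://example.com/search?q=%27+OR+1%3D1--", mode)
    print(f"effective mode: {mode.name}, action: {action}")
    for line in log:
        print("  " + line)
```

Running the script shows the domain's request for On being clamped to Detection only, so the suspicious query is logged and allowed; switching the server-wide mode to On produces a block instead.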

WAF Rule sets

As you might imagine, crafting WAF rules that block malicious requests but otherwise stay out of your way and let legitimate traffic flow freely is a difficult and time consuming task.

Although you can define a custom rule set if you wish, it's not recommended - the rules need to be carefully crafted and refined on an ongoing basis; think of them like anti-virus signatures for web requests.

Instead, there are various (free and commercial) rule sets available to you. The 2 most popular options are both provided by Atomic; their free and paid options are compared below:

Feature                                                       Basic ModSecurity    Advanced ModSecurity Rules
Price                                                         Free                 £9.99 / $14.99 per month
SQL injection
Cross-site scripting (XSS)
Remote file inclusion (RFI)
Local file inclusion (LFI)
Command injection
Virtual patching                                              Limited
Advanced protection for WordPress, Joomla, Drupal, and Magento
Malicious website code suppression
Web shell blocking
Brute force protection
PCI-DSS compliance
Data loss protection
Bot protection
  Malicious bots
  Comment form spam
False positives
  Advanced false positive prevention
  Real time correction to false positive rules
  Search engine spider whitelist
Anti-evasion protection
Manual override (whitelisting)
Real time blacklists
Crowd sourced threat intelligence
Rules updated multiple times per day