LWS Protect: application firewall for website security

Procédure

Introduction to LWS Protect

The LWS Protect tool, available in the "Security" section of your cPanel control panel, lets you secure your website in just a few easy clicks by customising the security rules in place upstream of the web server of your hosting package.

LWS Protect: application firewall for website security

These security rules take effect as soon as the traffic arrives upstream of the web server, well beyond Apache or PHP, giving you significant resource savings and increased efficiency. HTTP requests are analysed by Fastest Cache's built-in application firewall before they are sent to the web server, long before ModSecurity or even your security plugins.

In addition to the simple security rules offered by ModSecurity, LWS Protect uses external reputation analysis tools and security rules developed in-house in response to attacks identified by our system administrators.

Summary of LWS Protect rules

Description Security level Possible values
Low High
Generic rules
Browser check on current administration pages Disabled Enabled Enabled
Disabled
Block HTTP access on current development folders Enabled Enabled Enabled
Disabled
Block HTTP access to .php files Disabled Disabled Enabled
Disabled
Aggressive anti-DDoS Off Enabled Enabled
Disabled
WordPress
WordPress : xmlrpc.php blocking Enabled Enabled Enabled
Disabled
WordPress: Limit the number of possible requests to /wp-admin and /wp-login.php 20 requests / 10 minutes 5 requests / 10 minutes Disabled
5 requests / 10 minutes
20 requests / 10 minutes
40 requests / 10 minutes
WordPress: block sensitive files Enabled Enabled Enabled
Disabled
Bots
Block/restrict SEO bots Disabled 20 requests / minute Disabled
Block all
5 requests / minute
20 requests / minute
40 requests / minute
Block fake Google Bot Activated Enabled Enabled
Disabled
Block malicious bots Disabled Enabled Enabled
Disabled
Block empty user agents Enabled Enabled Enabled
Off
IP reputation
Block malicious IPs Check browser with captcha Block Block
Check browser with captcha
Disabled
Block Tor network Disabled Enabled Enabled
Disabled

Why choose LWS Protect instead of installing a security plugin?

Unlike the security plugins provided with CMSs, LWS Protect acts upstream of the web server, even before PHP can run. In contrast, CMS security plugins require PHP to be running and at least part of the CMS to have started, which makes each request resource-intensive and therefore negatively affects the performance of other visitors to the site. For a small site, this problem may be discreet and transparent, but on a larger scale, you risk saturating your web hosting package, especially if you have a lot of simultaneous visitors and they are all accessing dynamic elements (= requiring PHP to be running).

LWS Protect solves this problem by filtering requests upstream of the web server, i.e. before PHP is executed and before the CMS is started, even before the web server does anything. So, for example, if you have 1000 simultaneous visitors to your WordPress site and 50% of them are malicious, you avoid 500 executions of your CMS and 500 executions of PHP. You save both RAM and the number of MySQL requests and you prevent these malicious visits from affecting the performance of your real visitors.

LWS Protect rule sets

From the ' LWS Protect ' icon on your cPanel control panel, you can instantly activate a ruleset to apply a generic security profile. LWS currently offers three security profiles:

  • High: intended for websites regularly targeted by attacks
  • Low: intended for normal use (active by default)
  • Disabled: disables all LWS Protect rules

To change the active rule set on a website, click on the security level associated with the domain name concerned (1) and choose a new security level (2) :

LWS Protect: application firewall for website security

Customise LWS Protect security rules

You can also customise LWS Protect security rules individually by clicking on " Customise ":

LWS Protect: application firewall for website security

The security rules offered by LWS Protect are grouped into different categories according to their scope of action:

  • Generic rules apply to all websites
  • WordPress rules have been designed to secure access to a WordPress site
  • The rules grouped in the "Bots" tab affect access to robots and crawling tools
  • IP reputation rules are based on IP address reputation systems

LWS Protect: application firewall for website security

Each security rule has at least two states: active and inactive. By activating certain rules, you can fine-tune their parameters:

LWS Protect: application firewall for website security

The rules are instantly active and are compatible with all our other performance optimisation tools: Fastest Cache, LiteSpeed and Ipxchange.

Browser check on common administration pages

Recommended rule.

This rule implements a preliminary check when accessing common administration pages (wp-admin, administrator, admin*, wp-login.php, etc.) in order to block tools masquerading as a web browser. Verification is carried out by sending a captcha page to ensure that the requests supposedly made by browsers are actually made by humans behind a web browser and not a bot.

Block HTTP access to current development files

Recommended rule.

This rule prevents HTTP access to common development folders, such as .sql files, .git folders, .env files, etc. This prevents information leaks in the event that you forget to delete a backup .sql file, for example, on your website during the design phase.

Block HTTP access to .php files

Activate with caution. Not compatible with WordPress.

This rule blocks direct access to .php files by preventing access to all URLs with the term ".php", which prevents any possible bypass of URL rewrites that you have defined in your .htaccess file.

Aggressive anti-DDoS

Activate with caution.

Aggressive anti-DDoS performs a preliminary check on all HTTP requests made to your website by a web browser. The mechanism, which is identical to the browser verification mechanism in the administrator folders, prevents automated robots from reaching your website.

WordPress: block xmlrpc.php

Activate with caution. May cause problems with some WordPress plugins.

Systematically blocks access to the xmlrpc.php file with a 403 error. A file that used to be used to make API requests to WordPress, it is now largely replaced by wp-admin/admin-ajax.php. However, it is kept for backward compatibility with tools that still rely on xmlrpc.php.

WordPress: Limit the number of possible requests to /wp-admin and /wp-login.php

Recommended and active by default at 20 requests/10 minutes

This rule limits the number of requests an IP address can make to wp-admin and wp-login.php. The request counter is the same for all the websites in our park, only the blocking threshold is specific to each website. This makes it possible to block two types of attack with a single rule: bruteforce attacks targeting a single website, and bruteforce attacks targeting a large number of websites.

As the counter is common, you will need to adjust this blocking threshold according to the number of sites you host and access simultaneously. If you have several sites and you open the dashboard simultaneously on a single PC, it is highly likely that you will have to adjust the blocking threshold to avoid being blocked.

A 403 error is displayed when blocking is effective, and unblocking takes place as soon as the number of requests made by the IP address over the last 600 seconds falls below the blocking threshold again.

WordPress: block sensitive files

Recommended and active by default

This rule prevents access to sensitive WordPress files and paths. Among other things, it prevents the execution of .php files in the WordPress upload folder and in the wp-includes folder, thus reducing the risk of damage following an intrusion or virus infection on your site.

Blocking/limiting SEO robots

Block or limit the number of requests per minute that SEO robots such as Ahrefs, Semrush and Majestic can make. Bots are identified by their User-Agent and/or IP address.

Block fake Google Bot

Recommended.

Allows you to block fake Google Bot. Fake Google Bot is detected using its IP address, the User-Agent supplied and reverse DNS. The data is then compared with the information provided by Google itself about its bots, and if any element is inconsistent, blocking is displayed with a 403 error.

Block malicious bots

Blocks malicious bots listed on public bot blacklists. Robots are identified as malicious or not by their IP address and/or User-Agent. A 403 error will then be displayed.

Block empty User-Agent

Recommended.

Block the request when the HTTP "User-Agent" header is empty. This often occurs with the default configurations of vulnerability scanning tools used by hackers. A 403 error will then be displayed.

Block malicious IPs

Recommended and active by default on "Check browser with a captcha".

This rule blocks access to the website by IP addresses reported as malicious. We use several public databases to identify malicious IP addresses. The reputation of an IP address is kept in our records for up to 24 hours. A captcha check will be performed if the IP address has a bad reputation, or a block with 403 error, depending on your blocking choice.

Block the Tor network

This rule blocks access to your website from the Tor network. The Tor network is detected by identifying the IP address in the public database of Tor Exit Nodes. A 403 error will be displayed if the IP address is on the list.

View blocking history

To view the blocks made by LWS Protect, go to LWS Protect and click on the " Block History " button associated with the domain name concerned:

LWS Protect: application firewall for website security

You can then filter the events according to your needs:

  • Host name / domain
  • Date/time range
  • Blocked IP address
  • HTTP request
  • Message

LWS Protect: application firewall for website security

Once you have clicked on "Search", the logs are updated, taking into account the filters that have been set up:

LWS Protect: application firewall for website security

Rate this article :

5/5 | 1 opinion

This article was useful to you ?

Article utileYes

Article non utileNo

Vous souhaitez nous laisser un commentaire concernant cet article ?

Si cela concerne une erreur dans la documentation ou un manque d'informations, n'hésitez pas à nous en faire part depuis le formulaire.

Pour toute question non liée à cette documentation ou problème technique sur l'un de vos services, contactez le support commercial ou le support technique

MerciMerci ! N'hésitez pas à poser des questions sur nos documentations si vous souhaitez plus d'informations et nous aider à les améliorer.


Vous avez noté 0 étoile(s)

Similar articles

1mn reading

How do I use the IP refusal manager in cPanel?

0mn reading

How do I activate a Let's Encrypt SSL certificate on cPanel?

0mn reading

How can I easily install a paid SSL certificate on cPanel?

0mn reading

Secure your website with ModSecurity on your cPanel package


Questions sur l'article
Sandy Il y a 360 days
Comment l'utiliser j'arrive pas à ouvrir je comprends pas
See the
1 answers
Jordan-LWS - Il y a 357 days

Bonjour,


Si vous n'êtes pas en capacité d'ouvrir la section LWS Protect, je vous invite vivement à ouvrir une demande d'assistance technique depuis votre espace client afin que l'un de nos techniciens vous apporte une réponse dans les plus brefs délais afin d'analyser votre problème.

Dans le cas où vous souhaiteriez contacter notre assistance technique, je vous inviterais à suivre cette documentation guidant dans l'ouverture d'une demande.

Je vous remercie pour votre attention et reste à votre disposition pour toutes autres demandes ou interrogations complémentaires à propos de nos services.

Cordialement, L'équipe LWS.

Utile ?

Ask the LWS team and its community a question