In addition to filtering traffic by IP address, Plesk provides an integrated Web Application Firewall (WAF) feature via Apache mod_security.
Requests served only by Nginx (e.g. via the Serve static files directly by nginx or Process PHP by nginx options) cannot be filtered by the WAF, because they never reach Apache where mod_security runs.
Rather than simply looking at the IP address originating a request to your server, a WAF analyses each HTTP/HTTPS request for potentially malicious patterns. For example, query string parameters shouldn't usually contain anything that looks like an SQL injection attack, so if a WAF spots a request of that form it can block it for you.
The WAF is an advanced feature, so it's turned off by default to avoid potentially blocking legitimate traffic (see below).
It can be enabled, server-wide, via Plesk under Tools & Settings > Security > Web Application Firewall (ModSecurity).
There are 3 modes: Off, Detection only (suspicious requests are logged but still served), and On (suspicious requests are logged and blocked).
After enabling server-wide, a Web Application Firewall option is added to each domain within Plesk. Here, you can set the desired WAF mode for the domain, view related logs, and configure exceptions.
The per-domain WAF mode cannot be more restrictive than the server-wide mode (e.g. if the server-wide mode is detection only, a domain may be set to off or detection only, but cannot be set to on).
As you might imagine, crafting WAF rules that block malicious requests but otherwise stay out of your way and let legitimate traffic flow freely is a difficult and time-consuming task.
Although you can define a custom rule set if you wish, it's not recommended: the rules need to be carefully crafted and refined on an ongoing basis. Think of them like anti-virus signatures for web requests.
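To make the three modes, the per-domain cap and the false-positive problem concrete, here is a small model of how a signature-based WAF such as mod_security decides what to do with a request. This is an added example, not Plesk or ModSecurity code: the rule ids, regular expressions and sample requests are constructed for illustration, and the "clamp the domain mode to the server-wide mode" behaviour stands in for Plesk simply not offering the stricter option in its UI.

```python
"""Toy model of a ModSecurity-style WAF with Plesk's three modes.

Added example, not Plesk or ModSecurity code. Rule ids, patterns and
sample requests below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Ordering used to enforce "per-domain mode may not be stricter than server-wide".
MODES = ("off", "detection_only", "on")


@dataclass
class Rule:
    rule_id: int          # constructed id, in the style of ModSecurity's numeric rule ids
    description: str
    pattern: re.Pattern


# Constructed signatures. They are deliberately simple so the example can show both
# a genuine hit and a false positive on perfectly legitimate user-supplied text.
RULES = [
    Rule(900001, "SQL injection: tautology or UNION SELECT in a parameter",
         re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)")),
    Rule(900002, "Command injection: shell metacharacter followed by a command name",
         re.compile(r"(?i)[;|&]\s*(cat|ls|wget|curl)\b")),
    Rule(900003, "Path traversal: ../ sequence in a parameter",
         re.compile(r"\.\./")),
]


@dataclass
class DomainConfig:
    requested_mode: str                      # what the domain owner selected
    excluded_rule_ids: set = field(default_factory=set)  # per-domain exceptions


def effective_mode(server_mode: str, domain_mode: str) -> str:
    """Cap the per-domain mode at the server-wide mode.

    detection_only server-wide => a domain can be off or detection_only, never on.
    """
    return MODES[min(MODES.index(server_mode), MODES.index(domain_mode))]


def scan_request(url: str, rules, excluded):
    """Return (rule_id, param, value) for every non-excluded rule matching a query parameter."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for rule in rules:
            if rule.rule_id in excluded:
                continue
            if rule.pattern.search(value):
                hits.append((rule.rule_id, name, value))
    return hits


def handle_request(url: str, server_mode: str, domain: DomainConfig, audit_log: list) -> str:
    """Decide whether to serve or block one request, writing matches to the audit log.

    off            -> no inspection, nothing logged
    detection_only -> matches logged, request still served
    on             -> matches logged and the request blocked (HTTP 403 in real ModSecurity)
    """
    mode = effective_mode(server_mode, domain.requested_mode)
    if mode == "off":
        return "served"
    hits = scan_request(url, RULES, domain.excluded_rule_ids)
    for rule_id, param, value in hits:
        audit_log.append(f"mode={mode} rule={rule_id} param={param} value={value!r} url={url}")
    if hits and mode == "on":
        return "blocked"
    return "served"


def demo() -> dict:
    """Walk through the scenarios the article describes; returns the outcomes."""
    log, results = [], {}
    blog = DomainConfig(requested_mode="on")
    sqli = "/search?q=1' OR '1'='1"                       # constructed attack request
    shell_tutorial = "/comment?text=run cd ..; ls -la to list the parent directory"  # legitimate text

    # Domain wants "on", but the server-wide mode is detection_only, so it is only logged.
    results["effective"] = effective_mode("detection_only", "on")
    results["sqli_detect"] = handle_request(sqli, "detection_only", blog, log)
    # With the server-wide mode on, the same request is blocked.
    results["sqli_block"] = handle_request(sqli, "on", blog, log)
    # A forum post about shell commands trips the command-injection rule: a false positive.
    results["fp_block"] = handle_request(shell_tutorial, "on", blog, log)
    # The per-domain exception for that rule lets the legitimate request through again.
    blog.excluded_rule_ids.add(900002)
    results["fp_after_exception"] = handle_request(shell_tutorial, "on", blog, log)
    # Off means no inspection at all, so nothing is logged.
    results["off"] = handle_request(sqli, "off", blog, log)
    results["log_entries"] = len(log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The false-positive path is the part worth studying: the same rule that catches a real command-injection attempt also blocks a legitimate comment about Unix commands, which is exactly why the article recommends a maintained rule set and why Plesk exposes per-domain exceptions rather than expecting you to edit rules by hand.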
Instead, there are various (free and commercial) rule sets available to you. The 2 most popular options are both provided by Atomic; their free and paid options are compared below:
Feature | Basic ModSecurity | Advanced ModSecurity Rules |
---|---|---|
Price | Free | £9.99 / $14.99 per month |
Vulnerability | | |
SQL injection | | |
Cross-site scripting (XSS) | | |
Remote file inclusion (RFI) | | |
Local file inclusion (LFI) | | |
Command injection | | |
Virtual patching | Limited | |
Malware | | |
Advanced protection for WordPress, Joomla, Drupal, and Magento | | |
Malicious website code suppression | | |
Web shell blocking | | |
Brute force protection | | |
PCI-DSS compliance | | |
Data loss protection | | |
Bot protection | | |
Malicious bots | | |
Comment form spam | | |
False positives | | |
Advanced false positive prevention | | |
Real time correction to false positive rules | | |
Search engine spider whitelist | | |
Anti-evasion protection | | |
Manual override (whitelisting) | | |
Updates | | |
Real time blacklists | | |
Crowd sourced threat intelligence | | |
Rules updated multiple times per day | | |