Website Security provides a number of different options to help tailor the security of the firewall to your website.
Advanced Security Options | Description
---|---
Admin panel restricted to only Whitelisted IP addresses | Most popular content management systems have an administrative panel, for example /wp-admin on WordPress or /administrator on Joomla. If you set this option to On, only whitelisted IP addresses will be able to access those directories.
XMLRPC, Comments and Trackbacks blocked | If your site doesn't allow comments (or trackbacks/pingbacks), or if you use an external commenting system (like Disqus or Facebook comments), you can block any comment attempt, since it's likely to be spam.
Stop unfiltered HTML from being sent to your site | This option prevents users from inserting or sending unfiltered HTML content to your site. It will block things like iframes and script calls from being used. If you have a forum or membership site and you allow your users to send messages and post open content, don't enable this option. Whitelisted IP addresses are not affected by this setting.
Stop upload of PHP or executable content | This option will prevent anyone from uploading PHP, Perl or executable content to your site. We recommend enabling this option unless you allow users to upload files. Note that whitelisted IP addresses are still allowed to upload.
Enable Emergency DDoS protection | The HTTP flood protection will prevent anyone using a browser without JavaScript enabled from visiting the site (except major search engines). This is very useful when the site is under a DDoS attack. You can turn off this option once things normalize.
Block anonymous proxies and the top three attack countries | Enabling this option will prevent anyone from China, Russia or Turkey from interacting with your site. They are still able to view all content but cannot register an account, submit comments or attempt to log in. The same restriction applies to users using anonymous proxy services to hide their IP addresses.
Aggressive bot filter | This setting blocks invalid user agents that do not match real browsers, such as empty user agents, user agents that start with PHP/ and improper user agents from common browsers.
Force passing the hostname via TLS/SSL | This option will force passing the hostname during the SSL/TLS handshake.
Advanced evasion detection | This option will enable our advanced evasion detection signatures. We recommend keeping it on, but if your site supports URLs with non-ASCII characters (like Japanese, Hindi, Russian, etc.) you may need to disable it.
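
Before switching on the admin panel restriction or the aggressive bot filter, it helps to replay recent access logs and see which requests the rules described in the table would have stopped. The script below is an added example, not the firewall's own logic: it assumes Combined Log Format, and the function names, the sample log lines and the 203.0.113.0/24 allowlist are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ADMIN_PREFIXES = ("/wp-admin", "/administrator")  # the two example paths in the table

def classify(line, allowlist):
    """Return (client_ip, [options this request would trip]) for one log line."""
    m = LOG_RE.match(line.strip())
    try:
        ip = ipaddress.ip_address(m["ip"])
    except (TypeError, ValueError):  # line did not match, or first field is a hostname
        return None, ["unparsed"]
    hits = []
    path = m["path"].split("?", 1)[0].lower()
    if path.startswith(ADMIN_PREFIXES) and not any(ip in net for net in allowlist):
        hits.append("admin-panel")
    # Assumption: the bot filter applies to every client, allowlisted or not.
    ua = m["ua"].strip()
    if ua in ("", "-"):  # "-" is how most servers log a missing header
        hits.append("empty-user-agent")
    elif ua.startswith("PHP/"):
        hits.append("php-user-agent")
    return str(ip), hits

def audit(log_text, allowlist_cidrs):
    """Count hits per option and list the IPs that would lose admin access."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    counts, locked_out = Counter(), set()
    for line in filter(str.strip, log_text.splitlines()):
        ip, hits = classify(line, nets)
        counts.update(hits)
        if "admin-panel" in hits:
            locked_out.add(ip)
    return counts, sorted(locked_out)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "PHP/7.4.3"
192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 2048 "-" "-"
"""
print(audit(SAMPLE_LOG, ["203.0.113.0/24"]))
```

Any address in the second element of the result is a legitimate candidate for the whitelist if it belongs to an administrator; the table's "improper user agents from common browsers" rule is not modelled because the page does not define it.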