What is a web application firewall and how does it protect your site?

Home / Everything About / Everything About Websites / What is a web application firewall and how does it protect your site?

Automated attack tools hit websites all day long, and they do not stop to check whether a site is big, small, popular, or obscure. A web application firewall is the layer that reads every incoming request before your site does and stops the harmful ones from getting through. What makes it different from other security tools is the level at which it works and what it is actually reading.

Most of the traffic that tries to break into a website is not coming from a person sitting at a keyboard. It is coming from automated tools running through lists of known weak points, sending harmful requests to thousands of sites at once. A web application firewall is designed specifically to catch these. For the full picture of why websites are targeted regardless of size or purpose, see the article on why website security is important.

What is a web application firewall?

A web application firewall, often called a WAF, is a layer of protection that sits between the internet and your website. Every request that arrives at your site passes through the firewall first. The firewall checks each request against a set of rules and decides whether to let it through or block it.

The key difference between a web application firewall and a standard network firewall is what they look at. A network firewall works at the connection level, controlling which servers can talk to each other. A web application firewall looks at the content of the request itself, which is where web-based attacks are hidden. It reads what is being sent, not just where it is coming from.

How does a web application firewall work?

What it reads

  • Every incoming request carries information: the URL being requested, any data being submitted through forms, and the details the browser sends along with the request
  • The firewall reads all of this against a set of rules that describe what harmful requests look like
  • Requests that match a harmful pattern are blocked before they reach the server or your site's code at all

How it decides what to block

  • Firewalls use rule sets that describe known attack patterns. These are updated regularly as new attack methods are discovered
  • Some firewalls also look at behavior over time. A source sending hundreds of requests per second, or probing the site in a pattern that matches a scanning tool, can be blocked even if no single request breaks a specific rule
  • Managed firewall services handle rule updates automatically. A firewall running on old rules is far less effective against the attacks happening today

What types of attacks does a web application firewall stop?

SQL injection

  • SQL injection is one of the most common web attacks. It works by adding harmful database commands into a form field or URL, with the aim of getting the site to run those commands as if they were real instructions
  • A successful SQL injection attack can let an attacker pull every record out of the database, change content, or delete it entirely
  • A web application firewall recognizes the patterns these attacks use and blocks them before they reach the site

Cross-site scripting

  • Cross-site scripting, often called XSS, works by putting harmful scripts into a page that other visitors then load in their browsers
  • Those scripts can steal login sessions, redirect visitors to other sites, or collect information entered into forms without anyone realizing it
  • A firewall blocks requests carrying these attack patterns before any harmful code can reach the page

Bad bot traffic

  • Automated bots make up a large share of website traffic. Some are harmless, like search engine crawlers. Others are built to scan for weak points, test large numbers of passwords at the login page, or scrape content
  • A web application firewall can identify and block bots that match known harmful patterns, cutting off what they are able to find and reducing the load they put on the server

Known attack tools

  • Attackers use tools that send requests in patterns that have been studied and documented. Their signatures are built into firewall rule sets
  • A web application firewall with current rules blocks requests matching these patterns automatically, without any action needed

What a web application firewall cannot stop on its own

A firewall is one layer in a security setup, not a complete answer on its own.

Logins using stolen passwords

  • A web application firewall cannot tell whether a login was made by the real account owner or someone who got hold of the password somewhere else
  • A login using the correct username and password looks like a normal request. The firewall lets it through
  • This is why strong passwords and two-factor authentication are still needed alongside a firewall. For a full look at how these protections work together, see the article on how to protect your website from hackers

New attack methods the rules have not caught up with

  • When a new weak point is found in website software, there is a gap between when attacks start using it and when the firewall's rules are updated to block it
  • During that window, the firewall may let those specific attacks through
  • Keeping website software updated alongside running a firewall closes this gap significantly

Harmful code already on the site

  • A web application firewall filters incoming requests. It does not scan the site's own files for harmful code that may already be sitting there from an earlier attack
  • If something got onto the site before the firewall was in place, or through a method the firewall did not catch, it will not be detected
  • For what harmful code on a site looks like and how to deal with it, see the article on what website malware is and how it affects your site

Network-level versus site-level firewalls

Network-level firewalls

  • A network-level firewall operates at the hosting level, filtering traffic before it reaches individual sites
  • These are typically provided by the hosting company or CDN. They are built to block large-scale attacks, including flood attacks that try to take down servers by sending enormous volumes of traffic at once
  • They work at a broad level and are better at filtering traffic volume and connection patterns than at reading the specific content of individual requests

Site-level firewalls

  • A site-level web application firewall operates closer to the site and reads the actual content of each request, catching attack patterns a network-level firewall may not see
  • These can be set up at the platform level on managed hosting services or added through a plugin or security service on self-managed sites
  • Both types cover different ground and work well together. A hosting provider that includes firewall protection at the network level already handles a large share of automated attacks before any site-level configuration is needed

How a web application firewall fits into a full security setup

A firewall works alongside other protections, each covering a different type of risk.

  • A firewall filters harmful requests. Keeping software updated closes the weak points those requests are targeting. Together, they address the two most common ways attacks get in
  • Strong passwords and two-factor authentication stop access through stolen login details, which no firewall can block on its own
  • Backups are what allow a site to recover quickly when something does get through. See the article on how to back up your website for the full guide

How WEMASY handles firewall protection

WEMASY's hosting includes firewall protection and traffic filtering at the network level. Harmful requests and flood attacks are filtered before they reach individual sites on the platform. This is built into every plan and needs no setup or configuration from site owners.

Software updates are managed at the platform level, keeping sites protected against known weak points without any action required. SSL certificates are included and applied automatically on every site.

See what is included at the WEMASY website builder, or review plan options on the pricing page.

Frequently asked questions

What is a web application firewall?

What attacks does a web application firewall block?

Does a web application firewall replace other security measures?

What is the difference between a network firewall and a web application firewall?

Do I need a web application firewall if my hosting already includes firewall protection?

How often are web application firewall rules updated?