The PowerSEC WAF inspects every HTTP request to your WordPress site and blocks attacks before they reach your code.
How requests flow
Visitor → Your Server → PowerSEC WAF → WordPress
                              ↓
                     Block + Log (if attack)
Rule sets
PowerSEC includes:
- OWASP Core Rule Set — covers SQL injection, XSS, RFI/LFI, and other OWASP Top 10 categories
- WordPress-specific rules — blocks known WP exploit patterns (e.g., wp-config.php disclosure attempts, xmlrpc abuse)
- CVE-specific signatures — when a new vulnerability is disclosed, we ship a virtual patch within hours
- Geo-blocking (optional) — block requests from countries you don't serve
Per-site control
For each site you can:
- Set WAF mode: Off | Detect only | Detect & Block
- Enable/disable rule categories
- Whitelist specific IPs (e.g., your office, monitoring tools)
- Whitelist specific URLs (e.g., a custom API endpoint that triggers false positives)
Reading WAF logs
The WAF dashboard shows:
- Total requests inspected in the last 24h / 7d / 30d
- Blocks by rule category — useful for tuning
- Top blocked IPs — patterns of attack
- Top blocked URLs — what attackers are probing
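The same four dashboard views can be rebuilt from an exported log, which is useful when tuning or when you want a number the dashboard does not show. The block below is an added example, not PowerSEC code: the JSON field names and the log lines are constructed for it, and the false-positive heuristic at the end is this example's own idea (real users trip a rule occasionally but are otherwise allowed; scanners get blocked on nearly everything), not a PowerSEC feature.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of WAF log lines, one JSON object per line. The field
# names (ts, ip, path, action, rule_id, category) are an assumption of this
# example; PowerSEC's real export format is not shown on the page.
# 198.51.100.7 / .8 behave like scanners; 203.0.113.10 / .11 like editors
# whose custom endpoint trips an XSS rule once each.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","ip":"198.51.100.7","path":"/xmlrpc.php","action":"block","rule_id":"WP-002","category":"wordpress"}
{"ts":"2024-05-01T10:00:02Z","ip":"198.51.100.7","path":"/wp-config.php.bak","action":"block","rule_id":"WP-001","category":"wordpress"}
{"ts":"2024-05-01T10:00:03Z","ip":"198.51.100.7","path":"/?s=1","action":"block","rule_id":"OWASP-942100","category":"owasp"}
{"ts":"2024-05-01T10:00:04Z","ip":"198.51.100.7","path":"/xmlrpc.php","action":"block","rule_id":"WP-002","category":"wordpress"}
{"ts":"2024-05-01T10:00:05Z","ip":"198.51.100.7","path":"/wp-login.php","action":"block","rule_id":"OWASP-942100","category":"owasp"}
{"ts":"2024-05-01T10:01:00Z","ip":"198.51.100.8","path":"/xmlrpc.php","action":"block","rule_id":"WP-002","category":"wordpress"}
{"ts":"2024-05-01T10:01:01Z","ip":"198.51.100.8","path":"/wp-config.php~","action":"block","rule_id":"WP-001","category":"wordpress"}
{"ts":"2024-05-01T10:01:02Z","ip":"198.51.100.8","path":"/wp-content/uploads/../../etc/passwd","action":"block","rule_id":"OWASP-930100","category":"owasp"}
{"ts":"2024-05-01T11:00:00Z","ip":"203.0.113.10","path":"/","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:00:05Z","ip":"203.0.113.10","path":"/wp-admin/post.php","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:00:09Z","ip":"203.0.113.10","path":"/wp-admin/admin-ajax.php","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:00:12Z","ip":"203.0.113.10","path":"/wp-json/acme/v1/snippets","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:00:20Z","ip":"203.0.113.10","path":"/wp-json/acme/v1/snippets","action":"block","rule_id":"OWASP-941100","category":"owasp"}
{"ts":"2024-05-01T11:00:25Z","ip":"203.0.113.10","path":"/wp-admin/post.php","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:30:00Z","ip":"203.0.113.11","path":"/","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:30:04Z","ip":"203.0.113.11","path":"/wp-admin/post.php","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:30:08Z","ip":"203.0.113.11","path":"/wp-json/acme/v1/snippets","action":"block","rule_id":"OWASP-941100","category":"owasp"}
{"ts":"2024-05-01T11:30:15Z","ip":"203.0.113.11","path":"/wp-admin/admin-ajax.php","action":"allow","rule_id":null,"category":null}
{"ts":"2024-05-01T11:30:40Z","ip":"203.0.113.11","path":"/wp-json/acme/v1/snippets","action":"allow","rule_id":null,"category":null}
"""


def parse_log(text: str) -> list:
    """One dict per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(entries: list, top_n: int = 5) -> dict:
    """The four dashboard views: inspected total, blocks by category,
    top blocked IPs and top blocked URLs."""
    blocks = [e for e in entries if e["action"] == "block"]
    return {
        "inspected": len(entries),
        "blocked": len(blocks),
        "blocks_by_category": dict(Counter(e["category"] for e in blocks)),
        "top_blocked_ips": Counter(e["ip"] for e in blocks).most_common(top_n),
        "top_blocked_urls": Counter(e["path"] for e in blocks).most_common(top_n),
    }


def false_positive_candidates(entries: list, min_ips: int = 2,
                              max_block_ratio: float = 0.25) -> list:
    """Heuristic (this example's own, not a PowerSEC feature): a rule/URL
    pair blocked for several distinct IPs whose other traffic is mostly
    allowed looks like real users tripping a rule rather than a scanner,
    so it is worth a manual look. Returns (rule_id, path, distinct_ips)."""
    per_ip_total = Counter(e["ip"] for e in entries)
    per_ip_blocked = Counter(e["ip"] for e in entries if e["action"] == "block")
    ips_by_pair = defaultdict(set)
    for e in entries:
        if e["action"] == "block":
            ips_by_pair[(e["rule_id"], e["path"])].add(e["ip"])
    out = []
    for (rule_id, path), ips in ips_by_pair.items():
        if len(ips) < min_ips:
            continue
        # Share of each client's requests that were blocked; scanners sit near 1.0.
        ratios = [per_ip_blocked[ip] / per_ip_total[ip] for ip in ips]
        if max(ratios) <= max_block_ratio:
            out.append((rule_id, path, len(ips)))
    return sorted(out, key=lambda r: -r[2])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for k, v in summarize(entries).items():
        print(f"{k}: {v}")
    print("review these rule/URL pairs:", false_positive_candidates(entries))
```

On the constructed sample the scanners dominate the top-IP and top-URL lists (xmlrpc.php and wp-config backups), while the one pair the heuristic flags is the XSS rule on the custom endpoint, which is exactly the case the False positives section below deals with.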
False positives
If a legitimate request gets blocked:
- Find the request in WAF logs (use timestamp + URL)
- Note the rule ID that triggered the block
- Fix it with the narrowest change that works: disable that one rule, or, if the rule is still needed elsewhere, whitelist the affected URL. A whitelisted URL skips every rule for that path and a whitelisted IP skips every rule for that client, so reserve those for endpoints that cannot be tuned and for fixed addresses you control (your office, monitoring tools).
A small number of false positives is the normal cost of a strict WAF. PowerSEC tunes the rule set to minimize them, but plugin combinations vary, so re-check the logs after installing or updating plugins.
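The rule sets, the per-site controls and the false-positive procedure above fit together as one small inspection loop. The block below is an added example, not PowerSEC's code: the rule IDs, the patterns, the configuration field names and the mode names are constructed for it (a real deployment of the OWASP Core Rule Set has hundreds of rules with their own IDs), and the requests it inspects are made up. It shows the order in which whitelists, mode and rules are consulted, why input is URL-decoded before matching, and what each of the two false-positive remedies costs.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Illustrative rule table shaped after the categories the page lists.
# IDs and patterns are constructed for this example; they are not PowerSEC's
# signatures and are far smaller than the real OWASP CRS.
RULES = [
    # (rule_id, category, field the rule applies to, pattern)
    ("OWASP-942100", "owasp", "any",
     r"(?i)(\bunion\b[\s/*]+(all[\s/*]+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)"),
    ("OWASP-941100", "owasp", "any",
     r"(?i)(<script\b|javascript:|\bon(error|load)\s*=)"),
    ("OWASP-930100", "owasp", "any",
     r"(\.\./|\.\.\\|/etc/passwd\b)"),
    ("WP-001", "wordpress", "path",                       # wp-config.php backup disclosure
     r"(?i)/wp-config\.php(\.bak|\.orig|\.save|~|\.swp)$"),
    ("WP-002", "wordpress", "body",                       # xmlrpc system.multicall abuse
     r"(?i)<methodName>\s*system\.multicall\s*</methodName>"),
]
COMPILED = [(rid, cat, where, re.compile(pat)) for rid, cat, where, pat in RULES]


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class SiteConfig:
    """Per-site controls; field names are this example's assumption."""
    mode: str = "block"                                   # "off" | "detect" | "block"
    disabled_categories: set = field(default_factory=set)
    disabled_rules: set = field(default_factory=set)
    whitelist_ips: list = field(default_factory=list)     # CIDR strings or single IPs
    whitelist_urls: list = field(default_factory=list)    # path prefixes


@dataclass
class Decision:
    action: str                                           # "allow" | "log" | "block"
    rule_id: Optional[str] = None
    category: Optional[str] = None


def _normalize(s: str) -> str:
    # Decode twice so double-encoded payloads (%252e%252e/) cannot slip past the patterns.
    return unquote_plus(unquote_plus(s))


def inspect(req: Request, cfg: SiteConfig, log: list) -> Decision:
    """Whitelists first, then mode, then rules in table order; first hit wins."""
    if cfg.mode == "off":
        return Decision("allow")
    ip = ipaddress.ip_address(req.client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in cfg.whitelist_ips):
        return Decision("allow")
    norm = {"path": _normalize(req.path), "query": _normalize(req.query), "body": _normalize(req.body)}
    norm["any"] = "\n".join(norm.values())
    if any(norm["path"].startswith(prefix) for prefix in cfg.whitelist_urls):
        return Decision("allow")                          # every rule skipped for this path
    for rid, cat, where, rx in COMPILED:
        if cat in cfg.disabled_categories or rid in cfg.disabled_rules:
            continue
        if rx.search(norm[where]):
            action = "block" if cfg.mode == "block" else "log"
            log.append({"ip": req.client_ip, "path": req.path, "rule_id": rid,
                        "category": cat, "action": action})
            return Decision(action, rid, cat)
    return Decision("allow")


def false_positive_walkthrough() -> dict:
    """The page's procedure: reproduce the block, read the rule ID, then compare remedies."""
    # Constructed requests: an editor saving a code sample, and an attacker hitting the same endpoint.
    legit = Request("203.0.113.10", "POST", "/wp-json/acme/v1/snippets",
                    body="title=Hello&code=<script>alert(1)</script>")
    attack = Request("198.51.100.7", "POST", "/wp-json/acme/v1/snippets",
                     body="title=x&code=1' OR '1'='1")
    xss_elsewhere = Request("198.51.100.7", "GET", "/", query="s=<script>alert(1)</script>")
    out = {}
    log = []
    out["blocked_by"] = inspect(legit, SiteConfig(), log).rule_id          # read from the log entry
    # Remedy A: disable that one rule. Narrow for this URL, but the rule is off site-wide.
    cfg_a = SiteConfig(disabled_rules={out["blocked_by"]})
    out["rule_disabled"] = (inspect(legit, cfg_a, []).action, inspect(attack, cfg_a, []).action)
    out["xss_elsewhere_after_rule_disabled"] = inspect(xss_elsewhere, cfg_a, []).action
    # Remedy B: whitelist the URL. Other rules stay on elsewhere, but nothing is checked on this path.
    cfg_b = SiteConfig(whitelist_urls=["/wp-json/acme/v1/snippets"])
    out["url_whitelisted"] = (inspect(legit, cfg_b, []).action, inspect(attack, cfg_b, []).action)
    return out


if __name__ == "__main__":
    for k, v in false_positive_walkthrough().items():
        print(f"{k}: {v}")
```

Running the walkthrough shows the trade-off in one screen: disabling the single XSS rule lets the editor's request through and still blocks the SQL injection on that endpoint, but an XSS probe against the search page now also passes; whitelisting the endpoint keeps the XSS rule for the rest of the site, but the SQL injection aimed at the whitelisted path is no longer inspected at all. Pick whichever loss is smaller for the site, and note the rule ID in the change log so the next person tuning the WAF knows why it is off.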
What WAF can't do
- Stop attacks that exploit logic flaws — the WAF inspects HTTP, not your business logic
- Replace patching — keep plugins updated; the WAF is a safety net, not a substitute
- Catch threats that bypass it — direct database access, FTP uploads, etc.
For deeper protection, combine WAF with FIM and malware scanning (all included).