Website Security and Backups Help

Prevent Web Application Firewall (WAF) bypass

If someone discovers your hidden hosting IP (the origin server address the WAF sits in front of), they can bypass your Web Application Firewall (WAF) and send requests to your website directly. It's not common or easy to do, but for additional security, we recommend allowing HTTP access only through your WAF. You can limit access to your website by adding a restriction to your .htaccess file.

Warning: Wait until your DNS changes have fully propagated before following the directions below. This can take up to 24 hours after you've set up your WAF.
  1. Go to your Secureserver.net Domain Name Web Hosting product page.
  2. For Website Security and Backups, select Manage All.
  3. For the site you want to configure, select Details under Firewall.
  4. Select Settings.
  5. Select Security and scroll down to Preventing Firewall Bypass.
  6. Select your server type. For Apache servers, add the code to your .htaccess file. For NGINX, you'll need to add the code to your NGINX configuration file.

Common IP address-based rules

The best way to prevent hackers from bypassing the firewall is by limiting their access to your web server. Below you can find commonly used IP address-based rules to help restrict access to your web server.

Apache 2.4

# BEGIN Website Firewall Bypass Prevention
<FilesMatch ".*">
    Require ip 208.109.0.0/22
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 66.248.200.0/22
    Require ip 2a02:fe80::/29
</FilesMatch>
# END Website Firewall Bypass Prevention

If the website you want to protect contains addon domains or subdomains within the document root, and the site uses Apache 2.4, use the following code instead of header-based bypass prevention.

# BEGIN Website Firewall Bypass Prevention
<If "%{HTTP_HOST} == 'coolexample.com' || %{HTTP_HOST} == 'www.coolexample.com'">
    Require ip 208.109.0.0/22
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 2a02:fe80::/29
    Require ip 66.248.200.0/22
</If>
# END Website Firewall Bypass Prevention

Apache 2.2

# BEGIN Website Firewall Bypass Prevention
<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 208.109.0.0/22
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 2a02:fe80::/29
    Allow from 66.248.200.0/22
</FilesMatch>
# END Website Firewall Bypass Prevention

If the standard bypass prevention code doesn't work, you can try the following code, which requires the Sucuri WAF header.

# BEGIN Website Firewall Bypass Prevention
RewriteEngine On
RewriteCond %{HTTP:X-SUCURI-CLIENTIP} ^$
RewriteCond %{HTTP:X-SUCURI-COUNTRY} ^$
RewriteRule ^(.*)$ - [F,L]
ErrorDocument 403 Forbidden
# END Website Firewall Bypass Prevention

The alternative rules check whether the X-SUCURI-CLIENTIP and X-SUCURI-COUNTRY headers are present. Both RewriteCond lines must match, so a request is rejected with a 403 Forbidden response only when both headers are missing or empty; a request that carries either header is served.
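To see what the IP-based blocks and the header-based fallback above actually admit, here is a small reference model of both policies in Python. It is an added example, not code from Sucuri or the hosting product; the ranges and header names are copied from the blocks above, and the sample requests (203.0.113.0/24 and 198.51.100.0/24 are documentation address space) are constructed.

```python
"""Reference model of the two .htaccess policies on this page (added example,
not Sucuri or GoDaddy code): the WAF IP allow-list and the header-presence
fallback. Use it to sanity-check which requests a rule set admits before
putting it on the origin."""
import ipaddress

# Ranges copied from the Apache blocks above.
WAF_RANGES = [ipaddress.ip_network(n) for n in (
    "208.109.0.0/22", "192.88.134.0/23", "185.93.228.0/22",
    "66.248.200.0/22", "2a02:fe80::/29")]
# Headers tested by the RewriteCond fallback (%{HTTP:...} is case-insensitive).
WAF_HEADERS = ("X-Sucuri-ClientIP", "X-Sucuri-Country")


def allowed_by_ip(client_ip, host=None, protected_hosts=None):
    """`Require ip ...` (2.4) / `Deny from all` + `Allow from ...` (2.2).
    With protected_hosts given, model the <If "%{HTTP_HOST} == ..."> variant:
    only those hosts are restricted; other sites sharing the document root
    are left alone, which is what that variant is for."""
    if protected_hosts is not None and host not in protected_hosts:
        return True  # <If> block does not match, so no Require applies
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WAF_RANGES)


def allowed_by_headers(headers):
    """The RewriteCond pair is ANDed: the rule fires (403) only when BOTH
    headers are absent or empty (^$). One present header is enough to pass."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return any(lowered.get(h.lower(), "") != "" for h in WAF_HEADERS)


def decide(client_ip, headers, mode="ip", **kw):
    """Return the HTTP status the origin would send under the chosen rule set."""
    ok = allowed_by_ip(client_ip, **kw) if mode == "ip" else allowed_by_headers(headers)
    return 200 if ok else 403


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("208.109.1.5", {"X-Sucuri-ClientIP": "203.0.113.9"}),  # arrived via the WAF
        ("203.0.113.9", {}),                                    # sent straight to the origin
        ("2a02:fe80:1::1", {"x-sucuri-country": "US"}),         # WAF IPv6 range
    ]
    for ip, hdrs in samples:
        print(f"{ip:16} ip-rule={decide(ip, hdrs)} header-rule={decide(ip, hdrs, 'header')}")
```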

Managed WordPress

If your account appears as WPaaS hosting, the HAProxy or OpenResty layer in front of the site may not be forwarding the original client IP addresses in the request, so the IP-based rules won't match. Use the following code instead.

# BEGIN Website Firewall Bypass Prevention
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?coolexample\.com$
RewriteCond %{HTTP:X-SUCURI-CLIENTIP} ^$
RewriteCond %{HTTP:X-SUCURI-COUNTRY} ^$
RewriteRule ^(.*)$ - [F,L]
ErrorDocument 403 Forbidden
# END Website Firewall Bypass Prevention

Make sure to replace coolexample.com with your actual domain name. Also clear the Managed WordPress Varnish cache before testing the firewall bypass prevention, as you might otherwise still get a cached 200 OK response. You can do this from the WordPress Admin Dashboard, or over SSH (Secure Shell) with WP-CLI, the command line tool for managing WordPress sites.

If you need assistance enabling firewall bypass prevention, please feel free to request website security help.

More info

  • If you're using IIS, instructions vary between versions - IIS 7, IIS 8, and IIS 9/10. You can also try using a web.config file to prevent bypass.
  • Are you getting a 500 error code after adding the bypass prevention rules? Remove the line referring to IPv6 from the bypass prevention code and see if the error is gone. It can take a few minutes for the 500 error to clear after removing that line.