• So do you recommend we use a different Security Plugin since you only offer WAF with sites hosted with WPMUdev? I’m confused, aren’t most customers finding your plugin when using WordPress with other hosting providers, we can’t all just up and switch to your hosting. Now, after setting everything up I realized you don’t offer a WAF unless hosted through you and now I’m out looking around wondering about whether I need it. I came from using CleanTalk Security and their plugin offered it. I’d prefer to not use their product anymore because I like the UI of Defender and I also use Forminator but I don’t like the idea that I have to switch hosting provider. I’ve used my host for 10 years and I’m happy with their service. Please give your thoughts on this situation. Why don’t you offer WAF outside of your hosting and also, since you don’t, what do you recommend? Finding a universal Security plugin then like Wordfence since all their malware and security protection is all together????

  • Plugin Support Williams – WPMU DEV Support

    (@wpmudev-support8)

    Hi @whyknott

    I hope you’re well today!

    Defender currently doesn’t have WAF built-in, indeed. It might possibly change in future if there’ll be enough demand for it but we don’t have any established plan for it yet. WAF available for sites hosted with us is a server-level solution – it’s not really built-in into Defender only. It works on a server level and filters traffic before it even hits the site.

    Any WAF that’s built-in into plugin works – just like a plugin – “inside” the environment that it is expected to protect which makes it less efficient, “sensitive” to overall resource usage (which may be already compromised e.g. by DDoS or similar attacks) and still prone to other vulnerabilities on site.

    Just to be clear – I’m not saying that it’s useless or will not work. It’s just way more efficient to have this kind of protection set “outside” or, rather, “in front” of the site.

    Nonetheless, if there’ll be more requests to include WAF in Defender directly, I’m sure our Defender Team will consider doing so but for now – I’m afraid I’m not able to make any promises at the moment.

    Kind regards,
    Adam

    Thread Starter Why Not Advertising, LLC

    (@whyknott)

    ok so if I decide to stick with using defender albeit free version or paid, and never having a WAF integrated, is that opening up a door for malware or scammers/spammers to exploit and enter the site? Or will I need to use another plugin to handle the WAF part? CleanTalk offers a web application firewall but I’ve still been getting spam form submissions to my forminator forms. I have Akismet paid version and your defender plugin installed and still getting spam submissions. I’ve even integrated Google ReCaptcha v3. I keep everything 100% up to date and the client’s site is on an InMotion Hosted VPS - their highest paid VPS package. I was thinking to add some hidden field traps to stop them from submitting. Any other ideas???? My client is getting fed up with the spam submissions.

    Plugin Support Laura – WPMU DEV Support

    (@wpmudevsupport3)

    Hi @whyknott,

    Hope this message finds you well.

    ok so if I decide to stick with using defender albeit free version or paid, and never having a WAF integrated, is that opening up a door for malware or scammers/spammers to exploit and enter the site?

    Without a WAF, your site might be more susceptible to certain types of attacks that could potentially compromise your site’s security, but it will also depend on many factors, like your custom code, legacy plugins/theme, etc. A good alternative is Cloudflare; it adds an extra security layer to the domain as well.

    While reCAPTCHA and other spam-blocking tools are valuable in deterring automated spam bots and malicious activities they may not be foolproof in blocking all forms of spam. Spammers are constantly evolving their tactics and finding new ways to circumvent security measures, which can sometimes pose a challenge even with robust protection in place.

    Forminator has these other security features:

    https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#security
    https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#cleantalk-anti-spam
    https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#friendly-captcha
    https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#simple-cloudflare-turnstile

    In addition, we have a few snippets to filter, for example, common domains like this one:

    <?php
    add_action( 'wp_footer', function() {
    	if ( ! is_singular() || ! has_shortcode( get_the_content(), 'forminator_form' ) ) {
    		return;
    	}
    	?>
    	<script type="text/javascript">
    		(($,d)=>{
    			if ( window.wpmudev_forminator_validarte_email_field ) {
    				return;
    			}
    			window.wpmudev_forminator_validarte_email_field = {
    				run: function() {
    					let field_id 					= 'email-1',
    						forbitten_public_emails 	= [ 'gmail', 'yahoo' ],
    						form 						= $( 'form.forminator-custom-form' ),
    						email_field 				= form.find( `#${field_id} input` ),
    						field_parent 				= email_field.closest( '.forminator-field' ),
    						error_markup  				= '<span class="forminator-error-message" aria-hidden="true"></span>',
    						error_msg 					= 'Please avoid using gmail, yahoo etc and use a private email instead',
    						error_field 				= field_parent.find( '.forminator-error-message' ); //$( '<span />', { 'class' : 'forminator-error-message' } );
    
    					if ( 0 ===error_field.length ) {
    						error_field = $( error_markup );
    					}
    
    					$(d).on( 'validation:focusout', function(){
    						let value = email_field.val();
    
    						for ( let key in forbitten_public_emails ) {
    
    							if( forbitten_public_emails.hasOwnProperty( key ) ) {
    
    								if ( value.includes( `@${forbitten_public_emails[key]}` ) ) {
    
    									field_parent.addClass( 'forminator-has_error' );
    									error_field.html( error_msg );
    									$( error_field ).insertAfter( email_field );
    
    									break;
    								}
    							}
    
    						}
    
    					} );
    				}
    				
    			};
    			$(d).ready( function(){
    				$(d).on( 'after.load.forminator',function( e, form_id ) {
    					wpmudev_forminator_validarte_email_field.run();
    				});
    			} );
    		})(jQuery,document);
    	</script>
    	<?php
    }, 40 );

    This is useful if you are using Email field, but it requires some customization:

    Replace email-1 with your form email field:

    field_id = 'email-1',

    Replace gmail, yahoo, with the spam emails you can track

    forbitten_public_emails = [ 'gmail', 'yahoo' ]

    Replace the error message Please avoid using gmail, yahoo etc and use a private email instead

    error_msg = 'Please avoid using gmail, yahoo etc and use a private email instead',

    You might need to install it as a mu-plugin following the instructions on this link https://wpmudev.com/docs/using-wordpress/installing-wordpress-plugins/#installing-mu-plugins.

    Let us know if you require additional information.

    Best regards,
    Laura
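
    The footer script above runs only in the visitor's browser, so a submission sent without running that script is never checked. The following is an added example, not WPMU DEV's code, that applies the same domain list on the server. It assumes Forminator's `forminator_custom_form_submit_errors` filter receives `( $submit_errors, $form_id, $field_data_array )` with `name`/`value` entries; `example_is_blocked_email` is a hypothetical helper name.

```php
<?php
/**
 * Added example (not WPMU DEV's code): server-side version of the domain check.
 * Assumptions: the Forminator filter 'forminator_custom_form_submit_errors'
 * passes ( $submit_errors, $form_id, $field_data_array ) and each entry of
 * $field_data_array has 'name' and 'value' keys; verify on your version.
 */

// Returns true when the address's domain starts with a blocked provider label.
function example_is_blocked_email( $email, array $blocked ) {
	$email = strtolower( trim( (string) $email ) );
	$at    = strrpos( $email, '@' );
	if ( false === $at ) {
		return false; // Not an address; leave that to the field's own validation.
	}
	$domain = substr( $email, $at + 1 );
	foreach ( $blocked as $label ) {
		// 'gmail' matches gmail.com but not notgmail.example.
		if ( 0 === strpos( $domain, strtolower( $label ) . '.' ) ) {
			return true;
		}
	}
	return false;
}

add_filter( 'forminator_custom_form_submit_errors', function ( $submit_errors, $form_id, $field_data_array ) {
	$field_id = 'email-1';                 // same field as the footer script
	$blocked  = array( 'gmail', 'yahoo' ); // same list as the footer script

	foreach ( (array) $field_data_array as $field ) {
		if ( isset( $field['name'], $field['value'] )
			&& $field_id === $field['name']
			&& is_string( $field['value'] )
			&& example_is_blocked_email( $field['value'], $blocked ) ) {
			// Reject the submission with the same message the browser shows.
			$submit_errors[][ $field_id ] = 'Please avoid using gmail, yahoo etc and use a private email instead';
			break;
		}
	}
	return $submit_errors;
}, 10, 3 );
```

    Like the footer script, this can be installed as a mu-plugin; keep both lists in sync so the browser message and the server decision agree.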

    Plugin Support Nithin – WPMU DEV Support

    (@wpmudevsupport11)

    Hi @whyknott ,

    Since we haven’t heard from you for a while, I’ll mark this thread as resolved for now. Please feel free to re-open this thread if you need any further assistance.

    Kind Regards
    Nithin
