medium Infrastructure

No Web Application Firewall (WAF)

No Web Application Firewall is detected, leaving the site exposed to SQL injection, XSS, and bot attacks.

Severity
medium
Time to Fix
1-2 hours
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is No Web Application Firewall (WAF)?

A Web Application Firewall (WAF) sits in front of your website and filters malicious requests — SQL injection, XSS, RCE, bot traffic, and known attack patterns. Without a WAF, every vulnerability in your application code is directly exploitable. A WAF is the first line of defense and can block 80%+ of automated attacks.

Why It Matters to Your Business

Without a WAF, automated bots scan your site 24/7 for vulnerabilities. Even a single unpatched plugin or framework vulnerability can lead to compromise. A WAF dramatically reduces the attack surface and provides logging/alerting for attack attempts.

How to Fix It

Deploy a WAF. Recommended options (free → paid):

1. Cloudflare (free tier includes basic WAF):
   - Sign up at cloudflare.com
   - Change your nameservers to Cloudflare
   - Enable "Proxy" mode (orange cloud)
   - Security → WAF → Enable managed rules

2. AWS WAF (pay per request):
   - Create Web ACL in AWS WAF
   - Attach to your CloudFront distribution or ALB
   - Enable AWS Managed Rules

3. ModSecurity (self-hosted, free):
   - Install mod_security on Apache/Nginx
   - Enable OWASP Core Rule Set (CRS)
   - Configure in DetectionOnly mode first, then Enforcement

4. Sucuri, Wordfence (WordPress-specific)

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-693: Protection Mechanism Failure
Detected Bywaf scanner(s)
Severity Levelmedium

Check if your website has this vulnerability

Our waf scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities