How to Set Up a Web Application Firewall (WAF)

A Web Application Firewall (WAF) sits between your website and incoming traffic, inspecting each request and blocking those that match known attack patterns - like SQL injection, XSS, and exploit attempts. It's one of the most effective layers of defence you can add to your site.

Option 1: ModSecurity (Built into cPanel)

dotCanada servers include ModSecurity, a powerful open-source WAF that runs at the server level. To enable it:

1. Log in to cPanel.
2. Go to Security › ModSecurity.
3. Toggle it On for your domain(s).

ModSecurity uses rule sets (like OWASP CRS) to block common attack vectors automatically, with no configuration needed on your part.

Option 2: Cloudflare WAF

Cloudflare offers a free WAF as part of its content delivery network (CDN). To use it:

1. Create a free Cloudflare account and add your domain.
2. Update your domain's nameservers to point to Cloudflare.
3. In the Cloudflare dashboard, enable the WAF under the Security section.

Cloudflare's WAF handles threats at the edge before traffic even reaches dotCanada's servers. The free plan includes essential protection; the paid plans offer more advanced rule customization.

Option 3: WordPress Plugin WAF

For WordPress sites, Wordfence includes a built-in application-layer firewall that learns from your traffic and blocks attacks targeting WordPress specifically.

Combining Layers

For the strongest protection, use ModSecurity at the server level and Cloudflare at the network edge together. Questions about WAF configuration? Contact our support team.