Firewall for Website, VPS & Dedicated Server
Every online business, from a small WordPress blog to a multi-tenant SaaS running on a dedicated server, faces the same reality: attackers scan the internet non-stop, looking for open ports, unpatched software, and weak logins. A firewall is the first line of defense that decides what traffic is allowed in, what is blocked, and what gets flagged for review.
But here is what most guides miss. There is no single firewall that protects everything. A website needs one type of firewall, a VPS needs another, and a Windows dedicated server needs yet another approach. In this guide we walk through all three layers in plain language, with the exact tools we recommend to AEserver clients and step-by-step setup commands you can copy and run.
What Is a Firewall and How Does It Work
A firewall is a security system that monitors incoming and outgoing network traffic and decides, based on a set of rules, whether to allow or block each connection. Think of it as a checkpoint between your server and the rest of the internet: every packet that arrives is inspected, compared against the rules you defined, and either let through or dropped.
Firewalls work at different layers of the network stack. Some only look at IP addresses and port numbers (simple and fast). Others inspect the actual content of requests, for example to detect SQL injection attempts in HTTP traffic (slower but much more powerful). The right choice depends on what you are trying to protect.
Three Layers of Firewall Protection You Actually Need
When clients buy hosting, a VPS, or a dedicated server from us, the security conversation almost always comes down to three distinct layers. Each layer protects something different, and skipping any of them leaves a real gap.
| Layer | What It Protects | Tool We Recommend |
|---|---|---|
| Website (WAF) | Your web application against SQL injection, XSS, bots, DDoS, brute-force logins | Cloudflare + optional WordPress plugin |
| Server OS (Linux) | Ports and services on your VPS or dedicated server (SSH, databases, panel) | UFW or firewalld, plus Fail2Ban |
| Server OS (Windows) | Ports and services on your Windows VPS or dedicated server (RDP, SQL, IIS) | Windows Defender Firewall with Advanced Security |
The rest of this guide walks through each layer in detail.
Part 1: Website Firewall (WAF), Cloudflare and WordPress Plugins
A Web Application Firewall, or WAF, sits in front of your website and filters HTTP/HTTPS traffic. Unlike a server firewall that only looks at ports, a WAF understands web requests: it can detect a SQL injection pattern in a form field, spot a credential-stuffing bot, block a scraper, and absorb a DDoS attack before it ever reaches your origin server.
There are two main ways to deploy a WAF: cloud-based (traffic is routed through an external network like Cloudflare before reaching your site) or plugin-based (the WAF runs on your own server as part of WordPress). Both work, and many of our clients use them together.
🛡️ Cloudflare, Our Recommended Website Firewall
For virtually every website client, we recommend starting with Cloudflare. It is the most widely deployed WAF in the world, it has a generous free tier, and setup takes about fifteen minutes. Here is what you get and how to enable it.
Create a Free Cloudflare Account and Add Your Site
Go to cloudflare.com, sign up, and click “Add a Site”. Enter your domain name (without https:// or www) and pick the Free plan unless you already know you need Pro.
Let Cloudflare Scan Your DNS Records
Cloudflare will automatically detect your existing DNS records (A, AAAA, CNAME, MX, TXT). Review the list carefully and make sure every record is correct. For records that should be proxied through Cloudflare (like your main A record for the website), the cloud icon must be orange. For mail-related records like MX, the icon must stay grey.
Change Your Nameservers at Your Domain Registrar
Cloudflare will give you two nameservers that look something like anna.ns.cloudflare.com and bob.ns.cloudflare.com. Log in to your domain registrar (if your domain is with us, log in to my.aeserver.com) and replace the existing nameservers with the Cloudflare ones. Propagation usually takes a few hours but can take up to 24 hours.
Enable SSL and Turn On the Managed Ruleset
Once Cloudflare is active, go to SSL/TLS and set the mode to “Full (strict)” if you have a valid SSL certificate on your origin server (we install one for free on all our hosting). Then navigate to Security, WAF, and enable the Cloudflare Free Managed Ruleset. Also turn on Bot Fight Mode under Security, Settings.
Add Basic Custom Firewall Rules
Under Security, WAF, Custom rules, we recommend adding at least these rules for any WordPress site: block access to /wp-admin from countries where you do not have users, challenge or block requests to /xmlrpc.php (a common brute-force target), and rate-limit login attempts to /wp-login.php.
🔌 WordPress Firewall Plugins, When You Need a Second Layer
Cloudflare is excellent at the network edge, but some attacks only become detectable once WordPress starts processing the request (for example, a logged-in user abusing their own permissions). That is where WordPress firewall plugins come in. They run inside WordPress or at the server level just before WordPress loads.
We do not recommend installing more than one of these at a time, they will conflict. Pick one based on your needs.
Wordfence, the Most Popular WordPress Firewall
With over four million active installs, Wordfence is the most widely used WordPress security plugin. It combines an endpoint WAF, a malware scanner, login security, and real-time traffic analytics. The free version is generous, rule updates are delayed by 30 days compared to the premium version.
Best for: site owners who want a single plugin for firewall plus malware scanning and do not mind a slightly heavier plugin.
Sucuri Security, Enterprise-Grade DNS Firewall
The free Sucuri Security plugin handles auditing, integrity monitoring, and basic hardening. The real power is the paid Sucuri Firewall (a cloud-based WAF that works similarly to Cloudflare), which includes malware cleanup and blacklist removal if your site gets hacked.
Best for: business sites and e-commerce stores where a post-incident cleanup SLA matters.
All-In-One Security (AIOS)
All-In-One WP Security and Firewall is a free plugin with a broad feature set: login lockdown, user enumeration blocking, file permission checks, a .htaccess-based firewall, and more. It is lighter than Wordfence but lacks deep malware scanning.
Best for: users who want solid free hardening without paying for premium features.
Solid Security (formerly iThemes Security)
Solid Security focuses on hardening rather than a full WAF. It is backed by StellarWP (Liquid Web family) and gets regular updates. The free version covers the basics, Pro adds vulnerability patching, two-factor authentication enforcement, and more.
Best for: those who prefer a hardening-first approach and are willing to pair it with Cloudflare for WAF duty.
NinjaFirewall, Server-Level Protection
NinjaFirewall takes a different approach. Instead of loading as a plugin after WordPress starts, it sits in front of WordPress and inspects all incoming HTTP traffic at the PHP level before any WordPress code runs. This makes it much harder for malicious requests to ever touch your site.
Best for: developers and power users who want fine-grained control.
Cloudflare WordPress Plugin
The official Cloudflare plugin is not a firewall itself, it is a helper that integrates your WordPress site with your Cloudflare account. It handles automatic cache purging, IP restoration (so WordPress sees real visitor IPs, not Cloudflare IPs), and one-click WAF presets optimized for WordPress.
Best for: every Cloudflare user running WordPress, this plugin is a no-brainer add-on.
Quick Comparison
| Plugin | Type | Free Version |
|---|---|---|
| Wordfence | Endpoint WAF + malware scanner | Generous, 30-day delayed rules |
| Sucuri Security | Auditing plugin (paid cloud WAF) | Auditing only |
| AIOS | Hardening + basic firewall | Full features |
| Solid Security | Hardening | Basics included |
| NinjaFirewall | Server-level WAF (pre-WordPress) | Solid free version |
| Cloudflare (plugin) | Integration helper for Cloudflare | Fully free |
Part 2: Linux VPS and Dedicated Server Firewall
When you rent a Cloud VPS or a Dedicated Server from us and install Linux, you get full root access and full responsibility. That includes configuring a host-based firewall to control which ports are open to the internet. Every production Linux server should have a firewall running from day one.
Under the hood, modern Linux uses netfilter (iptables or its successor nftables) as the actual packet-filtering engine. But you rarely touch those directly. Instead, you use a friendlier front-end: UFW on Ubuntu/Debian, or firewalld on CentOS, AlmaLinux, Rocky Linux, and RHEL.
📋 UFW for Ubuntu and Debian
UFW stands for Uncomplicated Firewall, and the name is accurate. It is a simple command-line tool that generates iptables rules from human-readable commands. UFW is pre-installed on Ubuntu and available in the default Debian repositories. The official documentation lives at the Ubuntu UFW wiki.
Install and enable UFW on Ubuntu/Debian:
sudo apt update sudo apt install ufw -y
Set sensible defaults (deny all incoming, allow all outgoing):
sudo ufw default deny incoming sudo ufw default allow outgoing
Allow SSH before enabling the firewall (critical step):
sudo ufw allow 22/tcp
If you use a non-standard SSH port (which we recommend), replace 22 with your actual port number.
Allow web traffic for your site:
sudo ufw allow 80/tcp sudo ufw allow 443/tcp
Allow a specific IP to access MySQL only from your office:
sudo ufw allow from 203.0.113.45 to any port 3306 proto tcp
Enable the firewall:
sudo ufw enable
Check status and listed rules:
sudo ufw status verbose sudo ufw status numbered
Delete a rule by number (useful when cleaning up):
sudo ufw delete 3
Rate-limit SSH (UFW will temporarily block an IP after 6 connection attempts in 30 seconds):
sudo ufw limit 22/tcp
📋 firewalld for CentOS, AlmaLinux, Rocky Linux, and RHEL
If your VPS or dedicated server runs CentOS, AlmaLinux, Rocky Linux, or Red Hat Enterprise Linux, the default firewall manager is firewalld. It uses a zone-based model: each network interface is assigned to a zone (public, trusted, dmz, etc.), and each zone has its own rules. Full documentation is on the firewalld project site.
Install and start firewalld (usually already installed on RHEL-family systems):
sudo dnf install firewalld -y sudo systemctl enable --now firewalld
Check which zone your network interface is in:
sudo firewall-cmd --get-active-zones
See the rules of the default (public) zone:
sudo firewall-cmd --zone=public --list-all
Allow SSH (most RHEL images already have this open, but verify):
sudo firewall-cmd --permanent --zone=public --add-service=ssh
Allow HTTP and HTTPS:
sudo firewall-cmd --permanent --zone=public --add-service=http sudo firewall-cmd --permanent --zone=public --add-service=https
Allow a custom port (for example, 8080 for a development server):
sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
Reload rules so changes take effect:
sudo firewall-cmd --reload
Remove a rule:
sudo firewall-cmd --permanent --zone=public --remove-port=8080/tcp sudo firewall-cmd --reload
Block a specific IP using a rich rule:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="198.51.100.42" drop' sudo firewall-cmd --reload
📋 iptables, the Low-Level Backbone
Both UFW and firewalld ultimately produce iptables (or nftables) rules. You can also edit those rules directly, but we only recommend this for advanced administrators who need capabilities the high-level tools do not expose. A typical raw iptables command to block an IP looks like this:
sudo iptables -A INPUT -s 198.51.100.42 -j DROP
The downside: iptables rules are not persistent by default on most distributions. You need the iptables-persistent package (Debian/Ubuntu) or equivalent to save them across reboots. For 99% of servers, stick with UFW or firewalld.
🚨 Fail2Ban, Your Intrusion Prevention Companion
A firewall only blocks traffic based on static rules. It cannot react to behavior. That is where Fail2Ban comes in: it watches your log files in real time, and when it spots repeated failed login attempts from the same IP (on SSH, WordPress login, Nginx auth, and more), it automatically adds a temporary ban to your firewall. Every Linux server we manage runs Fail2Ban alongside the firewall. The project is hosted at github.com/fail2ban/fail2ban.
Install Fail2Ban:
# Ubuntu/Debian sudo apt install fail2ban -y # CentOS/AlmaLinux/Rocky/RHEL sudo dnf install epel-release -y sudo dnf install fail2ban -y
Enable and start the service:
sudo systemctl enable --now fail2ban
Create a local configuration (never edit jail.conf directly, always override in jail.local):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo nano /etc/fail2ban/jail.local
Recommended SSH jail settings inside jail.local:
[DEFAULT] bantime = 3600 findtime = 600 maxretry = 5 ignoreip = 127.0.0.1/8 ::1 YOUR_OFFICE_IP_HERE [sshd] enabled = true port = ssh logpath = /var/log/auth.log maxretry = 3 bantime = 86400
This blocks an IP for 24 hours after 3 failed SSH attempts within 10 minutes. Replace YOUR_OFFICE_IP_HERE with your real admin IP so you never ban yourself. On CentOS/RHEL, change logpath to /var/log/secure.
Restart Fail2Ban to apply the config:
sudo systemctl restart fail2ban
Check which IPs are currently banned:
sudo fail2ban-client status sshd
Manually unban an IP (for example, if a real user got locked out):
sudo fail2ban-client set sshd unbanip 203.0.113.45
Part 3: Windows VPS and Dedicated Server Firewall
If you run a Windows VPS or dedicated server (common for ASP.NET applications, MSSQL databases, or workloads that need Remote Desktop), you have a powerful built-in firewall: Windows Defender Firewall with Advanced Security. It is enabled by default on all supported Windows Server versions and covers inbound, outbound, and connection-security rules. Microsoft’s official documentation is at Microsoft Learn.
You can manage Windows Firewall in three ways: the GUI (wf.msc), the modern PowerShell cmdlets (NetSecurity module, recommended by Microsoft), and the legacy netsh advfirewall command. We show PowerShell first because it is what Microsoft now recommends for automation, followed by netsh for reference.
💻 Windows Firewall with PowerShell (Recommended)
Open PowerShell as Administrator. All commands below assume elevated privileges.
Check whether all firewall profiles are enabled:
Get-NetFirewallProfile | Format-Table Name, Enabled
Enable the firewall on all profiles (Domain, Private, Public):
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Allow inbound HTTP and HTTPS for a web server:
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
Restrict Remote Desktop (RDP) to a specific admin IP:
New-NetFirewallRule -DisplayName "RDP from office" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 203.0.113.45 -Action Allow
Block outbound Telnet (Telnet is insecure and should never be used):
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program "%SystemRoot%\System32\telnet.exe" -Protocol TCP -LocalPort 23 -Action Block
List all enabled inbound rules:
Get-NetFirewallRule | Where-Object { ($_.Enabled -eq $True) -and ($_.Direction -eq "Inbound") } | Format-Table DisplayName, Action, Profile
Disable a rule by display name:
Disable-NetFirewallRule -DisplayName "Allow HTTP"
Remove a rule permanently:
Remove-NetFirewallRule -DisplayName "Allow HTTP"
💻 Windows Firewall with netsh advfirewall (Legacy)
The netsh advfirewall context still works on all modern Windows Server versions and is useful for scripts that need to run on older systems. Microsoft has indicated netsh for firewall management may eventually be deprecated, but it is widely used in production today.
Turn on the firewall for all profiles:
netsh advfirewall set allprofiles state on
Set default policies (block inbound, allow outbound):
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
Add a rule to allow inbound HTTPS:
netsh advfirewall firewall add rule name="Allow HTTPS" dir=in action=allow protocol=TCP localport=443
Add a rule to allow RDP only from a specific IP:
netsh advfirewall firewall add rule name="RDP from office" dir=in action=allow protocol=TCP localport=3389 remoteip=203.0.113.45
Show all rules:
netsh advfirewall firewall show rule name=all
Delete a rule by name:
netsh advfirewall firewall delete rule name="Allow HTTPS"
Export the full firewall configuration to a backup file:
netsh advfirewall export "C:\Backup\firewall-config.wfw"
Restore from backup:
netsh advfirewall import "C:\Backup\firewall-config.wfw"
🛡️ Additional Windows Server Hardening
Beyond the built-in firewall, Windows Server users should consider: changing the default RDP port, enabling Account Lockout Policy, installing an intrusion prevention tool (RdpGuard or EvlWatcher are popular options for Windows equivalents of Fail2Ban), and running Windows Update on a regular schedule. For production workloads, we also recommend pairing the OS firewall with an edge WAF like Cloudflare in front of any public-facing web service.
How to Combine All Three Layers (Defense in Depth)
A well-protected online business uses every layer simultaneously. Here is how the pieces fit together for a typical WordPress site running on a Linux VPS.
| Traffic Path | What Inspects It |
|---|---|
| Visitor connects to your domain | Cloudflare DDoS protection and WAF filter the request at the edge |
| Request reaches your VPS IP on port 443 | UFW or firewalld allows the connection; all other ports are blocked |
| Repeated failed login attempts | Fail2Ban bans the attacker’s IP temporarily |
| Request is processed by WordPress | Optional Wordfence or NinjaFirewall adds final inspection |
Each layer catches attacks the layer before it missed. A bot blocked by Cloudflare never loads your server. A scanner probing SSH is blocked by UFW. A brute-force attempt that slips through is banned by Fail2Ban. An exploit targeting WordPress is caught by Wordfence. The more layers, the smaller the chance that any single weakness gets exploited.
Summary
- Three layers, not one. Your website needs a WAF, your server needs an OS firewall, and both need intrusion prevention. Skipping any layer leaves a gap attackers will find.
- For websites, start with Cloudflare Free. It gives you DDoS protection, a basic WAF, free SSL, and a global CDN at no cost. Upgrade to Pro when you handle payments or sensitive data.
- Add a WordPress firewall plugin only if you need on-site scanning. Wordfence is the most popular, Sucuri is best for managed incident response, NinjaFirewall is best for server-level protection.
- On Linux, use UFW (Ubuntu/Debian) or firewalld (RHEL family). Both are wrappers around iptables/nftables with friendlier syntax. Always allow SSH before enabling the firewall.
- On Linux, pair the firewall with Fail2Ban. Firewalls block static rules, Fail2Ban blocks behavior. Together they stop brute-force attacks automatically.
- On Windows Server, use Windows Defender Firewall with Advanced Security. Manage it with PowerShell for scripts and automation, or the GUI for quick changes. Never leave RDP open to the world.
- Test before you enable. A firewall that locks you out of your own server is worse than no firewall. Always allow your admin IP and SSH/RDP access first.
- Review logs regularly. UFW, firewalld, Windows Firewall, and Fail2Ban all keep detailed logs. A quick weekly review tells you who is trying to get in.
- Pair firewalls with other security basics. SSL certificates, strong passwords, two-factor authentication, regular updates, and off-site backups matter just as much.
- Ask for help when you need it. Our support team is available 24/7 and has configured thousands of Linux and Windows servers. If you are unsure, open a ticket before making changes.
If you are looking for a hosting partner in the UAE that takes security seriously, explore our Managed WordPress Hosting, Cloud VPS in Dubai, and Dedicated Servers. Every plan includes free SSL, and our managed services include full firewall and Fail2Ban configuration out of the box.
