Firewall

Hostney Knowledge Base | hostney.com | August 21, 2023 | Feb 28, 2026 | 11 min read

The Firewall page is the security command center for your hosting account. It brings together four tools under one roof: the Web Application Firewall (WAF) that blocks attacks against your websites, Bot Protection that fights automated threats, Threat Intel that shows you exactly what’s happening and who’s doing it, and Live Traffic that streams your server activity in real time.

You’ll find the Firewall page in the main navigation. It opens on the WAF tab by default.

Choosing a website

At the top of the page, select which website you want to manage. The domain dropdown appears across all four tabs, and your selection carries over as you switch between them. If you only have one website, it’s selected automatically.

WAF tab

The WAF tab controls ModSecurity, the open-source web application firewall that inspects every HTTP request for malicious patterns. Hostney runs ModSecurity with the OWASP Core Rule Set (CRS), a maintained collection of rules that catch SQL injection, cross-site scripting (XSS), remote code execution, local file inclusion, and other common attacks.

ModSecurity settings

Click Configure next to the ModSecurity status to open the settings modal. You have two options:

  • Enabled — ModSecurity actively blocks requests that exceed the anomaly threshold. This is the recommended setting for production websites.
  • Detection only — ModSecurity logs threats but doesn’t block anything. Use this when you’re troubleshooting false positives or first setting up a new website.

The Anomaly threshold controls how sensitive the firewall is. Every incoming request accumulates a score based on which rules it triggers. If the total score reaches the threshold, the request gets blocked. The default is 10, which works well for most WordPress sites. Lower values (like 5) are stricter and may cause false positives. Higher values (up to 100) are more permissive.
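To make the threshold and the two modes concrete, here is an added Python model of CRS-style anomaly scoring. It is not Hostney's code: the per-severity points are the OWASP CRS defaults (assumed to be what Hostney runs), and the four rule IDs with their severities come from the CRS catalog rather than from this page.

```python
# Added example, not Hostney's code: a model of CRS-style anomaly scoring, showing how
# the threshold and the Enabled / Detection only mode turn triggered rules into a decision.
# Per-severity points are the OWASP CRS defaults; that Hostney keeps them is an assumption.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Rule IDs and severities taken from the CRS catalog (not from this page); a real
# deployment has several hundred rules, this is a four-rule sample.
RULE_SEVERITY = {
    942100: "CRITICAL",  # SQL injection detected via libinjection
    941100: "CRITICAL",  # XSS detected via libinjection
    920350: "WARNING",   # Host header is a numeric IP address
    920300: "NOTICE",    # request missing an Accept header
}


def anomaly_score(triggered_rule_ids):
    """Inbound anomaly score: the severity points of every rule the request triggered."""
    return sum(SEVERITY_POINTS[RULE_SEVERITY[rule_id]] for rule_id in triggered_rule_ids)


def evaluate(triggered_rule_ids, threshold=10, mode="Enabled"):
    """Return (score, action) for one request.

    Below the threshold the request passes untouched. At or above it, 'Enabled'
    blocks the request while 'Detection only' only records the would-be block.
    """
    if mode not in ("Enabled", "Detection only"):
        raise ValueError(f"unknown mode: {mode}")
    score = anomaly_score(triggered_rule_ids)
    if score < threshold:
        return score, "allow"
    return score, ("block" if mode == "Enabled" else "log-only")


if __name__ == "__main__":
    # Two libinjection hits reach the default threshold of 10; two protocol nits do not.
    print(evaluate([942100, 941100]))                          # (10, 'block')
    print(evaluate([920350, 920300]))                          # (5, 'allow')
    print(evaluate([920350, 920300], threshold=5))             # (5, 'block')  stricter setting
    print(evaluate([942100, 941100], mode="Detection only"))   # (10, 'log-only')
```

The last two calls show why a threshold of 5 produces more false positives than 10: two low-severity protocol findings are enough to block, and why Detection only is the safe first setting, since the same score is recorded without any request being dropped.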

Lockdown mode

Below the ModSecurity settings, you’ll see the lockdown status. Lockdown is an emergency measure — when activated, every visitor to your website must solve a proof-of-work challenge before they can access any page.

Click Configure to open the lockdown modal. A warning banner reminds you this is for emergency use only.

When you enable lockdown, an exemptions section appears with three types:

  • Verified bots — Toggle this on to let Googlebot, Bingbot, and other verified search engine crawlers through without a challenge. This keeps your SEO intact during an attack.
  • Country exemptions — Select countries from the dropdown and click Add. Visitors from exempted countries won’t be challenged. Useful when the attack comes from specific regions and you want to keep your primary audience unaffected.
  • IP/CIDR exemptions — Enter individual IP addresses or CIDR ranges (like 10.0.0.0/24) and click Add. Your own office IP is a good candidate here.

Each exemption shows as a tag with a delete button so you can remove it when lockdown ends.
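The following added Python example (not Hostney's code) walks through the three exemption types in the order a visitor would meet them during lockdown. The exemption structure and the visitor record are constructed for the example; whether a crawler counts as a verified bot is decided elsewhere and arrives here as a flag.

```python
import ipaddress

# Added example, not Hostney's code: evaluates the three lockdown exemption types
# (verified bots, countries, IP/CIDR) for one visitor. The data shapes are constructed.


def parse_exemption(text):
    """Normalise an IP/CIDR exemption as typed into the form.

    Accepts '10.0.0.0/24' or a bare address like '203.0.113.7' (treated as a /32 or /128).
    strict=True rejects host bits in a range, so a typo like '10.0.0.5/24' raises
    ValueError instead of silently exempting all of 10.0.0.0/24.
    """
    return ipaddress.ip_network(text.strip(), strict=True)


def build_exemptions(verified_bots, countries, ip_entries):
    """Assemble the exemption set from the modal's three sections."""
    return {
        "verified_bots": verified_bots,
        "countries": {c.upper() for c in countries},
        "networks": [parse_exemption(entry) for entry in ip_entries],
    }


def must_solve_challenge(visitor, exemptions):
    """True if lockdown should serve this visitor the proof-of-work challenge."""
    if exemptions["verified_bots"] and visitor.get("verified_bot", False):
        return False
    if visitor.get("country", "").upper() in exemptions["countries"]:
        return False
    addr = ipaddress.ip_address(visitor["ip"])
    # `in` is False when the address family differs, so an IPv6 visitor never
    # matches an IPv4 range by accident.
    if any(addr in net for net in exemptions["networks"]):
        return False
    return True


# Constructed exemption set: search engines allowed, DE/AT audience kept, office range exempt.
EXEMPTIONS = build_exemptions(
    verified_bots=True,
    countries=["de", "AT"],
    ip_entries=["10.0.0.0/24", "203.0.113.7"],
)

if __name__ == "__main__":
    for visitor in (
        {"ip": "10.0.0.42", "country": "US"},                          # office range
        {"ip": "198.51.100.9", "country": "US"},                       # nothing matches
        {"ip": "198.51.100.9", "country": "de"},                       # exempted country
        {"ip": "66.249.66.1", "country": "US", "verified_bot": True},  # verified crawler
        {"ip": "2001:db8::1", "country": "US"},                        # IPv6, no v6 exemption
    ):
        print(visitor["ip"], "challenge" if must_solve_challenge(visitor, EXEMPTIONS) else "exempt")
```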

Managing exclusions

The bottom of the WAF tab shows your ModSecurity exclusions table. Exclusions tell ModSecurity to skip specific rules for specific pages or IP addresses — the proper fix for false positives.

The table shows:

  • Location — The URL path where the exclusion applies. Shows “Entire website” if set to / .
  • Match — Either “Exact” (only that specific path) or “Prefix” (that path and everything under it). Only shown when the location is a specific path.
  • Rule ID — The CRS rule number. Hover over it to see the full rule description.
  • IP address — If the exclusion is IP-based instead of rule-based.

Click Add exclusion to open the exclusion form. It has two tabs:

Rule ID tab:

  1. Select the website from the dropdown.
  2. Enter the Rule ID number. You can click the rule explorer button to browse the full OWASP CRS catalog — it’s searchable by ID, description, or category (SQLi, XSS, RCE, LFI, etc.) and shows the paranoia level for each rule.
  3. Optionally enter a location path. Leave it empty to apply the exclusion site-wide.
  4. If you entered a specific path, you can check Exact match to limit the exclusion to that exact URL rather than treating it as a prefix.

IP address tab:

  1. Select the website.
  2. Enter an IPv4 or IPv6 address. The Insert my IP button fills in your current IP automatically.
  3. Optionally enter a location and exact match setting, same as above.

To remove an exclusion, click the dropdown menu on its row and select Delete. You’ll need to type DELETE to confirm.

Tip: If you see ModSecurity blocks in your error logs, you can use the quick-exclude action directly from the error log entry. It pre-fills the rule ID, website, and location path so you don’t have to copy them manually.
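To show what the form fields above amount to underneath, here is an added Python example (not Hostney's code) that renders an exclusion into ModSecurity directives. The directive syntax (SecRuleRemoveById, ctl:ruleRemoveById, ctl:ruleEngine=Off, @beginsWith, @streq, @ipMatch) is standard ModSecurity; that Hostney's panel emits exactly these lines, and the local rule-ID range 10001 and up, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not Hostney's code: renders an exclusion as typed into the form
# (Rule ID or IP address, optional location, Exact match) into ModSecurity directives.
# Standard ModSecurity syntax; the local rule IDs (10001+) are a constructed range.


@dataclass
class Exclusion:
    rule_id: Optional[int] = None   # Rule ID tab: the CRS rule to skip
    ip: Optional[str] = None        # IP address tab: the client to exempt
    location: str = ""              # URL path; "" or "/" means "Entire website"
    exact: bool = False             # Exact match (only that path) vs prefix

    def site_wide(self):
        return self.location.strip() in ("", "/")


def to_modsecurity(exc, local_id):
    """Return the directive text for one exclusion."""
    if (exc.rule_id is None) == (exc.ip is None):
        raise ValueError("an exclusion needs exactly one of rule_id or ip")
    if exc.ip is not None:
        ipaddress.ip_address(exc.ip)   # rejects a malformed address before it reaches the config

    # Site-wide rule exclusion: a plain SecRuleRemoveById, no condition needed.
    if exc.rule_id is not None and exc.site_wide():
        return f"SecRuleRemoveById {exc.rule_id}"

    # ctl:ruleRemoveById skips one rule for the matching request; ctl:ruleEngine=Off
    # turns inspection off for the matching request entirely (the IP-based exclusion).
    ctl = f"ctl:ruleRemoveById={exc.rule_id}" if exc.rule_id is not None else "ctl:ruleEngine=Off"

    conditions = []
    if not exc.site_wide():
        operator = "@streq" if exc.exact else "@beginsWith"
        conditions.append(f'REQUEST_URI "{operator} {exc.location}"')
    if exc.ip is not None:
        conditions.append(f'REMOTE_ADDR "@ipMatch {exc.ip}"')

    # phase:1 so the exclusion applies before the CRS rules inspect the request;
    # the directive must be loaded ahead of the CRS rule files.
    if len(conditions) == 1:
        return f'SecRule {conditions[0]} "id:{local_id},phase:1,pass,nolog,{ctl}"'
    # Path and address together: chain them, with the ctl action on the last link so
    # it fires only when both conditions match.
    return (f'SecRule {conditions[0]} "id:{local_id},phase:1,pass,nolog,chain"\n'
            f'    SecRule {conditions[1]} "{ctl}"')


if __name__ == "__main__":
    samples = [
        Exclusion(rule_id=942100),                                   # entire website
        Exclusion(rule_id=942100, location="/contact/"),             # prefix
        Exclusion(rule_id=942100, location="/contact/", exact=True), # exact
        Exclusion(ip="203.0.113.5"),                                 # IP, entire website
        Exclusion(ip="203.0.113.5", location="/wp-admin/", exact=False),
    ]
    for n, exc in enumerate(samples, start=10001):
        print(to_modsecurity(exc, n))
```

Note the difference in blast radius: a rule exclusion removes one CRS check for the matching requests, while an IP exclusion disables inspection of that client's requests altogether, so scoping it to a location is worth the extra field.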

Bot Protection tab

The Bot Protection tab has two per-website toggles:

Bot fight mode

This toggle activates automated detection and blocking of vulnerability scanners. The feature is labeled Sunset — it’s being replaced by the adaptive bot detection system visible in the Threat Intel tab (powered by Ellie, the AI assistant). The toggle still works, but the newer system provides smarter, signal-based detection that learns over time.

AI crawler blocking

When enabled, your website returns a 403 response to known AI training bots including GPTBot (OpenAI), ClaudeBot (Anthropic), and similar crawlers. This prevents AI companies from scraping your content for training data. Enabled by default on all websites.

Threat Intel tab

The Threat Intel tab is where you see what the bot detection system has been doing. It has two sub-tabs: Threat overview and Whitelisted IPs.

Threat overview

The top of the page shows six stats cards summarizing the last 24 hours:

  • Suspicious — IPs flagged for unusual behavior but not yet blocked (yellow)
  • Challenged — IPs that were served a proof-of-work challenge (orange)
  • Banned — IPs blocked entirely (red)
  • Requests stopped — Total requests that were blocked or challenged (gray)
  • Unique IPs — Distinct IP addresses that triggered at least one signal (cyan)
  • Total threats — Combined count of all threat categories (orange)

Threat distribution

Below the stats, a horizontal bar shows the breakdown of traffic over the last 24 hours. Each segment is color-coded:

  • Clean (green) — Normal traffic
  • Suspicious (amber) — Triggered some signals but below the action threshold
  • Malicious (orange) — High enough score to be challenged or banned
  • Blocked (red) — Actively blocked from accessing your website

Geographic charts

Two horizontal bar charts show where threats are coming from:

  • Top attacking countries — Ranked by unique IP count, with country flags
  • Top attacking datacenters — Ranked by unique IP count, showing datacenter/ASN names

These help you spot patterns. If most of your attacks come from datacenters rather than residential IPs, you’re dealing with automated bots. If a specific country dominates and you don’t serve customers there, a country-level lockdown exemption might make sense.

Recent threats table

The main table lists every IP that has triggered the bot detection system. Columns:

  • IP address — Click any public IP to open a drawer with detailed IP information (location, ASN, abuse contacts).
  • Country — Flag and country name.
  • Score — The threat score out of 100. If the ML model overrode the rule-based score, an “ML” badge appears.
  • Classification — Color-coded label: clean, suspicious, malicious, or blocked.
  • Targets — How many distinct websites on your account this IP has targeted.
  • Action — What enforcement action is currently in effect: Banned, Challenge, Rate limited, Whitelisted, or none.
  • Last seen — Timestamp of the most recent activity.

The table is searchable and sorted by score (highest first) by default. Pagination shows 10 entries per page.

IP actions

Click the dropdown menu on any row for these options:

View details opens the bot details modal with a full signal breakdown:

  • Threat score — Large display showing the current score out of 100 with classification.
  • Ellie AI assessment — If the ML model has an opinion, it shows whether Ellie considers the IP a likely bot or likely human, with a confidence percentage. When the ML score differs from the rule-based score, both are shown.
  • Signal breakdown — Lists every detection signal with its current value and maximum possible points. Each signal has a progress bar colored by intensity (red above 80%, orange above 50%, amber for any value). Signals include:
    • Honeypot trap (25 pts) — Accessed hidden trap URLs like /.env or /.git
    • Rate limit hits (25 pts) — Excessive request rate
    • Edge rate spike (20 pts) — Sudden burst detected at the edge
    • Scanner patterns (20 pts) — Vulnerability scanning behavior
    • Path scanning (15 pts) — High 404 rate with diverse paths
    • Blocklist hit (15 pts) — IP found on threat intelligence blocklists
    • Cookie absent (15 pts) — Never sends the sentinel cookie back
    • Multi-target spread (15 pts) — Targets multiple websites on the account
    • Repeat offender (15 pts) — Has been flagged before
    • Login targeting (15 pts) — Focused on login/admin pages
    • User agent quality (13 pts) — Missing or suspicious user agent string
    • Subnet concentration (12 pts) — Many flagged IPs in the same /24 subnet
    • Datacenter IP (10 pts) — Originates from a known datacenter, not residential
    • Regional traffic patterns (10 pts) — Unusual for the website’s typical audience
    • No referer (8 pts) — Never sends a Referer header
    • VPN IP (8 pts) — Uses a known VPN provider
    • Response anomaly (5 pts) — Unusual response patterns
    • No interaction (5 pts) — Loads pages but shows no signs of actual browsing
    Click “Show more” to expand the full list.
  • Activity stats — Expandable section showing total incidents, times banned, requests blocked, targets attacked, challenge statistics (served, solved, failed), and edge escalation data.
  • Score history — Timeline of the last 10 score changes, showing how the IP’s classification evolved over time.

Whitelist opens a modal to add the IP to your account’s whitelist. For IPv4 addresses, you can check Whitelist entire /24 subnet to cover all 256 addresses in the range. The modal shows the computed subnet (e.g., 1.2.3.0/24 — 256 addresses). If the IP is already whitelisted, the option changes to Remove whitelist with a confirmation step.

Admin-only actions (visible only to account administrators):

  • Report as bot — Submits the IP as a confirmed bot to train the ML model
  • Report as legitimate — Submits the IP as a confirmed human to train the ML model
  • Revoke report — Removes your most recent feedback label (previously trained data cannot be untrained, but the label is removed from future training)

Whitelisted IPs

The second sub-tab shows all IPs and subnets you’ve whitelisted across your account. Whitelisting means the bot detection system won’t take enforcement action against the IP on any of your websites, though scoring still happens in the background.

You can add IPs or /24 subnets and remove them from this tab. This is the same whitelist accessible from the threat table’s dropdown actions.
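The added Python example below (not Hostney's code) ties together the signal breakdown from the bot details modal, the ML override badge, the whitelist's /24 computation, and the rule that whitelisted IPs are still scored but never enforced against. The signal maxima and bar colours are the ones listed above; the 100-point cap, the classification thresholds and the classification-to-action mapping are assumptions, since the page does not state them.

```python
import ipaddress

# Added example, not Hostney's code. Signal maxima and bar colours come from the modal
# description; the cap at 100, the classification thresholds and the action mapping are
# assumptions made for the example.

SIGNAL_MAX = {
    "honeypot_trap": 25, "rate_limit_hits": 25, "edge_rate_spike": 20, "scanner_patterns": 20,
    "path_scanning": 15, "blocklist_hit": 15, "cookie_absent": 15, "multi_target_spread": 15,
    "repeat_offender": 15, "login_targeting": 15, "user_agent_quality": 13,
    "subnet_concentration": 12, "datacenter_ip": 10, "regional_traffic_patterns": 10,
    "no_referer": 8, "vpn_ip": 8, "response_anomaly": 5, "no_interaction": 5,
}


def threat_score(signals):
    """Sum each signal's current points (clamped to its maximum); the maxima add up to
    241, so the 'out of 100' display is assumed to cap the total."""
    total = 0
    for name, value in signals.items():
        if name not in SIGNAL_MAX:
            raise KeyError(f"unknown signal: {name}")
        total += max(0, min(value, SIGNAL_MAX[name]))
    return min(total, 100)


def bar_color(name, value):
    """Progress bar intensity: red above 80%, orange above 50%, amber for any other
    non-zero value. A signal that did not fire gets no bar (assumption)."""
    if value <= 0:
        return None
    ratio = value / SIGNAL_MAX[name]
    if ratio > 0.8:
        return "red"
    if ratio > 0.5:
        return "orange"
    return "amber"


def effective_score(rule_score, ml_score=None):
    """(score shown, ML badge). The ML score overrides the rule-based one when present;
    the badge appears only when the two differ."""
    if ml_score is None:
        return rule_score, False
    return ml_score, ml_score != rule_score


def classify(score, suspicious_at=20, malicious_at=60, blocked_at=85):
    """Map a score to the four classifications. Thresholds are assumed, not Hostney's."""
    if score >= blocked_at:
        return "blocked"
    if score >= malicious_at:
        return "malicious"
    if score >= suspicious_at:
        return "suspicious"
    return "clean"


ACTION_FOR = {"clean": None, "suspicious": None, "malicious": "Challenge", "blocked": "Banned"}


def whitelist_subnet(ip):
    """The /24 the whitelist modal offers: network string and address count (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("subnet whitelisting is offered for IPv4 addresses only")
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net), net.num_addresses


def enforcement(ip, score, whitelist):
    """Whitelisted IPs keep their score but get no enforcement action."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(entry) for entry in whitelist):
        return "Whitelisted"
    return ACTION_FOR[classify(score)]


if __name__ == "__main__":
    # Constructed signal breakdown for one IP: hit a trap URL, scanned, came from a datacenter.
    signals = {"honeypot_trap": 25, "scanner_patterns": 12, "datacenter_ip": 5}
    score = threat_score(signals)
    for name, value in signals.items():
        print(f"{name:20} {value:>3}/{SIGNAL_MAX[name]:<3} {bar_color(name, value)}")
    print(score, classify(score), effective_score(score, 72))
    print(whitelist_subnet("1.2.3.4"))
    print(enforcement("1.2.3.77", 95, ["1.2.3.0/24"]), enforcement("198.51.100.9", 95, ["1.2.3.0/24"]))
```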

Live Traffic tab

The Live Traffic tab streams your server activity in real time using Server-Sent Events (SSE). If streaming isn’t available, it falls back to polling every 60 seconds. A green pulsing Live indicator in the corner confirms the stream is active.

Select a website from the subdomain dropdown to focus the view.

Stats cards

Four cards across the top show current metrics:

  • Requests/sec — Current request rate (blue)
  • Unique IPs — Distinct visitors in the window (cyan)
  • Avg response time — In milliseconds (green)
  • Bandwidth — Formatted in KB, MB, or GB (gray)

Time-series charts

Three charts show the last 5 minutes of activity, all synchronized so hovering on one highlights the same timestamp across all three:

  • Requests over time — Blue area chart showing request volume
  • Response time — Orange area chart showing average response time in milliseconds
  • Status codes — Stacked area chart breaking down responses by status code category: 2xx (green), 3xx (blue), 4xx (yellow), 5xx (red)

Geographic distribution

A horizontal bar chart shows which countries your traffic is coming from, ranked by request count with country flags.

Top IPs

A collapsible list (5 shown by default, click to expand) showing the most active IP addresses with their country flag, country name, and request count. Click any public IP to open the IP info drawer.

Top paths

A collapsible list showing the most requested URL paths with their average response time and request count. Each entry has a copy button to grab the path to your clipboard. Response times shown are for uncached requests only, giving you a better picture of actual server load.
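As an added Python example (not Hostney's code), here is how the numbers on this tab can be derived from raw request records: the four stats cards, the status code categories, Top IPs and Top paths, with response times averaged over uncached requests only. The eight log lines and their format (timestamp, IP, method, path, status, bytes, response time in ms, cache status) are constructed for the example; a real server log needs its own parser, and the 1024-based bandwidth units are an assumption.

```python
from collections import Counter, defaultdict

# Added example, not Hostney's code: derives the Live Traffic figures from a short
# constructed access log. Format: ts ip method path status bytes response_ms cache.
LOG_LINES = """\
1700000000.1 203.0.113.5 GET / 200 5120 120 HIT
1700000000.4 203.0.113.5 GET /wp-login.php 200 2048 310 MISS
1700000001.0 198.51.100.9 GET /contact/ 200 4096 250 MISS
1700000001.5 203.0.113.5 POST /wp-login.php 403 512 90 MISS
1700000002.2 198.51.100.9 GET /assets/app.js 304 0 15 HIT
1700000002.9 192.0.2.77 GET /checkout 500 1024 900 MISS
1700000003.6 192.0.2.77 GET /checkout 502 1024 850 MISS
1700000004.0 203.0.113.5 GET /wp-login.php 200 2048 330 MISS
""".splitlines()


def parse(lines):
    """Turn the constructed log lines into request records."""
    records = []
    for line in lines:
        ts, ip, method, path, status, nbytes, ms, cache = line.split()
        records.append({"ts": float(ts), "ip": ip, "method": method, "path": path,
                        "status": int(status), "bytes": int(nbytes),
                        "ms": int(ms), "cached": cache == "HIT"})
    return records


def requests_per_sec(records, window_seconds):
    return len(records) / window_seconds


def unique_ips(records):
    return len({r["ip"] for r in records})


def avg_response_ms(records):
    """Average over uncached requests only: cache hits never reach the origin, so
    including them would hide real server load."""
    uncached = [r["ms"] for r in records if not r["cached"]]
    return round(sum(uncached) / len(uncached), 1) if uncached else None


def format_bandwidth(total_bytes):
    """KB / MB / GB with one decimal (1024-based; assumption)."""
    for unit, size in (("GB", 1024 ** 3), ("MB", 1024 ** 2), ("KB", 1024)):
        if total_bytes >= size:
            return f"{total_bytes / size:.1f} {unit}"
    return f"{total_bytes} B"


def status_categories(records):
    """Counts per status class: 2xx, 3xx, 4xx, 5xx."""
    cats = Counter(f"{r['status'] // 100}xx" for r in records)
    return dict(cats)


def top_ips(records, n=5):
    """(ip, request count), most active first."""
    return Counter(r["ip"] for r in records).most_common(n)


def top_paths(records, n=5):
    """(path, request count, average uncached ms or None), most requested first."""
    counts = Counter(r["path"] for r in records)
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    return [(path, count, avg_response_ms(by_path[path])) for path, count in counts.most_common(n)]


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    window = recs[-1]["ts"] - recs[0]["ts"] + 1  # constructed 5-second window
    print("req/s", requests_per_sec(recs, window), "unique IPs", unique_ips(recs),
          "avg ms", avg_response_ms(recs), "bandwidth", format_bandwidth(sum(r["bytes"] for r in recs)))
    print(status_categories(recs))
    print(top_ips(recs))
    for row in top_paths(recs):
        print(row)
```

On this sample the 5xx bucket and the /checkout path with the slowest uncached responses stand out together, which is the pattern the "traffic spike" workflow below tells you to look for.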


Common workflows

A rule keeps blocking legitimate form submissions

  1. Check your error logs for the ModSecurity rule ID that’s triggering.
  2. Use the quick-exclude action from the error log, or go to the WAF tab and click Add exclusion.
  3. Enter the Rule ID and the specific path where the form lives (e.g., /contact/).
  4. Check Exact match if you only want the exclusion on that specific page.
  5. Consider setting ModSecurity to Detection only temporarily while you test.

Your website is under attack

  1. Go to the WAF tab and enable Lockdown mode.
  2. Add exemptions for your own country, office IPs, and verified search engine bots.
  3. Check the Threat Intel tab to monitor the attack — the stats cards and geographic charts help you understand the scope.
  4. Once the attack subsides, disable lockdown mode. The regular bot detection system will continue protecting your website.

You notice a legitimate service being flagged

  1. Find the IP in the Recent threats table on the Threat Intel tab.
  2. Click View details to check the signal breakdown — this tells you exactly why it was flagged.
  3. If it’s legitimate, click Whitelist from the dropdown menu.
  4. If you’re an admin, you can also click Report as legitimate to help train the ML model.

Monitoring your website during a traffic spike

  1. Open the Live Traffic tab and select your website.
  2. Watch the response time chart — if it’s climbing, your server may need attention.
  3. Check the status codes chart for 5xx spikes that indicate server errors.
  4. Use the Top IPs section to identify whether the spike is from a single source or distributed.
  5. If it’s an attack, switch to the WAF tab and enable lockdown mode.
