This post covers installing and configuring the Web Application Firewall (WAF). The previous post describes how to install the prerequisite CloudFront distribution.

YouTube Walkthrough

Creating the Web Application Firewall

You’ll be happy to find out that entire stack shown below can be created with the click of a button. Click the Launch Solution button. After clicking it you should have something resembling the image.


If you are worried about the price, this is my cost breakdown 13 days into the month. Furthermore my setup includes:

  • EC2 t2.micro instance
  • 3 S3 static file instances (1 of them is the log storage for our WAF)
  • The large stack of WAF mentioned above

Doing the math – $8/13 days into the month * 30 days projected month length = ~$18.50 per month. Which feels quite well priced in retrospect!

Restrict access to wp-admin

A primary reason why I put the firewall in place was to stop people brute forcing their way in with a Username and Password. I created a rule called WordPress Admin which lists a few string match conditions. Go and configure the firewall to block the request if the WordPress Admin rules are met.

Whitelist your IPs

As we have specifically blocked all calls to the above URIs, we need to make an exception to the ruleset by whitelisting any IPs we want to connect to WordPress with for content authoring. When you install WAF with the button above, it will create a Whitelist rule that you can add your IPs to. In the picture below, the Whitelist Rule sits at the top with Order 10 meaning that it gets priority routing over all other conditions.

Update CloudFront to use WAF

Now we are done configuring our Firewall, go back and update CloudFront in the AWS WAF Web ACL field to point to our WAF instance.

Verifying Configuration

Be sure to hit your restricted URIs from your mobile to verify that you cannot access them on an unknown IP address.


Please follow and like us: