21 Feb, 2023
It may not surprise you to learn that 88% of small business owners believe their business is vulnerable to cybersecurity threats – and that doesn’t include those that are ignorant of the risks.
The unfortunate truth is that 60% of small to medium-sized businesses go out of business within six months of being attacked.
While data breaches at bigger companies make headlines, it’s often smaller businesses that are most harmed due to a lack of preparation and investment.
Keeping important things like customer data and your website safe requires a firewall for your small business, which should include a web application firewall (WAF).
Of course, once you decide to implement a firewall solution, the hard part is picking the right vendor.
With so many options on the market, making the right choice can feel overwhelming without a technical degree. Like many problems, this can be solved by throwing money at it, though bringing in outside IT resources can quickly make your expenses go out of control.
Since 2010, State Creative has designed and protected award-winning WordPress websites.
We’re here to help you learn about how WAFs protect your web assets and how you can pick the right one for your business at the right price (without putting you to sleep 😴).
A web application firewall monitors and filters HTTP/S traffic that comes to your website over the internet in order to stop cyber-attacks and data breaches.
Essentially, a WAF acts like a well-trained crossing guard, carefully controlling traffic before it reaches your servers for the safety of your business and your customers.
Choosing a solid web application firewall is a great step you can take to improve your website security.
Depending on your business, a WAF might range from a smart security measure to a legal requirement. For example, a WAF is required for PCI compliance if you are an eCommerce business handling sensitive cardholder data.
Regardless of where your business sits on the spectrum, there are two important distinctions that determine how WAFs fit into your technology organization and how they oversee and block traffic: the security model and the deployment model.
So, before we jump into our top picks for WAF providers, let’s be sure to cover these first.
Think of your web application firewall as a club bouncer.
It’s the bouncer’s job to stand at the door and let certain people in while keeping other customers out.
This can be done two different ways – keep a VIP list of names allowed in, or allow everybody in while only keeping questionable guests out.
Your WAF works the same way in terms of protecting your website from illegitimate traffic:
Generally, positive security models are more difficult and expensive to manage because detailed validations and analyses are required ahead of time. However, this method can be more effective compared to a negative security model, which requires constant tweaking.
Often, WAF providers combine both security models to achieve a happy medium or allow customers to choose what is best for their situation.
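To make the two security models concrete, here is a small added example (not code from any WAF vendor on this list) that runs the same requests through an allowlist and a blocklist. The routes, parameter formats, signatures, and sample requests are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Positive model (the "VIP list"): only profiled routes and parameter formats pass.
# Routes and formats are hypothetical, for a constructed shop site.
ALLOWED = {
    ("GET", "/products"): {"id": r"\d{1,6}", "sort": r"price|name"},
    ("GET", "/search"): {"q": r"[\w \-]{1,40}"},
}

# Negative model (the "questionable guests" list): block known-bad signatures only.
BLOCKED = [re.compile(p, re.I) for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]


def positive_allows(method, url):
    """Allow only if route, parameter names and parameter values are all profiled."""
    parts = urlsplit(url)
    rules = ALLOWED.get((method, parts.path))
    if rules is None:
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules or not re.fullmatch(rules[name], value):
            return False
    return True


def negative_allows(method, url):
    """Allow unless the decoded URL matches a known-bad signature."""
    decoded = unquote_plus(url)
    return not any(sig.search(decoded) for sig in BLOCKED)


# Constructed sample requests.
SAMPLES = [
    ("GET", "/products?id=42&sort=price"),                   # normal traffic
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),  # matches a signature
    ("GET", "/products?id=42%20OR%201%3D1"),                 # no signature for this yet
    ("GET", "/gift-cards?amount=25"),                        # new page, not profiled yet
]


def compare(samples=SAMPLES):
    """Return (url, positive verdict, negative verdict) for each request."""
    return [(u, positive_allows(m, u), negative_allows(m, u)) for m, u in samples]


if __name__ == "__main__":
    for url, pos, neg in compare():
        print(f"{url:50} positive={'allow' if pos else 'block'} negative={'allow' if neg else 'block'}")
```

The third request slips past the blocklist until someone adds a signature for it, which is the constant tweaking a negative model needs. The fourth is a legitimate new page that the allowlist blocks until it is profiled, which is the upfront work a positive model demands.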
How you deploy a WAF as part of your technology and security stack is an important consideration as well.
That’s because web application firewalls can be implemented in three different ways:
Since most small businesses are not equipped to maintain their own security hardware, we focused on cloud-based providers to find the best web application firewall for your business.
While handing off responsibility for filtering traffic to a third party may feel somewhat risky, the truth is these organizations are constantly updating their services with the latest threat intelligence and security protocols.
Now, the fun part: comparing options.
Based on our years of experience in web security and a sharp eye for the options out there, we put together a list of top contenders for cloud-based WAFs.
For each provider, we’ll give you a quick summary of the service, its target customer, key features, and why it made our list.
We’ll also give you some insights into potential downsides and a view of pricing so you can make an informed decision.
Let’s dive in.
Here is the complete list of cloud-based WAF vendors we investigated and compared to help your business make the right choice:
| WAF | Best for | Key benefit | Pricing |
|---|---|---|---|
| Sucuri | Best for small offices, nonprofits, and eCommerce businesses | Virtual updates and patching to harden security measures | Starting at $9.99 per month with premium packages available |
| Barracuda | Best for larger businesses and eCommerce companies | Protection across websites, web apps, mobile apps, and APIs | Depends on configuration (some customers suggest around $30 per month) |
| Amazon Web Services | Best for highly customized security rules | Highly customizable rulesets | Pay for usage (usage is billed at $5 per month per list, $1 per month per rule and $0.60 per million requests) |
| Azure | Best for comprehensive security coverage | Detailed pre-configured security rules for out-of-the-box protection | Pay-as-you-go model (fixed usage starts at $0.443 per gateway-hour and capacity usage priced at $0.0144 per capacity unit-hour) |
| Cloudflare | Best for businesses worried about DDoS attacks | Reliable DDoS protection services | Starting at $20 per month with premium packages available |
| Imperva | Best for easy implementation | Great support services | Customized pricing packages starting around $59 per month per site |
| F5 Distributed Cloud | Best for organizations with DevOps and SecOps teams | Artificial intelligence and machine learning based security logic | Pricing packages starting at $25 per month |
Use the summary table above for quick reference before exploring more detail for each WAF in the sections below.
Sucuri is our top choice for a WAF because it combines state-of-the-art network security with an affordable price point, making it the best web application firewall for small businesses by our analysis.
Sucuri’s WAF blocks malware attacks and hackers attempting to compromise your website by managing traffic before it is sent to your hosting server, only allowing legitimate traffic through.
Sucuri also emphasizes website performance and is designed to speed up load times and ensure the high availability of your website.
Pros and Cons:
As of January 2023, Sucuri’s basic WAF plan starts at just $9.99 per month. The company suggests this plan is perfect for small site owners needing occasional cleanups with ongoing security scans.
Their Pro firewall option starts at $19.98 per month for more advanced support.
You can see full details of their pricing packages here.
Barracuda’s WAF scans and protects traffic traveling in both directions to and from your web server. It does this so it can prevent both cyber attacks and data loss.
The WAF also leverages a combination of positive and negative security models in order to block hackers while still allowing valid access.
On top of these configurations, Barracuda’s WAF has auditing and reporting functionality built in, which makes it a great choice for large eCommerce companies that don’t want to stress about staying PCI Data Security Standard-compliant.
Pros and Cons:
As of January 2023, Barracuda does not offer out-of-the-box pricing and requires customers to go through a sales configuration process. However, from user accounts, the average price suggested was around $30 per month.
The exact cost for your business will vary, so check out their pricing configurations here.
The AWS WAF is offered by Amazon and protects your website and web applications from common security gaps and malicious bots.
Amazon’s service is focused on keeping your web properties secure and available so that your business is not impacted.
Plus, its firewall software allows you to create highly customized security rules and logic to further refine your web traffic and content filtering.
If your business desires greater control over the cybersecurity process, the AWS WAF may be the right choice for you.
Pros and Cons:
As of January 2023, AWS bills customers for their WAF on a pay-per-usage basis.
Instead of paying a subscription fee each month, you are invoiced depending on the number of control lists, security rules, and web requests your organization uses.
Costs vary somewhat but generally follow the structure seen below.
You can also see a detailed explanation of the AWS WAF pricing here.
Azure’s WAF is offered by Microsoft as a cloud-native service that protects your website and web applications from common attacks and security gaps.
The service is easy to deploy with preconfigured rulesets that cover the Open Web Application Security Project’s Top 10 security risks. Custom rules can also be added or modified for additional protection.
You can rest easy with this choice because Azure’s firewall protection is backed by the cybersecurity investments and expertise at Microsoft.
Pros and Cons:
As of January 2023, Azure bills for their WAF on a pay-as-you-go basis.
Fixed usage starts at $0.443 per gateway-hour, and capacity usage is priced at $0.0144 per capacity unit-hour, as shown below:
Costs for your organization will vary, and you can see additional details about pricing here.
Cloudflare is a large content delivery network and DDoS mitigation company that also offers a security firewall.
They’re a great choice as a security service because their WAF learns from the experience of processing 2 trillion requests across their global network daily.
Cloudflare’s WAF comes with preconfigured rulesets for out-of-the-box protection and is simple to get up and running. Their cloud-based service does not require deployment or professional services and can be managed from one control panel.
Pros and Cons:
As of January 2023, Cloudflare’s WAF starts at $20 per month for the basic or “Pro” plan with a Business plan upgrade available at $200 per month.
The main differences include more robust support options, bot protection, and uptime guarantees at the higher level.
You can see further details on Cloudflare’s pricing here.
Imperva’s WAF protects your website from security threats that can intercept transactions and steal sensitive customer data.
Imperva’s WAF is simple to implement and is highly effective. The company prides itself on limiting false positives, so you don’t block legitimate traffic to your business or constantly need to reassess security measures.
Their cloud-based service, maintained by a team of experts, also ensures new security threats are recognized and patched in real time.
Pros and Cons:
As of January 2023, Imperva does not provide pricing guidance but allows you to begin with a free trial. Imperva could be your choice if you’re looking to test a network firewall before committing to it.
Based on previous pricing standards, Imperva might cost around $59 per month per site for their Professional Plan with an upgrade to $299 per month per site for their Business Plan.
You can see accurate details of their security feature packages here.
F5’s cloud-based WAF is the company’s security-as-a-service solution that allows your organization to grow and move quickly while still maintaining proper cybersecurity measures.
The WAF is simple to deploy and manage across different locations and web assets while giving you access to helpful security data with intuitive interfaces and analysis.
While F5 keeps non-technical users in mind, this is generally a better choice for larger organizations with some technology and cybersecurity infrastructure already.
Pros and Cons:
As of January 2023, F5’s cloud-based WAF has three pricing tiers, including an entry-level free plan. After that, prices rise to $25 per month for the Individual tier and $200 per month for the Team tier.
You can see more details about their pricing packages here, and if your organization requires advanced capabilities, the company can provide a custom package.
How did we narrow down our list of the top web firewall vendors? Good question.
Without bogging you down in jargon you don’t need, we considered providers that scored well across six key areas of research:
Here’s a quick explanation of the selection criteria above, including important considerations to keep in mind as you do further research for your business needs.
Unfortunately, hackers are sneaky and invent new modes of attack daily, including zero-day exploits that software providers might not be able to patch until it’s too late.
Unless you’re a white hat hacker and cybersecurity expert yourself, it’s probably best to leave security measures to a well-respected provider.
Ultimately, the types of cyber attacks a WAF protects against vary depending on how it is designed, so each vendor will be different.
However, we looked for strong protection across the most common vulnerabilities, including:
Your business is bound to use technology that is susceptible to these kinds of attacks, so it’s important to pick a WAF with a great security reputation and a provider that invests in keeping products up to date.
As the referee of internet traffic, the WAF you choose can also have implications on the performance of your website.
For your business to function as normal, WAFs need to ensure your website has high availability and uptime as well as protect you from security threats.
The best WAFs consider website performance and speed a core part of their offering and may offer bolt-on services such as:
We made sure to consider vendors that focused on benefits beyond security as well.
Earlier, we covered our rationale for focusing on cloud-based WAFs for small businesses because of their relative ease versus other deployment models. However, taking hardware out of the equation isn’t the end of this consideration.
We also evaluated how easy or difficult each WAF provider is to set up and the expertise needed on your team to move forward and make the most out of your choice.
Things go wrong, and questions arise. That’s a fact of business and technology.
When the inevitable road bump occurs, you want a WAF that has robust documentation and reliable support services.
Different vendors provide different levels of support, and we’ve made sure to call out who delivers on that and who doesn’t.
Some WAF vendors give you powerful dashboards and analytics at your fingertips, while others make it difficult to discern patterns in your security data or make changes.
We looked for providers that embed analytics and had positive customer reviews when it came to deriving security insights from their business data.
Unfortunately, some providers make it difficult to gauge pricing without speaking to a sales representative or having a clear handle on your unique business needs.
However, where possible, we favored WAF choices with competitive pricing in relation to the quality of their service.
With our guide in hand, we’re confident you can find a web application firewall that fits your unique needs.
That way, your website and data stay secure and available, so there are minimal disruptions to your business.
After choosing your WAF, we hope you can breathe a sigh of relief, but don’t get too comfortable.
In reality, keeping your website secure requires a suite of security tools and procedures that keep bad actors at bay.
A WAF should be just one part of your total security system that includes traditional hardware firewalls and training for your employees.
Other providers that offer hardware firewall consoles include Cisco Meraki, SonicWall, Fortinet, Sophos, Palo Alto Networks, and Ubiquiti.
Of course, if all of this security talk is stressing you out or leaving you scratching your head, don’t be afraid to reach out to us at State Creative.
We are experts on the subject of website maintenance and are waiting to help.