Install + Configure WordPress Varnish Cache 4.x Firewall

configure-varnish-4.x-firewall-4.xThe Varnish Cache Firewall is a Web Application Firewall that can protect WordPress. It is an open source project by comotion to integrate the modsecurity web application firewall into Varnish and will help protect WordpPress against SQL injections, XSS attacks and other web attacks. This Varnish firewall tutorial is specifically for Debian but is easily adaptable to Ubuntu, CentOS, Fedora and other Linux systems. Ubuntu.

The Varnish firewall works with Varnish 4.1 only, if you are still on Varnish 3 you can use this guide. This how to assumes you already have Varnish 4.1 configured with WordPress for which there is a tutorial here for nginx and Apache. You need to have shell terminal access to your server or VPS in order to compile the required Varnish 4.1 vmods which add the firewall functionality using clever vcl files.

For Varnish 4.1 and later

Attention: this should be tested thoroughly on a development environment

VPS Provider
Hard Drive
US, EU, Asia
768 MB
100 Mbps
$5 / month
Digital Ocean
US, EU, Asia
512 MB
100 Mbps
$5 / month
US, UK, China, Australia
768 MB
20 GB
1-10 Gbps
$15 / year

Install WordPress Varnish Cache 4.x Firewall

Install Varnish vmod building dependencies

sudo apt-get update
sudo apt-get install libvarnishapi-dev dpkg-dev pkg-config build-essential git autotools-dev automake libtool python-docutils -y

Build Varnish 4.1 and later VSF vmod which autobuilds the other required vmods.

cd ~
git clone
cd VSF/libvmod-vsf
cd ..
sudo make
make install

The Varnish Security Firewall has placed the required vcl files into /usr/lib/varnish/vmods and the vcl rules are in /etc/varnish/security/rules in case you need to change anything like undoing false positives.

Open your Varnish vcl to add the VSF code.

sudo nano /etc/varnish/default.vcl

In your Varnish default.vcl you can add this before sub vcl_recv begins or after it ends.

Add the red line so it matches below. Alternatively, you can add the red line after your sub vcl_recv section if you are getting a lot of false positives.

} # sub vcl_recv ends
include "/etc/varnish/security/vsf.vcl";

Test your Varnish firewall configuration will load

varnishd -C -f /etc/varnish/default.vcl

Monitor your Varnish 4.1 log for anything that is caught by the firewall and to check for false positives. You can disable the rules that are triggering false positives in the vcl files in the /etc/varnish/security/rules folder.

varnishlog -c -q VCL_Log

You can test a basic WordPress SQL injection attack like this and see that the Varnish Security Firewall prevents it

HTPC' OR 1=1 OR 'Guides

Here is a simple XSS WordPress attack, replace my homepage URL with your own.<script>alert('HTPC Guides Varnish Firewall Example')</script>

You should find that both attacks result in this error message demonstrating the Varnish firewall is working to protect WordPress.


This concludes the Varnish cache firewall tutorial for WordPress and now you should be a safer from attacks.