Prevent Web Application Firewall (WAF) bypass
If someone discovers your origin (hosting) IP address, they can connect to your web server directly and bypass your Web Application Firewall (WAF) entirely. Origin discovery is not trivial, but it is a well-known technique (stale DNS records, certificate transparency logs, outbound mail headers and the like), so for additional security we recommend allowing HTTP and HTTPS access to the origin only from the WAF's own IP ranges. You can enforce this at the web-server level by adding a restriction to your .htaccess file.
- Go to your GoDaddy product page.
- For Website Security and Backups, select Manage All.
- For the site you want to configure, select Details under Firewall.
- Select Settings.
- Select Security and scroll down to Preventing Firewall Bypass.
- Select your server type. For Apache servers, add the code to your .htaccess file. For NGINX, you'll need to add the code to your NGINX configuration file.
Common IP address-based rules
The most reliable way to prevent attackers from bypassing the firewall is to let the origin accept requests only from the WAF's own address ranges. Below you can find commonly used IP address-based rules that do this at the web-server level. Keep the list in sync with the ranges your WAF provider currently publishes, and where possible enforce the same allowlist in the host or network firewall as well, since .htaccess only protects what Apache itself serves.
Apache 2.4
# BEGIN Website Firewall Bypass Prevention
<FilesMatch ".*">
    Require ip 208.109.0.0/22
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 66.248.200.0/22
    Require ip 2a02:fe80::/29
    Require ip 173.245.48.0/20
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 141.101.64.0/18
    Require ip 108.162.192.0/18
    Require ip 190.93.240.0/20
    Require ip 188.114.96.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 162.158.0.0/15
    Require ip 104.16.0.0/13
    Require ip 104.24.0.0/14
    Require ip 172.64.0.0/13
    Require ip 131.0.72.0/22
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
</FilesMatch>
# END Website Firewall Bypass Prevention
If the website you want to protect shares its document root with addon domains or subdomains that are not behind the WAF, and the site uses Apache 2.4, use the following host-scoped code instead of the FilesMatch block above, so that the restriction applies only to requests for the protected domain. Replace coolexample.com with your own domain.
# BEGIN Website Firewall Bypass Prevention
<If "%{HTTP_HOST} == 'coolexample.com' || %{HTTP_HOST} == 'www.coolexample.com'">
    Require ip 208.109.0.0/22
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 2a02:fe80::/29
    Require ip 66.248.200.0/22
    Require ip 173.245.48.0/20
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 141.101.64.0/18
    Require ip 108.162.192.0/18
    Require ip 190.93.240.0/20
    Require ip 188.114.96.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 162.158.0.0/15
    Require ip 104.16.0.0/13
    Require ip 104.24.0.0/14
    Require ip 172.64.0.0/13
    Require ip 131.0.72.0/22
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
</If>
# END Website Firewall Bypass Prevention
Apache 2.2
# BEGIN Website Firewall Bypass Prevention
<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 208.109.0.0/22
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 2a02:fe80::/29
    Allow from 66.248.200.0/22
    Allow from 173.245.48.0/20
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 141.101.64.0/18
    Allow from 108.162.192.0/18
    Allow from 190.93.240.0/20
    Allow from 188.114.96.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
    Allow from 162.158.0.0/15
    Allow from 104.16.0.0/13
    Allow from 104.24.0.0/14
    Allow from 172.64.0.0/13
    Allow from 131.0.72.0/22
    Allow from 2400:cb00::/32
    Allow from 2606:4700::/32
    Allow from 2803:f800::/32
    Allow from 2405:b500::/32
    Allow from 2405:8100::/32
    Allow from 2a06:98c0::/29
    Allow from 2c0f:f248::/32
</FilesMatch>
# END Website Firewall Bypass Prevention
If the standard IP-based bypass prevention code doesn't work on your server (for example, because the web server only sees a proxy's address), you can try the following code, which relies on the headers the Sucuri WAF adds to every forwarded request.
# BEGIN Website Firewall Bypass Prevention
RewriteEngine On
RewriteCond %{HTTP:X-SUCURI-CLIENTIP} ^$
RewriteCond %{HTTP:X-SUCURI-COUNTRY} ^$
RewriteRule ^(.*)$ - [F,L]
ErrorDocument 403 Forbidden
# END Website Firewall Bypass Prevention
The alternate code checks whether the X-SUCURI-CLIENTIP and X-SUCURI-COUNTRY headers are present and, if both are missing or empty, returns the 403 Forbidden response status code. Be aware that this is a weaker control than the IP allowlist: request headers are set by whoever connects to the origin, so an attacker who already knows your origin IP can simply add those two headers to their own requests and pass the check. Use the header-based rule only when the IP-based rules cannot be applied.
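To make the difference between the two rules concrete, the following script (an added example, not part of this page or of Sucuri's or GoDaddy's tooling) emulates the IP allowlist and the header check in Python and then audits a few constructed access-log lines for requests that reached the origin from outside the WAF ranges. The log lines, the forged-header request and the `coolexample.com` host are constructed for the example; the CIDR list is copied from the Apache rules above.

```python
"""
Added example (not GoDaddy/Sucuri code): emulate the .htaccess bypass-prevention
rules from this page and audit access-log lines for direct-to-origin requests.
"""
import ipaddress
import re

# WAF egress ranges copied from the Apache rules on this page. Only requests
# whose source address falls inside one of these networks should reach the origin.
WAF_RANGES = [ipaddress.ip_network(n) for n in (
    "208.109.0.0/22", "192.88.134.0/23", "185.93.228.0/22", "66.248.200.0/22",
    "2a02:fe80::/29", "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20",
    "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15",
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def allowed_by_ip_rule(client_ip: str) -> bool:
    """Equivalent of the `Require ip` / `Allow from` list: any matching network allows."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WAF_RANGES)


def allowed_by_header_rule(headers: dict) -> bool:
    """Equivalent of the two RewriteCond lines: the request is forbidden only when
    BOTH X-Sucuri-ClientIP and X-Sucuri-Country are absent or empty (the
    conditions are ANDed, so one present header is enough to pass)."""
    norm = {k.lower(): v for k, v in headers.items()}
    client_ip = norm.get("x-sucuri-clientip", "")
    country = norm.get("x-sucuri-country", "")
    return not (client_ip == "" and country == "")


# A request sent straight to the origin by someone who knows its IP. The headers
# are attacker-controlled, so the header-only rule accepts it. (Constructed.)
FORGED = {
    "Host": "coolexample.com",
    "X-Sucuri-ClientIP": "198.51.100.7",
    "X-Sucuri-Country": "US",
}

# Combined-log-format lines, constructed for this example (RFC 5737 / 3849
# documentation addresses stand in for non-WAF sources).
SAMPLE_LOG = """\
162.158.78.12 - - [10/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/May/2024:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
2606:4700:3030::ac43:1234 - - [10/May/2024:10:01:15 +0000] "GET /feed/ HTTP/1.1" 200 9001 "-" "Feedly/1.0"
198.51.100.7 - - [10/May/2024:10:02:33 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def direct_access_attempts(log_text: str) -> list:
    """Return (ip, request, status) for every line whose source is not a WAF range.
    A 200 means the origin served the bypass; a 403 means the rule held."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not allowed_by_ip_rule(m["ip"]):
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, req, status in direct_access_attempts(SAMPLE_LOG):
        verdict = "BYPASSED" if status == 200 else "blocked"
        print(f"{verdict:8} {ip:26} {req}")
    print("forged headers pass header-only rule:", allowed_by_header_rule(FORGED))
```

Run the audit against your real access log after deploying the rules: any non-WAF source that still gets a 200 means the restriction is not in effect for that path (a cache in front of Apache, a second virtual host, or a directory with its own .htaccess are typical reasons). To test from outside, request your site with the Host header pointed at the origin address, for example `curl -sk --resolve coolexample.com:443:ORIGIN_IP https://coolexample.com/ -o /dev/null -w '%{http_code}'`, and expect 403.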
Managed WordPress
If your account appears as WPaaS hosting, the HAProxy or OpenResty layer in front of the site may not pass the real client IP addresses through to Apache, so the IP-based rules above cannot be applied there. Use the following header-based code, scoped to your domain, instead.
# BEGIN Website Firewall Bypass Prevention
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?coolexample\.com$ [NC]
RewriteCond %{HTTP:X-SUCURI-CLIENTIP} ^$
RewriteCond %{HTTP:X-SUCURI-COUNTRY} ^$
RewriteRule ^(.*)$ - [F,L]
ErrorDocument 403 Forbidden
# END Website Firewall Bypass Prevention
Make sure to replace coolexample.com with your actual domain name (the dots are escaped in the pattern so they match literally). Be sure to also clear the Managed WordPress Varnish cache before testing the firewall bypass prevention, as you might otherwise still get a cached 200 OK response. This can be done in the WordPress Admin Dashboard or over SSH (Secure Shell) with WP-CLI, the command line tool for managing WordPress sites. The same forged-header caveat applies here: this rule stops scanners that omit the Sucuri headers, not an attacker who adds them deliberately.
If you need assistance enabling firewall bypass prevention, please feel free to request website security help.
More info
- If you're using IIS, instructions vary between versions (IIS 7, IIS 8 and IIS 10). You can also use the web.config file to prevent bypass.
- Are you getting a 500 error code after adding the bypass prevention rules? Apache returns 500 when it cannot parse a directive in .htaccess, and the IPv6 entries are the usual culprit on servers built without IPv6 support. Remove the lines containing IPv6 ranges (the ones with colons) from the bypass prevention code and see if the error is gone; the server's error log names the exact directive it rejected. It can take a few minutes for the 500 error to clear after removing those lines.