WordPress Hosting – dropping firewalld

For those keeping tabs on the development of our WordPress Hosting platform, today saw the removal of firewalld from the platform. Firewalld is the main firewall management component which is bundled with Centos7 and was used until today to secure the platform. FirewallD provided a centralised way to interact with the core linux firewall IPTables. However we have removed this component and directly interacting with iptables.

This change came from repeated issues with the firewalld component of our hosting stack. Although firewalld worked for the main part and was fantastic in securing WordPress websites against attack we did encounter some significant long term challenges operationally with the software.

While firewalld was stable when running, anytime a WordPress container need to be restarted, there was a small risk each time that firewalld would not interact with iptables correctly, preventing the hosted website from being accessed by any users.

Most users would never have seen the issue, indeed, we kept very close tabs on restart processes, knowing this issue may crop up. From our viewpoint though, things looked different; with hundreds of sites now using our WordPress platform, all being regularly updated for security and stability, the number of overall failures was simply too high to continue using firewalld.

Over the past few weeks, we’ve invested significant time and energy into debugging exactly why firewalld was functioning inconsistently on our WordPress platform; ultimately the issue stems from a compatibility issue between OpenVZ the container management software the platform uses and firewalld which we aren’t able to resolve, nor do we expect the software vendors to resolve either.

Which is why we took the the decision to remove firewalld and interact directly with iptables. This change has resulted in no feature loss and indeed standardised WordPress hosting with our other products. The update was completed today with minimal disruption to hosted sites, indeed we believe no clients should have seen downtime due to the update.

iptables is a piece of software we have extensive operating experience with and is also still actively maintained and updated to defend against new security threats as they are identified. With that in mind, we make the update confident that relative security should be unchanged, while the overall platform stability should be further increased.