I’m a big geek when it comes to web performance and always love trying out new tools and services. Incapsula is one service I’ve never had a chance to previously try. So today I’ll be taking a deep dive into their CDN features, web application firewall (WAF), and other security features as it pertains to using them on your WordPress site. Check out this Incapsula review and see if you should be using it today.
Imperva Incapsula Review
Incapsula, now Imperva Incapsula, is essentially a fully proxy Security as a Software service (SecAAS) which uses a content delivery network as a delivery platform for its solutions. These guys focus on two things, security+performance, and they do it well! A similar provider, if you were to compare them to someone, would be Akamai.
By full proxy, we basically mean that it sits between your WordPress host and your site. This is how they are able to offer additional security features that some traditional CDN providers aren’t. Some big brands that use Incapsula include Wix, Moz, Trello, Siemens, Hitachi, and Thomson Reuters.
Check out these 10 reasons why everyone should be using a CDN.
Incapsula takes this one step further and those additional layers of security that I mentioned include features such as a web application firewall (WAF), DDoS protection, bot mitigation, advanced IP limiting and blocking rules, etc. Essentially they are a one-stop shop for speeding up your website and keeping it secure.
Let’s first dive into the four primary features that Imperva Incapsula has to offer. Some of these vary based on what plan you choose.
1. Website Security
When it comes to WordPress, website security is very important. WordPress is used by over 28% of all sites on the internet. But this also means it can be more susceptible to attacks since there are thousands of plugins and themes floating around, that are all being patched (or worse, not patched) at different times. And let’s be honest, a lot of users just don’t know the basics of website security. Such as why every site, even blogs, should be using HTTPs. Or users being stupid and using a simple to guess password such as 1234567 for their admin login. While Incapsula won’t help protect against everything, it does its best to provide an all-in-one solution.
They provide bad bot mitigation. Not all bots are bad. Google bot or Bing bot are a couple good ones that come to mind. But most of them are, and they can suck your bandwidth dry if you aren’t watching. A majority of cyber attacks today are non-targeted assaults, carried out by bots to exploit vulnerabilities in bulk. (example: bot that scans the web for WP sites with a plugin which has a recently discovered vulnerability)
Incapsula’s survey showed that over 94% of all websites were exposed to bot attacks. This is the threat the most websites actually face, not hackers in dark rooms but automated scripts that aim to auto exploit a website to inject it with malware that would scrape the database, hijack server resources or/and harm future visitors.
Incapsula lets you create rules to blacklist bad bots immediately. And you can a real-time view of bot traffic in the dashboard. Incapsula also runs one of the largest bot databases on the internet: BotoPedia. So they know their bots!
Web Application Firewall (WAF)
The main feature when it comes to website security is their web application firewall (WAF). Incapsula protects from all application security threats, including SQL injection, cross-site scripting (XSS) and remote file inclusion (RFI), and more. You can see a nice overview of this from the dashboard.
You can also choose from different types of actions for the firewall:
- Alert only
- Block request
- Block user
- Block IP
This might look confusing at first, but trust me, these rules can save you thousands of hours. Another really cool feature is the ability to enable two-factor authentication without installing any software or plugins on any URL that you want. Say for example you want to add two-factor authentication via Google Authenticator app for your /wp-admin URL. You can do that from within the Incapsula dashboard.
2. Global CDN
Whenever your discussing CDNs, the more locations the better! Incapsula’s CDN includes 38 different data centers (also sometimes referred to as POPs) with over 3.5 Tbps capacity. They take advantage of top-tier peering relationships and providers such as Level (3) and Equinix to provide fast speeds over the internet. They support HTTP/2, GZIP compression, and the paid plans include a free SSL cert (issued by GlobalSign).
Current America CDN locations include:
- Los Angeles
- San Jose
- São Paulo
Current Europe and Middle East locations include:
- Tel Aviv
Current Asia and Pacific locations include:
- Hong Kong
Incapsula’s CDN provides you with the ability to cache both static and dynamic content. This is one advantage of choosing a full proxy service CDN over that of a typical pull CDN.
Additional features include:
- Ability to instantly purge cache
- Custom caching rules
- Image compression (both lossy and lossless)
- Code minification
Some advanced features include session reuse and TCP connection pre-pooling. All of these features can easily be enabled or disabled from within th dashboard.
Under their performance tab, you can see some important stats, such as accumulated saved bandwidth.
3. DDoS Protection
Some of you may remember the large DDoS attack against Dyn back in 2016. I remember the day very well as it seemed like almost half the internet went down! DDoS attacks are growing in volume and can easily take a WordPress site down in a few minutes leaving you wondering what you could have done to prevent it. Well, one of the only ways to protect yourself is to invest in DDoS mitigation. Essentially Incapsula helps block these attacks by re-routing traffic and complex rules they have built up the years.
Their high-capacity global network holds over 3.5 Tbps (Terabits per second) of on-demand scrubbing capacity and can process 30 billion attack packets per second. Different types of services can be targeted by attackers, and that is why they offer three unique types of DDoS protection:
- Website DDoS protection
- Name Server protection
- Infrastructure protection
They can mitigate any type of attack, down to layer 7, including:
[lgc_column grid=”33″ tablet_grid=”33″ mobile_grid=”100″ last=”false”]
- TCP SYN+ACK
- TCP FIN
- TCP RESET
- TCP ACK
- TCP ACK+PSH
[lgc_column grid=”33″ tablet_grid=”33″ mobile_grid=”100″ last=”false”]
- HTTP Flood
- Brute Force
- Connection Flood
- DNS Flood
[lgc_column grid=”33″ tablet_grid=”33″ mobile_grid=”100″ last=”true”]
- Mixed SYN + UDP or ICMP + UDP Flood
- Ping of Death
- Reflected ICMP & UDP
4. Load Balancing
Load balancing is one of Incapsula’s higher-end features. This ensures that your site stays up at all times, no matter what the circumstance. Your traffic is always re-routed if something goes down. This includes the following:
- Real-time server health and performance monitoring
- Performance-based load balancing, re-routing traffic to the data center with the best connection time
- Automatic site failover
- Application delivery rules
- Real-time dashboards
Incapsula has plans for all types of WordPress users, including a free plan! The free plan includes the CDN & Optimizer, IPV6 support, login protect, access control, and bot protection. This can be a great way to dive into some of their features and try it out on your site before upgrading to a higher plan.
The Pro plan starts at $59/month, the Business at $299/month, and Enterprise plans are custom (click image below to view larger).
How to Setup Imperva Incapsula in WordPress
It’s fairly easy to get setup and running on Incapsula. I’ll walk you through the process below and some recommended settings for performance and security.
The first thing you will need to do is add your website. Input your domain (without the HTTP or HTTPS) and click on “Add Website.”
It will scan your website’s records and get some information. Then click on “Continue.” Don’t worry if something shows up wrong, you can modify all of this later. You can either setup your SSL during this process or after the fact. I am going to do it after.
After the scans it will give you the DNS information (IP addresses, etc) that you will need to point your site over to Incapsula.
So I need to first update my A records to point over to the IP address Incapsula is giving me. I am using free Cloudflare DNS on this domain.
Note: They give you two different IP address which you will need to add. The second is for redundancy. So when your done, you should have two A records pointing at two unique Incapsula IPs.
Next, I need to update/add my CNAME record to point over to the IP address Incapsula is giving me.
You can then run a check in the Incapsula dashboard to make sure your DNS is working correctly. Depending on your DNS provider, this may take a few hours. In my case with Cloudflare DNS, the changes were instant.
If you were running with HTTPS on a previous provider or with your host and you didn’t configure SSL during the setup above, you will most like encounter the following “ERR_SSL_UNRECOGNIZED_NAME_ALERT” error. This is because an SSL certificate actually needs to be issued by Incapsula.
So I go into settings for my domain, click on “General” and then on “Configure” under SSL support.
It will then email you a confirmation. You will most likely get two emails, one for your *domain.com and one for your www.domain.com. This depends on how you set it up of course. Note: Mine took about 30 minutes or so to come through, so don’t be alarmed if you don’t see them right away.
After clicking the link in the email it will approve the SSL certificate application.
Once that is up and running I also recommend enabling both the Strict-Transport-Security (HSTS) header and HTTP/2. The HSTS header will force encrypted connections and you will want HTTP/2 for performance reasons.
And that’s about it! Incapsula should now be running on your site. I don’t have time to dive into all the dashboard features in this review, but I can tell you they’ve done a really good job. The UI is easy to navigate, and there are still hundreds of advanced options for those that need them.
After you let Incapsula run for a few days you can then analyze all of your traffic in their detailed dashboard.
Imperva Incapsula CDN Speed Tests
I then ran some speed tests to compare the CDN functionality. I ran multiple tests from each location, without a CDN, with KeyCDN, and then with Imperva Incapsula to see how they stack up against each other.
This is a fairly lightweight site, but I always like to see a comparison. Sometimes on smaller sites, it is actually easier to compare services like these as you don’t have to worry about limiting or ignoring all the third-party dependencies that might impact the speed tests.
forgemedia.io Without CDN
I first ran 5 speed tests without a CDN via the San Jose Pingdom test location and took the average.
I then ran 5 speed tests without a CDN via the Melbourne test location and took the average.
I then ran 5 speed tests without a CDN via the Stockholm Pingdom test location and took the average.
forgemedia.io With KeyCDN
I then ran 5 speed tests with KeyCDN enabled via the San Jose Pingdom test location and took the average.
I then ran 5 speed tests with KeyCDN enabled via the Melbourne Pingdom test location and took the average.
I then ran 5 speed tests with KeyCDN enabled via the Stockholm Pingdom test location and took the average.
forgemedia.io With Imperva Incapsula CDN
I then ran 5 speed tests with Incapsula enabled via the San Jose Pingdom test location and took the average.
I then ran 5 speed tests with Incapsula enabled via the Melbourne Pingdom test location and took the average.
I then ran 5 speed tests with Incapsula enabled via the Stockholm Pingdom test location and took the average.
Here is a summary of the speed tests.
|San Jose||0.619 seconds||0.343 seconds||0.284 seconds|
|Melbourne||2.29 seconds||0.89 seconds||0.939 seconds|
|Stockholm||1.31 seconds||0.546 seconds||1.08 seconds|
|Avg Load Time||1.41 seconds||0.59 seconds||0.76 seconds|
While at first glance it appears that KeyCDN is beating Incapsula. However, you have to remember that Incapsula has a lot more going on here behind the scenes than a traditional pull CDN. A fully proxy service allows you to have a WAF and additional layers of security, which sometimes add a little load/latency. Also, geographical distance impacts the speed tests since KeyCDN and Incapsula have POPs in different locations. I was super impressed with Incapsula’s load time in the United States! Under 300 ms from San Jose, impressive.
The important part here is to compare it to the no CDN numbers! Incapsula decreased load times on average across the board by 46.1% compared to not using a CDN. This is why I always urge everyone to look into these services. You won’t find optimizations of any kind that offer these kinds of speed increases across geographical locations.
I only dealt with their support briefly during a little hiccup I had on setup. But their ticketing system is easy to use and their response times were fairly quick. So all in all, no issues on the support side of things.
Overall I was impressed with Incapsula. I have personally been a victim of a DDoS attack before. One of my sites, wpcoupons.io, got over 5 million requests in a period of seven days. When it is at that magnitude, there is no way to filter through everything manually and block it. Pretty much the only way to stop immediately is to move it to a service like this.
If your constantly battling bot traffic, bandwidth issues, or simply need some performance improvements from a well established CDN, then I recommend giving Incapsula a look.
And remember, there is a free plan. So you can easily throw it up on a test site, try out some of the core features, and then upgrade later.
Do any of you already use Incapsula? If so, I would love to hear your thoughts below.