Incapsula Review – Secure and Accelerate Your WordPress Site

I’m a big geek when it comes to web performance and always love trying out new tools and services. Incapsula is one service I’ve never had a chance to previously try. So today I’ll be taking a deep dive into their CDN features, web application firewall (WAF), and other security features as it pertains to using them on your WordPress site. Check out this Incapsula review and see if you should be using it today.

Imperva Incapsula Review

Incapsula, now Imperva Incapsula, is essentially a full proxy Security as a Service (SECaaS) offering which uses a content delivery network as a delivery platform for its solutions. These guys focus on two things, security and performance, and they do it well! A similar provider, if you were to compare them to someone, would be Akamai.

By full proxy, we basically mean that it sits between your visitors and your WordPress host, so all traffic to your site passes through Incapsula first. This is how they are able to offer additional security features that some traditional CDN providers can’t. Some big brands that use Incapsula include Wix, Moz, Trello, Siemens, Hitachi, and Thomson Reuters.

A CDN, short for content delivery network, is a network of servers located around the globe which keep a copy of your content (like images, JavaScript, CSS). When visitors hit your website, the content is quickly served up by the CDN from the closest physical location. Decreasing the distance between the visitor and the content, in turn, turbocharges the delivery of your content.

Incapsula CDN global network map

Check out these 10 reasons why everyone should be using a CDN.

Incapsula takes this one step further. The additional layers of security that I mentioned include features such as a web application firewall (WAF), DDoS protection, bot mitigation, advanced IP limiting and blocking rules, etc. Essentially they are a one-stop shop for speeding up your website and keeping it secure.

Features

Let’s first dive into the four primary features that Imperva Incapsula has to offer. Some of these vary based on what plan you choose.

1. Website Security

When it comes to WordPress, website security is very important. WordPress is used by over 28% of all sites on the internet. But this also means it can be more susceptible to attacks, since there are thousands of plugins and themes floating around that are all being patched (or worse, not patched) at different times. And let’s be honest, a lot of users just don’t know the basics of website security, such as why every site, even blogs, should be using HTTPS. Or users being stupid and using a simple-to-guess password such as 1234567 for their admin login. While Incapsula won’t help protect against everything, it does its best to provide an all-in-one solution.

Bot Mitigation

They provide bad bot mitigation. Not all bots are bad. Googlebot and Bingbot are a couple of good ones that come to mind. But most of them are, and they can suck your bandwidth dry if you aren’t watching. A majority of cyber attacks today are non-targeted assaults, carried out by bots to exploit vulnerabilities in bulk (for example, a bot that scans the web for WP sites with a plugin which has a recently discovered vulnerability).

Incapsula’s survey showed that over 94% of all websites were exposed to bot attacks. This is the threat that most websites actually face: not hackers in dark rooms, but automated scripts that aim to auto-exploit a website to inject it with malware that would scrape the database, hijack server resources and/or harm future visitors.

Incapsula lets you create rules to blacklist bad bots immediately. And you can get a real-time view of bot traffic in the dashboard. Incapsula also runs one of the largest bot databases on the internet: BotoPedia. So they know their bots!

Web Application Firewall (WAF)

The main feature when it comes to website security is their web application firewall (WAF). Incapsula protects from all application security threats, including SQL injection, cross-site scripting (XSS) and remote file inclusion (RFI), and more. You can see a nice overview of this from the dashboard.

WAF

You can also choose from different types of actions for the firewall:

  • Alert only
  • Block request
  • Block user
  • Block IP
  • Ignore
Actions for web application firewall

This might look confusing at first, but trust me, these rules can save you thousands of hours. Another really cool feature is the ability to enable two-factor authentication on any URL that you want, without installing any software or plugins. Say, for example, you want to add two-factor authentication via the Google Authenticator app for your /wp-admin URL. You can do that from within the Incapsula dashboard.

Login protect

2. Global CDN

Whenever you’re discussing CDNs, the more locations the better! Incapsula’s CDN includes 38 different data centers (also sometimes referred to as POPs) with over 3.5 Tbps capacity. They take advantage of top-tier peering relationships and providers such as Level (3) and Equinix to provide fast speeds over the internet. They support HTTP/2, GZIP compression, and the paid plans include a free SSL cert (issued by GlobalSign).

Current America CDN locations include:

  • Atlanta
  • Dallas
  • Ashburn
  • Los Angeles
  • Miami
  • Newark
  • Chicago
  • Seattle
  • San Jose
  • Toronto
  • São Paulo
  • Vancouver

Current Europe and Middle East locations include:

  • Amsterdam
  • Dubai
  • Madrid
  • Milan
  • Paris
  • Frankfurt
  • Stockholm
  • London
  • Tel Aviv
  • Zurich
  • Warsaw
  • Moscow

Current Asia and Pacific locations include:

  • Auckland
  • Sydney
  • Melbourne
  • Hong Kong
  • Singapore
  • Tokyo
  • Osaka
  • Delhi
  • Mumbai

Incapsula’s CDN provides you with the ability to cache both static and dynamic content. This is one advantage of choosing a full proxy service CDN over that of a typical pull CDN.

Incapsula caching mode

Additional features include:

  • Ability to instantly purge cache
  • Custom caching rules
  • Compression of HTML, CSS, and JavaScript files
  • Image compression (both lossy and lossless)
  • Code minification

Some advanced features include session reuse and TCP connection pre-pooling. All of these features can easily be enabled or disabled from within the dashboard.

Incapsula content optimization

Under their performance tab, you can see some important stats, such as accumulated saved bandwidth.

Saved bandwidth

3. DDoS Protection

Some of you may remember the large DDoS attack against Dyn back in 2016. I remember the day very well as it seemed like almost half the internet went down! DDoS attacks are growing in volume and can easily take a WordPress site down in a few minutes, leaving you wondering what you could have done to prevent it. Well, one of the only ways to protect yourself is to invest in DDoS mitigation. Essentially Incapsula helps block these attacks by re-routing traffic and applying complex rules they have built up over the years.

DDoS traffic
Traffic (Humans, bots, blocked)

Their high-capacity global network holds over 3.5 Tbps (Terabits per second) of on-demand scrubbing capacity and can process 30 billion attack packets per second. Different types of services can be targeted by attackers, and that is why they offer three unique types of DDoS protection:

  1. Website DDoS protection
  2. Name Server protection
  3. Infrastructure protection

They can mitigate any type of attack, down to layer 7, including:

  • TCP SYN+ACK
  • TCP FIN
  • TCP RESET
  • TCP ACK
  • TCP ACK+PSH
  • TCP
  • Slowloris
  • Spoofing
  • ICMP
  • IGMP
  • HTTP Flood
  • Brute Force
  • Connection Flood
  • DNS Flood
  • NXDomain
  • Mixed SYN + UDP or ICMP + UDP Flood
  • Ping of Death
  • Smurf
  • Reflected ICMP & UDP

4. Load Balancing

Load balancing is one of Incapsula’s higher-end features. This ensures that your site stays up at all times, no matter what the circumstance. Your traffic is always re-routed if something goes down. This includes the following:

  • Real-time server health and performance monitoring
  • Performance-based load balancing, re-routing traffic to the data center with the best connection time
  • Automatic site failover
  • Application delivery rules
  • Real-time dashboards

Pricing

Incapsula has plans for all types of WordPress users, including a free plan! The free plan includes the CDN & Optimizer, IPv6 support, login protect, access control, and bot protection. This can be a great way to dive into some of their features and try it out on your site before upgrading to a higher plan.

The Pro plan starts at $59/month, the Business at $299/month, and Enterprise plans are custom.

Incapsula pricing plans

How to Set Up Imperva Incapsula in WordPress

It’s fairly easy to get set up and running on Incapsula. I’ll walk you through the process below, along with some recommended settings for performance and security.

Step 1

The first thing you will need to do is add your website. Input your domain (without the HTTP or HTTPS) and click on “Add Website.”

Add website to Incapsula

Step 2

It will scan your website’s records and get some information. Then click on “Continue.” Don’t worry if something shows up wrong; you can modify all of this later. You can either set up your SSL during this process or after the fact. I am going to do it after.

Incapsula scan records

After the scan, it will give you the DNS information (IP addresses, etc.) that you will need to point your site over to Incapsula.

Incapsula DNS records

Step 3

So I need to first update my A records to point over to the IP address Incapsula is giving me. I am using free Cloudflare DNS on this domain.

Incapsula A record IP Address

Note: They give you two different IP addresses which you will need to add. The second is for redundancy. So when you’re done, you should have two A records pointing at two unique Incapsula IPs.

Step 4

Next, I need to update/add my CNAME record to point over to the hostname Incapsula is giving me.

Incapsula CNAME record

You can then run a check in the Incapsula dashboard to make sure your DNS is working correctly. Depending on your DNS provider, this may take a few hours. In my case with Cloudflare DNS, the changes were instant.

DNS is fully configured

Step 5

If you were running with HTTPS on a previous provider or with your host and you didn’t configure SSL during the setup above, you will most likely encounter the following “ERR_SSL_UNRECOGNIZED_NAME_ALERT” error. This is because an SSL certificate actually needs to be issued by Incapsula.

ERR_SSL_UNRECOGNIZED_NAME_ALERT

So I go into settings for my domain, click on “General” and then on “Configure” under SSL support.

Incapsula configure SSL

It will then email you a confirmation. You will most likely get two emails, one for your *domain.com and one for your www.domain.com. This depends on how you set it up of course. Note: Mine took about 30 minutes or so to come through, so don’t be alarmed if you don’t see them right away.

SSL confirmation email from Incapsula

After clicking the link in the email it will approve the SSL certificate application.

GlobalSign SSL approved

Step 6

Once that is up and running I also recommend enabling both the Strict-Transport-Security (HSTS) header and HTTP/2. The HSTS header will force encrypted connections and you will want HTTP/2 for performance reasons.

Incapsula HSTS header and HTTP/2
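
To confirm that the HSTS setting from Step 6 took effect, the following added example (not code from this article or from Incapsula) parses a Strict-Transport-Security header along the lines of RFC 6797 and flags common misconfigurations. The function names, the 180-day threshold and the sample responses are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the article

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of lower-cased directives, or None when the value is
    malformed, in which case a browser ignores the header entirely."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives

def audit_hsts(scheme, headers):
    """Return findings for a response given as a list of (name, value) headers."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no HSTS header"]
    if scheme != "https":
        return ["HSTS sent over plain HTTP is ignored by browsers"]
    policy = parse_hsts(values[0])  # browsers process only the first HSTS field
    if policy is None:
        return ["malformed HSTS header, browsers will ignore it"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" in policy:
        findings.append("includeSubDomains: every subdomain must serve valid HTTPS")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "ok": ("https", [("Strict-Transport-Security", "max-age=31536000")]),
    "short": ("https", [("strict-transport-security", "max-age=300; includeSubDomains")]),
    "plain-http": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    "duplicate": ("https", [("Strict-Transport-Security", "max-age=300; max-age=600")]),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLES.items():
        print(label, audit_hsts(scheme, headers) or "no findings")
```

Pass it the scheme and headers of a real response from your own domain once the setting is enabled in the dashboard.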

And that’s about it! Incapsula should now be running on your site. I don’t have time to dive into all the dashboard features in this review, but I can tell you they’ve done a really good job. The UI is easy to navigate, and there are still hundreds of advanced options for those that need them.

After you let Incapsula run for a few days you can then analyze all of your traffic in their detailed dashboard.

Traffic statistics

Imperva Incapsula CDN Speed Tests

I then ran some speed tests to compare the CDN functionality. I ran multiple tests from each location, without a CDN, with KeyCDN, and then with Imperva Incapsula to see how they stack up against each other.

This is a fairly lightweight site, but I always like to see a comparison. Sometimes on smaller sites, it is actually easier to compare services like these as you don’t have to worry about limiting or ignoring all the third-party dependencies that might impact the speed tests.

forgemedia.io Without CDN

I first ran 5 speed tests without a CDN via the San Jose Pingdom test location and took the average.

Website speed test with no CDN (San Jose, California)

I then ran 5 speed tests without a CDN via the Melbourne test location and took the average.

Website speed test with no CDN (Melbourne, Australia)

I then ran 5 speed tests without a CDN via the Stockholm Pingdom test location and took the average.

Website speed test with no CDN (Stockholm, Sweden)

forgemedia.io With KeyCDN

I then ran 5 speed tests with KeyCDN enabled via the San Jose Pingdom test location and took the average.

Website speed test with KeyCDN (San Jose, California)

I then ran 5 speed tests with KeyCDN enabled via the Melbourne Pingdom test location and took the average.

Website speed test with KeyCDN (Melbourne, Australia)

I then ran 5 speed tests with KeyCDN enabled via the Stockholm Pingdom test location and took the average.

Website speed test with KeyCDN (Stockholm, Sweden)

forgemedia.io With Imperva Incapsula CDN

I then ran 5 speed tests with Incapsula enabled via the San Jose Pingdom test location and took the average.

Website speed test with Incapsula (San Jose)

I then ran 5 speed tests with Incapsula enabled via the Melbourne Pingdom test location and took the average.

Website speed test with Incapsula (Melbourne Australia)

I then ran 5 speed tests with Incapsula enabled via the Stockholm Pingdom test location and took the average.

Website speed test with Incapsula (Stockholm Sweden)

Here is a summary of the speed tests.

| Test location | No CDN | KeyCDN | Incapsula |
|---|---|---|---|
| San Jose | 0.619 seconds | 0.343 seconds | 0.284 seconds |
| Melbourne | 2.29 seconds | 0.89 seconds | 0.939 seconds |
| Stockholm | 1.31 seconds | 0.546 seconds | 1.08 seconds |
| Avg Load Time | 1.41 seconds | 0.59 seconds | 0.76 seconds |

At first glance it appears that KeyCDN is beating Incapsula. However, you have to remember that Incapsula has a lot more going on here behind the scenes than a traditional pull CDN. A full proxy service allows you to have a WAF and additional layers of security, which sometimes add a little load/latency. Also, geographical distance impacts the speed tests since KeyCDN and Incapsula have POPs in different locations. I was super impressed with Incapsula’s load time in the United States! Under 300 ms from San Jose, impressive.

The important part here is to compare it to the no CDN numbers! Incapsula decreased load times on average across the board by 46.1% compared to not using a CDN. This is why I always urge everyone to look into these services. You won’t find optimizations of any kind that offer these kinds of speed increases across geographical locations.

Support

I only dealt with their support briefly during a little hiccup I had on setup. But their ticketing system is easy to use and their response times were fairly quick. So all in all, no issues on the support side of things.

Email response times Incapsula

Summary

Overall I was impressed with Incapsula. I have personally been a victim of a DDoS attack before. One of my sites, wpcoupons.io, got over 5 million requests in a period of seven days. When it is at that magnitude, there is no way to filter through everything manually and block it. Pretty much the only way to stop it immediately is to move it to a service like this.

If you’re constantly battling bot traffic, bandwidth issues, or simply need some performance improvements from a well-established CDN, then I recommend giving Incapsula a look.


And remember, there is a free plan. So you can easily throw it up on a test site, try out some of the core features, and then upgrade later.

Do any of you already use Incapsula? If so, I would love to hear your thoughts below.

Brian Jackson


2 thoughts on “Incapsula Review – Secure and Accelerate Your WordPress Site”

  1. Outstanding post, thanks for the hard work. Https protocol is extremely important and I also use the “Simple SSL” Plugin to ensure the protocol remains active. But after activation, one must also update the property in Google Search Console.
