Dec 22, 2012
 


I have had most of my blogs protected by Incapsula for the past several weeks and have seen improved performance, reduced downtime and increased security from using Incapsula to protect my sites.

What is Incapsula

Incapsula is a web application firewall, CDN and website optimizer all rolled into one package.  It is a cloud based service that sits in front of your websites or blogs, and all traffic to your blog or website first goes through the Incapsula servers where traffic is screened and cached content is served to reduce the overhead and number of calls to your web hosting provider.


Incapsula is similar to Cloudflare which is the closest comparison, but Incapsula offers better security features while Cloudflare gives you more caching features in their comparable free plans.

Why Do I Need Incapsula

Whether you realize it or not, your sites either have been, are being or will be under attack by bots and hackers attempting to exploit everything from older WordPress versions to vulnerable plugin PHP files.  I realized the extent of this within only a few hours of turning on Incapsula and seeing all of the scans against my blog looking for files that have the words thumb and php in them.  These are bots scanning for the TimThumb.php vulnerabilities that exist in many old and outdated themes and plugins that have not updated to the latest TimThumb.php, which blocks known security vulnerabilities.  Any theme that has featured images may be using TimThumb.php or a variation, so this is important to pay attention to.


I realized that my site was under attack nearly constantly, and it was only my secured WordPress installation, .htaccess and Better WP Security that were keeping my site from being hacked.  It was working, but I didn’t like the fact that these attempts were even making it to my web hosting server in the first place.
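As an added example (not part of the original post), this Python sketch finds the scans described above in an Apache access log: it counts requests per client for file names that contain "thumb" and end in ".php", and lists any that were answered with 200, meaning such a script really exists on the server and should be checked against the latest version. It assumes the Apache combined log format; the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_thumb_probe(target):
    """True when the requested file name contains 'thumb' and ends in '.php'."""
    path = unquote(urlsplit(target).path).lower()
    name = path.rsplit("/", 1)[-1]
    return "thumb" in name and name.endswith(".php")

def summarize_probes(lines):
    """Return {ip: {"hits": n, "found": [paths answered with 200]}}."""
    report = defaultdict(lambda: {"hits": 0, "found": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_thumb_probe(m["target"]):
            continue  # skip malformed lines and unrelated requests
        entry = report[m["ip"]]
        entry["hits"] += 1
        if m["status"] == "200":
            # The script exists on this server: check that it is up to date.
            entry["found"].append(urlsplit(m["target"]).path)
    return dict(report)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2013:10:01:02 +0000] "GET /wp-content/themes/old/timthumb.php?src=x.jpg HTTP/1.1" 404 512 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2013:10:01:03 +0000] "GET /wp-content/plugins/gallery/thumb.php HTTP/1.1" 200 1024 "-" "bot"',
    '198.51.100.9 - - [01/Jan/2013:10:02:00 +0000] "GET /wp-content/themes/a/scripts/Thumb.PHP HTTP/1.1" 404 512 "-" "bot"',
    '192.0.2.44 - - [01/Jan/2013:10:03:00 +0000] "GET /some-post/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2013:10:03:05 +0000] "GET /wp-content/uploads/thumbnail.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, info["hits"], "probe(s); existing scripts:", info["found"] or "none")
```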

In just the past week, analytics from Incapsula showed my site had 52 illegal resource attempts and 2 cross site scripting attempts, and Incapsula blocked 2,573 spam comment attempts against my website.  Blocked means the requests never made it to the web server; they were stopped at the Incapsula cloud, so my site never saw or was affected by the attempts.


Testing Incapsula

At first when I tested Incapsula it worked fine without issues, but after only a day or two I had users complaining they were getting 403 errors accessing DragonBlogger.com from India or Indonesia.  I later found that the Better WP Security WordPress plugin blacklists and blocks some of the Incapsula cloud server IPs.  There is no way to whitelist an IP in Better WP Security specifically, and even though I removed the DENY statement from the .htaccess some users still had 403 errors, so I ended up having to disable Better WP Security.  I was able to reproduce this 403 error with every single blog I put behind Incapsula, so if you are using Better WP Security make sure you have it disabled when you put your blog behind Incapsula.

There were no other issues found at all once the resolution with Better WP Security was found.  I have 53 plugins active and run many contests, and nothing has been hampered by having my site behind the Incapsula cloud so far.

W3 Total Cache and Incapsula

You can still use W3 Total Cache with Incapsula, and it is required for MaxCDN integration, which I ended up still using for the vastly superior pageload performance that you will see later.  W3 Total Cache still helps serve up some cached content which makes it through the Incapsula cloud and is served from your blog, so there is some benefit to having both, though a little less benefit from W3 Total Cache.

Incapsula Blog Performance

I was expecting better pageload performance from Incapsula than I got, but my site is very script heavy and has bad pageload times as a result.  The results between Incapsula and Cloudflare were comparable, but Cloudflare performed only about 5% better on initial pageload performance tests, being about 2-3 seconds quicker on average for pageload times.  This is with no W3 Total Cache and no MaxCDN.

My site repeatedly fell in the 25-32 second load time mark, which is very bad pageload performance.  This was true even behind Incapsula, though granted Incapsula takes more time to learn and adapt as it caches more, and these tests were done only a week or so after being behind Incapsula.


An additional week later you can see Incapsula had learned about the site and was able to cache much more, so after 2 weeks of running just Incapsula and W3 Total Cache my pageload times averaged about 8-12 seconds, which is significantly better than when I first put my site behind the Incapsula cloud.


Then came MaxCDN


MaxCDN, however, immediately provided additional benefit the moment I activated it behind the Incapsula cloud.  I did have to update MaxCDN so it recognized Incapsula as the source IP, or else MaxCDN would have errors serving content.  But once I got it all figured out for the most part, the pageload times came way down into the 4 – 7 second range consistently with MaxCDN and Incapsula both active and still using the W3 Total Cache plugin on WordPress (which is configured to point to MaxCDN as well).

Incapsula Recommended

It is with 100% certainty that I can recommend Incapsula to fellow website and blog owners.  The security protections alone are an exceptional feature.  The caching gets better with the subscription service and is fairly good once you give it time to adapt, but MaxCDN still provides the best benefit for pageload performance and should still be combined with Incapsula so you have the best security and content delivery at the same time.

As a free service every blogger should be using Incapsula, and if you have the budget I would highly recommend considering an Incapsula subscription plan.  Their free service will cover you for up to 50GB of data per month; if you have more data than that you will need a subscription plan.

Cloudflare is still a great free service, and I didn’t do specific penetration tests but based on the reports and what I can see in analytics, Incapsula seems to do a better job blocking bots and spammers.  Under Cloudflare I see bots make it into the Apache access log that are blocked and never reach my Apache web server when my site is behind Incapsula.

Sign up for the free Incapsula plan and protect your WordPress blogs from bots, spammers, hackers and more.

Warning:  There are customized instructions for various hosting providers on how to configure Incapsula with them.  If your site uses a dedicated IP, which I recommend, it is easier to configure and set up.  I know of one user who has a shared hosting plan without a dedicated IP and lost access to his cPanel after configuring Incapsula, so always read the instructions and check with your host and Incapsula support.

Disclaimer:   I started with the Incapsula free plan, then Incapsula upgraded me to the business plan so that I can test the advanced caching features and compare the free vs business plan.  This article is 100% my opinions and feedback alone based on my testing of the Incapsula service.


Justin Germino
Working in the IT industry for over 13 years and specializing in web based technologies. Dragon Blogger has unique insights and opinions on how the internet and web technology works. An avid movie fan, video game fan and fan of trying anything and everything new.
  • Tom@San Diego Colleges

    Never seen anything like this. Wow, I was always wondering how many bots access my website. You can’t see that with Google Analytics, which I normally use, so this is a nice add on. This site is full of great tools!

    • http://www.dragonblogger.com Justin Germino

      Yeah the tool has a great ability to break out the types of traffic, I am surprised at how often bad bots are hitting even my smaller sites.

  • Yoav1987

    So you can combine Incapsula and MaxCDN? It’s working fine?

    • http://www.dragonblogger.com Justin Germino

      Yes, I use Incapsula, W3 Total Cache with MaxCDN configured and all is working fine.

      • Yoav1987

        Fine! I’ll try that for my own community ^^ Thank you for your article.

  • Mike Johnson

    What did you have to do inside MaxCDN specifically to make it work with W3 and Incapsula? Wondering as I currently use MaxCDN with W3, but would like to add Incapsula for testing versus Cloudflare.

    I had to stop using Cloudflare as it was blocking valid visitors all the time on my blogs.

    • http://www.dragonblogger.com Justin Germino

      I didn’t really have to make changes in MaxCDN, just make sure the source URL is the DNS name and not the IP address of the hosting provider anywhere, since that would change when Incapsula takes over the IP.
      If you run into issues, contact MaxCDN and have them give you the IPs to whitelist in Incapsula.

      The issues I ran into early on turned out to be from Better WP Security and not MaxCDN, so I had disabled MaxCDN while troubleshooting and also left it disabled while testing Incapsula performance alone.