I have had most of my blogs protected by Incapsula for the past several weeks and have seen improved performance and reduced downtime, and have benefited from the increased security of using Incapsula to protect my sites.
What is Incapsula
Incapsula is a web application firewall, CDN and website optimizer all rolled into one package. It is a cloud-based service that sits in front of your websites or blogs. All traffic to your blog or website first goes through the Incapsula servers, where traffic is screened and cached content is served to reduce the overhead and number of calls to your web hosting provider.
Incapsula is similar to Cloudflare, which is the closest comparison, but Incapsula offers better security features while Cloudflare gives you more caching features in their comparable free plans.
Why Do I Need Incapsula
Whether you realize it or not, your sites either have been, are being or will be under attack by bots and hackers attempting to exploit everything from older WordPress versions to vulnerable plugin PHP files. I realized the extent of this within only a few hours of turning on Incapsula and seeing all of the scans against my blog looking for files that have the words thumb and php in them. These are bots scanning for the TimThumb.php vulnerabilities that exist in many themes and plugins that may be old and outdated, not having been updated to the latest TimThumb.php that blocks known security vulnerabilities. Any theme that has featured images may be using TimThumb.php or a variation, so this is important to pay attention to.
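One way to count these scans in an origin server's Apache access log, as an added example that is not from the original post. It assumes the combined log format, and the sample lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed); only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: documentation addresses, made-up theme and plugin paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2013:10:01:02 +0000] "GET /wp-content/themes/example/timthumb.php?src=a.jpg HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2013:10:01:03 +0000] "GET /wp-content/themes/example/thumb.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2013:10:01:04 +0000] "GET /wp-content/plugins/example/timthumb.php HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.20 - - [01/Jan/2013:10:02:00 +0000] "GET /wp-content/themes/mytheme/timthumb.php?src=pic.jpg HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.20 - - [01/Jan/2013:10:02:01 +0000] "GET /wp-content/themes/mytheme/timthumb.php?src=pic2.jpg HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.20 - - [01/Jan/2013:10:02:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "-"',
]

def is_thumb_probe(path):
    """True when the requested file name contains both 'thumb' and '.php'."""
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return "thumb" in filename and ".php" in filename

def summarize_probes(lines, min_paths=2):
    """Group thumb/php requests by client; keep clients that tried several distinct paths."""
    per_ip = defaultdict(lambda: {"paths": set(), "hits": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_thumb_probe(m["path"]):
            continue
        entry = per_ip[m["ip"]]
        entry["paths"].add(m["path"].split("?", 1)[0])
        entry["hits"] += 1
        if m["status"] == "200":
            # The file exists on the origin: confirm that copy is up to date.
            entry["served"] += 1
    # A visitor loading the theme's own thumbnails hits one path; a scanner tries many.
    return {ip: e for ip, e in per_ip.items() if len(e["paths"]) >= min_paths}

if __name__ == "__main__":
    for ip, e in summarize_probes(SAMPLE_LOG).items():
        print(ip, e["hits"], "requests,", len(e["paths"]), "paths,", e["served"], "answered 200")
```
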
I realized that my site was under attack nearly constantly, and it was only my secured WordPress installation, .htaccess and Better WP Security that were keeping my site from being hacked. It was working, but I didn’t like the fact that these attempts were even making it to my web hosting server in the first place.
In just the past week, Analytics from Incapsula showed my site had 52 illegal resource attempts and 2 cross site scripting attempts, and Incapsula blocked 2,573 spam comment attempts against my website. Blocked means the requests never made it to the web server; they were stopped at the Incapsula cloud, so my site never saw or was affected by the attempts.
At first when I tested Incapsula it worked fine without issues, but after only a day or two I had users complaining they were getting 403 errors accessing DragonBlogger.com from India or Indonesia. I later found that the Better WP Security WordPress plugin blacklists and blocks some of the Incapsula cloud server IPs. There is no way to whitelist an IP in Better WP Security specifically, and even though I removed the DENY statement from the .htaccess some users still had 403 errors, so I ended up having to disable Better WP Security. I was able to reproduce this 403 error with every single blog I put behind Incapsula, so if you are using Better WP Security make sure you have it disabled when you put your blog behind Incapsula.
There were no other issues found at all once the resolution with Better WP Security was found. I have 53 plugins active and run many contests, and nothing has been hampered by having my site behind the Incapsula cloud so far.
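A check for the .htaccess part of the 403 problem described above, as an added example that is not from the original post or from either product: it lists `Deny from` entries that cover the proxy's address ranges. The ranges and the .htaccess content are constructed placeholders; use the ranges your proxy provider publishes.

```python
import ipaddress
import re

# Placeholder proxy ranges (RFC 5737 documentation space), not real provider data.
PROXY_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed .htaccess content of the kind a blacklist plugin writes.
SAMPLE_HTACCESS = "\n".join([
    "Order allow,deny",
    "Allow from all",
    "Deny from 192.0.2.44",
    "deny from 203.0.113.9 198.51.100.0/24",
    "Deny from 198.51.100.200",
])

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+)$", re.IGNORECASE)

def parse_deny_networks(htaccess_text):
    """Yield (line_no, network) for each IP or CIDR in Apache 'Deny from' lines."""
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = DENY_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                yield line_no, ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # 'all', hostnames and partial addresses are not handled here

def blocked_proxy_ranges(htaccess_text, proxy_ranges=PROXY_RANGES):
    """Return (line_no, denied, proxy_range) for every deny entry that overlaps a proxy range."""
    proxies = [ipaddress.ip_network(r) for r in proxy_ranges]
    findings = []
    for line_no, denied in parse_deny_networks(htaccess_text):
        for proxy in proxies:
            if denied.version == proxy.version and denied.overlaps(proxy):
                findings.append((line_no, str(denied), str(proxy)))
    return findings

if __name__ == "__main__":
    for line_no, denied, proxy in blocked_proxy_ranges(SAMPLE_HTACCESS):
        print(f"line {line_no}: {denied} blocks proxy range {proxy}")
```

Behind a reverse proxy the origin sees the proxy's address as the client, so any entry reported here turns into a 403 for every visitor routed through that range.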
W3 Total Cache and Incapsula
You can still use W3 Total Cache with Incapsula, and it is required for MaxCDN integration, which I ended up still using for the vastly superior pageload performance which you will see later. W3 Total Cache still helps serve up some cached content which makes it through the Incapsula cloud and is served from your blog, so there is some benefit to having both, though a little less benefit from W3 Total Cache.
Incapsula Blog Performance
I was expecting better pageload performance from Incapsula than I got, but my site is very script heavy and has bad pageload times as a result. The results between Incapsula and Cloudflare were comparable, but Cloudflare performed only about 5% better on initial pageload performance tests, being about 2-3 seconds quicker on average for pageload times. This is with no W3 Total Cache and no MaxCDN.
My site repeatedly fell in the 25-32 second load time mark, which is very bad pageload performance. This was true even behind Incapsula, though granted Incapsula takes more time to learn and adapt as it caches more, and these tests were done only a week or so after being behind Incapsula.
An additional week later you can see Incapsula had learned about the site and was able to cache much more, so after 2 weeks of running just Incapsula and W3 Total Cache my pageload times now averaged about 8-12 seconds, which is significantly better than when I first put my site behind the Incapsula cloud.
Then came MaxCDN
MaxCDN, however, immediately provided additional benefit the moment I activated it behind the Incapsula cloud. I did have to update MaxCDN so it recognized Incapsula as the source IP, or else MaxCDN would have errors serving content. But once I got it all figured out for the most part, the pageload times came way down to the 4-7 second range consistently with MaxCDN and Incapsula both active and still using the W3 Total Cache plugin on WordPress (which configures to point to MaxCDN as well).
It is with 100% certainty that I can recommend Incapsula to fellow website and blog owners. The security protections alone are an exceptional feature. The caching gets better with the subscription service and is fairly good once you give it time to adapt, but MaxCDN still provides the best benefit for pageload performance and should still be combined with Incapsula so you have the best security and content delivery at the same time.
As a free service every blogger should be using Incapsula, and if you have the budget I would highly recommend considering an Incapsula subscription plan. Their free service will cover you for up to 50GB of data per month; if you have more data than that you will need a subscription plan.
Cloudflare is still a great free service, and I didn’t do specific penetration tests, but based on the reports and what I can see in analytics, Incapsula seems to do a better job blocking bots and spammers. Under Cloudflare I see bots make it into the Apache access log that are blocked and never reach my Apache web server when my site is behind Incapsula.
Sign up for the free Incapsula plan and protect your WordPress blogs from bots, spammers, hackers and more.
Warning: There are customized instructions for various hosting providers on how to configure Incapsula with them. If your site uses a dedicated IP for your website, which I recommend, it is easier to configure and set up. I know of one user who has a shared hosting plan and not a dedicated IP and lost access to his cPanel after configuring Incapsula, so always read the instructions and check with your host and Incapsula support.
Disclaimer: I started with the Incapsula free plan, then Incapsula upgraded me to the business plan so that I can test the advanced caching features and compare the free vs business plan. This article is 100% my opinions and feedback alone based on my testing of the Incapsula service.