WAF stands for Web Application Firewall, which is a firewall that inspects web traffic and blocks malicious requests. WAFs typically run on the web server software itself and have limited knowledge of the web applications they are protecting. WAFs tend to include and run all firewall rules against all requests, even if it does not apply to the underlying software.
Virtual Patching works a lot like a WAF: blocking known malicious requests but runs within the application itself. Virtual Patching goes a step further, and can take into context information that only the application (such as WordPress) itself is aware of, like user authorization, software versions, etc. Virtual patches tend to be more efficient and cause less resource usage in the application compared to a WAF because the only rules that are enabled are the ones applicable to each website.
Updated 17 days ago