Incapsula Review: Is It The Best Way To Make Your Blog Faster and Safer?

When I first started blogging, security was the last thing on my mind. I figured that hackers were only out to get big sites like Basic Blog Tips and Pro Blogger, but that simply isn’t true.

Hackers try to get into all blogs – big and small – but it wasn’t until my friend Enstine’s blog got hacked that I took action.Incapsula

At this time, I saw that a lot of bloggers were raving about this plugin called Better WP Security which essentially protected your WordPress blog from almost any kind of malicious attack. It blocks out people trying to log into your WordPress dashboard, leave spam comments, access your .htaccess file, or any other kind of hacker-like attack.

About a month ago, I saw Justin of Dragon Blogger talking on Facebook about a new service he was using called Incapsula. I decided to sign up (it’s free) and give Incapsula a try.

What Is Incapsula?

Most bloggers know about content delivery networks such as Cloudflare or Max CDN. Incapsula is essentially the same in regards to their content delivery services, but they also have advanced security features set in place to protect your website from hackers, spammers, and other bad guys.

The best way to visualize Incapsula is to think of it as the “middle man”. Incapsula sits between your server and your reader, so instead of your user’s computer asking your server to deliver your blog’s pages directly, it asks Incapsula and then Incapsula talks to your server. So instead of all kinds of malicious people having direct access to your servers files, they have to go through Incapsula to get the content. If Incapsula thinks the person trying to access your site is malicious, they will lock them out.

In addition to protecting your server, Incapsula also gets rid of some of the server load. Instead of 100,000 people requesting the same exact page directly from the web server, Incapsula will only request it once and then deliver it to those 100,000 people. Depending on the amount of views your website gets, this can drastically decrease the amount of bandwidth you are using up with your web host.

Does Incapsula Actually Work?

After being active for just 7 days on my blog, Incapsula picked up the following statistics:

  • Human Visits (all humans that visit the site): 21,284
  • Bot Visits (all bots including search engine crawlers, Alexa, etc): 8,212
  • Bad Bots (the malicious bots): 568
  • Illegal Resource Access (trying to access files like .htaccess): 6
  • SQL Injection (someone trying to ruin the database): 1
  • Cross-Site Scripting: 1

After looking at these statistics, it scares me somewhat. After just one week, I had 29,496 views (human + bots) on my blog. Although less than 2% of those viewers were bad bots, those are still potentially malicious attacks directed towards my website.

If this were the statistics for a large site like Basic Blog Tips, the percentage would probably be much higher.

Also, Incapsula is showing that they have 2.6GB of my website cached so that’s taking a large amount of server load off my web host.

Setting Up Incapsula

Setting up Incapsula is free and takes only a few minutes.

Unlike Cloudflare, Incapsula requires you to change your DNS settings instead of your name servers, so you will experience absolutely no downtime.

Incapsula works on websites with static HTML pages, WordPress blogs, forums, etc. I am currently using it on a static HTML, CSS, and JavaScript website, two WordPress blogs, and a XenForo-powered forum.

With all the free benefits that Incapsula supplies, it would be silly not to use it.

Have you tried Incapsula, what do you think about it?

About 

My name is Ian Eberle and I have a blog called Omega Web. I live in Crestview, Florida, USA, and I am currently going to college for a degree in entrepreneurship. I spend my time writing on my blogs, perusing the Internet, and making money.

74 Comments (click here to leave a comment)

  1. Well, I am currently using cloudfare on my site and I don’t think that I am going to change it NOW on my main website. But will try to change it on one of my other site. Thanks for the awesome review.

  2. Hi Ian,

    First of all many thanks for the review article on this security plugin. Recently I became two time victim of hacking. Hackers putted some malicious code in my site template which has suffered me a lot to fix.
    I hope this plugin will help me to prevent hackers to hack my site again.

    • If the code was already in your theme template before you installed it (because you downloaded a free theme or something), Incapsula won’t do much help. However, if it’s because you had people breaking into your blog and putting the code there, Incapsula will be wonderful for you… Thanks for stopping by.

      • Kowshik

        The theme was safe and there was no malicious code. I checked the theme with Theme Authenticity Checker plugin before I installed it.

        Thanks

  3. Hi Ian, thanks for your time to review the Incapsula tool. I haven’t tried it but maybe it’s high time i check it out. I had not heard of it before maybe its because i found cloudfare first. Anyway i am going to try it out. Cheers

    • Cloudflare definitely spends more money on marketing so people will know about it. Also, I think Incapsula is a newer service. Anyway, though, it’s still great and worth considering.

  4. Hey Ian, have you been able to run some tests or have any info on visitors getting a false positive and having this software think they are malicious and blocking a legitimate site visitor? That always seems to be the difficult balance. Keeping out the bad guys, without inconveniencing the regular folks just wanting to read your blog.

    • I have not seen anyone that has been locked out when they shouldn’t have been. One thing to mention, however, is that using WP Better Security and Incapsula at the same time can cause issues. WP Better Security will see Incapsula as a threat and try to block out some visitors form foreign countries…

      Please see Justin’s comment below this one.

  5. Thanks for covering, one note I did a FULL review of Incapsula including all baseline testing with pingdom and Google Pagespeed tests before, during, after so can show the clear differences between Incapsula, MaxCDN and Cloudflare. Incapsula has better security protection features than Cloudflare (especially in the free plan) The free plan supports 50GB of bandwidth data per month, I have all of my blogs combined (6 of them) using the free plan without issue.

    MaxCDN will give you better pageload performance times by far than Cloudflare and Incapsula from my testing (but it isn’t free and only serves content, not a security service). I combine Incapsula and MaxCDN myself.

    One other note, you can’t use Better WP Security behind Incapsula, it will put the Incapsula cloud server in your Apache .htaccess deny everytime and block may visitors with a 403 error. There is no workaround I can find, since Better WP Security doesn’t let you whitelist IP’s in the plugin specifically.

    • Not exactly sure what you mean by blocking visitors with a 403 error. There is an Incapsula plugin for WordPress here:
      http://wordpress.org/extend/plugins/incapsula/

      Since all incoming traffic will be from a handful of ips (Incapsula ips) what you get is your visitors all come to your site from a few ip addresses when using Incapsula. If an incoming ip is blocked you could potentially block a lot of visitors because many will be originating on that ip.

      What the Incapsula plugin does is it allows the visitors real ip address, which may help Better WP Security.

      I don’t have Better WP Security on my Incapsula site at the moment, but I had a brute force login plugin that locked me out because without the plugin I had the same ip address as numerous other visitors. After installing the plugin I no longer get blocked.

      Same thing with commenters. Without the plugin a lot of comments show the same ip address (Incapsula’s). After installing the plugin comments show the real ip addresses in WordPress dashboard.

      Anyway, not sure if this would help or be a solution to this. I would have to test it out. Just a thought.

      • One more thought while it’s fresh on my mind. It could also be that since a lot of visitors are originating from a single Incapsula IP address if Better WP Security blocks that IP anyone else visiting from that IP would be blocked and get a 403 error. The Incapsula plugin I mentioned may help with that. It is also possible that Better Security’s Detect settings for 404 Detection is contributing to the 403’s if you have that enabled. If the visitor or a bot hits a lot of 404 pages that don’t exist it will block the ip, which means when using Incapsula it can end up blocking an IP that hundreds of visitors come through to your site. You might try the Incapsula plugin and/or turn off the 404 detection or adjust it. There is also some whitelisting available in this area. I never checked the default Ban list area to see if any of Incapsula IP’s are on that list. I wouldn’t think so, but you never know. Again not sure if this would resolve the issue or not. I have been meaning to add Better Security to a site that is using Incapsula I just haven’t got around to it yet.

        • Ray, I opened a support case with Incapsula and worked with Igal extensively via email about this issue and not once was the Incapsula WordPress plugin mentioned, I didn’t know it even existed until you just mentioned it and yes it was one Incapsula cloud IP that kept getting added as a Deny statement which blocked entire chunks of users who then got 403 errors when hitting my site. I will install/enable this plugin and re-enable Better WP Security on my smaller blogs first to see if it resolves the conflict.

        • Ray, I 100% found the problem, in Better WP Security the moment you enable the default blacklist ban setting. This is step 9, blocking known bad hosts and agents with HackRepair.com’s blacklist..

          In the settings, you Check this box to enable HackRepair.com’s blacklist feature.

          The moment you do this hardening step it adds a slew of Deny IP statements and other bot rewrite statements in the .htaccess file, one of the IP addresses it adds must be Incapsula IP because the moment you enable this config you get a 403 error immediately in my own wp-admin and I effectively can’t even hit my own site until I remove the deny IP statements. If you email me contactme@dragonblogger.com I can send you screenshot and the full list of IP’s and deny statements that get added so you can identify which IP is Incapsula and maybe figure out how to get it not added to the default ban list for this plugin, which appears to just use the hackrepair.com blacklist which may be even more concerning if they are listing an Incapsula IP as a blacklist IP.

    • Thanks for sharing your input and review here, Justin. You’re awesome!

      Also thanks for introducing me to Incapsula in the first place. I’m loving it on my blog!

  6. Hi Ian,

    I never heard abou Incapsula. Using content delivery system is really much important these days, as we all knew speed matters in SERPs.
    Thanks mate for excellent share!

    ~@Khajamoin1

  7. I haven’t tried it on WordPress, but I’ve tested in on Joomla. After many 503 errors, problem with admin dashboard and everything else, I found out that website is loading with about 20sec slower!!! During the time of my test Incapsula website went down 2 times. From my experience with Joomla, I personally can not recommend it!

    • I’m thinking you probably didn’t set something up correctly. Because Incapsula shouldn’t really touch anything in the admin area…

      It only caches pages that people can view publicly.

      • Settings were correct (at least those related to CNAME and A Record). Joomla is different than WordPress and there are component and plugin that need to be installed. My point is that even getting everything to work Incapsula CDN slowed down my website to 20 seconds loading time and this is coming exactly from static cached content which usually is no more than 100kb for my website.

  8. This may sound like a silly question, but how does a blog get hacked? I mean I have a small site, but do hackers just get in and take down your site? What does hacking do to your site if you don’t have any sensitive information?

    • Hackers can get in and post spam links (without you knowing) on all your blog posts, they can delete all your content, they can ruin your blog, they can steal sensitive info… Just think of the worse possible thing that can happen to your website and hackers can probably do it.

  9. I have been using Incapsula for a while now. It has been a good experience. I would mention that with a free account you do not get the xss (cross site scripting), illegal resource, sql injection protection and such. I don’t know if they still give 30 day trials to their business or premium plans or not. They used to, and you get to test these additional features during that time. After 30 days you go back to the free plan and lose those, or you can upgrade. It still has decent protection along with some CDN like caching. I personally prefer Incapsula over Cloudflare.

  10. Hi Ian
    Thank you for covering our services :)

    @Khaja moin – You are correct, but page speed improvement is not the only SEO related benefit we can offer (i.e. manually whitelisted IP ranges, scraping/spam protection and etc)
    I spent 8 years in SEO and recently wrote a blog on the topic, you may want to check it out:
    http://www.incapsula.com/the-incapsula-blog/item/368-cdn-seo-benefits-and-advantages

    @Carl – None of this should happen (ever). I don’t know what was the issue but I`m 100% confident we can solve it. If you are willing to give us another shot, I can offer you my personal assistance. You can reach me at feedbacks@incapsula.com.

    • Thanks for stopping by! It’s so nice to see official representatives of companies leaving comments on reviews and such – it really shows good customer support.

      Anyway, I told Carl the same thing. I hope that he gives you a second chance!

  11. Aasma

    Hi Ian,

    That’s certainly sounds great tool. I would love to try it out on my own website. I know hacking activities has actually increased around the web, so it’s better to prepare for it and give your best shot to secure your website.

  12. Thanks for this awesome review and now i am planning to use the plugin Incapsula in my website to play a safe game and to get rid of the hackers too…….

  13. Many of my friends are using incapsul but I wasn’t sure that It would be help full for my blogging but after your excellent review I feel I need to use it. And most important part is that I am really afraid of hacking kinda staff, so it certainly would help me to get rid of this fear.

    Ronny

  14. Incapsula provides a lot of additional features with better stability. On the other side Cloudfare provides better acceleration speed service, but having the 5% or 6% better speed service does not complete the need of various security options.

    So if you are looking for only fast acceleration speed service, then I think Cloudfare service is for you, but if you want speed plus security, then I would recommend you to choose Incapsula.

    • Why wouldn’t you like speed and security?

      That’s like buying a sports car and saying “If you want speed and safety, go with this car, but if safety isn’t a concern, go with this one that’s 5% faster.”

      Just my two cents :)

    • There’s honestly no configuration besides changing the DNS settings. It literally took me 5 minutes to configure.

      And trust me, Incapsula is worth 5 minutes of your time.

  15. Thanks, Ian.

    A couple of questions. Did you see decreases in load time after installing it? Also, do you use any cacheing plugins like WP-Supercache and does it work in conjunction with them or should they be disabled before using Incapsula?

    Thanks for the heads up on what looks like a good security solution.

    Cheers!
    –Sean

    • You can use cache plugins, but there really isn’t a need for them anymore. As for security plugins like Better WP Security, these need to be disabled.

      And yes, I have seen a difference in speed. However, Incapsula caches more over time so you have to give it time to work to its full extent.

  16. very nice post it is beneficial for blog provide good security and earn more money i have listen first time thanks for sharing..

  17. Now I also use incapsula. It is not 100% secure website to be, but at least all the bad bots, many are blocked :D . And of course the CPU resource usage of hosting to be reduced .

  18. Good information. I did not use to think about bad bots too much until it happened to me. I had left the security on my site wide open and the database had been filled with unwanted content.

  19. Incapsula – looks great to be protected from hackers. Should have to try out this one. Thanks for sharing a valuable information.

  20. Hi Ian,

    This is a great tool for me as a blogger

    This Information is freshly new to me, I never heard about this. Reading this review is such a great information, especially that I own a blog site. There are lots of hackers on the web nowadays, so it’s better to be secure and I love to try this on my own.

    Thanks for sharing your ideas!

  21. Hi Ian,
    I guess Incapsula is just something like cloudflare. I used cloudflare for some time and it was a decent experience. The site accelerated and they too provided security from harmful bots and attacks on your site.

  22. The thing is a majority of people think that blogging is get quick rich thing but the truth is that success in blogging requires dedication, hardwork, patience and right direction. IF a bloggers has all the 4 things than no one can stop him/her from earning money from his/her blog.

  23. Good points about security you brought up Ian, and I for one can not stress enough the need for not only “speed” but also WordPress security. My blog gets hack attempts daily that goes way above 100 times and mind you, I have got a pretty good amount of defences up and running, those being ClouFlare and Better WP. They do work well in tandem.

    Incapsula, IMO is a great service and I myself wrote a review recently about it. The standard free version is more than good enough to provide basic protection while enhancing a sites performance. I use their service and I am very happy with it. Igal is a great guy and their support is equally great. Very sound advice :)

  24. a few months earlier i started my blog and hacked twice in no time then i start using wordfence which works good for me but lets how incapsula will work i am going to give it a try thanks for the review Ian Eberle…

  25. I always gave importance to Security but never really did anything until some one tried to hack my blog. Thank you Ian for your post and reminding me the importance of security.

  26. As Ian mentioned, I have done a massive Incapsula review and direct comparisons to Cloudflare, MaxCDN and Amazon S3 before. Incapsula provides the best security of the 3 (you get none with MaxCDN and Amazon S3) but combining MaxCDN with Incapsula gives you the best security and performance. One note, for any user who uses Better WP Security you cannot use this plugin with Incapsula, it will put Incapsula IP’s in your deny list and users will get 403 errors from various locations. I found no workaround so I wound up having to disable Better WP Security. Incapsula replaces most of the security features, but the enforce strong passwords and disable after X number of logins was nice.

  27. I just recently installed incapsula on my website because many of the websites that I work on were getting attacked. We’ve taken the appropriate measures and hopefully we don’t have any more problems with those. I was especially worried about my own site. When the url titles and whatnot started changing I knew I had to act fast. I installed incapsula, changed all the passwords to the account and i’m doing fine now.

  28. One month ago my blog was attacked by hackers, fortunately I was able to fix my blog with support my hosting provider. I think this is the best way to choose Incapsula to avoid something like that. Thanks so much Ian Eberle for your tips.

  29. Thanks for sharing! I never care about blog security, especially I never heard about his plugin. That great and amazing, I should try some time to learn more about this plugin

  30. Yes the same for me, at first security is the last thing for me. But when I got my websites hacked and second time got malware injected. Now I will try Incapsula. I was looking for a good security.

  31. seems a great tool for bloggers. i have used Cloudflare and it had a great impact in my site speed. but i had some issues with it so i dont use any CDN now

  32. Hey Ian,
    Nice post and Thanks for sharing this important service with us as security is the first concern of all of us. This service really seems very interesting and I surely gonna try this.