We use the Sucuri WAF on several of our sites. It takes some finagling to get it set up, but in general it works. The worst thing is that there's no way to automatically generate the Let's Encrypt SSL on Sucuri until the site's DNS records point there, so if the site is already on HTTPS and you point it at the firewall, there will be some SSL downtime while the Let's Encrypt one is being generated. There is a manual way around this, though. If you open a ticket, their support team can generate a custom GoDaddy SSL and install that on the firewall so that there's no downtime after changing the DNS records. Then, when the custom SSL expires in a year, it should revert to Let's Encrypt (we have yet to see how smooth a process that is).
I suggested that they implement a system like Pantheon's, where you can generate a TXT record for the domain that will allow Let's Encrypt to verify the domain even if it's not pointing at the firewall yet (see: Terminus Acme Plugin). They thought it was a good idea, but no word on if/when they will implement it.
Also, we make sure to turn off the default caching in the Sucuri WAF because it’s hard to clear when you make changes to the site.
It's pretty good at blocking unwanted traffic and is pretty configurable, but you have to make sure your and your clients' IP addresses are whitelisted, or it may sometimes block certain admin actions. Let me know if you're interested. Maybe I can write up a post on how we set everything up in Sucuri. They do have an excellent support team, though they can be a little slow to respond. They also have settings that allow you to use an external CDN, but we haven't tried that yet.
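The downtime described above comes from changing DNS before the firewall has a certificate that covers the domain. One way to avoid being surprised is to test the firewall's TLS endpoint with the site's hostname as SNI before touching DNS, so you can confirm the custom certificate support installed actually covers the domain and is not about to expire. The script below is an added example, not code from the original post and not a Sucuri tool; the firewall IP and domain names in it are placeholders, and the sample certificate dictionary is constructed in the shape Python's `getpeercert()` returns so the evaluation logic can be exercised offline.

```python
"""Pre-cutover TLS check: connect to the WAF's IP with the site's hostname
as SNI and confirm the presented certificate covers the domain and has
enough lifetime left. Added example; WAF_IP and domain are placeholders."""
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; used only to exercise the checks offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def fetch_cert_at_ip(domain, ip, port=443, timeout=10):
    """Handshake with `ip` while sending `domain` as SNI, verifying the chain
    and hostname exactly as a browser would. Returns the getpeercert() dict.
    Raises ssl.SSLCertVerificationError if the WAF serves a certificate that
    does not cover `domain` or is not trusted."""
    ctx = ssl.create_default_context()  # CA verification + hostname check on
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


def san_names(cert):
    """DNS names from the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(domain, names):
    """True if `domain` matches one of the SAN entries. A wildcard such as
    '*.example.com' matches exactly one label, as browsers require."""
    domain = domain.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == domain:
            return True
        if name.startswith("*.") and domain.endswith(name[1:]) \
                and domain.count(".") == name.count("."):
            return True
    return False


def days_remaining(cert, now=None):
    """Whole days until notAfter. `now` is epoch seconds (UTC), default time.time()."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def assess(domain, cert, now=None, min_days=30):
    """Evaluate an already-fetched certificate. Returns (ok, reasons)."""
    reasons = []
    names = san_names(cert)
    if not name_covered(domain, names):
        reasons.append(f"{domain} is not covered by SANs {names}")
    left = days_remaining(cert, now)
    if left < min_days:
        reasons.append(f"certificate expires in {left} days (minimum {min_days})")
    return (not reasons, reasons)


def check_before_cutover(domain, waf_ip, min_days=30):
    """Full live check. Returns (ok, reasons); a rejected handshake is a failure
    with the verifier's message, which is the same failure visitors would see."""
    try:
        cert = fetch_cert_at_ip(domain, waf_ip)
    except ssl.SSLCertVerificationError as exc:
        return (False, [f"handshake rejected: {exc.verify_message}"])
    except OSError as exc:
        return (False, [f"connection failed: {exc}"])
    return assess(domain, cert, min_days=min_days)


if __name__ == "__main__":
    import sys
    # Usage: python check_waf_cert.py www.example.com 203.0.113.10
    # (203.0.113.10 is a documentation-range placeholder for the WAF IP.)
    site, ip = sys.argv[1], sys.argv[2]
    ok, why = check_before_cutover(site, ip)
    print("OK to change DNS" if ok else "DO NOT change DNS yet:", *why, sep="\n  ")
```

Run it against the firewall's IP (not the current site IP) for every hostname you plan to move, including the bare domain and www; only change the DNS records once each one passes. The same check, run on a schedule after the move, will tell you whether the renewal back to Let's Encrypt actually happened before the custom certificate runs out.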