Securing your WordPress site with Cloudflare’s WAF

In today’s digital world, safeguarding your website from harmful assaults is critical. Web Application Firewalls (WAFs) protect your online assets by screening and preventing dangerous traffic. Among the leading WAF solutions available, Cloudflare’s WAF stands out for its comprehensive features, ease of use, and effective threat detection capabilities.

Getting Started

The WAF operates at the edge of Cloudflare’s global network, providing protection against a range of attacks, including SQL injection, cross-site scripting (XSS), and more. It offers a rule-based system that can be customized to fit your specific security requirements.

To begin utilising Cloudflare’s WAF, I’m assuming you already have a Cloudflare account and that you have a website on it. If not, visit this guide.

The Firewall

After successfully adding your website, navigate to the “Firewall” section via the left hand navigation, Security > WAF. Depending on which plan you have, depends on how many rules you are aloud. For example the free plan, allows 5 rules per website.

Here, you can enable the WAF by selecting the appropriate options for your needs. Cloudflare provides both a managed ruleset and a custom ruleset, allowing you to tailor the level of protection to your specific requirements.

Cloudflare’s WAF offers a pre-configured set of rules designed to protect against common threats. These rules are regularly updated to stay ahead of emerging vulnerabilities by CloudFlare for you.

Firewall Rule Examples

Here are some Cloudflare’s WAF rules, you could use right now to protect your website. If you’re with a managed hosting provider utilising CloudFlare security in their packages, such as Chkserv, then they manage all this for you, with more advance rules.


Once navigated to Security > WAF, click the ‘Create Rule’ then name the rule and copy each code into the expression section, this will save you time manually writing them out.

Block xmlrpc Attacks

					(http.request.uri.path contains "/xmlrpc.php")

Protect Login Page

You can block your WordPress login page ( For example ) by country. You can add multiple countries if required, just by pressing “Or” and then repeat the country field – does not equal entry with each aloud country.

					(http.request.uri.path eq "/wp-login.php" and ne "GB")

Block Countries or Continents

You can block countries or even whole continents from visiting your website altogether, this can be handy if you only service a particular region of the world.

					( eq "RU") or (ip.geoip.continent eq "AS") or (ip.geoip.continent eq "T1")

Fine-tuning your security settings

Cloudflare provides additional security features to enhance your website’s protection. For example, you can enable the “Challenge Passage” mode, which allows suspicious traffic to pass through while still analyzing it. This helps reduce false positives and ensures legitimate traffic is not blocked inadvertently. On your selected website, Navigate on the left navigation area to Security > Settings.


Monitoring and Analyzing WAF Events

Cloudflare’s WAF provides thorough logging and analytics, allowing you to monitor and analyse WAF occurrences. This data may be accessed via the Cloudflare dashboard or integrated with third-party applications for additional analysis. Reviewing WAF events on a regular basis allows you to spot possible dangers and take proactive actions to secure your website.


To Summarize

Cloudflare’s Web Application Firewall provides a robust defense against a wide range of web-based attacks. By following the setup process outlined in this blog post, you can quickly and effectively secure your website, safeguarding it from malicious actors. Remember to regularly review and update your WAF rules and configurations to stay up-to-date with evolving threats.

Share This

Please Donate

If my how-to tutorials helped you, please consider making a donation. ☕ ☕


Need affordable cPanel hosting?

Leave a Reply

Your email address will not be published. Required fields are marked *