How to Set Up Cloudflare WAF WordPress (2026 Practical Guide)
Table of Contents
The first time I took Cloudflare WAF WordPress seriously, it wasn’t after reading a checklist. It was after watching my server logs light up at 2:17 a.m. with brute-force attacks, weird query strings, and bots that never sleep. My site still worked, but it felt like leaving the front door unlocked in a busy city.
Cloudflare’s Web Application Firewall (WAF) is the bouncer who stands outside your site, at the edge of Cloudflare’s network, which is more than just a CDN network for assets, and filters traffic before it hits WordPress. Set it up well and your site feels calmer overnight. Set it up sloppy and you’ll block real customers at checkout.
Here’s how I configure it in a way that’s secure, but doesn’t break normal WordPress stuff.
How I think about Cloudflare WAF on a WordPress site
I picture Cloudflare’s Web Application Firewall as a guardrail placed far away from my server. That distance matters, because it means bad traffic gets dropped before my hosting has to deal with it, with DDoS protection kicking in at the edge. The Web Application Firewall checks requests for common patterns, like SQL injection and XSS attacks, then blocks or challenges them.
Before I touch settings, I make sure I have the basics:
- A Cloudflare account and the site added to it
- The domain using Cloudflare nameservers (or you won’t get full protection)
- WordPress admin access, plus hosting access if I need to check server logs
- A quick rollback option (I like having a recent backup, and knowing where “Pause Cloudflare” lives)
One more mindset shift helps: Firewall Rules are like house rules for visitors, and false positives are like an over-eager bouncer. My goal isn’t “block everything,” it’s “block the bad stuff without bothering good users,” using these Firewall Rules to mitigate bot traffic while minimizing false positives. This edge-based approach beats relying on a traditional WordPress security plugin.
Gotcha: If you’re not proxying traffic through Cloudflare (the orange cloud), the WAF can’t protect your WordPress site. DNS-only mode won’t do it.
Step 1: Route traffic through Cloudflare (DNS + proxy)
If Cloudflare isn’t in the path, none of the WAF work matters. So I start with configuring the CDN network proxy through DNS, then I verify the site still loads.
- Add your domain to Cloudflare and follow the wizard.
- Change nameservers at your registrar to the ones Cloudflare gives you.
- In Cloudflare, go to DNS and check the main records:
- Your root domain (
example.com) should point to your origin via A/AAAA (or CNAME if your host uses one). wwwshould usually be a CNAME to the root (or to your host target).
- Your root domain (
- Make sure your web records show the orange cloud (Proxied).
- Leave non-web records alone. For example, mail records should often stay DNS only.
If you’re unsure what good DNS looks like in practice, this Cloudflare DNS configuration guide is a solid reference.
Once Cloudflare is active, I check two things: the homepage loads, and wp-admin loads. Then I watch for instant spam pressure relief, as the firewall examines the URI Path for every request. In many cases, even basic Cloudflare filtering reduces junk traffic. It pairs nicely with WordPress-side steps too; if using a plugin for integration, you’ll need your API Key, like my approach to Cloudflare WAF for blocking comment spam.
Why it matters: if DNS is wrong, you’ll chase “WAF problems” that are really routing problems.
Step 2: Fix SSL/TLS before enabling strict security
A lot of WordPress “Cloudflare broke my site” stories are really SSL mode problems. I set SSL/TLS first, because it keeps logins, cookies, and admin sessions from acting weird.
Here’s what I do in Cloudflare:
- Go to SSL/TLS and set encryption mode to Full (strict).
- Install SSL certificates on your origin (many hosts include this). If needed, use a Cloudflare Origin Certificate.
- Turn on Always Use HTTPS (and confirm WordPress Address and Site Address use
https://). - If you use HSTS, enable it only after you confirm everything works over HTTPS.
After these changes, perform a manual cache purge to ensure everything updates properly.
I avoid “Flexible” mode. It can cause redirect loops and insecure origin traffic, especially around /wp-login.php and /wp-admin/. For extra protection on the wp-admin area, Zero Trust offers strong identity-based security.
At this point, I enable Automatic Platform Optimization as a performance boost for WordPress sites, and consider human logins versus bot logins. If you want a low-friction way to reduce contact form spam, pairing WAF with Turnstile helps. I’ve had good results using a plugin to add Cloudflare Turnstile to WordPress on login and comment forms.
Step 3: Enable Managed Rulesets, bots, and rate limiting
Now I turn on the actual Web Application Firewall protection. Cloudflare’s exact menu names change over time, but the flow is consistent: enable managed protection first, then add targeted Firewall Rules for WordPress hotspots.
Turn on Cloudflare Managed Rulesets (OWASP Core Ruleset)
- Open Security (or WAF) in Cloudflare.
- Find Managed Rulesets.
- Enable Cloudflare’s core managed rulesets, then enable the OWASP Core Ruleset if your plan supports it.
- Start with default sensitivity. I only increase it after monitoring real traffic.
Why it matters: These automated managed rulesets catch common attacks that target WordPress plugins and themes, without you writing custom logic. They differ from manual Firewall Rules by handling broad threats out of the box.
Add WordPress-focused Firewall Rules (wp-login and wp-admin)
These are my usual targets:
/wp-login.php(brute-force attacks and credential stuffing)/wp-admin/(admin probing)xmlrpc.php(often abused, sometimes needed)
A simple pattern that works well is to apply a Managed Challenge or Rate Limiting to login endpoints based on URI Path matches, and block XML-RPC if you don’t use it. Filter by User Agent for suspicious patterns too. If you do need XML-RPC (some apps and older workflows do), I don’t block it globally. Instead, I restrict it with tighter rules (like country blocking, ASN, or a small allowlist).
Bot protection and rate limiting
Cloudflare gives you a few layers here, depending on plan:
- Bot protections: I enable the basic bot features first, then tighten if scraping or fake signups from malicious bot traffic keep coming.
- Rate Limiting: I cap repeated hits to
/wp-login.phpand sometimes/xmlrpc.php. Even a modest limit can cut server load and stop brute-force attacks.
Step 4: Add WordPress exceptions, then test and monitor
This is the part that saves the most headaches from false positives. WordPress isn’t just pages, it’s APIs, AJAX, and checkout flows. So I add “skip” rules (Cloudflare calls these exceptions in different ways, similar to fine-tuning settings in a WordPress security plugin) to prevent false positives.
Common skip rules I use (carefully)
- REST API: don’t broadly skip
/wp-json/unless you must. Instead, skip only for known paths or trusted requests using URI Path conditions. - WooCommerce checkout: watch
/checkout/and payment callbacks with Firewall Rules exceptions for specific URI Path patterns. If customers get blocked, you’ll feel it fast. - Admin AJAX:
wp-admin/admin-ajax.phppowers a lot of front-end features. - Comments: monitor
wp-comments-post.phpclosely, as it handles user submissions. - XML-RPC: block if unused, restrict if required, and consider User Agent checks for legitimate bots.
- Trusted access: allowlist a specific IP Source Address for admin tools, and secure third-party integrations with proper API Key validation.
If you skip too much, you build a “secret side door” around the WAF. I keep exceptions narrow, then confirm they fix a real problem.
Testing without doing anything reckless
I test in three passes with granular attention for complex sites:
- Normal user flow: browse, log in, comment via wp-comments-post.php, submit a form, run a checkout test if you sell.
- Safe attack simulation: use harmless test strings in URLs (like obvious XSS-looking input) and confirm Cloudflare logs it and blocks or challenges as expected.
- Monitor Security Events: I open Cloudflare’s Security Events and look for patterns, especially blocks on legitimate endpoints or false positives.
Rollback and troubleshooting (when the bouncer gets pushy)
When something breaks, I move fast:
- First, I find the blocked request in Security Events and note the ruleset.
- Next, I add a targeted exception for that exact endpoint and condition.
- If the site is down, I temporarily pause Cloudflare or set the record to DNS only while I fix rules. Then I re-enable proxying and perform a cache purge to clear any lingering false positives.
Quick setup checklist (copy this into your notes)
- Domain active on Cloudflare, nameservers updated
- DNS web records proxied (orange cloud), mail records not accidentally proxied
- SSL certificates with SSL/TLS set to Full (strict), HTTPS enforced
- Managed Rulesets enabled (include OWASP if available on your plan)
- Custom Firewall Rules added matching URI Path for
/wp-login.php,/wp-admin/, andxmlrpc.php - Bot protection enabled, Rate Limiting applied to login endpoints
- Exceptions added for WooCommerce checkout, REST API needs, and admin-ajax (kept narrow with IP Source Address verification)
- Testing done for login, forms, and checkout
- Security Events reviewed, false positives tuned, rollback plan confirmed
Cloudflare WAF WordPress setup isn’t a one-time switch. Still, once the basics are in place including Firewall Rules, tuning gets easier. This Web Application Firewall rivals a robust WordPress security plugin, unlocking static HTML caching while cutting bot traffic for quieter logs and a WordPress site that stays open for real people as bots bounce off the door.