
How to Set Up Cloudflare WAF for WordPress

Step-by-step guide to configuring Cloudflare Web Application Firewall to protect your WordPress site from attacks.

15-30 minutes | Beginner | 6 steps
Last updated: Dec 15, 2024

Cloudflare's WAF provides excellent protection for WordPress sites against common attacks like SQL injection, cross-site scripting (XSS), and brute force login attempts.

This guide walks you through the complete setup process, from adding your domain to Cloudflare to configuring WordPress-specific security rules.

Prerequisites

  • A WordPress website hosted on any web server
  • Access to your domain registrar to change nameservers
  • A Cloudflare account (free tier works)

Step-by-Step Guide

Step 1: Add Your Domain to Cloudflare

Log into your Cloudflare dashboard and click "Add a Site". Enter your domain name (without www) and click "Add Site".

Cloudflare will scan your existing DNS records. Review them to ensure all your subdomains and mail records are included.

Tip: Make sure your WordPress site's A record is listed and set to "Proxied" (orange cloud icon).

Step 2: Update Your Nameservers

Cloudflare will provide you with two nameservers. Log into your domain registrar and replace your current nameservers with the Cloudflare ones.

DNS propagation can take up to 24 hours, but usually completes within a few hours.

Warning: Do not delete your old DNS records until the new nameservers are active.

Step 3: Enable Cloudflare WAF

Once your domain is active on Cloudflare:

  1. Go to Security > WAF in your Cloudflare dashboard
  2. Enable the Cloudflare Managed Ruleset
  3. Enable the OWASP Core Ruleset

Tip: Start with the WAF in "Log" mode for a few days to see what requests would be blocked before switching to "Block" mode.

Step 4: Configure WordPress-Specific Rules

Create custom rules to protect WordPress-specific endpoints:

  1. Go to Security > WAF > Custom Rules
  2. Create a rule to protect wp-login.php from brute force attacks
  3. Consider blocking access to xmlrpc.php if nothing you rely on uses it (Jetpack and the WordPress mobile apps do)

```text
# Block xmlrpc.php (if you don't use it)
Rule Name: Block XML-RPC
Expression: (http.request.uri.path eq "/xmlrpc.php")
Action: Block
```
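To see how the rules from Steps 3 and 4 actually decide on traffic, here is an added Python simulation (not Cloudflare's code and not part of the original guide). It evaluates the page's XML-RPC rule exactly as written, models the wp-login.php brute-force protection as a per-IP rate limit on POST requests, and has a log-only switch that mirrors the "Log" mode tip. The `Request` class, the `WordPressRules` class, the 5-attempts-per-60-seconds threshold and every IP address are constructed for the example; in Cloudflare the login rate limit is created under Security > WAF > Rate limiting rules rather than as a custom rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One inbound request as the WAF sees it (constructed sample data)."""
    ip: str
    method: str
    path: str    # http.request.uri.path: path only, no query string, case preserved
    ts: float    # seconds since an arbitrary epoch


class WordPressRules:
    """Evaluates the two WordPress rules from Step 4 in order, like the dashboard does.

    log_only=True mirrors the Step 3 tip: matches are recorded as "log" and
    nothing is actually blocked or challenged.
    """

    def __init__(self, log_only=False, login_limit=5, window_seconds=60):
        self.log_only = log_only
        self.login_limit = login_limit          # assumed threshold, not a Cloudflare default
        self.window_seconds = window_seconds    # assumed window
        self._login_posts = defaultdict(deque)  # ip -> timestamps of recent login POSTs

    def _apply(self, action, rule_name):
        # In "Log" mode every matching rule only records its would-be action.
        return ("log", rule_name) if self.log_only else (action, rule_name)

    def decide(self, req):
        """Return (action, rule_name); action is allow, block, managed_challenge or log."""
        # Rule 1 is the page's rule: (http.request.uri.path eq "/xmlrpc.php").
        # `eq` is an exact, case-sensitive comparison of the path alone: the query
        # string is irrelevant, but a subdirectory install (/blog/xmlrpc.php) is
        # NOT matched; such sites need `ends_with "/xmlrpc.php"` instead.
        if req.path == "/xmlrpc.php":
            return self._apply("block", "Block XML-RPC")

        # Rule 2 models the brute-force protection for wp-login.php as a rate
        # limit on POSTs per source IP (assumed thresholds above). It matches on
        # the path suffix so subdirectory installs are covered as well.
        if req.method == "POST" and req.path.endswith("/wp-login.php"):
            recent = self._login_posts[req.ip]
            while recent and req.ts - recent[0] > self.window_seconds:
                recent.popleft()                # drop attempts outside the window
            recent.append(req.ts)
            if len(recent) > self.login_limit:
                return self._apply("managed_challenge", "Rate-limit wp-login.php")

        return ("allow", None)


def replay(rules, requests):
    """Run a list of Requests through the rules and return the decisions in order."""
    return [rules.decide(r) for r in requests]


if __name__ == "__main__":
    # Constructed traffic: a reader fetching the feed, an XML-RPC probe, and one
    # address submitting the login form seven times within a few seconds.
    sample = [Request("203.0.113.10", "GET", "/feed/", 0.0),
              Request("203.0.113.20", "POST", "/xmlrpc.php", 1.0)]
    sample += [Request("203.0.113.30", "POST", "/wp-login.php", 2.0 + i) for i in range(7)]
    for req, (action, rule) in zip(sample, replay(WordPressRules(), sample)):
        print(f"{req.ip:>14} {req.method:<4} {req.path:<16} -> {action} {rule or ''}")
```

Run with `WordPressRules(log_only=True)` first to see which of your own requests would have been caught, then switch to enforcing, which is exactly the sequence the Step 3 tip recommends for the dashboard. The GET of the login page is never counted, so administrators can still load the form; only repeated POSTs from one address are challenged.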

Step 5: Install Cloudflare Plugin (Optional)

Install the official Cloudflare WordPress plugin for better integration:

  1. Go to Plugins > Add New in WordPress
  2. Search for "Cloudflare"
  3. Install and activate the official Cloudflare plugin
  4. Connect it with your Cloudflare API token

Tip: The plugin helps restore real visitor IPs and enables one-click cache purging.
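Restoring the real visitor IP is the part of this tip that has a security edge: Cloudflare sends the visitor's address in the CF-Connecting-IP header, but anything that can reach your origin directly can send that header too. The added Python below (not the Cloudflare plugin's code and not from the original guide) shows the check that makes the restoration safe: honour the header only when the connecting peer is inside Cloudflare's published IP ranges, and fall back to the peer address otherwise. `TRUSTED_PROXY_RANGES` is a constructed placeholder using documentation prefixes; in production load the real list from https://www.cloudflare.com/ips/. The function names and the header dictionaries are likewise constructed for the example.

```python
import ipaddress

# Placeholder ranges (RFC 5737 / RFC 3849 documentation prefixes), NOT Cloudflare's
# real list. Load the published ranges from https://www.cloudflare.com/ips/ instead.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]


def is_trusted_proxy(peer_ip, ranges=TRUSTED_PROXY_RANGES):
    """True when the TCP peer that connected to the origin is one of our trusted proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def real_client_ip(peer_ip, headers, ranges=TRUSTED_PROXY_RANGES):
    """Return the address the origin should log and rate-limit on.

    peer_ip: address of the socket peer (what the web server sees).
    headers: request headers with lower-cased names (constructed dict in tests).
    """
    if not is_trusted_proxy(peer_ip, ranges):
        # Direct-to-origin request: every forwarding header is attacker-controlled,
        # so the peer address is the only value worth trusting.
        return peer_ip
    value = headers.get("cf-connecting-ip")
    if not value:
        return peer_ip
    try:
        # Normalise and validate; a malformed value must not end up in logs or rules.
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return peer_ip


if __name__ == "__main__":
    # Constructed requests: one proxied by a trusted range, one sent straight to the origin.
    proxied = real_client_ip("198.51.100.7", {"cf-connecting-ip": "203.0.113.9"})
    direct = real_client_ip("203.0.113.50", {"cf-connecting-ip": "203.0.113.9"})
    print("via proxy :", proxied)   # 203.0.113.9
    print("direct    :", direct)    # 203.0.113.50, header ignored
```

The same trusted-range list is what you would feed Apache's mod_remoteip or nginx's real_ip module if you do the restoration at the web server instead of in WordPress; the rule is identical either way, only proxies you trust may set the client address.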

Step 6: Test Your Configuration

After setup, test that your site works correctly:

  • Visit your site and verify it loads properly
  • Test logging into WordPress admin
  • Check that comments and forms still work
  • Monitor the Cloudflare dashboard for any blocked requests
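The checks above can be scripted so they are repeated after every rule change. The added Python below is an example of that, not code from the original guide: it fetches the homepage, xmlrpc.php and wp-login.php, confirms the responses carry Cloudflare's cf-ray header (proof that traffic is really passing through the proxy), expects the Step 4 rule to answer xmlrpc.php with a 403 block, and checks that the login form still loads. The `assess` function is kept free of network calls so its expectations can be verified against constructed responses; the path list, the user agent string and the `xmlrpc_blocked` flag are assumptions for the example.

```python
import urllib.error
import urllib.request

CHECKED_PATHS = ("/", "/xmlrpc.php", "/wp-login.php")


def fetch(url, timeout=10):
    """GET url and return (status, headers) with lower-cased header names.

    HTTP error responses (403, 404, ...) are results to inspect, not failures.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "waf-setup-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def assess(results, xmlrpc_blocked=True):
    """results: {path: (status, headers)}. Returns a list of (check, passed, detail)."""
    findings = []
    status, headers = results["/"]
    findings.append(("homepage loads", status == 200, f"status {status}"))
    # Responses that passed through Cloudflare carry a cf-ray header; its absence
    # means DNS is still pointing at the origin (Steps 1-2 not yet effective).
    findings.append(("served through Cloudflare (cf-ray header)", "cf-ray" in headers,
                     headers.get("cf-ray", "header missing")))
    status, _ = results["/xmlrpc.php"]
    if xmlrpc_blocked:
        # The Step 4 custom rule answers with Cloudflare's 403 block page.
        findings.append(("xmlrpc.php blocked by custom rule", status == 403, f"status {status}"))
    status, _ = results["/wp-login.php"]
    # A plain GET of the login form must keep working for administrators.
    findings.append(("wp-login.php still reachable", status == 200, f"status {status}"))
    return findings


def run(base_url, xmlrpc_blocked=True):
    """Fetch each path, print PASS/FAIL per check and return True only if all pass."""
    base = base_url.rstrip("/")
    results = {p: fetch(base + p) for p in CHECKED_PATHS}
    findings = assess(results, xmlrpc_blocked)
    for check, ok, detail in findings:
        print(f"{'PASS' if ok else 'FAIL'}  {check}: {detail}")
    return all(ok for _, ok, _ in findings)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: waf_check.py https://your-site.example")
    sys.exit(0 if run(sys.argv[1]) else 1)
```

Run it against your own site once the nameservers have propagated; a FAIL on the cf-ray check with everything else passing is the classic sign that the record is grey-clouded (DNS only) rather than proxied.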

Conclusion & Next Steps

Your WordPress site is now protected by Cloudflare's WAF. The managed rulesets will automatically block most common attacks, and your custom rules provide additional WordPress-specific protection.

Next steps:

  • Monitor the Security > Events page regularly to review blocked threats
  • Consider upgrading to Cloudflare Pro for additional WAF features
  • Enable Bot Fight Mode for additional bot protection

Troubleshooting

Site shows SSL errors

In Cloudflare SSL/TLS settings, set encryption mode to "Full" if your origin has an SSL certificate, or "Flexible" if it doesn't. Note that "Flexible" only encrypts the browser-to-Cloudflare hop; traffic between Cloudflare and your origin travels in plaintext, so treat it as a stopgap until the origin has a certificate.

Forms or login not working

Check Security > Events for blocked requests. You may need to create an exception rule for legitimate traffic.

Site is slow after setup

Enable Cloudflare's caching features and consider enabling Rocket Loader for JavaScript optimization.

Frequently Asked Questions

Is Cloudflare WAF free?

Yes, the basic Cloudflare WAF is included in the free plan. It includes managed rulesets that protect against common attacks. More advanced features like custom firewall rules and detailed analytics are available on paid plans.

Will Cloudflare slow down my WordPress site?

No, Cloudflare typically makes WordPress sites faster by caching static content and serving it from edge locations closer to your visitors. The WAF inspection adds minimal latency (usually less than 1ms).
