Use Cloudflare Free WAF to Protect Your Website

31 Aug, 2023

Cloudflare just released a version of its WAF technology for free to website owners. This has just been announced on the 15th of March 2022. You can learn more about them at WAF for everyone and A new WAF experience.

The Cloudflare WAF is a web application firewall that helps protect websites from attacks, including DDoS attacks. It’s now available to all website owners for free, so it’s a great time to sign up if you’re not already using it.

WAF is important for websites as it adds an extra protection layer to the request coming to your webserver. From malicious requests to vulnerabilities, Cloudflare Free WAF will protect your website better and diminish the risk of your web server going down or being hacked.

If you’re using Cloudflare, you’ll be happy to know that the company is constantly updating its Threat Protection features. This means that your website will be automatically protected from new threats as they emerge. The best part is that you don’t have to do anything – Cloudflare will take care of everything. Some of the new features are automatic blocking of malicious traffic and protection against DDoS attacks.

Additional Features of Cloudflare Free WAF

I’m going to check some of the things that we can configure in Cloudflare’s free WAF and the limitations of the free plan.

Firewall Rules

Cloudflare offers a great deal of protection for free users. You can add up to 5 firewall rules, which gives you some flexibility regarding what you want to block access to. This can be useful if you wish to restrict access to certain pages or cookies or if you’re going to block IPs or countries.

Rate Limiting

Rate limiting is a great way to protect your site or API from malicious traffic. You can protect yourself from various attacks by blocking client IP addresses that hit a URL pattern and exceed a defined threshold.

What kind of attacks can we protect ourselves from? DDoS and brute-force login attacks are two possible types.

Managed Rules

Cloudflare will launch its new Free Cloudflare Managed Ruleset. This ruleset will help you quickly configure and deploy rules built by Cloudflare. These rules are backed by the experience of securing millions of applications.


If you want to block specific IP addresses or ranges of IP addresses, you can do so in this section of your Cloudflare account. You can also choose to block users based on their user agent string. This can be helpful if you notice that a lot of spam is coming from a specific country or region or if you’re getting a lot of traffic from bots or other automated sources.

These features will work using Cloudflare as your DNS and CDN provider. However, suppose you only use Cloudflare as a DNS provider and don’t proxy the traffic through them. In that case, you won’t take advantage of these features.

You tried all those expensive WordPress caching plugins and subscribed to highly-priced managed WordPress or managed VPS services. Still, you can’t see your WordPress website loading within a few milliseconds? Have you lost all hope?

I have written How to Turbocharge Your WordPress Site in 4 Easy Steps guide to help you cut down your hosting subscription cost and make your WordPress website fly like a rocket.

Take these 4 easy steps and boost your WordPress website performance that it deserves. Then cut down on your hosting costs and see your SEO skyrocket.

Protect WordPress Admin Access for Free With Cloudflare

Many attacks are directed at logging in to WordPress, so you may want to protect the admin area access to a specific country or a public IP. This will block the requests made to wp-admin that are not allowed.

In the Cloudflare WAF, you have 5 firewall rules that can help make your WordPress installation more secure. This will help secure your WordPress installation by preventing unauthorized users from accessing the admin area.

Cloudflare Firewall Configuration Basics

So, how do you limit access to the WordPress admin area? Suppose you’re looking to restrict access to your WordPress admin area. In that case, you can do so by limiting access to a specific country and then to a particular IP address. This will block the wp-login.php file, which is the path WordPress will use when you try to log in.

1 – Go to the Cloudflare WAF Page

First, go to the Cloudflare security area and find the WAF. Log in to Cloudflare and navigate to the website you want to restrict access to. Choose Security > WAF.

Cloudflare Free WAF Firewall Tab

To create a firewall rule in the WAF section, click on Create Firewall Rule, as shown in the picture below:

2 – Restrict Access to Your wp-admin and wp-login.php Pages

Cloudflare WAF is a powerful tool that can help protect your website from malicious attacks. This section will add the paths we want to have blocked by Cloudflare WAF. In this case, we will use a combination of wp-login.php and wp-admin.

  • Field: URI Full
  • Operator: equals
  • Value:

Now, click on the OR button and add the following details.

  • Field: URI Path
  • Operator: contains
  • Value: /wp-login.php

Make sure you select Block as Action.

See what shows up in the Expression Preview section.

(http.request.full_uri eq "") or (http.request.uri.path contains "/wp-login.php")

You need to replace with the website you’re using. Here is a screenshot for your reference.

Cloudflare Free WAF Create Firewall Rule

We’ve chosen to block the full path to wp-admin with URI Full. Some plugins and themes use the /wp-admin/admin-ajax.php file, and we don’t want to block it. If you’re going to allow specific paths, you can make a combination of blocks using URI Path and WP-Admin URL. In this case, I’ll use the full URL as it’s safer.

Another rule that we have added to your OR list is blocking any traffic containing the word ‘wp-login.php.’

3 – Allow Access to a Specific IP or Country

We’ve blocked our way into WordPress by telling Cloudflare to restrict logins. We’ll tell Cloudflare what needs to be allowed through in these steps. We need to go into the Tools section of Cloudflare’s Security area and add your country or IP address. This will bypass the previous restriction and allow you access.

Cloudflare Free WAF IP Access Rules

To allow a country, search for it on that screen using the IP, IP range, country name, or ASN dropdown menu.


Cloudflare is a company that provides website security and performance services. They offer a free option that you can use to restrict access to your WordPress website admin area and better secure your website. Suppose you don’t have another way already. In that case, I recommend starting using Cloudflare as it’s free and doesn’t hurt to have an extra layer of protection.

If you’re looking for a premium WordPress hosting service that will help your website reach new heights, give Rovity a try. Our cloud-based infrastructure is specifically tailored to accommodate WordPress websites. Plus, Rovity is India’s fastest WordPress hosting company – and our prices are highly competitive.

Jafar Muhammed

Jafar Muhammed has 10+ years of experience in WordPress, web hosting, domain names, DNS, CDN, server administration, etc. He is an open web advocate. He is the CEO of Rovity, the fastest-growing premium shared hosting startup in India.

Related Posts

Check Out These

We just wanted to let you know that you might find the following related posts interesting. If so, keep reading 😉