Built in the open.
Every release, every fix, every improvement documented openly.
Rule sync — July 2, 2026
Synced with the July 2, 2026 wafrules.com ruleset date. No structural rule changes — all ASNs, exploit patterns, bot categories, and default states are unchanged from the May 28 sync.
- Rules last updated date — updated to July 2, 2026 in the plugin header.
Profile notes & Cloudflare path fix
Add notes to your WAF rule profiles to record why you set them up and what they allow. Plus a small fix to an outdated Cloudflare dashboard path in the plugin UI.
- Profile notes — a notes field now appears below the profile bar on the WAF Rules tab. Use it to describe what the profile is for, which IPs or services it allows, why certain rules are on or off, or anything else worth remembering. Notes load automatically when you switch profiles and are saved alongside your rule settings when you hit Save. When creating a new profile, whatever is in the notes field is saved with it.
- Cloudflare Security Events path updated — the hint text under Custom User Agents to Allow referenced the old Cloudflare dashboard path Security → Events. It now correctly reads Security → Analytics → Events to match the current Cloudflare dashboard layout.
User Access Control
Agencies can now restrict which WordPress administrator accounts can see and use the plugin. Locked-out users see no trace of the plugin anywhere in their WordPress admin.
- User Access Control — a new User Access section in Settings shows all Administrator accounts on the site as a checklist. Check the users who should have access; uncheck the ones who should not. Users who are removed from the list will no longer see the plugin in their WordPress admin menu, and all AJAX endpoints will reject their requests. Your own account and any Super Admins are always checked and cannot be unticked, so it is impossible to lock yourself out. Saving with all users checked is equivalent to no restriction — all administrators have access, which is the default behavior and is fully backward compatible with existing installs.
- Admin bar button hidden — the Purge quick-action button in the WordPress admin bar is no longer shown to locked-out users.
- Dashboard widget hidden — the WP WAF Manager summary widget no longer appears on the WordPress dashboard for locked-out users.
- Plugin hidden from Plugins screen — locked-out users no longer see WP WAF Manager listed on the Plugins page. From their perspective the plugin does not exist on the site.
- WAF Rules page now loads from active profile — on page load the rule settings UI now reads from the active profile rather than the flat settings option. Previously these could diverge if a user switched profiles without saving and then reloaded the page, causing the UI to show stale settings that did not match the selected profile.
Rule Profiles & Domain Profiles
Two new profile systems designed for agencies managing multiple client sites. Save named presets of your WAF rule configuration and your zone selections, then restore either with one click.
- Rule Profiles — save named snapshots of your entire WAF rule configuration (all five rules, every toggle, every setting) and restore any of them with one click. A profile bar sits at the top of the WAF Rules section with a dropdown, a New Profile button, and a Delete button. The Save button always shows which profile it will write to — for example, Save — WooCommerce Standard — so there is no ambiguity about where changes are going. Profiles are not linked to any zone or account; they are purely saved rule configurations that you load, adjust, and deploy wherever you need. Up to 10 profiles. The Default profile is created automatically on first use from your existing settings, so nothing changes for existing users.
- Domain Profiles — save named selections of zones and restore them with one click. A domain profile bar sits above the zone grid in the Deploy panel. Select your zones, give the selection a name, and save it as a profile. The next time you need to deploy to that same set of client sites, load the profile and all the right zones are checked instantly. Up to 10 domain profiles. Default starts empty. Zone IDs that no longer exist are silently skipped when a profile is applied.
- Zone loading error messages — when zones fail to load, the deploy panel now shows a clear red notice explaining what went wrong. Authentication errors (such as Cloudflare error 9103) are detected automatically and tell the user their credentials are invalid or expired, with a direct pointer to the Accounts section to fix them. Previously the panel showed only a raw error string with no context.
- No credentials state — the empty-state message shown when no Cloudflare account is connected has been rewritten to explain what is missing and what the user needs to add (API Token or Global API Key and email).
Block wp-cron.php option
Adds an optional toggle to block direct HTTP requests to wp-cron.php. Off by default — only enable this if you know how your site handles scheduled tasks.
- Rule 2 — Block wp-cron.php (off by default) — a new optional toggle under WordPress Path Protection blocks direct HTTP requests to
wp-cron.php. When checked, a warning appears explaining the risk: if your site uses a real server-side cron job that callswp-cron.phpover HTTP, enabling this will break scheduled tasks such as scheduled posts, email sending, and plugin maintenance routines. Only enable this if you understand how your site handles WordPress cron — most managed hosts and performance-focused setups already disable the default WP cron trigger and use a proper system cron instead, in which case this is safe to block.
Deploy improvements
Two small quality-of-life improvements to the deploy flow.
- Rule 3 deploy label is now dynamic — the pre-deploy rule summary previously always showed
Block: Block Web Hosts & TORregardless of the saved action setting. It now reflects whatever is actually saved —BlockorManaged Challenge— so the summary matches what will be deployed. - Save reminder before deploying — a notice now appears above the Deploy button reminding you to save any unsaved rule changes before deploying. Deploying always uses the last saved settings, not unsaved UI state.
Rule sync — May 28, 2026
Synced with the May 28, 2026 wafrules.com ruleset update. New optional bot categories in Rule 1, expanded path blocking in Rule 2, and five new exploit URI pattern groups added to Rule 3.
- Rule 1 — Six new optional verified bot categories — Aggregator, AI Assistant, AI Crawler, AI Search, Archiver, and Social Media Marketing are now available as individual opt-in toggles. All are disabled by default. When enabled, they are appended to the
cf.verified_bot_categoryexpression alongside the existing ten default categories. - Rule 2 — WordPress install path expanded — the WordPress install block now also covers
setup-config.phpin addition toinstall.php. - Rule 2 — Sensitive file exposure blocking — a new option blocks requests probing for
.env,.git,composer.json,composer.lock,debug.log,phpunit, andserver-status. Enabled by default. - Rule 3 — Five new exploit URI pattern groups — matching wafrules.com's placement of these patterns alongside Web Hosts and TOR, Rule 3 now includes: Union SQLi probes (
union%20select,information_schema,concat(,load_file(,into%20outfile); expanded LFI and path traversal (../,%2e%2e,etc/passwd,%252fetc,%00); legacy CGI and scanner paths (smb2www.pl,symantec.jsp,webman/info.cgi,printenv); foreign CMS admin probes (/spip/,/symphony/,/sympa/); and reflected XSS patterns (<script,%3cscript,javascript:,onerror=,onload=). All five groups are enabled by default.
Security update
Update immediately.
- Fixed security issues and bugs.
Zone Settings minification error fix
Fixes a crash in Zone Settings caused by a Cloudflare API that no longer exists.
- Zone Settings crashes with "minify is not defined" — Cloudflare deprecated and removed their Minify API in 2024. The Zone Settings section was still attempting to render JS/CSS/HTML minification checkboxes using data that Cloudflare no longer returns, causing a JavaScript error that prevented Zone Settings from loading at all. The minification row has been removed.
Expression size error messaging
When a deploy fails because the rule expression is too large, the error message now tells you exactly what happened and what to do about it.
- Clearer error when expression exceeds Cloudflare's size limit — Cloudflare limits rule expressions to 4096 characters. If you add enough custom IPs to Rule 1 to push past that limit, the deploy fails with a raw API error. The error message now includes a plain-English explanation and directs you to move some IPs from the Custom IP Allowlist to the IP Access Rules module to bring the expression size down. Previously only the raw Cloudflare error code was shown.
IPv6 allowlist fix
Fixes a Cloudflare expression error when adding IPv6 addresses to the custom IP allowlist in Rule 1.
- IPv6 addresses rejected by Cloudflare with "expected IP address character" — Cloudflare's
ip.src in {}expression syntax requires bare unquoted IP addresses. The rule builder was incorrectly wrapping every entry in double quotes — valid for string fields like user agents, but not for IPs. IPv4 happened to pass through on most plans; IPv6 is stricter and surfaced the error. All IP types (IPv4, IPv6, CIDR ranges) now generate the correct unquoted syntax:(ip.src in {2a01:4f8:1c17:d43a::/64 49.12.185.14})
Security hardening & performance pass
A focused internal pass covering security, performance, and dead code. No new features — everything here makes the plugin tighter and faster.
- Email rule update handler hardened — the handler that toggles email forwarding rules was previously merging raw POST JSON directly into the Cloudflare API payload without validation. It now extracts and sanitizes each field individually (
name,matchers,actions) before passing anything to the API. Action types are validated against an allowlist; matcher values run throughsanitize_email. - Update notifier constants made private — internal class constants (remote URL, transient keys, external links) were declared without a visibility modifier, making them publicly accessible. Marked
private. - SureCart Updater.php updated to SDK v1.1.2 — the bundled updater was casting plugin update data to
(array)before storing it in the WordPress update transient. WordPress core expects an object and accesses it via property syntax ($update->slug,$update->new_version,$update->package), causing PHP warnings on the Updates page and silently breaking automatic updates for Pro users on the previous version. The SDK v1.1.2 removes the incorrect cast.
- Settings reads cached in-request —
WPWAF_Settings::all()previously calledget_option()on every invocation. It's called multiple times per admin page load (menu registration, asset enqueuing, dashboard widget setup, capability checks). It now caches the result in a static property for the lifetime of the request, matching the pattern already used byWPWAF_Accounts. - IP access rule pagination converted to iterative — the rule list endpoint paginated via recursion, calling itself for each additional page. Converted to an iterative loop, eliminating the stack overhead and any risk of hitting PHP's recursion limit on accounts with large rule sets.
- Removed unused
get_zone_settings()method — this method made 8 separate serial Cloudflare API calls to fetch individual zone settings one at a time. It was never called anywhere in the codebase —get_all_zone_settings()already handles this in a single request. The method has been removed.
- Dead error-check block removed in security events handler —
get_security_events()had an identical duplicateif ( ! empty( $decoded['errors'] ) )block that could never be reached because the first block always returned before it. The unreachable block also declared a$pathvariable that was never used. Both have been removed.
Custom user agents & update notifier
Two quality-of-life additions: a custom user agent allowlist for Rule 1 so you can skip WAF rules for any tool not on the built-in list, and a dashboard notice that lets free users know when a new version is available on GitHub.
- Rule 1 — Custom User Agents allowlist — a new textarea field in the Allow Good Bots rule lets you enter user agent strings one per line to always skip all WAF rules. Uses Cloudflare's
http.user_agent containssubstring match. Stored separately from the base rules so it survives future wafrules.com ruleset updates without any changes needed. Same pattern as the existing custom IP allowlist. To find blocked user agents, check Security → Events in your Cloudflare dashboard. - Update notifier for free users — when a new version is available on GitHub, free users see a notice on the WordPress dashboard with two links: download the new version for free, or upgrade to Pro for automatic WP admin updates. Pro users with an active license see nothing — SureCart handles their update flow. The notice is dismissible and refreshes daily so it keeps nudging until the site is updated.
Rule sync — May 1, 2026
Synced with the May 1, 2026 wafrules.com ruleset update. Three rule areas updated: new attack-pattern blocks in the Aggressive Crawlers rule, an expanded VPN provider list, and additional web hosting ASNs.
- Rule 2 — Time-delay / blind SQLi patterns — blocks query strings containing
pg_sleep,sleep(,benchmark(,dbms_pipe,receive_message, and threewaitfor delayvariants (%20,+,%09). These patterns appear almost exclusively in automated injection probes and are safe to block for the overwhelming majority of sites. - Rule 2 — Encoded LFI / path traversal patterns — blocks URIs containing encoded traversal sequences:
%2fetc%2fpasswd,%2fetc/passwd,%5c..%5c,%2e%2e%2f, and%2e%2e%5c. Legitimate traffic essentially never contains these strings. - Rule 4 — VPN provider list expanded — IPVanish (AS46253), QuadraNet (AS8100, AS62639), OVH France (AS16276), Internet Utilities (AS206092, 206074, 206164, 206150, 210277), PrivateLayer (AS51852), and Mullvad (AS216025, AS39351) are now individually named toggles. All are enabled by default — no behavior change for existing deployments.
- Rule 5 — Additional web hosting ASNs — HostRoyale (AS207990) and Cloudvider (AS62240) added as new named options. LeaseWeb expanded to 6 ASNs (60781, 205544, 27411, 7203, 30633, 395954) and GoDaddy expanded to 3 ASNs (398101, 31815, 26496). All new entries are enabled by default.
Plugin update page fix
Removes an unsupported field from the update metadata that was causing an error on the WordPress plugin update page.
- Plugin update page error — the
installationkey inrelease.jsonis not part of SureCart's supported update metadata schema. Its presence caused an error when WordPress rendered the plugin update screen. The field has been removed.
Credential encryption & wp-config support
API credentials are now encrypted at rest using libsodium. Adds optional wp-config.php constant support for teams who prefer credentials to never touch the database — with full multi-account and mixed-auth support.
- Credentials encrypted at rest — API tokens and Global API Keys are now encrypted using
sodium_crypto_secretboxwith a 256-bit key derived from your site'sAUTH_KEYconstant. Previously credentials were stored as base64, which is obfuscation only. Existing accounts are re-encrypted automatically on next save — no manual action required.
- wp-config.php constant support — define credentials as PHP constants to bypass database storage entirely. Supports a single account via
WPWAF_API_TOKEN/WPWAF_API_LABEL, or multiple labeled accounts viaWPWAF_ACCOUNTS. API Token and Email + Global Key auth can be mixed freely within the same array. Constant-defined accounts appear as read-only in the plugin UI and take priority over any database-stored account.
- v1.0.0 security note updated — the v1.0.0 changelog entry noted credentials were stored with base64 obfuscation. That is no longer the case as of this release.
Destination address sync fix
Fixes destination addresses failing to load in the Email Routing module for users with scoped API tokens.
- Destination addresses not syncing — the plugin was resolving the Cloudflare account ID by calling the
accountsendpoint, which requiresAccount → Accounts → Read— a permission most scoped tokens don't include. The plugin now resolves the account ID directly from the selected zone (Zone → Zone → Read), which is always available with a standard token setup.
Rule sync — April 24, 2026
Two additions synced from the latest WAFRules.com ruleset update: a new individual allowlist entry for Usercentrics, and Internet Utilities split into its own toggle separate from OVH France.
- Rule 1 — Usercentrics added —
Usercentricsbotis now available as an individual opt-in under Website Monitoring Services. Disabled by default. - Rule 5 — Internet Utilities split from OVH France — Internet Utilities (ASNs 206092, 206074, 206164, 206150, 210277) is now its own toggle, separate from OVH France (ASN 16276 only). Both remain enabled by default — no change in behavior for existing deployments.
Bug fixes & deploy improvements
Two targeted fixes addressing deploy behavior and the VPN toggle. Clean deploys now work as expected, and the Challenge All VPN Connections checkbox properly selects and deselects all providers.
- Clean deploy — deploying rules now deletes all existing rules on the target zone before writing the new set. Previously, rules were merged with whatever was already on Cloudflare, which could leave stale or duplicate rules behind after rule changes.
- Challenge All VPN Connections toggle — checking the master toggle now selects all individual VPN providers; unchecking it now deselects all of them. Previously, unchecking re-enabled the individual checkboxes but left them checked, causing unintended rules to be included on the next deploy.
🎉 Hello, world.
The first public release of WP WAF Manager. Everything starts here with eight modules, five battle-tested rules, and a dashboard that finally puts Cloudflare inside WordPress where it belongs.
- WAF Rules Builder — deploy 5 battle-tested rules in one click, based on the open-source
wafrules.comruleset - DNS Manager — full management for all 21 Cloudflare DNS record types with type-aware form fields, proxy toggle, and TTL control
- Zone Analytics — Cloudflare GraphQL API integration with 6 metrics per zone, configurable WP-Cron auto-sync, and a zone picker
- Zone Controls — Under Attack Mode (per zone or all zones), Development Mode, cache purge, SSL settings, and per-zone configuration
- IP Access Rules — account-level rules for IP, IP range, country, or ASN with Allow / Block / Challenge actions
- Security Events — real-time firewall event viewer powered by Cloudflare GraphQL (Pro plan zones)
- Email Routing — manage destination addresses, forwarding rules, and catch-all rules without leaving WordPress
- Multi-Account Support — connect unlimited Cloudflare accounts with labels and switch instantly
- Admin Bar Quick Purge — purge any zone's cache from the WordPress admin bar
- Dashboard Widget — quick-glance summary of connected accounts, zones, and sync status
- Settings page with role-based access control, menu visibility toggles, and uninstall behavior
- SureCart Pro licensing with auto-update support via the WordPress Plugins screen
- Automatic Free plan compatibility for WAF rules — gracefully handles Cloudflare Free plan limitations
- API credentials stored with
autoload=false— never loaded on front-end requests - Configurable credential expiry for compliance and rotation policies
- Recommends scoped API tokens over Global API Keys in setup flow