Docs
← Back to site

Settings Page

7 min readUpdated April 10, 2026

The Settings page is where you customise how WP WAF Manager looks and behaves inside WordPress. Most people set it up once after installing the plugin and never touch it again, but it’s worth a quick walkthrough so you know what’s available.

In WP admin, go to WAF Manager → Settings. The page is divided into four sections, each with a save bar at the bottom. Click Save Settings when you’re done — changes don’t apply until you save.

Admin Bar Quick Purge#

Adds a one-click cache purge button to the WordPress admin bar at the top of every page. When you’re editing posts or testing changes, this saves a lot of clicks.

Enable admin bar button#

Toggle to show or hide the button. When off, the admin bar stays clean. When on, you get a Cloudflare icon up top that purges cache without leaving whatever page you’re on.

Zone to purge#

Pick which Cloudflare zone the button targets. The dropdown lists every zone in your connected accounts.

If you only manage one site, pick that zone. If you manage multiple, pick whichever one you find yourself purging most often. Leave it blank if you’d rather have the button just open the Zone Controls page so you can pick a zone manually each time — that’s what the — Open Zone Controls page — option does.

Click action#

Two choices for what happens when you click the button:

  • Purge everything instantly (AJAX) — purges the entire cache for the selected zone immediately, with no confirmation. Fastest workflow but be sure that’s what you want.
  • Open Zone Controls page — opens the Zone Controls page where you can purge by URL, change settings, or pick a different zone. Safer if you sometimes want to purge selectively.

If you picked “Open Zone Controls page” in the Zone setting above, this dropdown is effectively forced to that behaviour.

Zone Analytics#

Controls how the plugin fetches and displays Cloudflare analytics data on the Zone Status page.

Auto-sync#

When enabled, WP-Cron automatically pulls fresh analytics from Cloudflare on a schedule, so the Zone Status page always has up-to-date data without you having to refresh manually.

When disabled, analytics only update when you explicitly load the page. This uses fewer API calls and reduces load on WP-Cron, which can be a good choice on sites where you rarely look at analytics.

Sync interval#

Only relevant when auto-sync is on. Choose how often the background sync runs:

  • Every 5 minutes
  • Every 15 minutes
  • Every 30 minutes
  • Every hour
  • Every 6 hours
  • Every 24 hours

Shorter intervals mean fresher data but more API calls. For most sites, every hour is a good balance — you get reasonably current data without hammering Cloudflare’s API or your WP-Cron.

If you have a very busy WordPress site where WP-Cron is already under load, bump this up to every 6 or 24 hours.

Default time range#

How many days of analytics to display when you first land on the Zone Status page. Options:

  • Last 24 hours
  • Last 7 days
  • Last 14 days
  • Last 30 days

This is just the initial view — you can always change the range from the page itself.

Access Control#

Decides who in WordPress can see and use the plugin, and what happens to the plugin’s data if you ever uninstall it.

Minimum role#

Pick the lowest WordPress role that should have access to WP WAF Manager. Anyone with this role or higher will see the menu and be able to use every feature.

The five WordPress roles, in order of privilege:

  • 🛡 Administrator — full site admin access (default and recommended)
  • ✏️ Editor — can manage all posts and pages
  • 📝 Author — can publish their own posts
  • 👤 Contributor — can write but not publish
  • 👁 Subscriber — registered users only

The plugin marks every option below Administrator with a ⚠ Not recommended for security plugins warning, and that warning is there for a reason. WP WAF Manager controls your firewall rules, your DNS records, your email routing, and your Cloudflare API credentials. Granting that level of access to anyone below Administrator is rarely a good idea.

The one legitimate use case: a small team where you trust your Editors with site-wide changes and want them to be able to purge cache or add IP rules without bothering you. Even then, leave it at Administrator unless you have a specific reason not to.

Keep data on uninstall#

Controls what happens if you delete the plugin from WordPress.

  • On (Keep data) — all plugin data (connected Cloudflare accounts, settings, cached zone info) is preserved. If you reinstall the plugin later, everything’s still there exactly as you left it. Useful when troubleshooting or migrating.
  • Off (Delete data on uninstall) — every trace of the plugin is wiped from your database when you uninstall. Use this if you’re decommissioning a site or you want a clean slate.

The default is off because most uninstalls are intentional and people don’t want orphaned data sitting in their database. But if you’re reinstalling the plugin frequently or moving things around, flip this on first so you don’t lose your configuration.

Test connection#

A button that pings Cloudflare with your active credentials and tells you whether the connection is working. Use this when:

  • You just rotated your API token and want to confirm the new one works
  • The dashboard suddenly stops loading zones and you’re not sure if it’s a credential problem
  • You changed a token’s permissions in Cloudflare and want to verify the plugin can still authenticate

A green result means everything’s healthy. A red result tells you what went wrong — usually an expired token, a missing permission, or a typo. From there you can head back to Connecting to Cloudflare and fix it.

Lets you customise what shows up in the WordPress admin to keep things clean.

Dashboard widget#

Toggles a WP WAF Manager summary card on the main WordPress dashboard (the page you land on when you first log in to WP admin). The widget shows a quick overview of your zones and recent activity.

Useful if you check WP admin frequently and want a glance at what Cloudflare is doing. Off if you’d rather keep your dashboard uncluttered.

Hide Security Events#

Hides the Security Events menu item entirely. This is here because Security Events requires a Cloudflare Pro plan or higher — if every zone you manage is on the Free plan, the page can’t show you anything useful, so you may as well hide it.

Toggle on to remove the menu item. Toggle off to bring it back.

Hide Email Routing#

Hides the Email Routing menu item. If you don’t use Cloudflare’s email forwarding (because you have Google Workspace, Microsoft 365, Fastmail, or similar on your domains), you’ll never need this page, so you can hide it to declutter the menu.

Toggle on to remove the menu item. Toggle off to bring it back.

Saving#

The Save Settings button is at the bottom of the page. Click it to commit your changes. A small confirmation message appears next to the button when the save succeeds.

If you navigate away without saving, your changes are lost — there’s no auto-save here.

A sensible default setup#

If you don’t want to think about this page at all, here’s a configuration that works well for most sites:

  • Admin Bar Quick Purge — on, set to your main zone, click action set to “Open Zone Controls page” so you don’t accidentally nuke the cache with a misclick
  • Zone Analytics — auto-sync on, every hour, default 7 days
  • Access Control — Administrator only, delete data on uninstall, test connection once after setup
  • Menu Display — dashboard widget on, hide Security Events if you’re on Free plans only, hide Email Routing if you don’t use it

That’s the configuration most people land on after a few weeks of using the plugin anyway.

Share:

Was this helpful?

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only