Zone Controls
The Zone Controls page is your at-a-glance management panel for every Cloudflare zone you have access to. From a single screen you can flip Under Attack Mode, toggle Development Mode, purge cache, and tweak common per-zone settings — all without opening the Cloudflare dashboard.
It’s the page you’ll come back to most often once your WAF rules are deployed and humming along.
Opening the page
In WP admin, go to WAF Manager → Zone Controls. The page loads a card for every zone in your connected Cloudflare account.
At the top of the page you’ll see:
- A search box for filtering zones by name (handy if you manage dozens)
- An Enable on All Zones button for Under Attack Mode (more on this below)
Each zone gets its own card showing the zone name, its toggles, the cache purge controls, and an expandable settings panel.
Under Attack Mode
Cloudflare’s Under Attack Mode is the nuclear option for when your site is under active DDoS or aggressive attack. It challenges every visitor with an interactive Cloudflare interstitial before they can reach your site. Real users get through with a few seconds of delay; bots and automated tools usually can’t.
Each zone card has its own Under Attack toggle. Flip it on when something’s happening, flip it off when the attack subsides.
The Enable on All Zones button at the top of the page is the panic button. One click and every zone in the account goes into Under Attack Mode. Use this when you’re under coordinated attack across multiple sites and need to lock everything down fast. To turn it back off you’ll currently need to flip each zone’s individual toggle, so don’t reach for the master button casually.
Under Attack Mode adds friction for every visitor. Don’t leave it on long-term — your bounce rate will suffer. Use it as an emergency response, then turn it off once the attack passes and let your WAF rules do the steady-state work.
Development Mode
Cloudflare’s Development Mode temporarily bypasses Cloudflare’s edge cache for three hours, so you can see your changes immediately while you work. Useful when you’re editing CSS, debugging a layout issue, or troubleshooting a caching bug.
Flip the toggle on the relevant zone card. After three hours Cloudflare automatically turns it back off — you don’t have to remember.
While Development Mode is on, Cloudflare serves nothing from its edge cache, so your origin server handles every request. If you turn it on for a high-traffic site and forget, you’ll feel the load. Three hours is usually enough; if you need longer, just flip it on again when the timer expires.
Cache purge
Each zone card has cache purge controls. Two modes:
- Purge Everything — clears the entire Cloudflare cache for the zone. Use this after a major site update, theme change, or when you’ve broken something and need a clean slate. There’s no undo — Cloudflare will rebuild the cache from your origin as visitors hit pages.
- By URL — clears specific URLs only. Click By URL to reveal a textarea, paste in one URL per line (full URLs including https://), and click Purge. Use this when you’ve updated a single page or post and don’t want to invalidate the whole cache.
The plugin gives you a green confirmation toast when the purge succeeds, or an error message if Cloudflare rejects the request.
A practical workflow: when you update a blog post, purge just that post’s URL plus the home page and any category/tag pages it appears on. This is much friendlier to your origin than purging everything.
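The By URL input described above can be checked before it is sent. This is an added example, not the plugin's own code: it validates one-URL-per-line input against the zone name and groups it into request bodies for Cloudflare's `purge_cache` endpoint. The function name, the sample input and the batch size of 30 are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: 30 URLs per purge request; check the limit for your Cloudflare plan.
BATCH_SIZE = 30


def build_purge_batches(textarea, zone_name, batch_size=BATCH_SIZE):
    """Validate 'one URL per line' input and group it into purge request bodies.
    Returns (batches, rejected). Each batch is a {"files": [...]} body for
    POST /client/v4/zones/{zone_id}/purge_cache; rejected holds (line, reason).
    """
    zone_name = zone_name.lower()
    accepted, rejected, seen = [], [], set()
    for raw in textarea.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue  # skip blank lines and exact duplicates
        seen.add(line)
        try:
            parts = urlsplit(line)
            host = (parts.hostname or "").lower()
        except ValueError:
            rejected.append((line, "malformed URL"))
            continue
        if parts.scheme not in ("http", "https") or not host:
            rejected.append((line, "not a full http(s) URL"))
        elif host != zone_name and not host.endswith("." + zone_name):
            rejected.append((line, "host is outside this zone"))
        else:
            accepted.append(line)
    batches = [{"files": accepted[i:i + batch_size]}
               for i in range(0, len(accepted), batch_size)]
    return batches, rejected


# Constructed sample: the updated post, the home page and a category page,
# plus a duplicate, a scheme-less line and a URL on another domain.
SAMPLE_INPUT = """\
https://example.com/blog/new-post/
https://example.com/
https://example.com/category/security/

example.com/tag/waf/
https://example.com/
https://cdn.example.net/logo.png
"""

if __name__ == "__main__":
    print(build_purge_batches(SAMPLE_INPUT, "example.com"))
```

Rejecting out-of-zone and scheme-less lines locally means a typo shows up as a clear per-line reason rather than as a failed purge.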
Per-zone settings panel
Each card has a Settings accordion at the bottom. Click it to expand the panel — the plugin fetches the current settings for that zone from Cloudflare and renders them as a list of toggles and dropdowns.
The settings exposed:
🔒 SSL Mode
How traffic between Cloudflare and your origin server is encrypted.
- Off — no SSL. Don’t use this.
- Flexible — encrypted between visitor and Cloudflare, plain HTTP from Cloudflare to your origin. Use only if your origin can’t do SSL at all.
- Full — encrypted end-to-end, but Cloudflare doesn’t validate your origin’s certificate, so it can’t tell your real origin from a server presenting any other certificate. Acceptable if your origin uses a self-signed cert.
- Full (Strict) — encrypted end-to-end with full certificate validation. This is the right choice for almost everyone.
If you’re not sure which one is set, check before changing. Switching from Flexible to Full (Strict) on a misconfigured origin can take your site down briefly until the cert is sorted.
↗ Always Use HTTPS
Forces every HTTP request to redirect to HTTPS. Should be on for any modern site.
⚡ Security Level
How aggressively Cloudflare challenges suspicious visitors. Options:
- Essentially Off — minimum interference
- Low
- Medium — Cloudflare’s default and a sensible balance
- High — challenges more aggressively; may produce false positives
Note that this dropdown shows your non-attack security level. If the zone is currently in Under Attack Mode, that’s controlled by the toggle at the top of the card, not by this setting.
🗄 Cache Level
How aggressively Cloudflare caches static content.
- Bypass — don’t cache anything
- Basic — cache static file extensions only
- Simplified — ignore query strings when caching
- Aggressive (default) — full caching with query string awareness
- Cache Everything — cache literally every response, including HTML. Powerful but can break dynamic sites — use Page Rules for this on most setups.
⏱ Browser Cache TTL
How long visitors’ browsers should cache resources before re-fetching them. Options run from 30 minutes all the way up to 1 month. Longer is better for performance, shorter is better when you’re iterating.
🚀 Rocket Loader
Cloudflare’s async JavaScript loader. Can improve perceived load time on JS-heavy sites but occasionally breaks scripts that don’t expect to load asynchronously. Test before leaving it on in production.
🔗 Hotlink Protection
Blocks other sites from embedding your images directly. Saves bandwidth if hotlinking is a problem; otherwise leave off.
✉ Email Obfuscation
Hides email addresses on your pages from scrapers by replacing them with JavaScript that reveals them only to real browsers. Useful if your site exposes contact emails publicly.
📦 Minification
Three checkboxes — JS, CSS, HTML — for Cloudflare’s edge minification. Tick whichever asset types you want minified at Cloudflare’s edge before delivery. Most sites should leave HTML off (it can break inline scripts) and only enable JS/CSS if your build pipeline isn’t already minifying.
Search and multi-zone management
The search box at the top of the page filters zones by name in real time. If you manage 30 client sites, type the client name and you’ll narrow the cards down instantly.
There’s no bulk action support beyond the Enable on All Zones Under Attack button — for everything else (purging, settings changes, dev mode) you work one zone at a time. This is intentional: most of these actions are destructive enough that you want to make them per-zone deliberately.
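Since settings are changed one zone at a time, a read-only check across zones helps find the ones that drifted from the guidance above (SSL mode below Full (Strict), Always Use HTTPS off, Under Attack Mode or Development Mode left on). This is an added example, not part of the plugin: it audits zone-settings responses in the shape the Cloudflare API returns. The function names, severity labels and sample data are assumptions.

```python
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}
# (setting id, value that triggers a finding, severity, note). Ids and values
# are the Cloudflare zone-settings API names for the controls on this page.
RULES = [
    ("ssl", "off", "high", "no encryption at all"),
    ("ssl", "flexible", "high", "Cloudflare-to-origin traffic is plain HTTP"),
    ("ssl", "full", "medium", "origin certificate is not validated"),
    ("always_use_https", "off", "medium", "HTTP is not redirected to HTTPS"),
    ("security_level", "under_attack", "info", "Under Attack Mode is still on"),
    ("development_mode", "on", "info", "edge cache bypassed, origin takes the load"),
]


def audit_zone(zone_name, settings_response):
    """Return findings for one zone, worst first."""
    current = {s["id"]: s.get("value") for s in settings_response.get("result") or []}
    findings = [{"zone": zone_name, "setting": sid, "severity": sev, "note": note}
                for sid, value, sev, note in RULES if current.get(sid) == value]
    # A setting the response omits cannot be judged, so report it.
    for sid in sorted({rule[0] for rule in RULES} - set(current)):
        findings.append({"zone": zone_name, "setting": sid, "severity": "info",
                         "note": "setting not returned by the API"})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def audit_account(zones):
    """zones maps zone name to its settings response; returns all findings."""
    findings = [f for name in sorted(zones) for f in audit_zone(name, zones[name])]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample in the shape of GET /client/v4/zones/{zone_id}/settings.
SAMPLE_ZONES = {
    "shop.example": {"success": True, "result": [
        {"id": "ssl", "value": "flexible"},
        {"id": "always_use_https", "value": "off"},
        {"id": "security_level", "value": "under_attack"},
        {"id": "development_mode", "value": "off"}]},
    "blog.example": {"success": True, "result": [
        {"id": "ssl", "value": "strict"},
        {"id": "always_use_https", "value": "on"},
        {"id": "security_level", "value": "medium"},
        {"id": "development_mode", "value": "on"}]},
}

if __name__ == "__main__":
    print(*audit_account(SAMPLE_ZONES), sep="\n")
```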