Cloudflare Free plan limitations
WP WAF Manager works on Cloudflare’s Free plan, but there are platform-level restrictions that apply regardless of the plugin. These are Cloudflare’s limits, not plugin bugs — understanding them upfront saves a lot of troubleshooting.
WAF rule expression size
Cloudflare limits each firewall rule expression to 4,096 characters. If you add a large number of custom IPs to Rule 1’s IP allowlist, you can push past this limit and the deploy will fail with an expression size error. The plugin will tell you when this is the cause.
The cleanest workaround is to move the bulk of your service IPs to the IP Access Rules module instead. Account-level IP access rules live outside the WAF expression entirely and don’t count toward the limit. Keep only the IPs that truly need Rule 1’s full-skip treatment (bypassing every Cloudflare check) in the IP Allowlist field.
Security Events
The Security Events module — which shows real-time firewall activity — requires a Cloudflare Pro plan or higher. On the Free plan, Cloudflare does not expose the GraphQL analytics endpoint that powers this feature. The module will show an error if your zone is on the Free plan. Everything else in the plugin works normally.
Managed Lists
Cloudflare’s Managed Lists feature (Account > Configurations > Managed Lists) is available on the Free plan and lets you maintain a reusable list of IPs that can be referenced in firewall expressions with `ip.src in $list_name`. This is a good solution if you have more IPs than the 4,096-character expression limit can accommodate. WP WAF Manager does not currently manage these lists, but you can create and maintain them directly in Cloudflare and reference them alongside the plugin’s rules.
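A pre-deploy check for the expression size limit and the workarounds described above, as an added example that is not part of WP WAF Manager. It assumes the allowlist is rendered as an inline set, `(ip.src in {…})`; the exact expression the plugin generates for Rule 1 is not shown on this page, so `reserved` is a hypothetical parameter for the characters the rest of the rule uses.

```python
import ipaddress

LIMIT = 4096  # per-expression character limit stated on this page

def normalize(entries):
    """Validate entries, drop duplicates and merge adjacent networks."""
    nets = {4: [], 6: []}
    for entry in entries:
        # Default strict=True rejects junk and CIDRs with host bits set (likely typos).
        net = ipaddress.ip_network(entry.strip())
        nets[net.version].append(net)
    merged = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    # Single hosts are written without /32 or /128 to save characters.
    return [str(n.network_address) if n.num_addresses == 1 else str(n) for n in merged]

def build_expression(ips):
    # Assumed rendering of the allowlist clause (inline set syntax).
    return "(ip.src in {" + " ".join(ips) + "})"

def plan_allowlist(priority, bulk, reserved=0, limit=LIMIT):
    """Return (expression, overflow).

    priority: entries that must stay inline (Rule 1 full-skip treatment).
    bulk: entries added inline only while the expression still fits.
    reserved: characters used by the rest of the rule (assumption, measure your own).
    overflow: entries to move to IP Access Rules or a list (`ip.src in $list_name`).
    """
    budget = limit - reserved
    inline = normalize(priority)
    if len(build_expression(inline)) > budget:
        raise ValueError("priority entries alone exceed the expression budget")
    overflow = []
    for ip in normalize(bulk):
        if ip in inline:
            continue
        if len(build_expression(inline + [ip])) <= budget:
            inline.append(ip)
        else:
            overflow.append(ip)
    return build_expression(inline), overflow

# Constructed sample input (documentation address ranges, not real services).
SAMPLE_PRIORITY = ["192.0.2.10", "192.0.2.11", "2001:db8::1"]
SAMPLE_BULK = [f"{p}.{i}" for p in ("198.51.100", "203.0.113") for i in range(0, 256, 2)] \
            + [f"192.0.2.{i}" for i in range(100, 256, 2)]

if __name__ == "__main__":
    expr, overflow = plan_allowlist(SAMPLE_PRIORITY, SAMPLE_BULK, reserved=200)
    print(len(expr), "chars inline;", len(overflow), "entries to move out of the expression")
```

Merging adjacent addresses into CIDR blocks often recovers enough characters on its own; whatever lands in `overflow` is the set to move to IP Access Rules or a Cloudflare list.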
Bot Fight Mode
Cloudflare’s free Bot Fight Mode can interfere with legitimate bots and monitoring services even when they are allowlisted in Rule 1. If you notice services being blocked despite being in your allowlist, check whether Bot Fight Mode is enabled under Security > Bots in your Cloudflare dashboard. Rule 1 includes a Super Bot Fight Mode skip action for Pro plan zones, but the Free plan version of Bot Fight Mode behaves differently and may require disabling it entirely for affected services.
Summary
| Feature | Free | Pro+ |
|---|---|---|
| WAF Rules (Rules 1–5) | Yes (4,096 char limit) | Yes (higher limits) |
| Custom IP Allowlist | Yes (counts toward limit) | Yes |
| IP Access Rules | Yes | Yes |
| Security Events | No | Yes |
| Super Bot Fight Mode skip | No | Yes |
| Managed Lists | Yes | Yes |
If you are hitting limits that affect core functionality, upgrading to Cloudflare Pro resolves most of them.