Docs
← Back to site

Introduction

3 min readUpdated April 10, 2026

WP WAF Manager is a WordPress plugin that brings your Cloudflare security stack into the WordPress admin. Instead of jumping between WP and the Cloudflare dashboard every time you need to block a country, add a firewall rule, edit a DNS record, or set up email forwarding, you do it all from one place, the site you’re already logged into.

It’s built for site owners, freelancers, and agencies who manage one site or a hundred, and who’d rather not context-switch every time something needs locking down.

What it does#

At its core, WP WAF Manager is a friendly front-end for the parts of the Cloudflare API that matter most for day-to-day site security and operations:

  • WAF Rules Builder — five battle-tested firewall rules (bad bots, login protection, country blocking, and more) that you can toggle on or off per zone, with a country picker built in. The rule patterns are based on the well-known five-rule set originally developed by Troy Glancy and refined by Michael Bourne at wafrules.com.
  • DNS Manager — view and edit DNS records across all 21 supported record types without leaving WordPress.
  • IP Access Rules — block, challenge, or allow individual IPs and ranges across your entire Cloudflare account, not just a single zone.
  • Email Routing — set up catch-all forwarding or specific address rules on any domain you’ve connected to Cloudflare. Free on every Cloudflare plan.
  • Zone Analytics — a clean dashboard view of traffic, threats, and bandwidth per zone.
  • Zone Controls & Cache Purge — toggle development mode, change security levels, and purge cache without opening Cloudflare.
  • Security Events Viewer — inspect recent firewall events filtered by action, time, and source. (Requires a Cloudflare Pro plan or higher on the zone.)
  • Multi-account support — connect multiple Cloudflare accounts and switch between them from a dropdown. Built for agencies managing client sites.

Who it’s for#

If you’ve ever:

  • Wanted to block a country temporarily during a brute-force wave but didn’t want to log into Cloudflare to do it
  • Managed half a dozen client sites and gotten tired of remembering which Cloudflare account each one lives under
  • Needed to set up [email protected] to forward to your inbox in under a minute
  • Wished you could see what your firewall actually blocked today without leaving the WP admin

…then this plugin is built for you.

What you’ll need#

  • A WordPress site (6.0 or later)
  • A Cloudflare account with at least one zone connected
  • A Cloudflare API Token with the right scopes (the docs walk you through creating one)

That’s it. The plugin works with Cloudflare’s Free plan for everything except the Security Events viewer, which Cloudflare itself gates behind their Pro tier.

Free vs Pro#

The full plugin is free and open-source on GitHub. Every feature listed above ships in the free version — there’s no crippled “lite” edition.

The Pro version at wpwafmanager.com is a one-time purchase that adds:

  • Automatic plugin updates directly inside WP Admin (so you don’t have to manually replace the zip every release)
  • Priority support

That’s the only difference. If you’re comfortable updating manually from GitHub, the free version will serve you forever.

Where to next#

Share:

Was this helpful?

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only