
Quick Start

7 min read · Updated April 10, 2026

This guide walks you through getting WP WAF Manager fully deployed to a Cloudflare zone in about ten minutes. By the end, all five WAF rules will be live, tuned to your site’s actual stack.

This assumes you’ve already installed the plugin and connected it to Cloudflare.

A quick mental model

WP WAF Manager isn’t a free-form rule editor. It ships with five pre-built WAF rules developed and refined over years on real production sites. You toggle them on, tick the boxes for the services you actually use, and deploy the whole set to your zones. The plugin handles the rule order automatically — Allow rules fire before Block rules, Block before Challenge — so the rules work together cleanly.

The five rules are:

  1. Allow Good Bots — whitelists search engines, monitoring tools, image optimisers, backups, and other legitimate services so the rules below don’t accidentally block them.
  2. Block Aggressive Crawlers & WP Paths — blocks scrapers, scanners, and known WordPress attack paths.
  3. Block or Challenge Web Hosts / TOR — handles traffic from datacenter ranges and TOR exit nodes.
  4. Challenge Large Providers / Country — country-level filtering and challenges for traffic from large cloud providers.
  5. Challenge VPN Connections & wp-login — challenges VPN traffic, especially against your login page.

The most important rule to get right is Rule 1, because it’s what tells Cloudflare which services are allowed through before the blocking rules even run. If you skip something here that you actually use — your backup plugin, your uptime monitor, your image optimiser — the later rules might block it. So we’ll spend most of the time on Rule 1.

Step 1 — Open the WAF Manager dashboard

In WP admin, click WAF Manager in the sidebar. You’ll land on the main dashboard, which shows your connected Cloudflare account at the top followed by the five rule cards stacked down the page.

If your zones don’t appear, your API credentials probably aren’t quite right — head back to Connecting to Cloudflare and double-check the token permissions.

Step 2 — Turn on all five rules

Scroll down the page and flip the toggle in the top-right corner of each rule card to on. Don’t worry about configuring anything yet — just enable all five. Each card will expand to show its options.

This might feel aggressive, but the rules are designed to work as a set. Rule 1 protects the services you actually use; Rules 2–5 handle the bad traffic. Turning on the blocking rules without Rule 1 is what causes false positives, not turning them all on together.
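To make the ordering point from the mental-model section and this step concrete, here is a small first-match evaluator. It is an added example, not code from WP WAF Manager: the Request and Rule classes, the sample requests and the expression strings are my own illustrations of the shape of Cloudflare custom rules, written with a few of the services and generic matches named on this page, not the plugin's actual generated expressions.

```python
"""First-match evaluator illustrating why the Allow rule must come first.

Added example, not code from WP WAF Manager. The Request/Rule classes and the
expression strings are illustrations of the shape of Cloudflare custom rules,
not the plugin's actual generated expressions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Request:
    user_agent: str
    path: str
    country: str  # ISO 3166-1 alpha-2, as Cloudflare's ip.geoip.country reports it


@dataclass
class Rule:
    name: str
    action: str  # "allow", "block" or "challenge"
    expression: str  # Cloudflare-style expression, shown for the reader only
    matches: Callable[[Request], bool]  # the same test, as a Python predicate


# Deploy order the page describes: Allow before Block before Challenge.
ACTION_ORDER = {"allow": 0, "block": 1, "challenge": 2}

GOOD_BOT_TOKENS = ("UptimeRobot", "Googlebot", "UpdraftPlus")  # a few of Rule 1's services
GENERIC_CRAWLER_TOKENS = ("bot", "crawl", "spider")  # the generic matches Rule 2 offers
WP_ATTACK_PATHS = ("/xmlrpc.php", "/wp-config.php")  # illustrative WordPress paths

# Listed deliberately out of order so order_rules() has something to do.
RULES: List[Rule] = [
    Rule(
        name="Block Aggressive Crawlers & WP Paths",
        action="block",
        expression='(lower(http.user_agent) contains "bot") or '
                   '(http.request.uri.path in {"/xmlrpc.php" "/wp-config.php"})',
        matches=lambda r: any(t in r.user_agent.lower() for t in GENERIC_CRAWLER_TOKENS)
        or r.path in WP_ATTACK_PATHS,
    ),
    Rule(
        name="Allow Good Bots",
        action="allow",
        expression='(http.user_agent contains "UptimeRobot") or (http.user_agent contains "Googlebot")',
        matches=lambda r: any(t in r.user_agent for t in GOOD_BOT_TOKENS),
    ),
    Rule(
        name="Challenge VPN Connections & wp-login",
        action="challenge",
        expression='(http.request.uri.path eq "/wp-login.php") and not (ip.geoip.country eq "GB")',
        matches=lambda r: r.path == "/wp-login.php" and r.country != "GB",
    ),
]


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Sort into Allow -> Block -> Challenge, which is what the plugin does for you."""
    return sorted(rules, key=lambda r: ACTION_ORDER[r.action])


def evaluate(req: Request, rules: List[Rule], enabled: Optional[Set[str]] = None) -> str:
    """Return the action of the first enabled rule that matches, or "pass".

    Simplification: every action is treated as terminating, which is how an
    Allow (a Cloudflare "skip") and a Block behave for the remaining custom rules.
    """
    for rule in order_rules(rules):
        if enabled is not None and rule.name not in enabled:
            continue
        if rule.matches(req):
            return rule.action
    return "pass"


# Constructed sample requests: an uptime monitor, a probe of xmlrpc.php, a login from abroad.
MONITOR = Request("Mozilla/5.0 (compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)", "/", "US")
PROBE = Request("python-requests/2.31", "/xmlrpc.php", "NL")
LOGIN_ABROAD = Request("Mozilla/5.0 (Windows NT 10.0) Firefox/125.0", "/wp-login.php", "US")


def demo() -> dict:
    """The monitor flips from allow to block when Rule 1 is left out: the false
    positive this step warns about. The other two show Rules 2 and 5 doing their job."""
    without_rule_1 = {r.name for r in RULES if r.action != "allow"}
    return {
        "monitor_all_rules": evaluate(MONITOR, RULES),
        "monitor_without_rule_1": evaluate(MONITOR, RULES, enabled=without_rule_1),
        "xmlrpc_probe": evaluate(PROBE, RULES),
        "login_from_abroad": evaluate(LOGIN_ABROAD, RULES),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Note the mechanism behind the false positive: "UptimeRobot" lower-cases to a string containing "bot", so the generic crawler match in Rule 2 catches it unless the Allow rule has already let it through. Matching on User-Agent alone is spoofable, so for services Cloudflare verifies itself the `cf.client.bot` and `cf.verified_bot_category` fields are a tighter basis for an allow than a substring.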

Step 3 — Tune Rule 1 to your stack

This is the most important step. Scroll back up to Rule 1 — Allow Good Bots and walk through the categories, ticking every service you actually use on this site. The categories are organised to make this quick:

  • Backups — tick whatever you use to back up the site (BackupBuddy, BlogVault, UpdraftPlus, etc.)
  • Uptime monitoring — BetterStack, GTmetrix, Pingdom, StatusCake, UptimeRobot, and others
  • Image optimisers — Imagify, ShortPixel, EWWW, TinyPNG, FlyingPress, ExactDN, etc.
  • SEO crawlers — Ahrefs, SEMrush, Moz Rogerbot, Screaming Frog, Majestic
  • Security scanners — Sucuri, Wordfence, SiteLock, VirusTotal
  • Social previews — Facebook, LinkedIn, Twitter/X (tick these if you share links to your site on social media)
  • WordPress management — Jetpack, MainWP, ManageWP, WP Umbrella, GoDaddy Uptime Monitor
  • Let’s Encrypt verification — leave this on if your SSL is issued by Let’s Encrypt (which it almost certainly is)

A good way to do this: open your Plugins → Installed Plugins page in another tab and tick anything in Rule 1 that matches a plugin you have installed and active. Then think about external services — what monitors your uptime? Which services do your hosting dashboard and your SEO tooling rely on? Tick those too.

If you’re not sure whether you use something, leave it ticked. The cost of allowing a bot you don’t strictly need is basically zero. The cost of forgetting to allow one you do need is a broken integration.

Step 4 — Glance at Rules 2–5

Each of the other four rules has its own set of options inside the card. The defaults are sensible for most WordPress sites, so you don’t need to touch them on your first deploy. But it’s worth scrolling through each one to see what’s there:

  • Rule 2 lets you choose which aggressive crawlers to block — Yandex, Sogou, Baidu, generic “bot” / “crawl” / “spider” user-agents, and security scanners like Nikto and SQLMap.
  • Rule 3 handles datacenter and TOR traffic, with options for what to do with each.
  • Rule 4 is where the country picker lives. If you only do business in a specific list of countries, this is where you tighten that down. If you’re global, leave the defaults.
  • Rule 5 challenges VPN traffic and adds an extra layer of protection on wp-login.php.

You can come back and tune any of these after the first deploy. For now, leave them at defaults unless something jumps out at you.

Step 5 — Preview the generated expressions

Scroll down to the Generated Rule Expressions section near the bottom of the page. As you toggled options on, this section updated in real time to show the actual Cloudflare firewall expressions that will be deployed. This is exactly what gets pushed — no hidden magic. If you’ve ever written WAF expressions by hand, this is a nice sanity check.

Step 6 — Deploy

Scroll to the Deploy Rules to Your Sites section at the bottom. You’ll see all the zones from your Cloudflare account listed with checkboxes.

For your first deploy, pick one zone — ideally a low-stakes site or your own personal site rather than a high-traffic client production zone. Tick its checkbox and click Deploy.

The plugin pushes all five rules to Cloudflare in the correct order. You’ll get a green confirmation in a second or two.

Step 7 — Verify the rules are live

You can confirm the deploy worked in two ways:

Inside the plugin — click the View Zone Rules tab at the top of the dashboard and select the zone you just deployed to. You should see all five rules listed with their full expressions.

Inside Cloudflare — log into Cloudflare, open the zone, and go to Security → WAF → Custom rules. Your five new rules should be sitting at the top of the list in the right order.
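A third way to verify, useful when you manage many zones, is to ask the Cloudflare API directly. The script below is an added example, not part of WP WAF Manager: it reads the zone's custom-rules entrypoint ruleset (the `http_request_firewall_custom` phase, which is where the Security → WAF → Custom rules list comes from) and checks that the five rules are present, enabled and in the documented order. It matches rules by the titles used on this page, which is an assumption; if the plugin names its rules differently, adjust EXPECTED_TITLES. SAMPLE_RESPONSE is a constructed response so the check runs offline.

```python
"""Verify from the Cloudflare API that the five rules are present, enabled and ordered.

Added example, not part of WP WAF Manager. Rules are matched by the titles used on
this page (an assumption); SAMPLE_RESPONSE is constructed, not real API output.
"""
import json
import urllib.request
from typing import Dict, List

EXPECTED_TITLES = [
    "Allow Good Bots",
    "Block Aggressive Crawlers & WP Paths",
    "Block or Challenge Web Hosts / TOR",
    "Challenge Large Providers / Country",
    "Challenge VPN Connections & wp-login",
]

# Allow is a "skip" in Cloudflare custom rules; the challenge variants rank together.
ACTION_RANK = {"skip": 0, "allow": 0, "block": 1,
               "managed_challenge": 2, "challenge": 2, "js_challenge": 2}


def fetch_ruleset(zone_id: str, api_token: str) -> Dict:
    """GET the zone's custom-rules entrypoint ruleset (needs network; not used by the demo)."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_rule_order(ruleset: Dict, expected: List[str] = EXPECTED_TITLES) -> List[str]:
    """Return a list of problems; an empty list means the deploy looks right."""
    rules = ruleset.get("result", {}).get("rules", [])
    problems: List[str] = []
    found = []  # (position, title, rule) for the rules we recognise, in zone order
    for pos, rule in enumerate(rules):
        desc = rule.get("description", "")
        for title in expected:
            if desc.startswith(title):
                found.append((pos, title, rule))
                if not rule.get("enabled", True):
                    problems.append(f"{title!r} is deployed but disabled")
    seen = {title for _, title, _ in found}
    for title in expected:
        if title not in seen:
            problems.append(f"{title!r} not found in the zone's custom rules")
    # Documented order: the titles should appear in the same sequence as EXPECTED_TITLES.
    if [title for _, title, _ in found] != [t for t in expected if t in seen]:
        problems.append("rules are not in the documented order")
    # Action order: Allow (skip) before Block before Challenge among the plugin's rules.
    last_rank = -1
    for _, title, rule in found:
        rank = ACTION_RANK.get(rule.get("action", ""), 3)
        if rank < last_rank:
            problems.append(f"{title!r} ({rule.get('action')}) runs after a stronger action")
        last_rank = max(last_rank, rank)
    return problems


def _rule(rid: str, title: str, action: str, expression: str, enabled: bool = True) -> Dict:
    rule = {"id": rid, "description": title, "action": action,
            "expression": expression, "enabled": enabled}
    if action == "skip":
        rule["action_parameters"] = {"ruleset": "current"}  # skip the remaining custom rules
    return rule


# Constructed response shaped like the rulesets API; expressions are illustrative only.
SAMPLE_RESPONSE = {
    "success": True,
    "result": {
        "id": "EXAMPLE-RULESET-ID",
        "phase": "http_request_firewall_custom",
        "rules": [
            _rule("r1", EXPECTED_TITLES[0], "skip", '(http.user_agent contains "UptimeRobot")'),
            _rule("r2", EXPECTED_TITLES[1], "block", '(lower(http.user_agent) contains "spider")'),
            _rule("r3", EXPECTED_TITLES[2], "block", '(ip.geoip.asnum in {14061 16509})'),
            _rule("r4", EXPECTED_TITLES[3], "managed_challenge", '(not ip.geoip.country in {"GB" "IE"})'),
            _rule("r5", EXPECTED_TITLES[4], "managed_challenge", '(http.request.uri.path eq "/wp-login.php")'),
        ],
    },
}

# The same deploy with Rule 1 disabled and Rules 2/3 swapped, to show what a failed check reports.
SAMPLE_BROKEN_RESPONSE = {
    "success": True,
    "result": {"id": "EXAMPLE-RULESET-ID", "phase": "http_request_firewall_custom",
               "rules": [SAMPLE_RESPONSE["result"]["rules"][i] for i in (0, 2, 1, 3, 4)]},
}
SAMPLE_BROKEN_RESPONSE["result"]["rules"][0] = dict(SAMPLE_RESPONSE["result"]["rules"][0], enabled=False)

if __name__ == "__main__":
    print("good deploy:", check_rule_order(SAMPLE_RESPONSE) or "ok")
    print("broken deploy:", check_rule_order(SAMPLE_BROKEN_RESPONSE))
```

To run it against a real zone, call `check_rule_order(fetch_ruleset(zone_id, token))` with a token that has the zone's WAF read permission. Other custom rules you have written by hand are ignored by the check, since only rules whose description starts with one of the expected titles are considered.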

Step 8 — Watch the Security Events log for a day

For the next 24–48 hours, keep an eye on Cloudflare’s Security → Analytics → Events view for the zone, or use the plugin’s Security Events page if your Cloudflare plan is Pro or higher. You’re watching for two things:

  • Blocked traffic that should have been allowed — a backup that suddenly fails, an uptime monitor that starts alerting, an SEO crawl that stops returning results. If you see this, come back to Rule 1, tick the missing service, and redeploy.
  • Actual attacks being blocked — login brute-force attempts, vulnerability scans, scrapers hammering your pages. This is the rules doing their job.

Most sites need a small amount of tuning in the first day or two, then settle in and run quietly forever.
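If you would rather not eyeball the Events view, the same two questions can be asked of an exported batch of events. The script below is an added example, not part of WP WAF Manager: it sorts enforcing events into likely Rule 1 gaps (a service you meant to allow got blocked or challenged) and genuine attack traffic, and flags repeated login-page hits from one address. The sample events are constructed; their keys are modelled on Cloudflare's firewallEventsAdaptive fields (action, userAgent, clientIP, clientRequestPath, ruleId, datetime), and a real export or GraphQL query may name them differently, so map the keys accordingly.

```python
"""Triage a day's Cloudflare security events into the two buckets this step describes.

Added example, not part of WP WAF Manager. SAMPLE_EVENTS is constructed; the key
names follow Cloudflare's firewallEventsAdaptive dataset but are an assumption
about how you exported the events.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Services you would have ticked in Rule 1; if these get enforced against, Rule 1 is incomplete.
ALLOWED_SERVICE_TOKENS = ("UptimeRobot", "UpdraftPlus", "Googlebot", "facebookexternalhit")
ENFORCING_ACTIONS = {"block", "managed_challenge", "challenge", "js_challenge"}
LOGIN_PATH = "/wp-login.php"
LOGIN_ATTEMPT_THRESHOLD = 3  # enforcing hits on the login page from one IP before we report it

SAMPLE_EVENTS: List[Dict] = [
    {"datetime": "2026-04-10T08:00:01Z", "action": "block", "ruleId": "r2",
     "clientIP": "198.51.100.20", "clientRequestPath": "/",
     "userAgent": "Mozilla/5.0 (compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"},
    {"datetime": "2026-04-10T08:02:13Z", "action": "block", "ruleId": "r2",
     "clientIP": "203.0.113.9", "clientRequestPath": "/xmlrpc.php",
     "userAgent": "python-requests/2.31"},
    {"datetime": "2026-04-10T08:05:00Z", "action": "managed_challenge", "ruleId": "r5",
     "clientIP": "203.0.113.7", "clientRequestPath": LOGIN_PATH, "userAgent": "Mozilla/5.0"},
    {"datetime": "2026-04-10T08:05:02Z", "action": "managed_challenge", "ruleId": "r5",
     "clientIP": "203.0.113.7", "clientRequestPath": LOGIN_PATH, "userAgent": "Mozilla/5.0"},
    {"datetime": "2026-04-10T08:05:04Z", "action": "managed_challenge", "ruleId": "r5",
     "clientIP": "203.0.113.7", "clientRequestPath": LOGIN_PATH, "userAgent": "Mozilla/5.0"},
    {"datetime": "2026-04-10T08:10:45Z", "action": "skip", "ruleId": "r1",
     "clientIP": "192.0.2.44", "clientRequestPath": "/sitemap.xml",
     "userAgent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
]


def triage_events(events: Iterable[Dict]) -> Dict:
    """Split enforcing events into Rule 1 gaps and attack traffic; count login-page hits per IP."""
    false_positives: List[Dict] = []
    blocked_paths: Counter = Counter()
    login_hits: Counter = Counter()
    for ev in events:
        if ev.get("action") not in ENFORCING_ACTIONS:
            continue  # "skip" (Rule 1 letting traffic through) and "log" are not enforcement
        ua = ev.get("userAgent", "")
        if any(tok.lower() in ua.lower() for tok in ALLOWED_SERVICE_TOKENS):
            false_positives.append(ev)  # go back to Rule 1, tick the service, redeploy
            continue
        path = ev.get("clientRequestPath", "")
        blocked_paths[path] += 1
        if path == LOGIN_PATH:
            login_hits[ev.get("clientIP", "?")] += 1
    brute_force = {ip: n for ip, n in login_hits.items() if n >= LOGIN_ATTEMPT_THRESHOLD}
    return {"false_positives": false_positives, "blocked_paths": blocked_paths,
            "login_brute_force": brute_force}


def report(events: Iterable[Dict] = SAMPLE_EVENTS) -> str:
    """Human-readable summary of triage_events()."""
    t = triage_events(events)
    lines = []
    for ev in t["false_positives"]:
        lines.append(f"RULE 1 GAP: {ev['action']} of {ev['userAgent'][:40]!r} "
                     f"on {ev['clientRequestPath']} (rule {ev['ruleId']})")
    for path, n in t["blocked_paths"].most_common():
        lines.append(f"enforced {n}x on {path}")
    for ip, n in t["login_brute_force"].items():
        lines.append(f"login brute force: {ip} hit {LOGIN_PATH} {n} times")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The first line of the report is the one that needs action from you (a blocked UptimeRobot check means Rule 1 is missing that service); the rest is the rules doing their job, as the second bullet above describes.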

Rolling out to more zones

Once you’re confident the configuration works for one zone, deploying to the rest is trivial: come back to the Deploy Rules to Your Sites section, tick all the zones you want to update, and click Deploy. The same configuration pushes to all of them at once.

If you manage client sites with very different stacks, you may want to maintain separate configurations — or just deploy the same conservative Rule 1 baseline everywhere and tighten per-client only when needed.
