WordPress · Cloudflare Native

Five rules. One click. Zero compromise.

Deploy battle-tested Cloudflare WAF rules from WordPress. Manage DNS, monitor analytics, purge cache, block IPs, and route email.

Explore Features View Pricing
  • Works on Cloudflare Free
  • WP 6.0+ · PHP 8.0+
WAF Rules Builder

Battle-tested. Live in your dashboard.

Allow Good Bots Active
Block Aggressive Crawlers Active
Block Web Hosts & TOR Active
Challenge Cloud Providers Active
Challenge VPN & wp-login Active
Pro

Get auto-updates, priority support, and lifetime access.

Get WP WAF Manager Pro
Everything you need

Cloudflare,
built into WordPress.

Eight modules that replace your Cloudflare dashboard for day-to-day tasks. Deploy rules, manage DNS, monitor traffic, and route email without ever leaving WP admin.

Module 01 · WAF Rules Builder

Deploy 5 battle-tested rules in one click.

Block bad bots, aggressive crawlers, web hosts, TOR, cloud providers, and VPN abuse.

Allow Good Bots Active
Block Aggressive Crawlers Active
Block Web Hosts & TOR Active
Module 02

DNS Manager

All 21 record types with type-aware forms, proxy toggle, and TTL control.

A AAAA CNAME MX TXT SRV CAA NS +13
Module 03

Zone Analytics

Requests, bandwidth, cache rate, threats powered by Cloudflare GraphQL.

Module 04

Zone Controls

Under Attack Mode, Dev Mode, cache purge, SSL, and per-zone settings.

Under Attack Mode On
Module 05

IP Access Rules

Account-level rules that apply across all zones instantly.

Block203.0.113.42
ChallAS16509
Allow198.51.100.0/24
Module 06

Security Events

Real-time firewall events with filtering and time ranges.

SQLMap scan 2s
VPN exit node 12s
Module 08

Multi-Account Support

Manage every client's Cloudflare account from one install.

Pricing

Pay once.
Own it forever.

No subscriptions. No hidden tiers. Get the full plugin free on GitHub or unlock auto-updates and support with a one-time Pro license.

Free
For tinkerers and self-managed sites
$0
forever
Open source · MIT licensed
Download from GitHub
  • All 8 modules included
  • 5 battle-tested WAF rules
  • DNS Manager (21 record types)
  • Zone Analytics & Controls
  • Multi-account support
  • Community support via GitHub Issues
  • Manual updates via download
Use commercially · MIT licensed
Recommended
Pro
For professionals who want updates and support
$59.95
one-time
⚡ Lifetime license · 1 year of support
Get Pro License
  • Everything in Free, plus:
  • Automatic updates in WP Admin
  • Priority email support for 1 year
  • 14-day money-back guarantee
Pay once · No subscription · No surprises
Feature
Free
Pro
WAF Rules Builder (5 rules)
DNS Manager (21 record types)
Zone Analytics Dashboard
Zone Controls & Cache Purge
IP Access Rules (account-wide)
Security Events Viewer
Email Routing Manager
Multi-account support
Automatic updates in WP Admin
Priority email support (1 year)

Questions about the license or refund policy? See FAQs →

FAQ

Frequently asked
questions.

Everything you need to know before installing or upgrading. Can't find what you're looking for? Just email us.

Getting Started

Yes. WP WAF Manager is a Cloudflare management tool & it connects to your existing Cloudflare account via API and lets you manage WAF rules, DNS, analytics, and more from inside WordPress. You'll need at least one zone (domain) added to Cloudflare before you can use the plugin.

Cloudflare itself is free for the features this plugin uses. Sign up at cloudflare.com if you don't have an account yet.

Yes, almost everything works on Cloudflare's Free plan: WAF Rules, DNS Manager, Zone Analytics, Zone Controls, IP Access Rules, and Email Routing.

The only feature that requires a Cloudflare Pro plan or higher is the Security Events viewer, because Cloudflare's Events API is gated to paid plans. Everything else works on Free.

You have two options. Either method works and the plugin supports both.

Option 1: API Token (recommended). Create a scoped token at Cloudflare with these permissions: Zone → WAF → Edit, Zone → DNS → Edit, Account → Firewall Services → Edit, Account → Email Routing Addresses → Edit. This is the safer option because you can limit access to only what the plugin needs.

Option 2: Email + Global API Key. Use the email address on your Cloudflare account along with your Global API Key. Faster to set up but grants full account access, so use this only if you understand the risks.

They solve different problems. Wordfence and Sucuri scan files on your server and block requests after they reach WordPress. WP WAF Manager deploys rules at Cloudflare's edge, blocking malicious traffic before it ever touches your server.

Many users run both, Cloudflare for edge protection and a server-side scanner for file integrity. They complement each other rather than competing.

Compatibility & Safety

No. The plugin only runs in WP Admin and it has zero front-end footprint. API calls to Cloudflare happen on demand when you visit a settings page or trigger an action. There's no constant polling, no front-end JavaScript, and no impact on Core Web Vitals.

No. The plugin operates entirely in WP Admin and doesn't touch the front-end output, REST API, or page builder rendering. It's tested with Bricks, Elementor, Beaver Builder, and major SEO plugins like Rank Math, Yoast, and SlimSEO.

Your credentials are stored in your WordPress database with base64 obfuscation and the autoload=false flag and they're never loaded on front-end page requests. We strongly recommend creating a scoped API token with only the permissions the plugin needs, rather than using your Global API Key.

Yes. The full plugin source is on GitHub under an MIT license. You can audit every line of code, fork it, modify it, and deploy your own version. There's no obfuscation, no hidden Pro-only modules, and no telemetry.

Deactivating the plugin doesn't remove anything and your Cloudflare rules, DNS records, and all your data remain on Cloudflare. Deleting the plugin keeps all settings by default, so you can safely reinstall later.

If you want a complete uninstall, toggle "Remove all data on uninstall" in Settings before deleting.

Free vs Pro

The plugin is fully featured on Free and every module, every rule, every API integration. Pro adds automatic updates in WP Admin (so you don't have to manually download new versions from GitHub) and priority email support for one year.

Pro is for professionals who don't want to babysit plugin updates and want a real human to email when something goes sideways.

For 12 months from purchase, you get priority email support and automatic updates delivered through WP Admin. After 12 months, your plugin keeps working, and you will keep receive new updates automatically but will not have access to support.

Yes. A single Pro license can be activated on unlimited sites. There are no per-site limits or activation caps.

14-day money-back guarantee, no questions asked. If the plugin doesn't work for you, email us within 14 days of purchase and we'll refund the full amount.

License & Support

Immediately after checkout, you'll receive an email with your license key and download link. Install the plugin, go to WAF Manager → License, paste your key, and updates will start flowing automatically.

Once your Pro license is activated, new versions appear in your WordPress Plugins screen just like any other plugin update. Click "Update now" and you're done. No ZIP files, no FTP, no manual steps.

Both Free and Pro users can submit a request through our support page. Pro license holders get priority responses, typically within one or two business days.

Free users are welcome to use the same form, and we'll get back to you when we can.

Still have questions?
Drop us a line and we'll get back to you quickly.
Contact Support

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only