Cloudflare WAF

Security and performance are linked: abusive traffic consumes CPU, reduces cache hit rates, and can make the origin unstable. A good WAF configuration blocks the obvious bad traffic early while leaving legitimate users and good bots (search engines) alone.

Goals

  • Block common WordPress abuse patterns (/wp-login.php and /xmlrpc.php abuse)
  • Rate-limit sensitive endpoints
  • Avoid breaking REST API routes and legitimate checkout traffic

Steps

  • Enable Cloudflare managed rules.
  • Block or challenge repeated hits to wp-login.php.
  • Block /xmlrpc.php if you do not need it.
  • Rate limit login endpoints.
Caution: Do not block /wp-json/ broadly. Many plugins (and WooCommerce) rely on REST endpoints.

Verification

Check /xmlrpc.php (the expected response depends on the rule you chose):

curl-test-xmlrpc.sh:

curl -I https://example.com/xmlrpc.php

Review firewall events in Cloudflare to confirm the rule is matching intended traffic.
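The single curl above only covers one endpoint. The script below is an added example (not part of this page or of Cloudflare's tooling) that probes the three paths the Steps and Caution sections talk about and reports whether each was allowed, blocked/challenged or rate limited. It assumes the rules described above: Block on /xmlrpc.php, a challenge or rate limit on /wp-login.php, and /wp-json/ left untouched. The hostname, the REST path /wp-json/wp/v2/posts, the 20-request loop and the environment variable names are assumptions chosen for the example.

```shell
#!/bin/sh
# waf-check.sh (added example, not from the original page)
# Probe WordPress endpoints through Cloudflare and report what the WAF did.
# Usage: WAF_HOST=example.com sh waf-check.sh
# Optional: WAF_WANT_LOGIN=allowed if you rate limit wp-login.php instead of challenging it.
set -eu

# Map an HTTP status code to a verdict about the WAF.
# 403: Cloudflare Block or Managed Challenge page; 429: rate limit triggered.
# 405 from /xmlrpc.php means WordPress itself answered (it only accepts POST),
# i.e. the request reached the origin and the WAF did NOT stop it.
# 000 is what curl -w prints when no connection could be made.
classify_status() {
  case "$1" in
    200|201|204|301|302|307|308|405) echo "allowed" ;;
    403) echo "blocked_or_challenged" ;;
    429) echo "rate_limited" ;;
    000) echo "unreachable" ;;
    *) echo "other:$1" ;;
  esac
}

# Compare the observed verdict with the one the rule should produce.
# Returns 0 when they agree, 1 otherwise.
check_verdict() {
  path="$1"; want="$2"; got="$3"
  if [ "$got" = "$want" ]; then
    printf 'ok    %-28s %s\n' "$path" "$got"
    return 0
  fi
  printf 'FAIL  %-28s got %s, expected %s\n' "$path" "$got" "$want"
  return 1
}

# Fetch only the status code. A GET is closer to what browsers send than
# the HEAD issued by curl -I, so GET is used here.
status_for() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$1$2"
}

# Repeat GETs to /wp-login.php on your own host until a 429 appears.
# Returns 0 if the rate limit tripped within $2 requests (default 20), else 1.
login_rate_limit_trips() {
  host="$1"; n="${2:-20}"; i=0
  while [ "$i" -lt "$n" ]; do
    i=$((i + 1))
    if [ "$(status_for "$host" /wp-login.php)" = "429" ]; then
      return 0
    fi
  done
  return 1
}

# Run all checks against one host; exit status 1 if any expectation fails.
check_endpoints() {
  host="$1"; rc=0
  check_verdict /xmlrpc.php blocked_or_challenged \
    "$(classify_status "$(status_for "$host" /xmlrpc.php)")" || rc=1
  check_verdict /wp-login.php "${WAF_WANT_LOGIN:-blocked_or_challenged}" \
    "$(classify_status "$(status_for "$host" /wp-login.php)")" || rc=1
  # The REST API must keep working (see the caution about /wp-json/).
  check_verdict /wp-json/wp/v2/posts allowed \
    "$(classify_status "$(status_for "$host" /wp-json/wp/v2/posts)")" || rc=1
  if login_rate_limit_trips "$host" 20; then
    echo "ok    wp-login.php rate limit tripped within 20 requests"
  else
    echo "note  wp-login.php rate limit did not trip within 20 requests"
  fi
  return "$rc"
}

# Only contact the network when a host is given, so the functions can be
# sourced or unit-tested without side effects.
if [ -n "${WAF_HOST:-}" ]; then
  check_endpoints "$WAF_HOST"
fi
```

A FAIL line for /wp-json/wp/v2/posts is the symptom of the "Blocking REST API" mistake below; a 405 (reported as allowed) on /xmlrpc.php means the block rule is not matching and the request reached WordPress. Cross-check each FAIL against the Cloudflare firewall events for the same timestamp to see which rule, if any, fired.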

Common Mistakes

| Mistake | What Happens | Fix |
| --- | --- | --- |
| Over-aggressive rules | Legitimate users blocked | Start with challenge/rate limits, then tighten |
| Blocking REST API | Broken editor/checkout features | Narrow the rule scope |
| Rate limits too low | Customers blocked at checkout | Increase thresholds and scope by endpoint |
