Cloudflare WAF Rules: Setup, Best Practices & Examples
You’ve spent months building your website, only to wake up to a barrage of SQL injection attempts, bot scrapers stealing your content, or DDoS attacks slowing your site to a crawl. Sound familiar? That’s where Cloudflare WAF rules come in.
What Are Cloudflare WAF Rules?
Cloudflare’s Web Application Firewall (WAF) is a cloud-based security layer that sits between your site and all incoming traffic. Cloudflare WAF rules are the criteria, either pre-configured by Cloudflare or written by you, that decide what happens to a request: block it, challenge it (Managed Challenge, JS Challenge or Interactive Challenge; the interactive one is what most people call a CAPTCHA), skip remaining security checks for it, or, on Enterprise plans, log it without interfering.
Unlike traditional WAFs that run on your origin server, Cloudflare WAF rules process traffic at the edge of Cloudflare’s global network. Malicious requests are dropped before they reach your server, so the server does no extra work. The flip side is that the WAF only sees traffic that is proxied through Cloudflare (orange-clouded DNS records). If your origin’s IP address is reachable directly, an attacker can bypass every rule on this page, so restrict the origin to Cloudflare’s IP ranges or use Authenticated Origin Pulls.
Types of Cloudflare WAF Rules
Managed Rules (Cloudflare’s Pre-Built Rulesets)
Managed rules are pre-configured, regularly updated rule sets maintained by Cloudflare’s security team: the Cloudflare Managed Ruleset (signatures for known attacks, including CMS-specific ones for WordPress, Magento and others, plus emergency rules Cloudflare pushes when a widely exploited vulnerability is disclosed), the OWASP Core Ruleset (a score-based port of the open-source CRS covering the OWASP Top 10 categories), and checks such as exposed-credential detection. The free plan includes a smaller Free Managed Ruleset.
You don’t need to write these yourself; enable the rulesets relevant to your site and Cloudflare applies them automatically. Do review the defaults rather than assuming they block everything: the OWASP ruleset in particular has a paranoia level and a score threshold that you tune, and both managed rulesets support per-rule overrides and exceptions for when one rule keeps hitting legitimate traffic.
Custom WAF Rules
Custom rules are created by you to address site-specific threats. Match conditions can combine source IP or IP list, country of origin, ASN, user agent and other HTTP headers, URI path and query string, request method, cookies, and Cloudflare’s own signals such as threat score and verified-bot status.
Examples include blocking requests from known malicious IP ranges, challenging unverified bots that hit your checkout page, or letting your office IP range skip a specific rule. Be sparing with that last one: the Skip action can exempt an address from all remaining custom rules and from managed rules, and a shared office NAT or VPN exit is one compromised laptop away from being an attacker’s address, so scope skips to the exact path and product you need.
Rate Limiting Rules
Rate limiting rules, integrated into the WAF, count requests that match an expression and block (or challenge) the client once it exceeds a threshold within a period, keeping the mitigation in place for a set timeout. Counting is per client IP by default; higher plans can key on other request characteristics such as a header or cookie value. For example, a rule can block any IP that sends more than 5 POST requests per minute to /wp-login.php and keep it blocked for the next 10 minutes. Keep in mind what a per-IP counter cannot see: an attacker spreading attempts across many addresses stays under the threshold on each one, so pair rate limiting with a challenge on the login path rather than relying on it alone.
How to Create a Custom Cloudflare WAF Rule (Step-by-Step)
Follow these 8 simple steps to set up your first custom Cloudflare WAF rule:
- Log in to your Cloudflare dashboard and select the site you want to protect from the account home page.
- Navigate to Security > WAF from the left-hand sidebar menu.
- Open the Custom rules tab and click Create rule.
- Give your rule a descriptive name (e.g., "Block Malicious Login Attempts") to make it easy to track later.
- Set your match criteria: in the expression builder choose a field (e.g., URI Path), an operator (e.g., equals), and a value (e.g., /wp-login.php), and combine conditions with AND/OR as needed. The Edit expression view shows the same rule in Cloudflare’s expression language, which is the form you will want when reviewing rules or copying them between zones.
- Select the action for matching requests: Block, Managed Challenge, JS Challenge, Interactive Challenge, Skip, or, on Enterprise plans, Log. Managed Challenge is the safest default when you are not yet sure every match is hostile.
- Mind the order. Custom rules run top to bottom and the first rule with a terminating action (Block or a challenge) decides the outcome, so once the rule exists, drag it into the position you intend; Skip rules that exempt trusted traffic belong above the rules they exempt from. Toggle the rule status to On.
- Click Deploy to activate the rule immediately.
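The same rules can be kept in version control and pushed with Cloudflare’s Rulesets API instead of clicking through the dashboard. The script below is an added example for this guide, not Cloudflare’s own tooling: the endpoint, phase name, actions and payload fields are those of the Rulesets API, while the office CIDR (203.0.113.0/24) and the paths are placeholders you replace. It makes no network call unless CF_API_TOKEN and CF_ZONE_ID are set, so you can run it offline to review the exact payload it would send.

```python
"""Custom WAF rules as code, deployed through Cloudflare's Rulesets API.

Added example, not Cloudflare's tooling. The CIDR and paths are placeholders.
Without CF_API_TOKEN and CF_ZONE_ID in the environment the script is a dry run.
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"  # zone-level custom rules phase

# Rules are evaluated top to bottom; the first terminating action (block or a
# challenge) wins. The narrow Skip rule therefore sits above everything else.
RULES = [
    {
        "description": "Office egress (placeholder CIDR) reaches WP admin/login without further custom rules",
        "expression": (
            'ip.src in {203.0.113.0/24} and '
            '(starts_with(http.request.uri.path, "/wp-admin") or http.request.uri.path eq "/wp-login.php")'
        ),
        "action": "skip",
        "action_parameters": {"ruleset": "current"},  # skip only the remaining custom rules
        "enabled": True,
    },
    {
        "description": "Challenge every login POST; humans pass, credential stuffers mostly do not",
        "expression": 'http.request.uri.path eq "/wp-login.php" and http.request.method eq "POST"',
        "action": "managed_challenge",
        "enabled": True,
    },
    {
        "description": "Challenge self-declared bots on checkout and admin, except Cloudflare-verified bots",
        "expression": (
            '(starts_with(http.request.uri.path, "/checkout") or starts_with(http.request.uri.path, "/wp-admin"))'
            ' and (lower(http.user_agent) contains "bot" or lower(http.user_agent) contains "crawler")'
            ' and not cf.client.bot'
        ),
        "action": "managed_challenge",
        "enabled": True,
    },
]


def check_expression(expr: str) -> bool:
    """Cheap local sanity check before an API round trip: non-empty, balanced
    parentheses and braces outside string literals, and closed double quotes.
    The API does the real parsing and rejects anything it cannot compile."""
    if not expr.strip():
        return False
    parens = braces = 0
    in_string = False
    for ch in expr:
        if ch == '"':
            in_string = not in_string
        elif in_string:
            continue
        elif ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif ch == "{":
            braces += 1
        elif ch == "}":
            braces -= 1
        if parens < 0 or braces < 0:
            return False
    return not in_string and parens == 0 and braces == 0


def build_payload(rules=RULES) -> dict:
    """Body for PUT .../rulesets/phases/{PHASE}/entrypoint. PUT replaces every
    rule in the phase, so the list must always be the complete set of rules."""
    bad = [r["description"] for r in rules if not check_expression(r["expression"])]
    if bad:
        raise ValueError(f"malformed expression in: {bad}")
    return {"rules": rules}


def deploy(payload: dict, token=None, zone_id=None, dry_run=False):
    """Send the ruleset when credentials are available, otherwise return the
    payload unchanged. On a real call returns the decoded API response."""
    token = token or os.environ.get("CF_API_TOKEN")
    zone_id = zone_id or os.environ.get("CF_ZONE_ID")
    if dry_run or not token or not zone_id:
        return payload
    url = f"{API_BASE}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(deploy(build_payload()), indent=2))
```

Because the entrypoint PUT replaces the whole phase, treat this file as the single source of truth for the zone’s custom rules; a rule added by hand in the dashboard disappears on the next run. The API token needs only the Zone WAF edit permission for the zone in question.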
5 Best Practices for Cloudflare WAF Rules
Follow these actionable tips to get the most out of your WAF rules while avoiding false positives:
- Start with managed rules first: Enable Cloudflare’s pre-built managed rulesets before creating custom ones to cover baseline threats automatically.
- Test rules before blocking: the Log action, which records matches without touching the request, is only available on Enterprise plans. On other plans, deploy a new rule with Managed Challenge first (real users pass it, most bots do not), watch Security > Events for a day or two, and switch to Block only once the matches look right.
- Use specific match criteria: avoid overly broad rules (e.g., blocking all traffic from an entire country) unless absolutely necessary. Target specific IP ranges, URL paths and methods instead, and treat user-agent matches as a convenience rather than a control, since the user agent is whatever the client chooses to send.
- Mind rule order: custom rules are evaluated top to bottom and the first rule with a terminating action wins. Put narrow Skip rules that exempt trusted traffic above the broad Block or challenge rules they must override, and never place a broad Skip above your blocks.
- Review WAF events weekly: check Security > Events to see which rules are firing and sample the blocked requests’ paths and client IPs. Many unrelated IPs tripping the same rule once each on an ordinary page usually means a false positive; one IP tripping a rule dozens of times is abuse. Adjust the false positives and add rules as new threats emerge.
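The weekly review above is easy to script once you export events (for example via the GraphQL firewallEventsAdaptive dataset or Logpush). The triage script below is an added example, not code from the page or from Cloudflare: the record keys follow a subset of the firewallEventsAdaptive field names (datetime, action, ruleId, source, clientIP, clientRequestPath, userAgent), so adapt them if your export differs, and the events are constructed for the example. It groups events per rule and flags rules whose hits come from many unrelated clients, each only once or twice, as candidates for false positives.

```python
"""Triage Cloudflare security events for likely false positives.

Added example; EVENTS are constructed, and the field names are assumed to
match the firewallEventsAdaptive GraphQL dataset.
"""
from collections import Counter, defaultdict

EVENTS = [
    # Five different visitors blocked on the same ordinary page by a keyword
    # rule: the classic signature of a false positive.
    *[
        {"datetime": f"2024-05-01T10:0{i}:00Z", "action": "block", "ruleId": "custom-sqli-keywords",
         "source": "firewallCustom", "clientIP": f"198.51.100.{i}", "clientRequestPath": "/plans/select",
         "userAgent": "Mozilla/5.0"}
        for i in range(1, 6)
    ],
    # One address hammering the login endpoint: the rate limit doing its job.
    *[
        {"datetime": f"2024-05-01T11:00:{i:02d}Z", "action": "block", "ruleId": "ratelimit-wp-login",
         "source": "rateLimit", "clientIP": "203.0.113.9", "clientRequestPath": "/wp-login.php",
         "userAgent": "python-requests/2.31"}
        for i in range(12)
    ],
    # Two self-declared bots challenged on checkout; too few clients to judge yet.
    {"datetime": "2024-05-01T12:00:00Z", "action": "managed_challenge", "ruleId": "custom-bot-checkout",
     "source": "firewallCustom", "clientIP": "192.0.2.10", "clientRequestPath": "/checkout",
     "userAgent": "SomeBot/1.0"},
    {"datetime": "2024-05-01T12:05:00Z", "action": "managed_challenge", "ruleId": "custom-bot-checkout",
     "source": "firewallCustom", "clientIP": "192.0.2.11", "clientRequestPath": "/checkout",
     "userAgent": "crawler-x"},
]


def summarize(events):
    """Per rule: hit count, hits by action, distinct client IPs, hits from the
    busiest single IP, and the most common request paths."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e["ruleId"]].append(e)
    summary = {}
    for rule, hits in by_rule.items():
        ips = Counter(h["clientIP"] for h in hits)
        summary[rule] = {
            "source": hits[0]["source"],
            "hits": len(hits),
            "by_action": dict(Counter(h["action"] for h in hits)),
            "distinct_ips": len(ips),
            "max_hits_one_ip": max(ips.values()),
            "top_paths": Counter(h["clientRequestPath"] for h in hits).most_common(3),
        }
    return summary


def flag_suspect_rules(summary, min_ips=3, max_per_ip=2):
    """Triage heuristic, not a verdict: a rule tripped by many unrelated clients,
    each only once or twice, usually means ordinary users are matching it; a
    rule tripped over and over by one client is usually real abuse."""
    return sorted(
        rule for rule, s in summary.items()
        if s["distinct_ips"] >= min_ips and s["max_hits_one_ip"] <= max_per_ip
    )


if __name__ == "__main__":
    s = summarize(EVENTS)
    for rule, stats in s.items():
        print(rule, stats)
    print("review for false positives:", flag_suspect_rules(s))
```

The thresholds are starting points; on a busy site raise min_ips so that a handful of coincidental hits does not trigger a review, and always open the flagged rule’s top path in Security > Events to confirm before loosening it.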
Common Cloudflare WAF Rule Examples
You can copy and adapt these ready-to-use rule configurations for your own site:
1. Block Obvious SQL Injection Probes (a coarse backstop)
Keyword matching on the URI path alone makes a poor SQL injection rule: injection payloads usually arrive in the query string or request body, not the path, and words like "select" and "union" appear in ordinary URLs (/plans/select, /union-square). Rely on the Cloudflare Managed Ruleset and the OWASP Core Ruleset for real SQLi coverage, and use a custom rule only as a narrow backstop that inspects the decoded query string:
Match criteria: lower(url_decode(URI Query)) contains "union select" OR lower(url_decode(URI Query)) contains "drop table" OR lower(url_decode(URI Query)) contains "' or 1=1"
Action: Block
2. Challenge Bot Traffic to Sensitive Pages
Match criteria: (URI Path starts with /checkout OR URI Path starts with /wp-admin) AND (lower(User Agent) contains "bot" OR lower(User Agent) contains "crawler") AND NOT Verified Bot
Action: Managed Challenge
The Verified Bot field (cf.client.bot) keeps crawlers Cloudflare has verified, such as Googlebot, out of the challenge. A user-agent string is whatever the client chooses to send, so this rule deters lazy scrapers and nothing more; Bot Fight Mode or Super Bot Fight Mode is the stronger control.
3. Rate Limit Login Page Requests
Match criteria: URI Path equals /wp-login.php AND Request Method equals POST
Action: Block once the same IP exceeds 5 matching requests in 1 minute, and keep blocking it for 10 minutes
Only requests matching the expression are counted and mitigated, so GET requests to the login page are unaffected. An attacker who rotates through many IP addresses stays under the threshold on each one, which is why the Managed Challenge on the login path (example 2 style) belongs alongside this rule.
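To make the semantics of example 3 concrete, the simulation below replays constructed login traffic through a fixed-window counter with a mitigation timeout: 5 allowed per 60 seconds per IP, then blocked for 600 seconds. It is an added example, not Cloudflare’s implementation (Cloudflare counts per data center and its counters are approximate), and the request traces are constructed. It shows which requests the rule blocks for a single noisy client and why a distributed attack of 4 attempts per address from 10 addresses passes untouched.

```python
"""Simulate the per-IP rate limiting rule on constructed login traffic.

Added example; not Cloudflare's implementation. Traffic is constructed.
"""
from dataclasses import dataclass, field


def matches_rule(req):
    """The rule's expression: only POSTs to the login page are counted and mitigated."""
    return req["path"] == "/wp-login.php" and req["method"] == "POST"


@dataclass
class RateLimiter:
    threshold: int = 5      # matching requests allowed per period
    period: int = 60        # seconds
    timeout: int = 600      # seconds the block stays in force once tripped
    windows: dict = field(default_factory=dict)        # ip -> (window_start, count)
    blocked_until: dict = field(default_factory=dict)  # ip -> timestamp

    def decide(self, req):
        if not matches_rule(req):
            return "pass"   # not this rule's concern
        ip, ts = req["ip"], req["ts"]
        if self.blocked_until.get(ip, -1) > ts:
            return "block"  # mitigation still in force
        start, count = self.windows.get(ip, (ts, 0))
        if ts - start >= self.period:
            start, count = ts, 0   # new counting window
        count += 1
        self.windows[ip] = (start, count)
        if count > self.threshold:
            self.blocked_until[ip] = ts + self.timeout
            return "block"
        return "allow"


def post(ip, ts):
    return {"ip": ip, "ts": ts, "path": "/wp-login.php", "method": "POST"}


# One noisy client: 8 login POSTs in 30 s, then retries during and after the timeout.
SINGLE_SOURCE = [post("198.51.100.7", t) for t in range(0, 32, 4)] + [
    post("198.51.100.7", 400),   # still inside the 10-minute block
    post("198.51.100.7", 700),   # block expired, fresh window
    {"ip": "198.51.100.7", "ts": 701, "path": "/wp-login.php", "method": "GET"},  # never counted
]

# Distributed credential stuffing: 10 addresses, 4 POSTs each, all within one minute.
DISTRIBUTED = [post(f"203.0.113.{i}", 5 * i + j) for i in range(1, 11) for j in range(4)]


def run(requests):
    """Replay requests in timestamp order through a fresh limiter; returns the decisions."""
    limiter = RateLimiter()
    return [limiter.decide(r) for r in sorted(requests, key=lambda r: r["ts"])]


if __name__ == "__main__":
    print("single source:", run(SINGLE_SOURCE))
    decisions = run(DISTRIBUTED)
    print("distributed: blocked", decisions.count("block"), "of", len(decisions))
```

The single client gets 5 attempts through, is blocked from the 6th onward, stays blocked at t=400 and is allowed again at t=700 once the timeout has lapsed; the 40 distributed attempts are all allowed, which is the gap a challenge on the login path closes.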
Frequently Asked Questions
- Are Cloudflare WAF rules free?
- Custom rules and rate limiting rules are included in the free plan in limited numbers, along with the Free Managed Ruleset. The Cloudflare Managed Ruleset and the OWASP Core Ruleset, higher rule limits, advanced rate limiting options and the Log action require Pro, Business, or Enterprise plans, so check the plan comparison before designing around a feature.
- Can WAF rules slow down my site?
- Not in any way a visitor will measure. Rules are evaluated at the Cloudflare data center nearest the visitor, which adds negligible processing per request and no load on your origin. What visitors do notice is challenges: an Interactive Challenge interrupts the page, so prefer Managed Challenge, which usually resolves without user interaction, and keep challenge rules narrowly scoped.
- How do I fix a false positive from a WAF rule?
- Check Security > Events to find the blocked request and the rule that matched. For a custom rule, tighten its expression so the legitimate traffic no longer matches. For a managed rule, add a WAF exception that skips that one rule ID for the affected path rather than disabling the whole ruleset. Reach for a Skip rule keyed on an IP or user agent only as a last resort: user agents are trivially spoofed, and a broad skip exempts that client from every other check as well.
- Can I import WAF rules from another site?
- Not through a dashboard import button, but the rules are data and can be copied. The Rulesets API lets you fetch a zone’s custom-rules ruleset and push the same rules to another zone, and the Cloudflare Terraform provider lets you keep rules in version control and apply them to many zones. Enterprise accounts can also define account-level custom rulesets once and deploy them to every zone.
Conclusion
Cloudflare WAF rules are one of the most powerful, low-maintenance ways to protect your website from common malicious traffic. Start by enabling managed rulesets to cover baseline threats, then create custom rules to address your site’s unique needs.
Always test a new rule with a non-blocking action first (Log on Enterprise, Managed Challenge elsewhere), review your event logs regularly, and adjust your configuration as your site grows. With the right WAF rules in place, you can focus on growing your business instead of fighting off attacks.
Ready to secure your site? Log in to your Cloudflare dashboard today to set up your first WAF rule, or refer to Cloudflare’s official WAF documentation for advanced configuration options. If you’re new to Cloudflare, check out our beginner’s guide to Cloudflare setup for step-by-step onboarding instructions, or our guide to Cloudflare DDoS protection for extra layers of security.