WP WAF Manager, a new WordPress plugin from Nahnu Plugins, allows site owners, developers, freelancers, and agencies to manage Cloudflare tools directly from the WordPress admin dashboard. The plugin connects to Cloudflare through the Cloudflare API and supports WAF rules, DNS records, zone controls, IP access rules, security events, analytics, email routing, and multiple Cloudflare accounts from one WordPress interface.
For WordPress agencies, WP WAF Manager solves a common workflow problem. Managing Cloudflare across multiple client sites often requires logging into separate dashboards, repeating rule updates, and switching between accounts. WP WAF Manager brings the most-used Cloudflare controls into the WordPress admin area, where agencies already manage client websites. This consolidation reduces friction and potential errors, allowing teams to enforce security policies consistently across all sites.
The plugin helps WordPress site owners improve edge-level security by deploying Cloudflare WAF rules before traffic reaches the WordPress server. It includes five tested firewall rules based on the open-source wafrules.com ruleset. These rules help address bad bots, SQL injection attempts, path traversal, VPN traffic, web hosting ASN traffic, and other common attack patterns. By blocking malicious traffic at the edge, the plugin reduces server load and mitigates attacks before they can exploit WordPress vulnerabilities.
WP WAF Manager separates custom IP and user agent allowlists from the base WAF ruleset. This allows users to update the main ruleset without losing their own custom allowlist settings. For agencies managing client sites, this reduces the risk of overwriting important access rules during security updates, ensuring that legitimate traffic is not inadvertently blocked.
In addition to WAF management, the plugin includes Cloudflare DNS management from inside WordPress. Users can manage Cloudflare DNS records, zone controls, cache purge, Under Attack Mode, Development Mode, SSL settings, IP access rules, security events, and email routing without leaving the WordPress dashboard. This integration simplifies site administration and reduces context switching for developers and site managers.
Security is a key consideration in the plugin's design. WP WAF Manager uses scoped Cloudflare API tokens as the recommended connection method. Scoped tokens allow users to grant only the permissions the plugin needs, giving site owners and agencies better control than using a full Cloudflare Global API Key. This approach limits what a leaked or misused token can change in Cloudflare, rather than exposing the whole account.
WP WAF Manager works with Cloudflare Free for most supported features. The Security Events viewer, however, requires Cloudflare Pro or higher because it depends on Cloudflare Events API access. This limitation may affect smaller sites on free plans, but the core WAF and DNS management features remain accessible.
The plugin is available as a free, open-source plugin through GitHub under the MIT license. A Pro license is available for users who want automatic plugin updates inside WordPress admin and priority email support. For agencies and developers, the open-source nature allows for customization and auditability, while the Pro option provides convenience for those managing multiple sites.
WP WAF Manager addresses a real gap in the WordPress ecosystem: the need for integrated edge security management. By bringing Cloudflare controls into the WordPress dashboard, it lowers the barrier to implementing robust WAF rules and streamlines site management for professionals. As threats continue to evolve, tools that simplify security without sacrificing control are increasingly valuable for businesses relying on WordPress for their digital presence.

