Website security is paramount. Even on a budget, you can significantly bolster your site's defenses using Cloudflare's free Web Application Firewall (WAF). This guide explains how to set it up and get started.
What is a WAF and Why Do You Need It?
A Web Application Firewall (WAF) helps protect your web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
Cloudflare's Free WAF Tier: What's Included?
While Cloudflare's more advanced WAF features are on paid plans, the free tier still offers valuable protection:
- Managed Ruleset (Free): Cloudflare provides a free managed ruleset that protects against common, high-impact vulnerabilities.
- Firewall Rules: You can create up to 5 active firewall rules to block or challenge traffic based on IP address, country, user agent, URI, and more.
- Rate Limiting (Basic): Protect against denial-of-service attacks and brute-force login attempts by limiting request rates (more advanced rate limiting is on paid plans).
- Security Level Settings: Adjust overall security levels (Essentially Off, Low, Medium, High, I'm Under Attack!).
Step 1: Add Your Site to Cloudflare
If you haven't already, you need to add your website to Cloudflare. This involves changing your domain's nameservers to Cloudflare's. Follow the on-screen instructions in your Cloudflare dashboard.
Step 2: Navigate to the Firewall Section
Once your site is active on Cloudflare:
- Log in to your Cloudflare dashboard.
- Select your domain.
- Go to the Security > WAF section from the sidebar.
Step 3: Enable the Free Managed Ruleset
Under the WAF section, look for 'Managed rules'. Cloudflare's Free Managed Ruleset should be enabled by default on most new zones. If not, ensure it's toggled on. This ruleset is updated by Cloudflare to protect against widespread vulnerabilities.

Step 4: Create Custom Firewall Rules (Optional but Recommended)
Custom firewall rules give you more granular control. Navigate to Security > WAF > Firewall rules.
Here are a couple of example rules you might create:
- Block access to sensitive paths: If you have admin areas like /wp-admin or /admin that shouldn't be publicly accessible, you can block or challenge traffic to these paths from non-trusted IPs.
- Challenge traffic from specific countries: If your audience is geographically limited, you can challenge or block traffic from countries where you don't expect legitimate users.
# Example firewall rule (Cloudflare expression syntax; 203.0.113.5 is a placeholder for your own static IP)
Expression: (http.request.uri.path contains "/wp-login.php" and not ip.src in {203.0.113.5})
Action: Block
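The two rules described above can also be deployed with Cloudflare's rulesets API rather than through the dashboard. The script below is an added example, not code from the original guide or a script published by Cloudflare. It assumes you set CF_API_TOKEN (an API token with permission to edit the zone's WAF) and CF_ZONE_ID yourself; the IP 203.0.113.5 and the country codes XX/YY are constructed placeholders. The rule expressions use Cloudflare's rule language (http.request.uri.path, ip.src, ip.src.country, lower()), and the script checks the free plan's limit of 5 active rules before sending anything.

```shell
#!/bin/sh
# Added example (not from the original guide or Cloudflare): deploy the Step 4
# custom rules via the Cloudflare rulesets API.
# Assumptions: CF_API_TOKEN and CF_ZONE_ID are set by you; 203.0.113.5 and the
# country codes XX/YY are placeholders to replace with your own values.

TRUSTED_IP="${TRUSTED_IP:-203.0.113.5}"   # placeholder: your static IP or CIDR

# Rule 1: block admin paths unless the request comes from the trusted IP.
# lower() makes the path match case-insensitive. The admin-ajax.php exception
# keeps WordPress front-end AJAX (used by many themes/plugins) working for
# ordinary visitors, which a blanket "/wp-admin" block would break.
RULE_ADMIN_EXPR="(lower(http.request.uri.path) contains \"/wp-login.php\" or lower(http.request.uri.path) contains \"/wp-admin\") and not (lower(http.request.uri.path) eq \"/wp-admin/admin-ajax.php\") and not (ip.src in {$TRUSTED_IP})"

# Rule 2: managed challenge for countries where no legitimate users are expected.
# (ip.src.country is the current name of the field formerly called ip.geoip.country.)
RULE_GEO_EXPR="ip.src.country in {\"XX\" \"YY\"}"

# Escape backslashes and double quotes so an expression can be embedded in JSON.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the request body for the http_request_firewall_custom phase entrypoint.
build_payload() {
  printf '{"rules":[{"description":"Block admin paths from untrusted IPs","expression":"%s","action":"block","enabled":true},{"description":"Challenge unexpected countries","expression":"%s","action":"managed_challenge","enabled":true}]}\n' \
    "$(json_escape "$RULE_ADMIN_EXPR")" "$(json_escape "$RULE_GEO_EXPR")"
}

# Count rule objects in the payload (one "expression" key per rule).
count_rules() {
  build_payload | grep -o '"expression"' | wc -l | tr -d ' '
}

# The free plan allows at most 5 active custom rules; refuse to deploy more.
check_free_tier_limit() {
  [ "$(count_rules)" -le 5 ]
}

# PUT replaces every rule in the phase, so the payload must list all rules you
# want to keep, not just new ones.
deploy() {
  if [ -z "$CF_API_TOKEN" ] || [ -z "$CF_ZONE_ID" ]; then
    echo "set CF_API_TOKEN and CF_ZONE_ID first" >&2
    return 1
  fi
  if ! check_free_tier_limit; then
    echo "the free plan allows at most 5 active custom rules" >&2
    return 1
  fi
  curl -sS -X PUT \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(build_payload)"
}

# Only talk to the API when explicitly asked: ./cf_rules.sh deploy
# Otherwise just show the payload that would be sent.
if [ "${1:-}" = "deploy" ]; then
  deploy
else
  build_payload
fi
```

Run the script with no arguments to review the generated JSON before anything is sent, then with `deploy` to apply it. Because the PUT replaces the whole custom-rules phase, re-run it with the complete rule list whenever you change a rule, and check Security > Overview afterwards to confirm the rules are firing as expected.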
Step 5: Review Security Level Settings
Under Security > Settings, you can adjust the 'Security Level'. For most sites, 'Medium' is a good starting point. If you experience issues with legitimate traffic being blocked, you might lower it. If you're under attack, you can raise it to 'High' or 'I'm Under Attack!' mode.
Step 6: Monitor Events
Cloudflare provides an overview of security events. Check Security > Overview and Events to see what threats have been mitigated and if your rules are triggering as expected. This helps you fine-tune your WAF settings.
Conclusion
Cloudflare's free WAF provides a solid foundation for website security. By enabling the managed ruleset and creating a few strategic custom firewall rules, you can significantly reduce your site's exposure to common web attacks without incurring extra costs. Remember to monitor your security events and adjust your settings as needed.