Nahnu Plugins has released WP WAF Manager, a WordPress plugin that enables site owners, developers, freelancers, and agencies to manage Cloudflare tools directly from the WordPress admin dashboard. The plugin connects to Cloudflare through the Cloudflare API and supports WAF rules, DNS records, zone controls, IP access rules, security events, analytics, email routing, and multiple Cloudflare accounts from one WordPress interface.
For WordPress agencies, WP WAF Manager solves a common workflow problem. Managing Cloudflare across multiple client sites often requires logging into separate dashboards, repeating rule updates, and switching between accounts. WP WAF Manager brings the most-used Cloudflare controls into the WordPress admin area, where agencies already manage client websites. This centralization can save time and reduce the risk of misconfiguration.
The plugin helps WordPress site owners improve edge-level security by deploying Cloudflare WAF rules before traffic reaches the WordPress server. WP WAF Manager includes five tested firewall rules based on the open-source wafrules.com ruleset. These rules help address bad bots, SQL injection attempts, path traversal, VPN traffic, web hosting ASN traffic, and other common attack patterns. By blocking malicious traffic at the edge, the plugin can reduce server load and protect against attacks before they reach the WordPress installation.
A key feature of WP WAF Manager is the separation of custom IP and user agent allowlists from the base WAF ruleset. This allows users to update the main ruleset without losing their own custom allowlist settings. For agencies managing client sites, this reduces the risk of overwriting important access rules during security updates, providing greater control and stability.
WP WAF Manager also includes Cloudflare DNS management from inside WordPress. Users can manage Cloudflare DNS records, zone controls, cache purge, Under Attack Mode, Development Mode, SSL settings, IP access rules, security events, and email routing without leaving the WordPress dashboard. This comprehensive integration means that routine tasks like adding a DNS record or purging the cache can be done alongside content updates, streamlining site management.
The plugin uses scoped Cloudflare API tokens as the recommended connection method. Scoped tokens allow users to grant only the permissions WP WAF Manager needs, giving site owners and agencies better control than using a full Cloudflare Global API Key. This approach enhances security by limiting potential damage if a token is compromised.
WP WAF Manager works with Cloudflare Free for most supported features. However, the Security Events viewer requires Cloudflare Pro or higher because it depends on Cloudflare Events API access. Users on free plans can still benefit from all other features, making the plugin accessible to a wide range of WordPress users.
WP WAF Manager is available as a free, open-source plugin through GitHub under the MIT license. A Pro license is available for users who want automatic plugin updates inside WordPress admin and priority email support. More information can be found on the plugin's website and documentation pages.
