Photo by Jeong goun / Unsplash

How to secure WordPress with a firewall using Cloudflare

Lee Matthew Jackson
Lee Matthew Jackson

Security for WordPress can be a huge concern for business owners around the world. With the growth of WordPress, it has become more and more of a target to would be hackers who want to gain access to your site either to inject viruses, or simply bring it down. With many websites out there being installed in the default manner with no thoughts to advanced security, they are becoming easy pickings for would be hackers around the world.

Your IT department would recommend you protect your network from outside threats, and it should be the same with your online presence. Your site is a representation of your business, it generates leads, and could also be how you sell your product. Downtime can have a detrimental affect, so it is wise to invest in security. Its time you secure WordPress with a firewall.

This is the first of two posts covering two different firewall services. We will cover using Cloudflare today, and in tomorrows post we will cover using Sucuri.


CloudFlare is a great content delivery network service that is really easy to use and includes a robust web application firewall. Prices start from $20 monthly, but as you will get speed and security for your twenty bucks, this represents epic value for money!


The initial setup process works like this:

  1. Sign up for Cloudflare
  2. Input your website domain
  3. Cloudflare scans your DNS settings
  4. Confirm your DNS settings by clicking the button provided (make sure you have a member of your IT department confirm they are correct)
  5. Point your name servers to the unique name servers that Cloudflare provide you (usually done via a control panel where you registered your domain)

Step five can take up to 24 hours before traffic is routing through Cloudflare.


Next you will want to install the Cloudflare Plugin on your WordPress install. This ensures you have no change to your originating IPs when using CloudFlare. (Otherwise your analytics could get skewed with Cloudflare IP addresses). It also registers the information of any comment you mark as SPAM which helps build up their threat database.

Now in Cloudflare, navigate to your Dashboard, and check out the firewall tab. Ensure the firewall is active and is set to at least Medium security. (Whatever level you set, please be sure to then test your site still functions well.)

Then ensure that you have the following “Rule Sets” activated at minimum for the firewall. See screenshot:

Finally, make sure you have OWASP activated. This covers OWASP top 10 vulnerabilities, and more.

This is by no-means an exhaustive list of security settings, and you should be sure to read the Cloudflare documentation provided, check in with their support if you need further help, or have a consultant work with you to ensure you have the best setup.

We would also recommend you look at WP Rocket as it works with CloudFlare out of the box and will update the CloudFlare’s cashing service to the optimum settings for WordPress. Therefore, you’ll get both speed and firewall protection.

Remember to check out our blog post on Sucuri tomorrow.

If you need any help setting up a firewall for your WordPress website, we offer bespoke consultancy and services to help you protect your site. Contact us today for more information.



Lee Matthew Jackson

Content creator, speaker & event organiser. #MyLifesAMusical #EventProfs