I am trying to understand the interaction between Wordfence and Cloudflare WAF and what is the right way to make sure I am properly configured.
I see in Cloudflare I can set up WAF rules for either countries or continents.
In Wordfence, I have already turned on the country blocking to limit traffic to just the USA and Canada as that is the only place I can conduct business.
I see in Cloudflare I can set up rules in the WAF to block countries or continents.
Since traffic to my website would obviously come from Cloudflare CDN, should I also set up blocking at that level or just let Wordfence do the blocking at the website level?
I also see an option in Wordfence that says:
Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.
Should I select this option or remain with the recommended setting that has Wordfence do its thing?
I used Cloudflare and worfence on all my sites. I find blocking at the Cloudflare level is better as it means less server load. Your firewall rule would be as simple as
Also, leave the wordfence rules in as a backup.
As for the visitor IP I use the let wordfence decide option (cannot remember the exact wording).
That makes total sense, I appreciate this feedback immensely. Thanks for the screenshot, I have taken your advice and done this like the screenshot.
There are times when I may need support to gain access to my website but they are out of the US or Canada for something like my Divi, I assume I would need to get their IP address and figure out how to put that in a whitelist in Cloudflare? I assume I can do that in Cloudflare? Is that correct?
