Cloudflare WAF and Wordfence?

I am trying to understand the interaction between Wordfence and Cloudflare WAF and what is the right way to make sure I am properly configured.

I see in Cloudflare I can set up WAF rules for either countries or continents.

In Wordfence, I have already turned on the country blocking to limit traffic to just the USA and Canada as that is the only place I can conduct business.

I see in Cloudflare I can set up rules in the WAF to block countries or continents.

Since traffic to my website would obviously come from Cloudflare CDN, should I also set up blocking at that level or just let Wordfence do the blocking at the website level?

I also see an option in Wordfence that says:

Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.

Should I select this option or remain with the recommended setting that has Wordfence do its thing?

I used Cloudflare and worfence on all my sites. I find blocking at the Cloudflare level is better as it means less server load. Your firewall rule would be as simple as
Also, leave the wordfence rules in as a backup.

As for the visitor IP I use the let wordfence decide option (cannot remember the exact wording).

Hope this helps. :smile:


That makes total sense, I appreciate this feedback immensely. Thanks for the screenshot, I have taken your advice and done this like the screenshot.

There are times when I may need support to gain access to my website but they are out of the US or Canada for something like my Divi, I assume I would need to get their IP address and figure out how to put that in a whitelist in Cloudflare? I assume I can do that in Cloudflare? Is that correct?

Yes, you can just add an or ip not equal to that rule.

Thanks so much, you are AWESOME!!


1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.