Cloudflare WAF and WP REST API Protections


I was just wondering what kind of protections Cloudflare has for the WordPress REST API?

Would they allow plugins to use it but when a human or bot tries to use it will they block those attempts?

I tried Googling this information and I could not find anything.

Thanks and regards,


I believe this is a tricky part here as I assume Cloudflare does not have all the plugins list which use REST API, or I may be wrong about it?

Due to security measurements, the thing here is you should limit the access to wp-users or any other not used via JSON, if so.

  • (http.request.uri.path contains "/wp-json/wp/v2/users")

If not being used at all, even a better approach would be to completely disable it via functions.php or some plugin nowadays.

I believe this could depend on few points like the Security Level option, Bot Fight Mode, IP reputation, we can even block the bad ASNs already by IP Access Rules / Firewall Rules for prevention and some other, for example to create a Firewall Rule like “why to allow a request via HTTP/1.0 to the REST API part or some other like wp-cron.php which is not comming from the IP address of the origin host/server?”.

Furthermore, using a Rate Limiting option for the REST API request/URL could help too.

Just few thoughts about it as it could be prevented in the early stage.

I haven’t tested a lot the Managed WAF Rules and WordPress REST API, so I cannot tell due to the lack of the experience and testing.

It’s possibly something exist, but I am afraid it’s not the “one-click solution” (silver bullet) made yet.
Or, if it actually is, then I believe it would be possible to have some blocked even the “good request” as far as from my point of view and complexity of it.

Therefrom, I can admit the Managed WAF Rules are actually good working and doing their job as far as I have tested and used them on a few domains.

Kindly and patiently wait for someone more experienced to provide a bette answer.


This is extremely hard to accomplish and hardly doable as it depends completely on who is going to consume the API.

1 Like

@fritexvz thank you for taking the time to write that very detailed information. I appreciate it.

Unfortunately I cannot deny access to unauthenticated users because some plugins require REST.

I put in a rate limit for it, but I am not sure as to exactly how many requests to limit so I got a gauge of what Cloudflare has implemented for their API and I did something similar. That rate limiting is a great feature.

What would you recommend for limiting the use of REST without breaking plugins that use REST? Not exactly sure how many times a minute or 10 seconds plugins use REST.

Thanks again for the knowledge and the time you took to write that. I definitely feel better about the WAF taking care of business.

Thanks and regards,


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.