I’m working on a site that was set up under Cloudflare by a previous developer. On Pro plan. WAF is currently disabled. I’ve read the docs “What does the Web Application Firewall (WAF) do?” and “Configuring the Cloudflare Web Application Firewall (WAF)”.
1. Restoring default settings
The docs suggest the default settings are a good starting point, however I suspect the current settings aren’t default. E.g. Cloudflare WordPress is enabled (but not operative because the WAF master setting is off), despite the site not being WordPress. Is there a way to restore the default WAF settings?
2. Risk vs benefit of WAF.
I have pointed the client to sections of the above docs addressing this, e.g.
“If you do see false positives or issues with your application or website, we definitely encourage you to not disable either of the WAF Packages, or the WAF in general. We have never encountered a website that was entirely incompatible with our WAF, and it’s always worth the time and effort to tune your WAF configuration.”
However, before going ahead with enabling WAF, the client is seeking further reassurance from Cloudflare about the balance of risk vs benefit.
Thanks in advance,