WP WAF Manager, a new WordPress plugin developed by Nahnu Plugins, brings Cloudflare's firewall and security management tools directly into the WordPress admin dashboard, offering site owners, developers, freelancers, and agencies a centralized way to control Cloudflare features without switching between separate interfaces.
The plugin connects to Cloudflare through the Cloudflare API and supports a range of functionalities including WAF rules, DNS records, zone controls, IP access rules, security events, analytics, email routing, and management of multiple Cloudflare accounts from a single WordPress interface. According to the developer, this solves a common workflow problem for WordPress agencies that manage Cloudflare across multiple client sites, as they often have to log into separate dashboards, repeat rule updates, and switch between accounts. WP WAF Manager brings the most-used Cloudflare controls into the WordPress admin area, where agencies already manage client websites.
For security, the plugin includes five tested firewall rules based on the open-source wafrules.com ruleset. These rules help address bad bots, SQL injection attempts, path traversal, VPN traffic, web hosting ASN traffic, and other common attack patterns. By deploying Cloudflare WAF rules before traffic reaches the WordPress server, site owners can improve edge-level security. The plugin also separates custom IP and user agent allowlists from the base WAF ruleset, allowing users to update the main ruleset without losing their own custom allowlist settings—a feature that reduces the risk of overwriting important access rules during security updates for agencies managing client sites.
Beyond firewall management, WP WAF Manager includes Cloudflare DNS management from inside WordPress. Users can manage Cloudflare DNS records, zone controls, cache purge, Under Attack Mode, Development Mode, SSL settings, IP access rules, security events, and email routing without leaving the WordPress dashboard. The plugin uses scoped Cloudflare API tokens as the recommended connection method, granting only the permissions WP WAF Manager needs. This provides site owners and agencies better control than using a full Cloudflare Global API Key.
WP WAF Manager works with Cloudflare Free for most supported features. However, the Security Events viewer requires Cloudflare Pro or higher because it depends on Cloudflare Events API access. The plugin is available as a free, open-source plugin through GitHub under the MIT license. A Pro license is available for users who want automatic plugin updates inside WordPress admin and priority email support. More information can be found on the plugin's website and documentation pages.
