
Free Cloudflare: how to set it up and 5 WAF anti-bot rules for your WordPress

Why free Cloudflare is brutal, how to set it up step by step, and 5 WAF rules that block 60-70% of malicious bots without paying a cent.

By SeoNova · Published · 9 min read
Cloudflare dashboard showing Security Events with thousands of bots blocked per day.

If your site has no Cloudflare in front of it, you are leaving money on the table. And I do not just mean speed — I mean that 49.6% of global web traffic is bots (Imperva Bad Bot Report 2025) and your hosting is serving ALL of it.

Free Cloudflare filters that out before it reaches your PHP. Today: how to set it up + 5 concrete rules anyone can enable without paying a dime.

What Cloudflare is (in one sentence)

It is a global proxy between the internet and your server: when someone visits your site, they hit Cloudflare first. Cloudflare decides what reaches your hosting and what gets blocked.

As a bonus you get CDN (global cache), automatic SSL, managed DNS, and DDoS protection. All of that, free.

Why the free plan is brutal

Compare what you get vs going without Cloudflare:

Feature | No Cloudflare | Cloudflare Free
CDN edge POPs | 0 | 300+ cities
SSL certificate | manual renewal (Let’s Encrypt) | automatic + universal
DNS | your registrar’s (slow, ~50-200ms) | Cloudflare DNS (1-10ms)
DDoS protection | whatever your host ships | unlimited L3/L4
WAF rules | 0 | 5 custom rules free
Bot Fight Mode | does not exist | yes, free
Cache | you configure it | edge cache automatic
HTTPS upgrade | manual | Always Use HTTPS toggle
Analytics | whatever your plugin tracks | Web Analytics + Edge Analytics
Requests/month | limited by host | 10 million (free)

10 million requests per month on the free plan. For reference: a site with 100k visits/month (already high) typically uses 1-3 million requests. You have plenty of headroom.

How to add your site to Cloudflare (step by step)

Step 1: Create a free account

Go to cloudflare.com/sign-up. Email + strong password. 2FA mandatory on day 1 (this is serious — it controls your DNS).

Step 2: Add your domain

Dashboard → Add a site → type yourdomain.com (no www, no https://).

Cloudflare scans your current DNS records (it reads them from your public zone). You will see something like:

A     @       1.2.3.4         Proxied (orange cloud)
A     www     1.2.3.4         Proxied
MX    @       mail.server     DNS only (gray cloud)
TXT   @       v=spf1 ...      DNS only

⚠️ Important: verify the scan captured ALL your DNS records before continuing. Especially:

  • MX records for email (Google Workspace, ProtonMail, etc.)
  • TXT SPF/DKIM/DMARC (otherwise email breaks)
  • Google Search Console / Bing Webmaster records
  • Subdomains (cms., admin., staging., etc.)

If anything is missing → add it manually NOW, before the switch.

Step 3: Pick a plan

Free. You have no reason to pay on day 1.

Step 4: Switch nameservers at your registrar

Cloudflare shows you 2 unique nameservers for your account (something like alex.ns.cloudflare.com + kate.ns.cloudflare.com).

Go to your registrar (Namecheap, GoDaddy, Hover, Cloudflare Registrar, etc.) → find DNS Management or Nameservers → swap the current ones for Cloudflare’s.

⚠️ Save the previous nameservers somewhere safe, in case you need to revert.

Step 5: Wait for propagation (1-24h)

DNS takes between 1 hour and 24 hours to propagate globally. Meanwhile, your site keeps working — only DNS resolution changes hands.

When Cloudflare detects the switch, it emails you “Your site is active on Cloudflare”.

Step 6: Configure SSL/TLS

Cloudflare dashboard → SSL/TLS → Overview → mode Full (strict).

Full = traffic encrypted from visitor to Cloudflare AND from Cloudflare to your server. Full (strict) = same + verifies your server’s certificate is valid (not self-signed).

If your hosting already has Let’s Encrypt SSL: use Full (strict). If it does not: use Full (Cloudflare acts as the gateway). Never use Flexible — it encrypts visitor ↔ Cloudflare, but Cloudflare ↔ your server runs over plain HTTP. Insecure.

Step 7: Enable Always Use HTTPS

Same SSL/TLS menu → Edge Certificates → toggle Always Use HTTPS = ON.

This forces a 301 redirect from http:// to https:// at the edge. You touch nothing in WordPress.

Step 8: Minimum TLS 1.2

SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2 (or 1.3 if your audience is 100% modern browsers).

This blocks connections from old bots still on TLS 1.0/1.1 (90% are scanners).

The 5 free anti-bot rules

Cloudflare Free gives you 5 Custom WAF Rules + built-in features. I use them like this:

Rule 1: Bot Fight Mode + Browser Integrity Check (built-in, free)

Does not use your 5 custom-rule quota. It is a toggle.

Cloudflare dashboard → Security → Bots → enable Bot Fight Mode.

Same dashboard → Security → Settings → enable Browser Integrity Check + Challenge Passage = 30 minutes.

What it does: Bot Fight Mode blocks known bots (list maintained by Cloudflare with thousands of patterns). Browser Integrity Check fires an invisible challenge to verify visitors are real browsers.

Typical block rate: 30-40% of obvious malicious bot traffic.

Rule 2: Block typical sensitive endpoints

WordPress + Laravel + Git expose paths that should NEVER be public. Bots hammer them.

Dashboard → Security → WAF → Custom rules → Create rule:

  • Rule name: Block sensitive paths
  • Field: URI Path · Operator: contains · Value: /xmlrpc.php
  • Click Or and add more:
    • URI Path contains /wp-config.php
    • URI Path contains /.env
    • URI Path contains /.git/
    • URI Path contains /wp-config.php.bak
    • URI Path contains /.htaccess
    • URI Path contains /phpunit
  • Action: Block

Typical block rate: additional 10-15% (all vuln scanners hammer these paths).

Rule 3: Block known scraper user-agents

Legit user-agents from Googlebot, Bingbot, etc. follow well-known formats. Automated scrapers usually carry tags like python-requests/2.28, Scrapy/2.5, selenium, headless, puppeteer, etc.

Dashboard → WAF → Custom rules → Create rule:

  • Rule name: Block scraper user-agents
  • Field: User Agent · Operator: contains · Value: scrapy
  • Or: User Agent contains selenium
  • Or: User Agent contains headlesschrome
  • Or: User Agent contains puppeteer
  • Or: User Agent contains phantomjs
  • Or: User Agent contains python-requests
  • Or: User Agent contains httpclient
  • Or: User Agent contains bot AND User Agent does not contain googlebot AND User Agent does not contain bingbot AND User Agent does not contain duckduckbot
  • Action: Block

⚠️ Important: the last clause with User Agent contains bot is aggressive. Exclude legit bots (Google, Bing, DuckDuckGo). If you have other bots you DO want to allow (e.g., Slackbot, Twitterbot, Facebookbot for previews), add them to the exception list.

Typical block rate: additional 15-25% (cumulative 55-80%).

Rule 4: Block /wp-json/wp/v2/users (anti-enumeration)

WordPress by default exposes /wp-json/wp/v2/users which returns the list of usernames. It is the first phase of any brute-force attack.

Dashboard → WAF → Custom rules → Create rule:

  • Rule name: Block /wp-json/users enumeration
  • Field: URI Path · Operator: contains · Value: /wp-json/wp/v2/users
  • Action: Block

If you need a tool of yours to consume /wp-json/wp/v2/users with auth → allow by IP:

  • Add another clause: AND IP Source Address is not in [your_IP]

Why Block and not Challenge: no human visitor hits that endpoint. If it shows up, it is a bot or scanner. Block outright.
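Rules 2, 3 and 4 above, written out as an added example (not code from the original post): each function mirrors the Cloudflare expression the dashboard builder produces (real field names http.request.uri.path, http.user_agent and ip.src), so you can dry-run a handful of requests and confirm that the AND exceptions in Rule 3 only soften the generic "bot" clause and that the trusted-IP carve-out in Rule 4 behaves as intended. The sample requests and the 203.0.113.10 "trusted" address are constructed placeholders.

```python
SENSITIVE_PATHS = ("/xmlrpc.php", "/wp-config.php", "/.env", "/.git/",
                   "/wp-config.php.bak", "/.htaccess", "/phpunit")
SCRAPER_TAGS = ("scrapy", "selenium", "headlesschrome", "puppeteer",
                "phantomjs", "python-requests", "httpclient")
ALLOWED_BOTS = ("googlebot", "bingbot", "duckduckbot")
TRUSTED_IPS = {"203.0.113.10"}  # constructed stand-in for [your_IP] in Rule 4

def rule2_sensitive_path(path):
    # Cloudflare expression: (http.request.uri.path contains "/xmlrpc.php") or
    #   (http.request.uri.path contains "/wp-config.php") or ... one clause per path
    return any(p in path for p in SENSITIVE_PATHS)

def rule3_scraper_user_agent(user_agent):
    # Cloudflare expression, using lower() because the builder's "contains" is
    # case-sensitive (a UA carrying "HeadlessChrome" would otherwise slip past):
    #   (lower(http.user_agent) contains "scrapy") or ... or
    #   (lower(http.user_agent) contains "bot" and
    #    not lower(http.user_agent) contains "googlebot" and
    #    not lower(http.user_agent) contains "bingbot" and
    #    not lower(http.user_agent) contains "duckduckbot")
    # "and" binds tighter than "or": the three exceptions only apply to the
    # generic "bot" clause and never rescue a UA that matched an earlier tag.
    ua = user_agent.lower()
    if any(tag in ua for tag in SCRAPER_TAGS):
        return True
    return "bot" in ua and not any(good in ua for good in ALLOWED_BOTS)

def rule4_user_enumeration(path, src_ip):
    # Cloudflare expression:
    #   (http.request.uri.path contains "/wp-json/wp/v2/users" and
    #    not ip.src in {203.0.113.10})
    return "/wp-json/wp/v2/users" in path and src_ip not in TRUSTED_IPS

def decide(path, user_agent, src_ip):
    """Return the first rule that blocks the request, or 'allow'."""
    if rule2_sensitive_path(path):
        return "block:sensitive-paths"
    if rule3_scraper_user_agent(user_agent):
        return "block:scraper-ua"
    if rule4_user_enumeration(path, src_ip):
        return "block:user-enumeration"
    return "allow"

if __name__ == "__main__":
    # Constructed sample requests, one per behaviour worth checking.
    for path, ua, ip in [
        ("/xmlrpc.php", "Mozilla/5.0 Chrome/120.0", "198.51.100.7"),
        ("/blog/", "python-requests/2.28", "198.51.100.7"),
        ("/blog/", "Mozilla/5.0 (compatible; Googlebot/2.1)", "198.51.100.7"),
        ("/blog/", "Mozilla/5.0 (compatible; ExampleBot/1.0)", "198.51.100.7"),
        ("/wp-json/wp/v2/users", "Mozilla/5.0 Chrome/120.0", "203.0.113.10"),
        ("/wp-json/wp/v2/users", "Mozilla/5.0 Chrome/120.0", "198.51.100.7"),
    ]:
        print(f"{decide(path, ua, ip):24} {ip:14} {path}  {ua}")
```

The lower() form has to be entered via the rule's Edit expression link rather than the point-and-click builder, which is available on the free plan.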

Rule 5: Block countries with no real audience

If your business is Spain + LATAM, traffic from Russia, China, Vietnam, Bangladesh, etc. is 99% bot.

Dashboard → WAF → Custom rules → Create rule:

  • Rule name: Block countries with no audience
  • Field: Country · Operator: is in · Value: list of countries based on your case
  • Action: Block (or Managed Challenge if you want to be more conservative)

Countries typically recommended to block if you do NOT operate there:

  • Russia (RU), Belarus (BY), China (CN), North Korea (KP)
  • Vietnam (VN), Bangladesh (BD), Pakistan (PK)
  • Nigeria (NG), Indonesia (ID)
  • Philippines (PH) — origin of mass click farms

⚠️ Do not block for the sake of blocking. First check Analytics to see which countries bring real traffic. If Indonesia sends you 10 sales/month, do NOT block it.

Typical block rate: additional 10-20%. Almost no false positives if you validate with Analytics first.

Bonus: configs that save you headaches

Auto Minify (HTML/CSS/JS)

Speed → Optimization → Auto Minify → enable HTML + CSS + JS.

Reduces 5-15% of asset weight without touching WordPress.

Brotli compression

Speed → Optimization → Brotli → ON.

Better compression than gzip. Each response goes out 20% smaller to users on modern browsers (all of them).

Caching: edge cache TTL

Caching → Configuration → Browser Cache TTL = Respect Existing Headers.

If WordPress sends correct Cache-Control headers, Cloudflare respects them. If not, set Edge Cache TTL manually to 4 hours for static assets.

Page Rules (3 free)

Rules → Page Rules. You get 3. One useful one:

  • URL: *yourdomain.com/wp-admin/*
  • Setting: Cache Level: Bypass + Security Level: High

Prevents caching the admin and tightens security only there (not on the public frontend).

Free plan limitations

So you know what you do not get:

What free does NOT give you | What to do if you want it
Super Bot Fight Mode (advanced Cloudflare bot intel) | Pro $20/mo
Managed WAF rules (OWASP + Cloudflare Managed) | Pro $20/mo
Page Rules > 3 | Pro $20/mo (20 rules)
Image Resizing / Polish | Pro $20/mo
WAF rules > 5 | Pro $20/mo
Detailed logs (Logpush) | Enterprise
Traffic filtering rules | Pro $20/mo
Advanced analytics | Pro $20/mo

If your site earns serious money → $20/mo for Pro is a bargain. For pre-launch / personal projects, free is more than enough.

When Cloudflare is not enough

Even with the 5 rules + bonus, 2 scenarios need more:

  1. Targeted attacks against your business: competitor running bot spam, fake reservations on restaurants, etc. → you need behavior-based WAF (Pro/Business) or a dedicated solution
  2. Sites with very exposed /wp-admin/: even with Cloudflare filtering, some bot traffic passes the challenge. Here you need PHP-level protection with serious plugins or the security module of SeoNova WPO Toolkit that acts as a bouncer before WordPress loads

Wrap

Free Cloudflare is not “a mediocre solution”. It is the most cost-effective defense line you can have on the internet today. 15 minutes of setup + 5 WAF rules + 3 built-in toggles = 60-80% of malicious bot traffic blocked, better SEO (more crawl budget for Google and Bing), less load on your hosting, free SSL, global CDN.

If you run a WordPress site and you are not using Cloudflare, this is the most obvious improvement you can make this weekend.


If your hosting is still saturated after adding Cloudflare (because the most sophisticated bots pass the challenge), the security module of SeoNova WPO Toolkit acts as the second layer: it blocks bots at PHP level before WordPress loads anything. Cloudflare + WPO Toolkit = 95%+ of bot traffic gone.

Questions? [email protected]. If your question is good, it ends up in the blog (without your name).

— The SeoNova team
