Tech

Enable Cloudflare WAF to Protect Your WordPress Site

Enable Cloudflare WAF to Protect Your WordPress Site

Cloudflare WAF intercepting malicious requests before they reach a WordPress site

WordPress just shipped fixes for two serious vulnerabilities, and if your site runs on the platform you should assume exploit traffic is already on the way. The good news for anyone whose domain sits behind Cloudflare: you can deploy blocking rules at the edge in a few minutes, buying time to update while cutting off the most common attack patterns. Cloudflare published the details and the rules in its WordPress vulnerability advisory, and this guide walks through exactly what to turn on and why it is a stopgap rather than a cure.

What Cloudflare is actually blocking

The two flaws are an unauthenticated remote code execution (RCE) bug in WordPress’s REST API and a related SQL injection weakness. Cloudflare identifies them by their CVEs:

  • CVE-2026-60137 — the SQL injection vector, present from WordPress 6.8 onward.
  • CVE-2026-63030 — the unauthenticated RCE path, which only appears in 6.9 and later.

The WordPress security team coordinated the disclosure with Cloudflare before public release, so edge protections were live ahead of the announcement. Patches landed in WordPress 7.0.2, with backports to 6.9.5, 6.8.6, and 7.1 Beta 2. Because the SQLi exists on 6.8 but the RCE does not, version 6.8.6 closes only the injection, while 6.9.5, 7.0.2, and 7.1 Beta 2 receive fixes for both.

Cloudflare deployed two managed rules, each defaulting to Block:

  1. WordPress - SQL Injection - CVE:CVE-2026-60137
  2. WordPress - Remote Code Execution - CVE:CVE-2026-63030

The SQLi rule inspects parameter values before they ever reach WordPress; the RCE rule watches for requests probing the remote-code-execution path. Together they catch the attack at two different points in the request chain.

Turn the protection on

You do not need to write a single rule by hand — the detections ship inside Cloudflare’s Managed Ruleset. What you need to do is make sure they are enabled and actually set to Block.

  1. Log in to the Cloudflare dashboard and select the zone for your WordPress site.
  2. Open Security → WAF from the left navigation.
  3. Go to the Managed rules tab. Confirm that Cloudflare Managed Rules is toggled on. On Pro, Business, and Enterprise plans this is the ruleset that carries the two WordPress rules.
  4. Find the two new WordPress rules by searching the ruleset for CVE-2026-60137 and CVE-2026-63030. Verify their action is Block, not Log or a custom override.
  5. Check the ruleset-level settings for any global override that flips every rule from Block to Log. A common misconfiguration during testing is leaving “Log everything” switched on, which would let exploit traffic through while only recording it. Set the two WordPress rules back to the recommended Block action.
  6. Open Security → Events and filter for the two rule IDs. Any matches after enabling means the WAF is doing its job; investigate those requests and then finish your update.

Cloudflare’s own Managed Rules documentation covers where these controls live if your dashboard layout differs by plan.

Why this is a bridge, not a fix

The single most important point: WAF rules reduce your exposure, they do not repair the vulnerable code. The SQL injection and RCE rules are designed to catch known exploit signatures, and Cloudflare says it will keep tuning detections as new attack variations appear. But a determined or novel request can still slip past a signature filter. Updating WordPress — core, themes, and plugins — remains the only complete defense, and it is the step most site owners neglect.

So treat the WAF as the alarm system you switch on while you walk to the fuse box. Enable the rules, confirm they are blocking, then immediately run the update to 7.0.2 (or apply the appropriate backport for your branch). Once you are on a fixed version, leave the rules in place; they cost nothing and will blunt the next wave of automated scanning that always follows a high-profile disclosure.

Confirm you are covered

After enabling, send a benign request to your site and confirm it still loads — the rules are narrow and should not affect normal traffic. Then watch Security Events for the first hits; a spike immediately after a disclosure is expected and is exactly what the block action is meant to absorb. If you run multiple WordPress zones, repeat the toggle on each one rather than assuming a single setting propagates.

The practical takeaway is simple: if your WordPress site is behind Cloudflare, the protection is already deployed at the edge and only needs to be switched on and verified. Do that today, then patch. The combination — edge blocking now, core update immediately after — is the difference between being one of the sites that weathered the disclosure and one of the ones that did not.

We may earn commission from affiliate links at no extra cost to you. Last updated: Jul 19, 2026.
Jinultimate

Editor of ZBrandCo and the person accountable for what we publish — setting our sourcing standards, fact-checking claims against primary sources, and issuing corrections promptly across AI, open source, and gaming. Reach the desk at editorial@zbrandco.com.