
WAF Guide, Cloudflare Setup & Rate Limits | Website Security Part 2

Step-by-step WAF guide, top free WAFs, Cloudflare setup, and practical rate limit and firewall rules to protect your site, reduce bots, and stop automated abuse.


Intro
A WAF (Web Application Firewall) is one of the fastest ways to cut automated attacks, block common exploit attempts, and reduce noise from scanners and bots. This Part 2 guide walks through the top free WAF choices, how to set up Cloudflare WAF and rate limits, practical firewall rules to deploy, and the testing and monitoring steps that keep a WAF from locking out your own users.


Quick summary, what you will get from this guide

  • Top 5 free or open-source WAFs you can deploy today, pros and cons

  • Step-by-step Cloudflare setup, including managed rules and rate limits, with recommended settings

  • Example firewall rules to block scanners, protect login and contact endpoints, and stop .git leaks

  • How to test and monitor WAF behavior, plus next steps for automation and logging


Top 5 free, practical WAFs to consider, quick picks and why

  1. Cloudflare, free CDN + managed WAF rules for the zone | Easy to turn on, global edge, rate limiting and custom rules in the dashboard, blocks at the edge before traffic reaches your origin. The Free plan includes a reduced managed ruleset, a handful of custom rules and a single rate limiting rule; the OWASP Core Ruleset and larger rule quotas need a paid plan.

  2. ModSecurity, open-source WAF engine, pair with OWASP CRS | Classic and flexible, runs in Apache as a module and in Nginx via the libmodsecurity connector, uses the OWASP Core Rule Set (CRS) for attack coverage.

  3. NAXSI, Nginx module, lightweight rule-based WAF | High performance, score-based XSS and SQLi protection for Nginx, good for low-level filtering.

  4. Wordfence Free, WordPress endpoint firewall and scanner | Installable plugin, free firewall and malware scanner for WordPress sites, good for WordPress owners who need quick protection.

  5. Coraza or Shadow Daemon, modern open-source alternatives | Coraza is a ModSecurity-compatible engine written in Go that runs the same OWASP CRS; Shadow Daemon intercepts requests through application connectors and analyses them in a separate service. Both suit self-hosted setups and custom deployments.


When to use which option, short guidance

  • Use Cloudflare if you want global edge protection, a simple DNS switch, and managed rules without touching your servers.

  • Use ModSecurity + OWASP CRS if you control your server stack and want deep, local request inspection, including request bodies.

  • Use NAXSI when you run Nginx and prefer lightweight, pattern-based protection.

  • Use Wordfence if your site is WordPress and you need quick plugin-based protection.


Cloudflare setup, detailed step-by-step, from signup to WAF rules

Step 1, add your site to Cloudflare and change nameservers

  1. Sign up or log in to Cloudflare, add a new site, follow the zone scan, get the Cloudflare nameservers.

  2. Update your domain registrar to point to Cloudflare nameservers, wait for propagation.

Step 2, TLS and basic security settings

  1. In the Cloudflare dashboard, go to SSL/TLS and set the encryption mode to Full (strict), so the Cloudflare-to-origin leg is encrypted and the origin certificate is validated. Use Full only as a temporary step while you install a valid origin certificate, and avoid Flexible, which leaves the origin leg in plaintext. Enable HSTS only after testing, because a bad HSTS header cannot be rolled back quickly.

  2. Enable HTTP/2 and HTTP/3 if available, and enable the Always Use HTTPS redirect.

Step 3, enable Managed WAF rules, quick deployment

  1. Go to Security, WAF, Managed rules, and deploy the Cloudflare Managed Ruleset for the zone, plus the OWASP Core Ruleset on plans that include it.

  2. If you want to observe first, start with Managed Challenge as the action (the Log action exists but is not available on every plan), then switch to Block for high-severity rules once you have reviewed the events. The OWASP ruleset is score-based, so lowering its paranoia level or raising its score threshold is the usual fix for false positives.

Step 4, create custom Firewall rules for your app

  1. Go to Security, WAF, Custom rules, and create rules that block known bad patterns: .git probes, common scanner signatures, and other requests your application never legitimately receives.

  2. Example rule ideas, paste into the Cloudflare expression builder:

    • Block .git probes: http.request.uri.path contains "/.git" (the leading slash targets the repository directory rather than any path that happens to contain ".git")

    • Challenge suspicious user agents: http.user_agent contains "curl" or http.user_agent eq "". This also catches your own curl tests and any monitoring that uses curl, so pair it with a Skip rule for your own IPs and prefer a challenge over a block here.

    • Protect admin login: http.request.uri.path contains "/wp-login.php" and http.request.method eq "POST", then apply a challenge or a rate limit.

Step 5, set up Rate Limiting, protect POSTs and slow endpoints

  1. Go to Security, WAF, Rate limiting rules, click Create rule, and follow the dashboard prompts. The available counting periods, mitigation timeouts and number of rules depend on plan (the Free plan allows a single rule with a short, fixed counting period), so adapt the numbers below to the periods your plan offers.

  2. Recommended initial rate limits, tune for your typical traffic:

    • Login endpoints, 5 POSTs per minute per IP, challenge or block when exceeded.

    • Contact forms, 10 POSTs per 60 seconds per IP, block or challenge.

    • API endpoints, stricter limits such as 30 requests per minute per IP, with the mitigation timeout set longer than the counting period so a client that trips the rule stays limited instead of retrying the moment the window resets.

  3. Use the Log action where your plan offers it to observe before enforcing; otherwise start with Managed Challenge.

Step 6, monitor and iterate

  1. Watch the Security Events view (formerly Firewall Events) and Analytics, check for false positive hits, and add exceptions for trusted IPs.

  2. If legitimate traffic is blocked, add a Skip rule placed above the blocking rule, or refine the expression, for example with and not ip.src in {192.0.2.10 198.51.100.7} (set members are separated by spaces, not commas) or and not cf.client.bot to exempt verified bots.


Example Cloudflare firewall rule snippets, priority and logic

  • Block .git probes:
    Name, Block .git probes, Expression, http.request.uri.path contains "/.git", Action, Block

  • Protect contact form:
    Name, Contact spam block, Expression, (http.request.uri.path eq "/contact/send" and http.request.method eq "POST") and not ip.src in $trusted_servers, Action, Block if abused, or express the same condition as a rate limiting rule if you only want to throttle. Create $trusted_servers as an IP list in your account configuration so you can change its members without editing the rule.

  • Challenge empty UA or known scanner UA:
    Name, Empty UA challenge, Expression, http.user_agent eq "", Action, Managed Challenge, or JS Challenge or Block if you are sure no legitimate client of yours sends an empty User-Agent

Caveat: the Cloudflare expression language evolves, so test expressions in the dashboard expression builder, which validates syntax as you type.


How to configure Cloudflare rate limits, practical example

  1. In the dashboard, go to Security, WAF, Rate limiting rules, Create rule.

  2. Rule name, e.g., Login Rate Limit. Expression, http.request.uri.path contains "/wp-login.php" and http.request.method eq "POST".

  3. Threshold, 5 requests per 60 seconds. Action, Block with a mitigation timeout of 10 minutes, or Managed Challenge. If your plan allows a custom block response, return status 429 so clients see a visible throttle rather than a generic 403.

  4. Set the counting characteristic to IP address. Counts are kept per Cloudflare data center, so a client spread across locations can get slightly more than the nominal threshold. Exempt known monitoring IPs with an and not ip.src in {...} clause in the expression.
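To make threshold, period and mitigation timeout concrete, here is an added Python simulation of the login rule from Step 5 and the example above. It is example code written for this guide, not Cloudflare code, and it models the rule with a per-IP sliding window; Cloudflare's own counting is approximate and per data center, but the interaction of the three settings is the same. The request stream is constructed.

```python
"""Added example: simulate a per-IP rate limiting rule such as the login rule
above (5 POSTs to /wp-login.php per 60 s, then block that IP for 600 s).
Not Cloudflare code; a simplified model using a sliding window per IP."""
from collections import defaultdict, deque


class IpRateLimiter:
    """Counts matching requests per IP; once more than `threshold` arrive
    within `period` seconds the IP is blocked for `mitigation_timeout` seconds."""

    def __init__(self, threshold=5, period=60, mitigation_timeout=600):
        self.threshold = threshold
        self.period = period
        self.mitigation_timeout = mitigation_timeout
        self._hits = defaultdict(deque)   # ip -> timestamps inside the window
        self._blocked_until = {}          # ip -> time the mitigation expires

    def check(self, ip, ts):
        """Return 'block' or 'allow' for one matching request at time ts (seconds)."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "block"           # mitigation still active, nothing is counted
            del self._blocked_until[ip]  # timeout elapsed, start a fresh window
            self._hits[ip].clear()
        window = self._hits[ip]
        while window and window[0] <= ts - self.period:
            window.popleft()             # drop hits older than the period
        window.append(ts)
        if len(window) > self.threshold:
            self._blocked_until[ip] = ts + self.mitigation_timeout
            return "block"
        return "allow"


def matches_login_rule(method, path):
    """The rule expression from the text:
    http.request.uri.path contains "/wp-login.php" and http.request.method eq "POST"."""
    return method == "POST" and "/wp-login.php" in path


def simulate(requests, limiter=None):
    """Apply the rule to a stream of (ts, ip, method, path) tuples and return one
    decision per request; requests outside the rule are never counted."""
    limiter = limiter or IpRateLimiter()
    return [
        limiter.check(ip, ts) if matches_login_rule(method, path) else "allow"
        for ts, ip, method, path in requests
    ]


# Constructed request stream (not real traffic): one IP hammering the login
# form, one legitimate single login, and a GET that the rule must ignore.
SAMPLE_REQUESTS = [
    (0, "10.0.0.5", "POST", "/wp-login.php"),
    (1, "10.0.0.5", "POST", "/wp-login.php"),
    (2, "10.0.0.5", "POST", "/wp-login.php"),
    (3, "198.51.100.7", "POST", "/wp-login.php"),  # unrelated user, counted separately
    (3, "10.0.0.5", "POST", "/wp-login.php"),
    (4, "10.0.0.5", "POST", "/wp-login.php"),      # 5th POST, still allowed
    (5, "10.0.0.5", "GET", "/wp-login.php"),       # GET is outside the rule
    (5, "10.0.0.5", "POST", "/wp-login.php"),      # 6th POST in 60 s: blocked
    (120, "10.0.0.5", "POST", "/wp-login.php"),    # window is empty but timeout holds
    (700, "10.0.0.5", "POST", "/wp-login.php"),    # timeout over, counting restarts
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(f"t={req[0]:>4} {req[1]:<14} {req[2]:<4} {req[3]:<14} -> {decision}")
```

The request at t=120 is the one to look at: by then every earlier hit has aged out of the 60-second window, so a limiter without a mitigation timeout would let it through. The timeout is what turns "5 per minute" into a real cost for an attacker, which is why the text recommends setting it longer than the counting period.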


Quick setup for ModSecurity + OWASP CRS, Nginx or Apache, headlines only

  • Install ModSecurity (libmodsecurity v3) for your platform, enable the module for Apache or the connector module for Nginx.

  • Install the OWASP Core Rule Set from the official repository, include it after the engine configuration, start at paranoia level 1 and with the engine in DetectionOnly mode, and only raise the level after tuning.

  • Add logging and audit collection, and use fail2ban (it ships a ModSecurity filter) to ban IPs that repeatedly trigger severe rules at the host level.
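As an added example for the ModSecurity steps above (written for this guide, not taken from the ModSecurity or CRS projects), here is a minimal Nginx-side configuration that loads the connector, runs CRS in detection mode and carries one site-specific exclusion. The paths under /etc/nginx/modsec/ and the CRS checkout location are assumptions; the engine directives shown are the subset that matters for a safe rollout, so start from the modsecurity.conf-recommended file shipped with ModSecurity and overlay these.

```nginx
# Added example, not project code. Assumed layout: connector module installed,
# CRS checked out at /etc/nginx/modsec/crs/, site config in /etc/nginx/modsec/.

# --- nginx.conf, top level: load the libmodsecurity v3 connector ---
load_module modules/ngx_http_modsecurity_module.so;

# --- inside the server {} block that fronts the application ---
#   modsecurity on;
#   modsecurity_rules_file /etc/nginx/modsec/main.conf;

# --- /etc/nginx/modsec/main.conf: engine settings, then exclusions, then CRS ---
# Rollout phase 1: DetectionOnly logs what would have been blocked without
# blocking anything. Change to On once the audit log is quiet.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/nginx/modsec_audit.log

# CRS 4 paranoia level: 1 is the least noisy; raise it only after tuning.
# (CRS 3 uses tx.paranoia_level for the same setting.)
SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=1"

Include /etc/nginx/modsec/crs/crs-setup.conf

# Site-specific exclusion, which must be loaded before the CRS rules: the
# contact form's free-text field trips the libinjection SQLi check (CRS rule
# 942100) on harmless messages, so stop that rule inspecting that one argument
# instead of switching the rule off for the whole site.
SecRule REQUEST_URI "@beginsWith /contact/send" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:message"

Include /etc/nginx/modsec/crs/rules/*.conf
```

Run nginx -t after every change, then tail the audit log while you submit your own forms; each false positive should become a targeted ruleRemoveTargetById exclusion like the one above rather than a SecRuleRemoveById that disables the rule for every request.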


Quick setup for NAXSI on Nginx, key steps

  • Install the NAXSI package or compile it as an Nginx module, include the default core ruleset, and run in learning mode to build the whitelist of legitimate request patterns.

  • Move from learning to blocking after tuning, monitor logs, add exemptions for legitimate payloads.


Quick setup for Wordfence on WordPress

  • Install the Wordfence plugin from the WordPress repository, enable the firewall, run the built-in scan, tune the rules and enable the brute-force and rate limiting options.


Testing, monitoring, and avoiding false positives

  • Test rules in a staging zone, use the Log action where your plan offers it, and review the security event logs daily while rules are new.

  • Use synthetic tests, for example curl or openssl, to send known-bad and known-good requests, confirm the bad ones return 403 (block) or 429 (rate limit) and the good ones do not, and check the event logs for the corresponding entries.

  • Add IP allow entries for trusted services, monitoring, and your CI/CD IPs to prevent lockouts.


Example incident response, quick playbook

  1. If you see a flood of POSTs to /contact/send, enable a temporary rate limit, block the top offending IPs on that endpoint, and if the flood is broad, switch the zone to Under Attack mode for its duration, which challenges every visitor.

  2. If scanners are probing .git or .env, add blocking firewall rules for those paths, and set a Fail2Ban rule to ban repeat offenders at the host level.

  3. Restore access for legitimate users by allow-listing verified IPs, then refine the rules.
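The playbook above starts with "find the top offending IPs", which in practice means reading the security event export. Here is an added Python example, written for this guide rather than taken from Cloudflare, that does that triage over constructed event lines. The field names mirror the ones in Cloudflare's firewall events Logpush dataset (ClientIP, ClientRequestPath, ClientRequestMethod, Action) as an assumption; the lines themselves are made up. It also renders the temporary block rule in the set syntax Cloudflare expects, with space-separated members.

```python
"""Added example: triage security event lines during the playbook above.
Written for this guide; field names follow Cloudflare's firewall events dataset
(an assumption), the sample lines are constructed."""
import json
from collections import Counter

# Constructed sample: a contact-form flood seen by an observe-mode rule, plus a
# scanner probing .git and .env that a block rule already caught.
SAMPLE_EVENTS = """\
{"Datetime":"2025-09-03T10:00:01Z","ClientIP":"203.0.113.10","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:02Z","ClientIP":"203.0.113.10","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:02Z","ClientIP":"198.51.100.7","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:03Z","ClientIP":"203.0.113.10","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:04Z","ClientIP":"192.0.2.44","ClientRequestMethod":"GET","ClientRequestPath":"/.git/config","Action":"block"}
{"Datetime":"2025-09-03T10:00:04Z","ClientIP":"192.0.2.44","ClientRequestMethod":"GET","ClientRequestPath":"/.env","Action":"block"}
{"Datetime":"2025-09-03T10:00:05Z","ClientIP":"203.0.113.10","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:06Z","ClientIP":"203.0.113.99","ClientRequestMethod":"GET","ClientRequestPath":"/wp-login.php","Action":"log"}
{"Datetime":"2025-09-03T10:00:07Z","ClientIP":"198.51.100.7","ClientRequestMethod":"POST","ClientRequestPath":"/contact/send","Action":"log"}
{"Datetime":"2025-09-03T10:00:08Z","ClientIP":"192.0.2.44","ClientRequestMethod":"GET","ClientRequestPath":"/.git/HEAD","Action":"block"}
"""

PROBE_PREFIXES = ("/.git", "/.env")


def parse_events(text):
    """One JSON object per line, the way log exports deliver them; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_ip(events, path, method):
    """Requests per client IP that hit `path` with `method`."""
    return Counter(
        e["ClientIP"] for e in events
        if e["ClientRequestPath"] == path and e["ClientRequestMethod"] == method
    )


def flood_ips(events, path, method, threshold):
    """IPs that sent at least `threshold` matching requests, busiest first."""
    counts = count_by_ip(events, path, method)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def probe_ips(events):
    """IPs that requested .git or .env paths, whatever action the rule took."""
    return sorted({
        e["ClientIP"] for e in events
        if e["ClientRequestPath"].startswith(PROBE_PREFIXES)
    })


def ip_set_expression(ips):
    """Render a Cloudflare set literal: members are separated by spaces, not commas."""
    return "ip.src in {" + " ".join(sorted(ips)) + "}"


def temporary_block_expression(ips, path, method):
    """Custom rule expression that blocks the offenders on the flooded endpoint
    only, so the same addresses can still reach the rest of the site."""
    return (f'(http.request.uri.path eq "{path}" and http.request.method eq "{method}") '
            f"and {ip_set_expression(ips)}")


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    offenders = flood_ips(events, "/contact/send", "POST", threshold=3)
    print("contact flood:", offenders)
    print("rule:", temporary_block_expression(offenders, "/contact/send", "POST"))
    print("scanner IPs for the host-level ban:", probe_ips(events))
```

Scoping the block to the flooded path keeps step 3 of the playbook small: a shared NAT address that appears in the offender list loses the contact form, not the whole site, while the rule is in place.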


Final notes, operate WAFs like any production tool

  • Start in detection mode, learn the noise patterns, tune rules slowly, add exceptions cautiously.

  • Automate alerts for repeated rule triggers, connect firewall logs to your SIEM or centralized logging.

  • Keep a short incident runbook to avoid accidental lockouts when you change rules.


Tags: WAF, Cloudflare, ModSecurity, NAXSI, Wordfence, web application firewall, rate limiting, firewall rules, website security, OWASP CRS, bot protection, security tutorial
Sep 03, 2025
By Hayder Ali