WAF (Firewall)
A WAF (Web Application Firewall) is a guard that checks visitors before they reach your website and blocks the harmful ones. It stops common attacks and lets you set your own rules about who is allowed in.
Think of it as a doorkeeper for your site.
What the WAF protects against
- Common attacks that try to break into websites.
- Bad bots that scan for weaknesses.
- Unwanted visitors you choose to keep out (for example, traffic from a certain country, or one specific address that keeps causing trouble).
Create a firewall rule
- Go to Rules → Add Rule → WAF.
- Set the When (who the rule is about). You can match on things like:
  - A specific IP address (a single visitor’s internet address).
  - A country.
  - The address they’re visiting (for example /admin).
- Choose the action:
  - Block — refuse the visitor.
  - Challenge — make them prove they’re human first.
  - Allow — let them through (useful to make an exception).
- Save.
Common examples
Block a troublesome address:
- When: IP address 203.0.113.50
- Then: Block
Protect your admin area with a challenge:
- When: address is /admin
- Then: Challenge
Allow your office, challenge everyone else:
- Rule 1 — When: your office IP → Allow (put this on top)
- Rule 2 — When: /admin → Challenge
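Why the Allow rule has to sit on top, as an added sketch (not the product's own code): it assumes rules are checked top to bottom and the first match decides, that unmatched visitors are let through, and that /admin covers that address and everything beneath it. The office address 198.51.100.10 and the names `Rule` and `evaluate` are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                        # "allow", "challenge" or "block"
    ip: Optional[str] = None           # single address or CIDR range
    country: Optional[str] = None      # two-letter country code
    path: Optional[str] = None         # e.g. "/admin"

    def matches(self, req: dict) -> bool:
        # Every condition that is set must hold; unset conditions match anything.
        if self.ip and ipaddress.ip_address(req["ip"]) not in ipaddress.ip_network(self.ip):
            return False
        if self.country and req.get("country") != self.country:
            return False
        if self.path:
            base = self.path.rstrip("/")
            # Assumed: "/admin" covers "/admin" and "/admin/...", not "/administrator".
            if req["path"] != base and not req["path"].startswith(base + "/"):
                return False
        return True

def evaluate(rules, req, default="allow"):
    """Return (action, rule name) for the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return default, None

# Constructed sample values: 198.51.100.10 stands in for the office address.
allow_office = Rule("allow-office", "allow", ip="198.51.100.10")
block_address = Rule("block-address", "block", ip="203.0.113.50")
challenge_admin = Rule("challenge-admin", "challenge", path="/admin")

good_order = [allow_office, block_address, challenge_admin]
bad_order = [challenge_admin, allow_office]   # exception placed too low

office = {"ip": "198.51.100.10", "country": "US", "path": "/admin/users"}
stranger = {"ip": "192.0.2.7", "country": "US", "path": "/admin"}

if __name__ == "__main__":
    for label, rules in (("good", good_order), ("bad", bad_order)):
        print(label, "office   ->", evaluate(rules, office))
        print(label, "stranger ->", evaluate(rules, stranger))
```

With the exception placed below the /admin rule, the office is challenged like everyone else, which is the same ordering mistake behind most accidental self-lockouts.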
Block vs. Challenge
- Block stops the visitor completely. Use it when you’re sure they’re bad.
- Challenge gives the visitor a quick test (to prove they’re a real person). Use it when you want to keep out bots but not risk blocking real people.
Common questions
I accidentally blocked myself.
Add an Allow rule for your own IP address and place it at the top, or remove the rule that blocked you.
Real visitors are being challenged too much.
Make your rule more specific (for example, only challenge /admin instead of the whole site), or switch some rules from Challenge to Allow for trusted visitors.
Should I use the WAF or rate limiting?
Use both. The WAF blocks who you don’t want; rate limiting controls how often anyone can knock.