25 May 2022

Cloudflare Isn’t Adding New Firewall Rules to Protect Against Vulnerabilities in WordPress Plugins

It isn’t hard to find people citing the Cloudflare service as a good security solution for WordPress websites. What is lacking is any of those people citing evidence that Cloudflare provides effective protection for WordPress websites. If it were an effective solution, you would expect Cloudflare to be the ones disclosing zero-day vulnerabilities (vulnerabilities being exploited before the developer is aware of them) in WordPress plugins, as there are plenty of those to be caught. Last week, for example, we disclosed serious unfixed vulnerabilities we found in two plugins based on seeing what looked to be hackers probing for them. We are not aware of Cloudflare disclosing any such vulnerabilities in recent years.

In March, Cloudflare announced they were “providing a Cloudflare WAF (Web Application Firewall) Managed Ruleset to all Cloudflare plans, free of charge”. In their announcement, they singled out WordPress as one of the things that ruleset covers:

Rules matching very common WordPress exploits

In that announcement, they also mentioned that they publicly disclose what rules they are adding:

Updates to the ruleset will be published on our change log, like that customers can keep up to date with any new rules.

Looking at what they are adding, we found that as of the writing of this post, nearly 5 months into 2022, they had yet to add a single rule for a WordPress plugin this year. That isn’t for lack of rules to add. Take just two examples. In April we warned of a serious vulnerability in the 5+ million install WordPress plugin Elementor, after seeing what looked to be a hacker probing for the plugin. Last Wednesday Wordfence disclosed how to exploit a serious vulnerability in a WordPress plugin for which there is no fix for the 90,000+ websites that got the plugin through WordPress’ plugin directory, and we saw hackers probing for the plugin the day it was disclosed.

If you are looking for additional security for a WordPress website, our service combines warnings about known vulnerable WordPress plugins with a WordPress plugin firewall that provides protection Cloudflare can’t, since it ties directly into WordPress.
