Skip to main content

How to Protect a Website with Cloudflare WAF

Introduction

This guide explains how to protect your website using Cloudflare Web Application Firewall (WAF).
Cloudflare sits in front of your website and filters all incoming traffic. By changing your DNS to go through Cloudflare, you get:

  • Protection against common web attacks (SQL injection, XSS, etc.)

  • Built-in DDoS protection

  • Free SSL certificates

  • Performance benefits from Cloudflare’s global CDN

The process takes a few steps, but once set up, all visitors to your website are automatically filtered through Cloudflare before reaching your server.

Step 1: Log in to Cloudflare

Go to https://dash.cloudflare.com and log in with your account.

image.png

Step 2: Add Your Website

  1. In the dashboard, click + Add at the top.

  2. Select Connect a domain.

image.png

Step 3: Enter Your Domain

Type your domain name (example: yourdomain.com) and click Continue.

image.png

Step 4:  Choose a Plan

Cloudflare will ask you to choose a plan.

  • If you just want the WAF and basic protection, select Free (Plan $0).

  • Then click Continueimage.png

Step 5: Review Your DNS Records

Cloudflare scans your existing DNS records.

  • Make sure your main records (A and CNAME for your domain and www) are there.

  • The orange cloud (Proxied) should be ON for the records you want protected by Cloudflare WAF.

  • NS (Nameserver) records should remain as DNS only (gray cloud).

image.png

Once ready, click Continue (you don’t need to tick the checkboxes).

Step 6: Change Your Nameservers

Cloudflare will give you two new nameservers.

image.png

image.png

  • Go to your domain registrar (the company where you bought your domain, like GoDaddy or Namecheap).

  • Replace the old nameservers with the Cloudflare ones.

  • Save changes.

Your registrar  Replace: ns1.oldprovider.com ns2.oldprovider.com With Cloudflare: ada.ns.cloudflare.com josh.ns.cloudflare.com
Step 7: Wait for Propagation

DNS changes take time. Usually, 15 minutes up to 24 hours.
When Cloudflare detects the change, your site will show as Active in the dashboard.

image.png

Step 8: Enable WAF Protection

  • In the dashboard, go to Security > Security Rules > WAF.

  • Turn on the Managed Ruleset.

  • Cloudflare will now filter malicious traffic before it reaches your site.

image.png

Back to top