A few days back on March 15th, 2022 Cloudflare announced that it will be bringing some Web Application Firewall (WAF) functionality to its free tier. Traditionally, free Cloudflare users have only been able to access 5 manual firewall rules that need to be configured individually. Even though you can get creative with OR and AND statements, it’s still a huge limitation. So for Cloudflare to provide a WAF layer (even if it’s limited) at no cost is a big deal for small businesses that don’t have the expertise to deploy their own firewalls.
Cloudflare’s Free WAF Tier Will Cover High Profile Vulnerabilities
It’s been just a few months since the infamous Log4j vulnerability hit servers around the world. The exploit targeted a popular server admin utility that allowed for remote code execution. I don’t have any evidence that it’s related, but in the past few months, I’ve seen a massive uptick in compromised servers, hosting content that’s clearly spam. I suspect that a fair number of these servers were hacked in the Log4j attacks.
Like Log4j, there have been some other popular malware attacks that caused tremendous damage to a wide array of systems. Shellshock in 2014, and Heartbleed around the same time are good examples. These are vulnerabilities that rise above the normal malware attacks, and their widespread destruction makes them a fitting target for Cloudflare’s new WAF.
In its blog post about the free WAF tier, Cloudflare confirmed that this was the intention. The tool will target these high-profile vulnerabilities, precisely because so many systems are affected. The broader OWASP ruleset will still be available only for paying customers.
Small Websites Need Threat Mitigation Too
The problem is that there’s an asymmetry between the amount of effort required to deflect an attack, vs the ease of launching one. A single operation can target hundreds of thousands of servers from a centralized command point, whereas every one of those target computers needs to defend itself individually. This means that small and medium-sized websites that just want to get on with their business have to spend time and money on security when they have neither the expertise nor the resources to do so.
And all it requires is for one attack to succeed. There are solutions like Sucuri’s firewall, of course, but these end up costing more than the entire price many businesses pay for an entire year’s worth of web hosting!
So Cloudflare’s free tier plan is a huge step in eliminating at least the most threatening attacks. All of these attacks are technically sophisticated, and defending against them is even more so. A big provider like Cloudflare that already routes a large percentage of the Internet’s traffic through its servers, is in a great position to mitigate these attacks on a large scale.
The Free WAF Will Roll Out in a Month or So
Cloudflare has indicated that free users of its platform will soon have access to the WAF rulesets. The interface on the Cloudflare website has already changed to reflect this:
While this provides a good amount of protection, is it enough?
The OWASP WAF Rules are Still for Paid Users
I’ve mentioned earlier that for those who are worried about security, the Cloudflare Pro plan is a good investment to help you sleep at night. By itself, the WAF blocks thousands of attacks a day on my relatively small website. Without the WAF, each of those attacks would need to be handled by my server.
The OWASP ruleset for paid users is a significant WAF upgrade that’s constantly evolving. I just “set it and forget it”. And the paid plan comes with a bunch of other benefits including caching, page speed improvements, bot detection, and more.
But for those who just want to keep the free tier, it’s good to know that Cloudflare has your back when a major vulnerability hits the world stage!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!