Key Takeaways
How to Setup Cloudflare WAF Rules for WordPress

- Cloudflare deployed WAF rules on July 17, 2026 to protect against CVE-2026-60137 (SQL injection) and CVE-2026-63030 (unauthenticated RCE) in WordPress
- WordPress 6.8+ is vulnerable to SQL injection; WordPress 6.9+ is also vulnerable to remote code execution without authentication
- WAF protection is active for all Cloudflare customers including free plans, but patching to WordPress 7.0.2 or relevant backports remains essential
Cloudflare has pushed emergency Web Application Firewall rules to block two high-severity vulnerabilities in WordPress: an unauthenticated remote code execution flaw and a related SQL injection bug. The rules went live at 17:03 UTC on July 17, 2026, covering all Cloudflare customers, including free-tier users. WordPress disclosed the vulnerabilities to Cloudflare before public release, giving the CDN provider time to prepare defenses.
Disclosure
Some links in this post are affiliate links — Logicity earns a commission if you sign up, at no extra cost to you. We only link products we have used or actively recommend.
The coordinated disclosure matters because WordPress powers roughly 43% of all websites. An unauthenticated RCE vulnerability in that install base is a worst-case scenario. No login required. No user interaction. Just a crafted request to the REST API batch endpoint, and an attacker owns your server.
What are the two WordPress vulnerabilities?
CVE-2026-60137 is a SQL injection flaw present in WordPress 6.8 and later. Attackers can craft input that alters database queries. WordPress rates it high severity. CVE-2026-63030 is the more dangerous of the two: an unauthenticated remote code execution vulnerability affecting WordPress 6.9 and later. It exploits the batch endpoint of the REST API when a persistent object cache is not in use. WordPress rates it critical.
The RCE depends on the SQL injection, which is why version 6.8 only gets a fix for the SQLi. Versions 6.9.5, 7.0.2, and 7.1 Beta 2 patch both flaws. If you're running anything older than 6.8, you're not affected.
How does Cloudflare WAF protect against these flaws?
Cloudflare created two WAF rules. The first detects crafted parameter values targeting the SQL injection before they reach WordPress. The second targets requests attempting to hit the RCE path in the REST API. Together, they catch the attack at two different points in the request chain.
Both rules ship with a default action of Block. Pro, Business, and Enterprise customers should verify that Cloudflare Managed Rules are enabled. Free plan users get automatic protection through the Free Ruleset. The rule IDs for the Managed Ruleset are 1c060d3a371549219ee290d7ed933fcc (SQLi) and 7dfb2bd4708d4b88b9911dc0550664b6 (RCE).
One catch: if you've configured ruleset-level overrides that change all rules from Block to Log, the new rules will inherit that setting. Check your configuration. The WAF is only as good as its action settings.
Should you still patch WordPress?
Yes. Cloudflare is explicit: WAF protections reduce exposure, but they do not substitute for patching. The rules mitigate the attack vector; they do not fix the vulnerable code running on your server. WordPress is forcing automatic updates to affected sites, so most installations will patch themselves. But "most" is not "all." Confirm you're running 7.0.2, 6.9.5, 6.8.6, or 7.1 Beta 2.
If you cannot update immediately, verify both Cloudflare rules are active with Block as the action. Monitor Security Events for requests matching either rule. Any hits to the affected REST API endpoint warrant investigation.
Why unauthenticated RCE is the worst-case scenario
Remote code execution vulnerabilities exist on a spectrum. Some require admin credentials. Some need a logged-in user to click a malicious link. CVE-2026-63030 requires neither. An attacker sends a request; your server executes their code. That's it.
The attack surface narrows slightly because the flaw only triggers when a persistent object cache is not in use. Sites using Redis or Memcached for object caching may not be exploitable through this specific path. But most WordPress installations, especially smaller sites, run without persistent object caching. They're the majority of that 43% market share.
What DevOps teams should do right now
- Check your WordPress version. If you're on 6.8, 6.9, 7.0, or 7.1 Beta, you need the patch.
- Confirm auto-updates completed. WordPress is forcing updates, but cron misconfigurations or file permission issues can block them.
- Verify Cloudflare WAF rules are active. Log into your Cloudflare dashboard, navigate to Security > WAF, and confirm Managed Rules are enabled with Block action.
- Review Security Events. Look for requests matching the two new rule IDs. Any matches are attempted exploitation.
- Audit other WordPress sites. If you manage multiple properties, check each one individually.
For teams running WordPress at scale, consider managed WordPress hosting providers like Kinsta or WP Engine, which typically handle core updates and WAF configuration as part of the service. Self-managed installations on DigitalOcean or similar infrastructure require manual verification.
Logicity's Take
The coordinated disclosure between WordPress and Cloudflare worked exactly as it should. WAF rules deployed before public disclosure means attackers couldn't weaponize the CVEs against unpatched sites immediately. That said, this incident highlights a recurring tension: WordPress's plugin architecture creates attack surface that core security can't fully control. Engineering teams running critical infrastructure on WordPress should evaluate whether managed hosting (Kinsta at $35/month, WP Engine starting at $20/month) is cheaper than the incident response cost of a breach. For sites that must stay self-managed, layering Cloudflare's free WAF is now table stakes, not optional hardening.
Frequently Asked Questions
Does Cloudflare WAF protection work on free plans?
Yes. Cloudflare deployed the new WordPress vulnerability rules to all customers, including free plans, through the Free Ruleset. Protection is automatic as long as your traffic is proxied through Cloudflare.
Which WordPress versions are affected by CVE-2026-63030?
The unauthenticated RCE vulnerability affects WordPress 6.9 and later. WordPress 6.8 is only affected by the related SQL injection flaw (CVE-2026-60137). Versions earlier than 6.8 are not affected by either vulnerability.
Can I skip patching if Cloudflare WAF is protecting my site?
No. Cloudflare explicitly states that WAF protections reduce exposure but do not substitute for patching. The rules block known attack patterns, but they don't fix the vulnerable code on your server. Patch to WordPress 7.0.2 or the relevant backport for your version.
Does persistent object caching protect against the RCE vulnerability?
The RCE vulnerability exploits the REST API batch endpoint when a persistent object cache is not in use. Sites using Redis or Memcached for object caching may not be exploitable through this specific path, but patching is still required.
How do I verify the Cloudflare WAF rules are active?
Log into your Cloudflare dashboard, navigate to Security > WAF, and confirm Managed Rules are enabled. Check that the default action is Block, not Log. If you have ruleset-level overrides, verify the new rules inherited the correct action.
Coordinated vulnerability disclosure and patch timing affect enterprise security planning across platforms
Need Help Implementing This?
If your team needs assistance configuring Cloudflare WAF rules, auditing WordPress installations, or building a patch management workflow, reach out to our security consulting partners through Logicity's resource network.
Source: The Cloudflare Blog
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






