Web Application Firewall Basics for Irish SMEs

How Cloudflare's free WAF protects Irish SME websites from SQL injection, XSS, and bot attacks. Plain-English guide for Donegal and Sligo businesses.

When a Donegal craft e-commerce business noticed unusual orders appearing in their system — low-value purchases from overseas accounts using cards that later came back as disputed — they assumed it was payment fraud. The actual problem was discovered during a security review: attackers had been running automated SQL injection probes against their booking and checkout forms for three weeks, and had successfully extracted customer email addresses from the database. The breach required DPC notification, a forensic investigation, and customer notification letters. The cost was well over €15,000. The WAF that would have blocked the initial probes was available free on Cloudflare's platform.

A web application firewall is not an optional extra for businesses that accept payments, handle personal data, or run any customer-facing form. It is a baseline control — and in Ireland, it is one the Data Protection Commission and NCSC Ireland expect to see as part of reasonable technical measures under GDPR.[^1]

What a Web Application Firewall Does

A traditional network firewall controls which ports and IP addresses can communicate with your server. It stops network-level attacks but cannot inspect the content of legitimate web requests. A web application firewall works at a higher level — it reads the actual content of HTTP requests coming to your website and compares them against patterns associated with known attacks.

When someone submits a form on your site, a WAF checks whether the input looks like normal user data or whether it contains patterns like SQL code, script tags, or path traversal sequences that indicate an attack attempt. If the request matches a known attack pattern, the WAF blocks it before it ever reaches your application or database. If it looks legitimate, it passes through.
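To make the inspection step concrete, here is a deliberately simplified request inspector written for this guide (it is not Cloudflare's code and the three rules are illustrative, not the managed ruleset). It decodes the user-controlled parts of a request and returns the first rule that matches, or allows the request through. The request shape and the sample requests are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_plus

# Illustrative rules only: (rule id, description, pattern). A real managed
# ruleset contains thousands of far more carefully tuned signatures.
RULES = [
    ("sqli-001", "SQL injection: quote followed by boolean logic or comment",
     re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|--\s*$|;\s*drop\s+table", re.I)),
    ("xss-001", "Cross-site scripting: script tag or inline event handler",
     re.compile(r"<\s*script\b|\bon\w+\s*=", re.I)),
    ("lfi-001", "Path traversal: repeated parent-directory sequences",
     re.compile(r"(\.\./|\.\.\\){2,}")),
]

def normalise(value: str) -> str:
    """URL-decode twice so a double-encoded payload is compared in plain form."""
    return unquote_plus(unquote_plus(value))

def inspect(request: Dict) -> Tuple[str, Optional[str]]:
    """Return ('block', rule_id) on the first matching rule, else ('allow', None).

    request is a constructed shape: {'path': str, 'query': {k: v}, 'body': {k: v}}.
    """
    fields = [request.get("path", "")]
    fields += list(request.get("query", {}).values())
    fields += list(request.get("body", {}).values())
    for raw in fields:
        value = normalise(raw)
        for rule_id, _description, pattern in RULES:
            if pattern.search(value):
                return "block", rule_id
    return "allow", None

if __name__ == "__main__":
    # Constructed samples: one normal booking, then three textbook probes.
    samples = [
        {"path": "/book", "body": {"name": "Aoife", "notes": "Room with sea view"}},
        {"path": "/login", "body": {"user": "admin' OR '1'='1", "pass": "x"}},
        {"path": "/comment", "body": {"text": "<script>alert(1)</script>"}},
        {"path": "/files", "query": {"f": "..%2F..%2F..%2Fetc%2Fpasswd"}},
    ]
    for req in samples:
        print(req["path"], inspect(req))
```

The same decode-then-match idea is why a WAF can also misfire on legitimate input that happens to resemble a signature, which is the false-positive review the later steps on this page ask you to do.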

This matters because web applications — especially those built on common platforms like WordPress — are complex software with long histories of discovered vulnerabilities. New vulnerabilities are found regularly. When a vulnerability is announced publicly, automated scanning tools operated by attackers begin probing for sites that have not yet patched within hours. A WAF provides a layer of protection during that window between vulnerability disclosure and your next update.

Does your website handle customer data, payments, or bookings? If so, do you know whether it has a WAF in place? Book a free 20-minute strategy call — we'll check your current protection and explain what Cloudflare's free WAF covers.

Common Attacks a WAF Blocks

SQL injection is the most commonly used attack against databases accessible through web forms. An attacker enters SQL code into an input field — a search box, a login form, a contact field — hoping the application passes it directly to the database. If it does, the attacker can extract data, bypass authentication, or in some cases delete records. SQL injection was the attack vector in the Donegal e-commerce incident described above. Cloudflare's WAF includes rules specifically targeting SQL injection patterns and blocks them before they reach your database.

Cross-site scripting (XSS) involves injecting malicious JavaScript into web pages viewed by your visitors. An attacker might post script code into a comment field or forum. When other users view the page, the script runs in their browser, potentially stealing session cookies or redirecting them to a phishing site. XSS has been used to harvest banking credentials from Irish users visiting compromised business websites.

Bot attacks use automated tools to probe your site for vulnerabilities, brute-force login pages, make fake bookings, or scrape your pricing and content. For Donegal hotels and restaurants, fake bookings made by bots consume your availability and create administrative burden. Cloudflare's bot management on the free plan challenges suspicious traffic with CAPTCHA challenges or browser verification tests, significantly reducing automated abuse.

Cross-site request forgery (CSRF) tricks an authenticated user into performing an action they did not intend — such as transferring funds or changing account settings — by embedding a malicious request in a link they click while logged in. WAF security headers help mitigate this class of attack.

How Cloudflare's WAF Works on the Free Plan

Cloudflare's free WAF applies a managed ruleset — a regularly updated collection of detection rules maintained by Cloudflare's security team based on global threat intelligence. This ruleset includes protections for the OWASP Top 10 vulnerabilities, which represent the most common and impactful categories of web application attack.

When you add your domain to Cloudflare and configure it as your DNS provider, all web traffic to your site passes through Cloudflare's network. The WAF inspects each request against its ruleset in milliseconds. Requests that match attack patterns are blocked or challenged. Requests that look legitimate pass through to your server unchanged.

The free plan's WAF is not as customisable as paid tiers — you cannot write your own rules or apply specific protections for custom application logic. But for most Irish SMEs running standard CMS platforms or business websites, the managed ruleset addresses the threats they are actually facing.

An Garda Síochána's National Cyber Crime Bureau receives reports of cybercrime incidents including web attacks and data theft.[^2] If an attack succeeds despite your controls, reporting to the Garda NCCB creates a record and may contribute to broader investigations targeting the same attackers.

The managed ruleset on Cloudflare's free WAF addresses the OWASP Top 10 — the attacks most likely to succeed against standard Irish SME websites. It is a significant reduction in your exposed attack surface at no cost.

What the WAF Does Not Protect

A WAF is one layer of protection, not the whole answer. Being clear about what it does not cover prevents a false sense of security.

Your WAF does not prevent attacks that originate from inside your network — a compromised employee account or a device with malware on your internal network. It does not prevent phishing attacks against your staff. It does not protect you if your admin credentials are stolen and an attacker logs in legitimately — from Cloudflare's perspective, that login looks like valid traffic.

It does not replace patching. A WAF reduces your exposure to known vulnerabilities, but it is not a substitute for keeping your software updated. If a zero-day vulnerability is discovered in your CMS and Cloudflare's rules have not yet been updated for it, your WAF may not catch attacks exploiting it. Keeping your platform, plugins, and dependencies updated remains essential.

It does not protect your server if your admin panel is directly accessible without going through Cloudflare. If you access your server via SSH or a direct IP address that bypasses Cloudflare, those access points are outside the WAF's scope.

Three Steps to Enable WAF Protection

These steps bring your site under Cloudflare's WAF protection in one session.

  1. Create a free Cloudflare account, add your domain, and follow the guided setup to update your nameservers at your domain registrar. Cloudflare scans your existing DNS records and imports them. Your site configuration is preserved. The change takes up to 48 hours to propagate.[^3]

  2. In your Cloudflare dashboard, navigate to Security and confirm that the WAF is set to active. On the free plan, Cloudflare applies its managed ruleset automatically. Check the Security Events log after 24 hours to see what traffic has been challenged or blocked — this gives you visibility into what attacks were already probing your site.

  3. Set the Security Level to Medium and turn on Bot Fight Mode. These settings add an additional layer of challenge for suspicious traffic without blocking legitimate visitors. Review the Security Events log weekly for the first month to understand your traffic patterns and identify any legitimate traffic being incorrectly flagged.
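The weekly review in step 3 is easier against an exported log than in the dashboard. The script below is an added example for this guide, not a Cloudflare tool: it reads a Security Events export, counts what each rule blocked or challenged, separates sources that are clearly probing from one-off hits, and lists any events against addresses you know to be legitimate (your office, your uptime monitor), which are the first candidates for a false-positive exception. The JSON field names and the sample events are constructed assumptions; match them to the column names in your own export.

```python
import json
from collections import Counter

# Constructed sample export (JSON lines). Field names are an assumption for
# this example, not a documented Cloudflare export format.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T08:01:10Z","action":"block","rule":"sqli","ip":"203.0.113.7","path":"/login","country":"NL"}
{"ts":"2024-05-01T08:01:12Z","action":"block","rule":"sqli","ip":"203.0.113.7","path":"/login","country":"NL"}
{"ts":"2024-05-01T08:01:15Z","action":"block","rule":"lfi","ip":"203.0.113.7","path":"/wp-admin","country":"NL"}
{"ts":"2024-05-01T09:30:00Z","action":"managed_challenge","rule":"bot_fight","ip":"198.51.100.20","path":"/","country":"IE"}
{"ts":"2024-05-01T09:35:00Z","action":"managed_challenge","rule":"bot_fight","ip":"198.51.100.20","path":"/","country":"IE"}
{"ts":"2024-05-01T10:12:44Z","action":"block","rule":"xss","ip":"192.0.2.88","path":"/comment","country":"US"}
{"ts":"2024-05-01T11:00:00Z","action":"allow","rule":"","ip":"192.0.2.10","path":"/book","country":"IE"}
"""

# Constructed: addresses you know are legitimate (office, uptime monitor).
KNOWN_GOOD_IPS = {"198.51.100.20"}

def triage(export_text, known_good_ips, repeat_threshold=3):
    """Summarise blocked/challenged traffic and surface likely false positives."""
    events = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    flagged = [e for e in events if e["action"] != "allow"]
    by_rule = Counter(e["rule"] for e in flagged)
    by_ip = Counter(e["ip"] for e in flagged)
    # A source tripping several rules in one export is probing, not a customer.
    probing_ips = sorted(ip for ip, n in by_ip.items() if n >= repeat_threshold)
    # Challenges or blocks against your own known-good addresses are where to
    # look first when deciding whether a rule or Bot Fight Mode needs an exception.
    false_positives = [
        (e["ts"], e["ip"], e["rule"], e["path"]) for e in flagged if e["ip"] in known_good_ips
    ]
    return {
        "by_rule": dict(by_rule),
        "probing_ips": probing_ips,
        "suspected_false_positives": false_positives,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, KNOWN_GOOD_IPS), indent=2))
```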

For businesses in Donegal and Sligo handling personal data or customer transactions, this is not optional security hardening. It is a baseline technical control that NCSC Ireland, the DPC, and your cyber insurance underwriter will expect to see documented.

Related Reading

[^1]: NCSC Ireland — Technical security guidance and advice for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Reporting cybercrime and web attacks to the National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland — GDPR requirements for technical security measures: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.