Yes, Wordpress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate is a good thing.
However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.
But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.
Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.
> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.
However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.
But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.