
Shield: WAF, DDoS, and bot protection

Shield is SuperSpace's edge security layer. It sits in front of your site and filters traffic before it ever reaches WordPress, combining a Web Application Firewall (WAF), DDoS mitigation, bot detection, and rate limiting. This page explains what Shield does, how to turn it on, which plans include it, and where to review the security events it records.

Before you start

  • A provisioned site that is ONLINE and already serving through SuperSpace's CDN
  • A plan that includes Shield — if your plan doesn't, the Shield section shows an upgrade card instead of the controls (see Plans and gating)
  • Permission to manage the site

Shield is per-site

Shield is enabled, configured, and billed for each site individually. Turning it on for one site does not affect any other site in your account.

What Shield protects against

Shield bundles several edge-security features, each managed on its own page within the Shield section:

| Feature | What it does |
| --- | --- |
| WAF | Inspects incoming requests and blocks or logs ones that match known attack patterns. You set the WAF mode, sensitivity, allowed protocols, and can disable or log-only individual rules. See WAF rules. |
| Bot Detection | Identifies and challenges automated traffic. Premium feature — see Bot protection. |
| Rate Limits | Caps how many requests a client can make in a given time window. See Rate limiting. |
| Access Lists | Your own allow/block lists by IP, CIDR, ASN, country, organization, or JA4 fingerprint, plus Bunny's curated threat catalogues. See Access lists. |
| DDoS mitigation | Absorbs and filters large-scale flood traffic at the edge. Always on while Shield is active; there are no per-rule controls to manage. |

For the conceptual relationship between Shield and the CDN it runs on, see CDN and Shield.

Enabling Shield

Shield runs at the CDN edge, so the site must already be serving through SuperSpace's CDN before Shield can be activated.

  1. Open the site's Shield section. In the left sidebar, open My Sites and select the site. Inside the site, expand Shield in the sidebar and choose Overview.

  2. Activate Shield. If Shield isn't active yet, the Overview shows a card titled "Shield isn't active for this site". Click Activate Shield.

  3. Confirm it's active. Once activation finishes, the Overview shows a Shield status card with an Active badge and a WAF mode card. Shield starts protecting the site immediately with default settings.

The Overview page is the hub for the section. The two status cards at the top show Shield status (Active / Inactive) and WAF mode (Block or Log only), followed by the Shield Overview chart covering the Last 28 Days. Use the tabs along the top — Overview, WAF, Bot Detection, Rate Limits, Access Lists, and Security Events — to reach each feature.

The same Shield controls are available over the REST API (and the MCP server), subject to the same plan gating. Check current Shield status:

curl -H "Authorization: Bearer $SUPERSPACE_TOKEN" -H "X-Auth-Account: $ACCOUNT_ID" \
  https://control.superspace.nl/api/sites/$SITE_ID/shield

See the Shield API reference for activation, configuration, and the events endpoint.

WAF mode: Block vs. Log only

When you're first enabling Shield on a live site, consider running the WAF in Log only mode for a while. Shield records what it would have blocked without actually blocking it, so you can confirm legitimate traffic isn't caught before you switch to Block. You set the mode on the WAF page — see WAF rules.

Plans and gating

Shield is gated by your site's plan, and the Shield section behaves differently depending on the tier:

| Tier | Shield availability |
| --- | --- |
| Not included | The Shield section is visible but every page shows a "Shield isn't included in your plan" card with an Upgrade plan button. No controls are available. |
| Base (Basic) | Shield is available: WAF, rate limits, access lists, and the event log. Bot Detection and Realtime Threat Intelligence are not included and show an upgrade prompt. |
| Premium (Advanced) | All Shield features, including Bot Detection and Realtime Threat Intelligence. |

Premium-only features

Bot Detection (the whole page) and Realtime Threat Intelligence (a toggle on the WAF settings) require the premium Shield tier. On a base-tier plan these show an upgrade prompt rather than the controls. Higher Bunny tiers such as Business and Enterprise are not sold by SuperSpace, so any feature that would require them is hidden rather than shown as a permanently locked option.

Some plan limits surface only when you save

A few settings are capped by tier — for example, on the Basic tier the rate-limit time window is limited to 10 seconds. If you try to save a value above the limit, the change is rejected and the dashboard shows the reason. If a Shield change appears not to take effect, check the message shown after saving — it's usually a plan-tier limit. See Rate limiting.

If an API or MCP client gets a 403 with shield_not_in_plan, the site's plan doesn't include Shield; a 403 with shield_premium_required means the action needs the premium tier. Both are resolved by a plan upgrade, not an auth change — see the Shield API reference.

Reviewing security events

Shield records the traffic it acts on so you can see what triggered its rules.

  • Shield Overview chart. The Overview page shows a Last 28 Days summary charting DDoS Attacks, WAF Triggers, and bot activity. These statistics are cached and update roughly once an hour, so very recent activity may not appear immediately.

  • Security Events log. The Security Events tab shows a per-day, paginated list of individual events. The table columns are Time, Severity (Critical, Warning, or Notice), Rule ID, Country, Method, and Status. Pick the date you want to review to load that day's events.

Legitimate traffic getting blocked?

Open Security Events for the day in question and find the matching entry — the Rule ID column identifies the rule that fired. Then adjust that rule: disable it or set it to log only on the WAF rules page, or check whether one of your access lists is responsible.
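The Log only review described under "WAF mode: Block vs. Log only" and the Rule ID lookup above can be done in bulk. The following is an added example, not SuperSpace's own code: it groups one day of events by Rule ID and lists the rules worth checking by hand before switching to Block. The record shape, the rule IDs, the reading of Status as an HTTP response code, and the selection heuristic are all assumptions.

```python
from collections import defaultdict

# Constructed sample: one day of events recorded in Log only mode. Keys follow
# the Security Events table columns; the record shape and the rule IDs are
# assumptions, not real Shield output.
COLUMNS = ("time", "severity", "rule_id", "country", "method", "status")
ROWS = [
    ("09:12:03", "Notice",   "R-1001", "NL", "POST", 200),
    ("09:12:41", "Notice",   "R-1001", "NL", "POST", 200),
    ("09:30:10", "Critical", "R-2040", "US", "GET",  404),
    ("10:02:55", "Notice",   "R-1001", "DE", "POST", 200),
    ("10:15:00", "Warning",  "R-3300", "NL", "POST", 200),
    ("11:47:19", "Critical", "R-2040", "BR", "GET",  404),
    ("12:01:33", "Notice",   "R-1500", "NL", "GET",  200),
    ("12:01:34", "Notice",   "R-1500", "NL", "GET",  200),
    ("13:20:08", "Notice",   "R-1001", "NL", "POST", 200),
    ("14:05:52", "Notice",   "R-1500", "BE", "GET",  200),
]
SAMPLE_EVENTS = [dict(zip(COLUMNS, row)) for row in ROWS]
SEVERITY_RANK = {"Notice": 0, "Warning": 1, "Critical": 2}


def summarize_by_rule(events):
    """Per Rule ID: hit count, highest severity seen, and distinct column values."""
    rules = defaultdict(lambda: {"hits": 0, "severity": "Notice", "countries": set(),
                                 "methods": set(), "statuses": set()})
    for ev in events:
        rule = rules[ev["rule_id"]]
        rule["hits"] += 1
        rule["severity"] = max(rule["severity"], ev["severity"], key=SEVERITY_RANK.get)
        rule["countries"].add(ev["country"])
        rule["methods"].add(ev["method"])
        rule["statuses"].add(ev["status"])
    return dict(rules)


def review_candidates(summary, min_hits=3):
    """Rules to check by hand before switching to Block (heuristic, an assumption):
    they fire often, never above Notice, and only on requests that succeeded."""
    picked = [(rule_id, s["hits"]) for rule_id, s in summary.items()
              if s["hits"] >= min_hits and s["severity"] == "Notice"
              and all(code < 400 for code in s["statuses"])]
    return sorted(picked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for rule_id, hits in review_candidates(summarize_by_rule(SAMPLE_EVENTS)):
        print(f"{rule_id}: {hits} log-only hits, review before enabling Block")
```

A rule on this list is not necessarily a false positive; it is a prompt to open the matching entries and decide whether to disable the rule, set it to log only, or leave it enforced.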

Turning Shield off

To stop Shield on a site, open the Overview page and click Deactivate Shield. You'll be asked to confirm.

Warning

Deactivating Shield removes WAF, DDoS, bot, and rate-limit protection from the site. Your custom rules and lists are no longer enforced while Shield is off.

Next steps