Creating the web ACL

Once you are done with your CDN, head over to the AWS Management Console and filter for the WAF and Shield services using the dashboard, or alternatively, navigate to https://console.aws.amazon.com/waf/home to bring up the WAF dashboard:

  1. Assuming that this is the first time you are configuring WAF, you will be prompted by a welcome screen to either opt for AWS WAF or AWS Shield services. Select the Go to AWS WAF option. This will redirect you to the WAF dashboard, where we select the Configure web ACL option to get started.
  2. Selecting the Configure web ACL option will bring up a Set up a web access control list (web ACL) wizard that will guide you through your first web ACL setup.
  3. The first page on the wizard basically covers the concepts of conditions, rules, and ACLs, so simply select the Next option to proceed further.
  4. In the Name web ACL page, provide a suitable Web ACL Name for your new ACL. You will notice that the CloudWatch metric name field gets correspondingly auto-populated with a matching name. You can change the name as per your requirements. This metric name will be later used to monitor our web ACLs using CloudWatch's dashboards.
  5. Moving on, from the Region drop-down list, select either Global (CloudFront) or an alternative Region name, based on whether you want to secure a CDN or an Application Load Balancer. In my case, since I already have a CDN set up, I've opted for the Global (CloudFront) option.
     WAF for the Application Load Balancer is currently supported only for the following regions: US East (N. Virginia), US West (N. California), US West (Oregon), EU (Ireland), and Asia Pacific (Tokyo).
  6. In the AWS resource to associate field, you can opt to select your CloudFront distribution or your Application Load Balancer using the drop-down list; however, for the sake of simplicity, do not configure this option for the time being. Remember, you can always associate your web ACLs with one or more AWS resources after completing this wizard! Once done, click Next to proceed.
  7. With the web ACL named, we move on to the next section where we can configure our conditions. On the Create conditions page, select an appropriate condition that you wish to configure for your web application. In this scenario, we will be configuring an IP match condition along with a string match condition. The idea here is to only grant access to our WordPress administrator login page (wp-login.php) from my local laptop's IP, and, conversely, for any other IP that wishes to access the wp-login.php page, the traffic should get dropped.
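The access decision this scenario aims for, modelled locally as an added example (not code from the book, and not AWS WAF itself): a rule that combines a string match on the URI with a negated IP match. Assumptions not stated on the page: the rule action is block, the web ACL default action is allow, the URI is URL-decoded and lowercased before matching, and 203.0.113.10 is a documentation address standing in for the laptop's IP.

```python
import ipaddress
from urllib.parse import unquote

# Assumed values for illustration: 203.0.113.10 is a documentation address
# standing in for the administrator laptop's IP.
ADMIN_IP_SET = [ipaddress.ip_network("203.0.113.10/32")]
LOGIN_PATH = "wp-login.php"


def ip_match(source_ip, ip_set):
    """IP match condition: true when the source falls in any CIDR of the set."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ip_set)


def string_match(uri, needle, transforms=("url_decode", "lowercase")):
    """String match condition ("contains") on the URI after text transformations."""
    value = uri
    if "url_decode" in transforms:
        value = unquote(value)
    if "lowercase" in transforms:
        value = value.lower()
    return needle in value


def evaluate(source_ip, uri, transforms=("url_decode", "lowercase")):
    """Rule: BLOCK when the URI contains wp-login.php AND the source is NOT in
    the admin IP set. Anything else gets the assumed default action, ALLOW."""
    on_login_page = string_match(uri, LOGIN_PATH, transforms)
    if on_login_page and not ip_match(source_ip, ADMIN_IP_SET):
        return "BLOCK"
    return "ALLOW"


# Constructed sample requests: (source IP, request URI)
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/wp-login.php"),    # admin laptop reaching the login page
    ("198.51.100.7", "/wp-login.php"),    # any other source on the login page
    ("198.51.100.7", "/WP-Login.php"),    # same page, different casing
    ("198.51.100.7", "/wp-login%2Ephp"),  # same page, percent-encoded dot
    ("198.51.100.7", "/index.php"),       # public content stays reachable
]

if __name__ == "__main__":
    for ip, uri in SAMPLE_REQUESTS:
        print(f"{ip:15} {uri:18} {evaluate(ip, uri)}")
```

Calling `evaluate` with `transforms=()` shows what the string match misses when the URI is compared without normalisation.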