Assigning a WAF Web ACL to CloudFront distributions

With the web ACL created, you can now easily assign it to one or more CloudFront distributions, as per your requirements. To do so, simply log in to your AWS dashboard and filter the CloudFront service, or alternatively, navigate to https://console.aws.amazon.com/cloudfront/home to view the CloudFront dashboard directly:

  1. Once logged into the CloudFront dashboard, select the appropriate Distribution ID for which you wish to enable the WAF Web ACL rules.
  2. Select the Edit option from the General tab to bring up your distribution's configurations and settings.
  3. Here, in the Edit Distribution page, select your newly created web ACL from the AWS WAF Web ACL drop-down list, as shown in the following screenshot:
  4. Once the ACL is selected, I would also recommend that you enable logging for your distribution if you haven't already done so. This is an added measure of precaution and security that is a must for any production-grade environment that you may be working on. Scroll down on the Edit Distribution page, and select the On option adjoining the Logging field. Provide your logging bucket's name in the Bucket for Logs field and click on the Yes, Edit option once the required fields are all filled in.

The changes will take a good few minutes to propagate through the CloudFront distribution. You can then move on to testing your WAF once the distribution's Status has changed to Enabled.
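The same change can be scripted instead of clicked through. The following is an added example, not code from the book: it assumes boto3 with working credentials, and the function names, distribution contents, web ACL ID, and bucket name are hypothetical placeholders.

```python
import copy

def with_waf_and_logging(dist_config, web_acl_id, log_bucket, log_prefix="cloudfront/"):
    """Return a copy of a CloudFront DistributionConfig with the web ACL
    attached and logging switched on (steps 3 and 4 of the console procedure)."""
    if not web_acl_id:
        raise ValueError("web_acl_id is required")
    cfg = copy.deepcopy(dist_config)          # never mutate the caller's copy
    # AWS WAF Classic takes the web ACL ID here; the newer AWS WAF takes the ARN.
    cfg["WebACLId"] = web_acl_id
    logging_cfg = cfg.get("Logging") or {}
    if not logging_cfg.get("Enabled"):        # leave an existing log setup alone
        # The API expects the bucket's domain name, not the bare bucket name.
        bucket = log_bucket if log_bucket.endswith(".amazonaws.com") \
            else log_bucket + ".s3.amazonaws.com"
        logging_cfg = {"Enabled": True, "IncludeCookies": False,
                       "Bucket": bucket, "Prefix": log_prefix}
    cfg["Logging"] = logging_cfg
    return cfg

def apply(distribution_id, web_acl_id, log_bucket):
    """Fetch the live config, modify it, and write it back."""
    import boto3                              # imported here so the helper above works offline
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_cfg = with_waf_and_logging(current["DistributionConfig"], web_acl_id, log_bucket)
    # IfMatch makes the update fail if the distribution changed since it was read.
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=new_cfg)
    return new_cfg

# Constructed sample: a heavily trimmed DistributionConfig for an offline dry run.
SAMPLE = {
    "Comment": "wordpress",
    "WebACLId": "",
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
}

if __name__ == "__main__":
    preview = with_waf_and_logging(SAMPLE, "EXAMPLE-WEB-ACL-ID", "example-log-bucket")
    print(preview["WebACLId"], preview["Logging"])
```

Running the file only prints the dry-run result for the sample; call `apply()` with your own distribution ID to change a real distribution.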

To test your WAF, simply open a browser and type in the URL of your WordPress application (http://<YOUR_CLOUDFRONT_URL>/wp-login.php) from your own laptop/desktop. In this case, you should be able to see the wp-login.php page without any issues whatsoever. However, if you try accessing the same page from a different laptop or machine, you will see the following error on screen:

At this point, your WordPress administrator login page is now protected from all IPs except those that you specified in your Web ACL's allow list! Amazing, isn't it?

You can create a custom error page using the CloudFront distribution settings and redirect your users to this page rather than showing them the standard error page, as depicted in the preceding screenshot.

With this, we come towards the end of this basic web ACL configuration section. In the next section, we will be looking at how to enhance your basic ACL setup with more conditions, with more emphasis towards SQL injections and cross-site scripting.
