Cloudflare Setup for WordPress Users
I have been a huge fan of Cloudflare since they first came to my attention. I did a post on them a few years ago. They do an excellent job of improving web performance and increasing security. I also find Cloudflare’s Blog a fascinating read
I saw a tweet by Chris Wahl recently where he talked about a Cloudflare firewall rule he is using to protect his WordPress instance.
I am using something similar in the Firewall section and also leveraging a couple of other cool features.
Chris has done an excellent write up on the firewall part including how to achieve this with Terraform so for the detailed look check out his blog post here for a slightly simpler version see below. This post will talk about some of the other features I am using to improve the Speed, Security and functionality of my site.
The most important thing when hosting a WordPress site is to protect the admin section. This should be done with a strong password and preferably two-factor authentication. However, if you can stop people even accessing this part of the site then even better. If you are using Cloudflare then this is easy to achieve.
From the Cloudflare, portal navigate to My account > Firewall > Firewall Rules and create a rule and give it an appropriate name then configure the settings as per below. The IP(s) in the value section are the only ones that will be able to access the site once this configuration is live.
When the rule is live it will look like the below. A really nice touch is the graph showing how many requests have matched this rule and you can also dig into see the individual events if required. An example drop log is shown below
I also use another feature within Cloudflare called Page Rules. My account > Page Rules
Within the free tier of Cloudflare, you are allowed to create up to 3 rules. At the moment I am using two of these.
The first of these is an automatic rule to rewrite to HTTPS. I am using this with wildcards to ensure that all pages are taken care of but still land on the intended page. Details of what Cloudflare does are here
The other rule I use is for a status page. This is more for demonstrating some AWS features as a status page but I am sure multiple other use cases exist. As Cloudflare intercepts the request before any webserver the redirect is quicker. However, in this case, they can do the redirect even if my webserver is not online.
Another really nice use case is Cloudflare’s applications. As the HTML CSS etc is passing through the Cloudflare network they can manipulate it. They do this to improve performance using compression. They also have the capability to inject code I use this to add Google Analytics into every web page. They have a large number of Apps available to easily make functional changes to your site.
WordPress has a plugin for interacting with Cloudflare via the API. This has a couple of uses and it is highly recommended. Firstly the plugin can optimise your WordPress install to work best with Cloudflare. It also gives you access to some of the basic settings allowing anyone with admin access to WordPress to tweak Cloudflare settings if required.
The second function that it performs is that performs automatic cache management automatically invalidating cache as the content is changed as required.