Cloudflare and WordPress are a great combination

Michael Addison, Director of Technology

A few months ago we published some ways to improve your WordPress website’s page-load speed and general performance. One we briefly touched on was the importance of using a content delivery network (CDN) to host your images and files on various servers around the world. This helps to reduce the server’s response time and the corresponding download time. We mentioned Cloudflare in that article, and I wanted to go into more detail about why it’s such a great service.

Why Cloudflare?

First of all, I should say that this is not a sponsored post. There are quite a few good CDN companies out there, and we chose — and are very satisfied with — this one. That’s, in large part, because it’s free to use and has some pretty impressive features. This post will briefly cover the following free services: DNS management, SSL management, CDN, the firewall, and some page caching options.

DNS

If you have a website, you have almost certainly gone through the process of buying a domain name and possibly setting up an IP address for it in some sort of manager, so that people going to your site end up at your server. If you have email, or have needed to activate a service that requires DNS authentication, then you will have used the DNS manager more than once.

To start using Cloudflare, you need to change your domain’s name servers, which essentially gives control of your domain settings to Cloudflare. This is not risky. You can easily switch it back without needing to change anything in Cloudflare. Once you have done this, though, all DNS settings are controlled in Cloudflare, which is a very good thing, in my opinion. You also now have the option to move ownership of your domain, including payments, to Cloudflare, which simplifies things even further. With a very pleasing UI, you can handle a large number of domains and keep track of all their settings easily.

The key is to click the little ‘cloud’ icon in the settings. With this enabled, all traffic goes through Cloudflare before it hits your server. This functionality opens up a world of options. Let’s start with SSL.

SSL

Setting up SSL (HTTPS) for your site is a must these days and is made very easy with services like Let’s Encrypt. With Cloudflare enabled, you just click that little cloud to activate it for your site. You can also tell it to force everything coming from your site to use HTTPS, just in case a URL was not entered correctly. It’s also best practice to secure the connection between Cloudflare and your server. The easiest way to do that is to create a 15-year certificate specifically for this connection, which only Cloudflare recognizes, and paste it onto your server. Now you don’t need monthly updates or renewals. Simple.

CDN

The CDN is the reason we mentioned Cloudflare before. Cloudflare has many servers around the world, and your content is cached on them. This reduces the load on your server and the delay in getting content to users. Cloudflare is constantly working on network traffic algorithms to speed up access for your users. And there are paid options that give you even more speed.

Page Caching

By default, Cloudflare caches images, CSS and JS, and can even minify them. If you install the plugin in WordPress, these can all be activated with one click. If you have a very static site, however, you can take it a step further and add some page rules. For example, one particular rule I use is to cache everything except wp-admin pages. I also make sure the toolbar doesn’t show on the front end. This means that static HTML is saved on Cloudflare, which reduces the requests coming to your server. It’s pretty amazing considering the service is free. You’ll need to test it to make sure admin or user-specific content isn’t cached, and also to ensure forms work and aren’t cached for more than about 10 hours, depending on your setup.
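One way to run the test described above, as an added example that is not part of the original post: the function audits recorded responses and flags any that Cloudflare answered from its cache although they belong to an admin path, a logged-in session, or a response the origin marked as uncacheable. The records are constructed sample data and `example.com` is a placeholder; `CF-Cache-Status` is the header Cloudflare uses to report the cache result, and `wordpress_logged_in_` is the prefix of WordPress's login cookie.

```python
from urllib.parse import urlsplit

# Paths that must never be answered from the edge cache.
PRIVATE_PREFIXES = ("/wp-admin", "/wp-login.php")
# CF-Cache-Status values meaning the body came from Cloudflare's cache.
CACHED_STATES = {"HIT", "STALE", "UPDATING", "REVALIDATED"}
NO_CACHE_TOKENS = ("private", "no-store", "no-cache")

def audit(records):
    """Return (url, reason) pairs for cached responses that should not be cached."""
    findings = []
    for rec in records:
        headers = {k.lower(): v for k, v in rec["response_headers"].items()}
        if headers.get("cf-cache-status", "").upper() not in CACHED_STATES:
            continue  # MISS, BYPASS, DYNAMIC, EXPIRED: answered by the origin
        url = rec["url"]
        if urlsplit(url).path.startswith(PRIVATE_PREFIXES):
            findings.append((url, "admin or login path served from cache"))
        if "wordpress_logged_in_" in rec.get("request_cookies", ""):
            findings.append((url, "logged-in request served from cache"))
        cache_control = headers.get("cache-control", "").lower()
        if any(token in cache_control for token in NO_CACHE_TOKENS):
            findings.append((url, "origin marked response uncacheable"))
    return findings

def _rec(path, cookies="", **headers):
    # Builds one constructed record (sample data, not a real capture).
    return {"url": "https://example.com" + path, "request_cookies": cookies,
            "response_headers": {k.replace("_", "-"): v for k, v in headers.items()}}

SAMPLE = [
    _rec("/", cf_cache_status="HIT"),
    _rec("/wp-admin/index.php", "wordpress_logged_in_x=constructed", cf_cache_status="HIT"),
    _rec("/account/", cf_cache_status="HIT", cache_control="private, max-age=0"),
    _rec("/wp-login.php", cf_cache_status="BYPASS"),
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE):
        print(url, "->", reason)
```

A `MISS` only means this particular request reached the origin, so repeat each request and audit the second response as well.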

Firewall

Finally, a few words on security. The firewall can enforce various rules, and there are many options available. I want to quickly discuss one we have implemented.

WordPress gets a lot of hacking attention on the login pages and various other entry points. With strong passwords and a proper installation, this isn’t normally a problem. But it can increase your server load, especially for high-traffic installations or if you are using a plugin to block offenders. Each time a potential intruder tries, PHP has to run all its code to work out which countermeasure to use. For this reason, we usually install a Linux tool called Fail2ban, which reads the logs and blocks IP addresses based on the rules you give it. More recently, Fail2ban has added Cloudflare functionality. Now when someone is banned, it sets a firewall rule on Cloudflare so intruders can’t access your server at all.
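The kind of log-reading rule described above, sketched as an added example (not Fail2ban's own code and not from the original post): count failed login POSTs per IP address inside a sliding window and report the addresses that cross the threshold. The log lines are constructed, in combined log format with documentation IP addresses; `max_retry` and `find_time` mirror Fail2ban's `maxretry` and `findtime` settings. It assumes the log records the real visitor address, since behind Cloudflare the origin otherwise sees only Cloudflare's addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with at least max_retry failed logins within find_time."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    offenders = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        # WordPress re-renders the form (200) on a failed login and
        # redirects (302) on success, so only POSTs answered 200 count.
        if (m["method"], m["status"]) != ("POST", "200"):
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

def _line(ip, hms, request, status):
    # Builds one constructed access-log line (sample data, not a real log).
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] '
            f'"{request} HTTP/1.1" {status} 4521 "-" "constructed"')

SAMPLE_LOG = [
    _line("192.0.2.44", "10:00:00", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:00:01", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:00:03", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:00:05", "POST /wp-login.php", 200),
    _line("198.51.100.20", "10:01:00", "POST /wp-login.php", 302),
    _line("192.0.2.44", "10:30:00", "POST /wp-login.php", 200),
    _line("192.0.2.44", "11:00:00", "POST /wp-login.php", 200),
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```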

We know that there are many great services out there, some with even more advanced functionality. For example, we use Akamai on large installations. We’ve chosen to discuss Cloudflare because we like the direction they’re heading in and the way they’re improving the internet for everyone.

I hope you learned something from reading this post. Let us know if you would like us to help you with your site.