Secure WordPress Installation using CloudFlare & Get a FREE CDN!

CloudFlare offers a free security plugin for your self-hosted WordPress installation. It makes use of the spam database hosted and maintained by Project Honey Pot to protect your blog from hackers, attackers and malicious IP addresses.

Project Honey Pot is a distributed spam-harvester tracking network which actively collects IP addresses that are repeatedly used to commit email fraud (such as sending bulk spam). The project also makes sure that any unused MX (Mail Exchanger) entry of your domain name is not being donated for spam purposes.

Note: A honeypot is a type of network kept under constant, strict surveillance. It is generally used as a trap so that unauthorized data access attempts can be detected and counteracted.

The service protects your installation by acting as a reverse proxy for your site. This means that all IP addresses connecting to your website (your website visitors) will now appear to come from CloudFlare’s IP range. However, the plugin makes sure that the originating IP addresses are never masked and that you continue to see them in your dashboard.
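The restoration step described above has one security-relevant rule: the client address carried in the proxy's header may only be believed when the request really arrived from the proxy, otherwise anyone connecting to the origin directly could forge it. The following added example (not the plugin's own code) shows that check in Python; the CIDR ranges are constructed placeholders standing in for the proxy ranges CloudFlare publishes, and `CF-Connecting-IP` is assumed to be the header carrying the original client address.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space) standing
# in for the reverse proxy's published IP ranges. In production, load the current
# list from the provider rather than hard-coding it.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Header the proxy is assumed to add with the original client address.
TRUE_IP_HEADER = "cf-connecting-ip"


def is_trusted_proxy(remote_addr: str) -> bool:
    """True if the TCP peer that delivered the request is one of our reverse proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def restore_visitor_ip(remote_addr: str, headers: dict) -> str:
    """Return the address to log and rate-limit for this request.

    The true-IP header is honoured only when the socket peer is a trusted proxy
    and the header holds a single well-formed address. A direct connection that
    supplies the header keeps its socket address, so the header cannot be used
    to impersonate another visitor or to evade IP-based blocking.
    """
    # Header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    header_ip = normalised.get(TRUE_IP_HEADER, "").strip()
    if not is_trusted_proxy(remote_addr) or not header_ip:
        return remote_addr
    try:
        ipaddress.ip_address(header_ip)  # rejects garbage such as "1.2.3.4, evil"
    except ValueError:
        return remote_addr
    return header_ip


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one direct with a forged header.
    print(restore_visitor_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}))
    print(restore_visitor_ip("192.0.2.50", {"CF-Connecting-IP": "203.0.113.9"}))
```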

Whenever a spam comment appears on your blog and you mark it as spam by clicking on the Spam link just below the comment, the information is sent to the service so that it can learn more about malicious IP addresses and the type of spam being posted.

In order to use the service with your site, first create an account with it by entering your username, email address and password on this page: Once the signup process is successful, the service will ask you to enter your website URL:

add website

Enter your blog URL without http:// and click on the green Add website button. The service will now start scanning the DNS (Domain Name System) records of your domain. Once it has finished scanning, you will be able to proceed to the next step by clicking on the Continue button:

scan complete

The next page will show you a list of all DNS records that the service has found for your domain name. The list may include the A records for your domain, sub-domains and web disk, along with CNAME records for FTP, mail, and www (an alias of your domain):

dns record list

An entry with an orange cloud icon in front of it indicates that its traffic will be accelerated by CloudFlare’s servers; entries with a grey cloud icon in front of them indicate that their traffic will bypass the accelerated network:

cloud icons

You may want to click on the cloud icon and change its colour to orange for all your domains and sub-domains in the list. Make sure that you disable cloud acceleration for localhost, web disk, FTP and mail: the proxy only handles web traffic, so routing those records through it would break the services behind them.

If the service has found all the required DNS entries for your domain, click on the I have added all missing records, continue button at the bottom of the page to proceed to the next step.

If you think that an important DNS entry (A, CNAME, MX, TXT, SPF, AAAA, SRV, NS etc.) of your domain is missing, you can add that entry using the fields and drop-down menu provided at the bottom of the page:

additional dns entry

The next page will ask you to choose your preferred CloudFlare plan. At the time of writing this book, the service is offering the following plans:

payment performance security

  • Free – $0 (Best plan to start with and try the service).
  • Pro – $20 per month (requires you to enter your credit/debit card number, billing address and phone number).
  • Business – $200 per month (requires credit/debit card number, billing address and phone number).

Note: The Free plan does not support SSL (Secure Sockets Layer). If your site already uses an SSL certificate and you’d like to use CloudFlare with https://, you need to opt for one of the premium plans.

Whichever plan you choose for your site’s requirements, you are required to select one of the following options under Performance:

  • CDN only (safest): Your data will be served from CloudFlare’s global Content Delivery Network, which is spread across 26 data centers worldwide. The network can automatically differentiate between the static and dynamic content of your website. Content served to your visitors is compressed using Gzip, and the delivery route is optimized as well.
  • CDN + Basic optimizations (faster): Apart from its global content delivery network, CloudFlare will automatically minify the HTML, JavaScript and CSS of your web pages. The network will cache your site’s hosted content more aggressively, and static resources will get a longer cache timeout so that cache hits increase.
  • CDN + Full Optimization (Bleeding edge speed): Apart from the CDN and basic optimizations, the service will also optimize your images and lets you run any JavaScript code safely after the window’s onload event using Rocket Loader (a general-purpose asynchronous JavaScript loader plus a lightweight virtual browser). Keep in mind that Rocket Loader may interfere with some JavaScript resources or plugins on your blog. If your site is not working as expected, try disabling Rocket Loader from CloudFlare’s dashboard.

Once you have selected your preferred option under Performance, you are required to select one of the following options under Security:

  • High: This option provides the highest level of protection against spam, hacking and denial of service (DoS) attacks. If you opt for it, your visitors are required to complete a CAPTCHA challenge-response test whenever their allotted IP address has been found engaging in malicious behavior on other websites. It is highly useful for websites whose first priority is safety. Keep in mind that this option may produce many false positives, because many legitimate visitors are allocated IP addresses dynamically by their ISP, and a large share of those addresses are present in the Project Honey Pot database as they may have been used for malicious activities in the past.
  • Medium: With this option your visitors will only see a CAPTCHA if their IP address is found to engage frequently in malicious behavior. If you are concerned about the false positives of the higher security level, this option is appropriate for you.
  • Low: Your website visitors will only see a CAPTCHA page if their IP address is found to be engaging in malicious activities very frequently. Keep in mind that with this option the chances are very high that hackers, spammers and bad bots will easily get into your site.
  • Essentially OFF: This option will only stop the worst of all nightmares! It is useful only for webmasters who want the performance benefits of the service (CDN, content compression, minification etc.) rather than its security features.

Under other recommended settings:

  • Automatic IPv6: If you want to enable full support for IPv6 (Internet Protocol version 6) on all your domains and sub-domains that are marked with an orange cloud icon in your DNS settings, select ON from the drop-down menu. This will instantly enable CloudFlare’s IPv6 gateway for your blog.
  • SmartErrors: Whenever a visitor requests a non-existing page or resource on your website, they see a 404 Not Found error in their web browser. CloudFlare’s SmartErrors feature lets you transform this 404 page into an internal site search. By enabling this option your visitors remain engaged with your website and you reduce your site’s bounce rate. Select SmartErrors (FULL) if you want to enable this feature for all non-existing pages and resources of your domain. Keep in mind that SmartErrors (FULL) will also be active for any custom error pages that you have made or that are already present on your server. If you’d like SmartErrors to skip your custom error pages, select SmartErrors (Partial) from the drop-down menu.

Once you have selected the above options as per your requirements, click on the Continue button. The next page will ask you to change your name servers with your DNS provider:

name servers

If you have access to your domain name’s control panel, you can change the name servers yourself. Otherwise you will have to open a support ticket with your provider and ask them to change your current name servers.

For example, if you are using Namecheap (a popular domain name registrar), then you can change the name servers of your domain by following these steps:

1. Log in to your account using this link: Once you are logged in successfully, click on the View hyperlink in front of Number of domains in your account under Account Information:

account information

2. The next page will ask you to select the domain whose name servers you’d like to change. Click on the name of the domain, and on the next page click on Domain Name Server Setup in the left sidebar:

domain name server setup

3. You will now see the name servers that you are currently using with your domain:

current nameservers

Replace the current name servers with the name servers provided by CloudFlare and click on the Save changes button at the bottom of the page:

cloudflare name servers

After saving the changes, it may take up to 48 hours for them to take effect while your DNS changes propagate worldwide.

Return to your CloudFlare account and click on the I’ve updated my name servers, continue button at the bottom of the page:

updated my name servers

Note: Once you have finished setting up your domain name in CloudFlare, the service will provide you with two name servers. If your current provider has asked you to use more than two name servers, you will have to delete the extra name server(s) from your domain’s control panel. This will not affect your website in any way, as CloudFlare takes care of these things automatically. If in future you no longer want to use CloudFlare, you are required to revert to the original name servers of your hosting provider.

Once the DNS has been fully propagated, install the CloudFlare plugin for your self-hosted installation and go to its settings.

Note: To check whether your domain’s DNS has fully propagated, go to >> enter your domain name in the field provided >> click on the Start button. The service will ping your website from different locations worldwide; if you see a CloudFlare IP address under the IP column, your domain has started using the service’s accelerated network.

ip column

The settings page of the plugin can be accessed by going to Plugins >> CloudFlare in your dashboard. When you first open the page, you will see the following messages at the top of your dashboard:

  • Plugin status: True visitor IP is being restored: Because the service acts as a proxy, the plugin makes sure that you continue to see the original IP address of all your website visitors (which includes good as well as bad web crawlers) instead of CloudFlare’s proxy IP addresses. This also prevents other security plugins from marking CloudFlare’s IP range as spam.
  • Enter your domain name, email address and API Key below: It is necessary to enter these details; otherwise the plugin cannot connect to its server and won’t function with your blog.
  • Plugin status: Will not be notified when you mark a comment as SPAM, enter your API details below: Without an API key the plugin cannot connect to its server and, as a result, cannot send any information about spam comments to the online service.

You are now required to enter the following information on the plugin’s settings page to fully configure it:

cloudflare plugin settings

  • Domain Name: In this field enter the same domain name (without http:// and www) that you entered in your CloudFlare account. Keep in mind that you should never enter a sub-domain or sub-directory in this field.
  • API Key: Enter your CloudFlare account’s API key. You can find your unique alphanumeric API key by going to this page:
  • Email address: Enter the email address that you use with your CloudFlare account. If you want to know which email address you are currently using with your account, go to your account’s settings page:
  • Development mode: You may want to enable this option, as it lets you bypass the service’s accelerated cache and make live changes to the content (images, CSS and JavaScript) of your blog. Once development mode has been triggered it lasts for three hours, after which it switches itself OFF automatically. You can also disable development mode yourself by selecting OFF and then clicking on the Update options button at the bottom of the page.