In another post I cover Cloudflare page rules for login security. This post discusses miscellaneous Cloudflare security settings. Cloudflare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
On the Cloudflare DNS page, I follow Cloudflare’s advice for A (IPv4), AAAA (IPv6), and CNAME (alias) records:
“A, AAAA, and CNAME records can have their traffic routed through the Cloudflare system … click the cloud next to each record to toggle Cloudflare on or off.”
Among other advantages, this hides my IP address so that bad bots can’t as easily launch a denial of service attack.
DNSSEC is a bit of a pain to set up, requiring configuration of a DNS record called a DS at my domain registrar. Cloudflare provides detailed instructions for popular registrars. If I turn this on – and I do – I have to remember to turn it off before I move to a new web host or otherwise change my IP address.
The first setting on the Cloudflare Crypto page is SSL.
It gives me four choices – in order from worst to best: Off, Flexible, Full, and Full (strict). SSL provides security and SEO benefits. It is a bit of a process to set up, requiring configuration in Cloudflare, WordPress, and my cPanel. I use Full (strict) whenever practical.
The next Crypto setting that I can change on the free tier is Always use HTTPS: “Redirect all requests with scheme ‘http’ to ‘https’. This applies to all http requests to the zone.” HTTPS provides better security for user data in transit. In addition, HTTPS enables Cloudflare to use HTTP/2 and SPDY, which speed up my site.
According to Cloudflare, HSTS “… protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking.” But there is a downside: “… once HSTS is turned on, your website must continue to have a valid HTTPS configuration conforming with the HSTS header to avoid making the website inaccessible to users.”
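An added example, not from the original post or from Cloudflare: a Python check that a captured pair of responses shows the Always use HTTPS redirect and a usable HSTS header. The host example.com, the sample responses, and the MIN_MAX_AGE threshold are assumptions made for the example.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumption for this example: about six months, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdecimal():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(host, http_resp, https_resp):
    """Return a list of findings; an empty list means both settings are in effect."""
    findings = []
    status, headers = http_resp
    target = urlsplit({k.lower(): v for k, v in headers.items()}.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("http request is not redirected to https on the same host")
    _, headers = https_resp
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https response")
        return findings
    max_age = parse_hsts(hsts)["max_age"]
    if max_age is None:
        findings.append("HSTS header has no valid max-age")
    elif max_age == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("HSTS max-age is shorter than MIN_MAX_AGE")
    return findings

# Constructed sample responses as (status, headers); example.com is a placeholder host.
GOOD_HTTP = (301, {"Location": "https://example.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"})
WEAK_HTTP = (200, {"Content-Type": "text/html"})
WEAK_HTTPS = (200, {"strict-transport-security": "max-age=0"})

if __name__ == "__main__":
    print(audit("example.com", GOOD_HTTP, GOOD_HTTPS))
    print(audit("example.com", WEAK_HTTP, WEAK_HTTPS))
```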
Downside? Cloudflare currently labels TLS as Beta, which in my experience sometimes translates as “buggy”.
The first Firewall setting is Security Level. I can choose Essentially Off, Low, Medium, High, or I’m Under Attack. This is a trade-off. The higher the setting, the safer my site is, but more users will be challenged before being allowed access. ‘Medium’ strikes a balance between user-friendly and secure. I can use page rules to select the highest security level for logins and the WP admin area.
Further down I find Access Rules. Here, if I need to, I can block a pesky abusive IP address, IP address range, or even an entire country, France maybe.
If my site is down, Always Online will allow users to see a limited, cached version of my site content.
The Always Online cache will usually include the one, two, or three most popular pages from my site. On these pages visitors see a message at the top of the page telling them that they are in offline browsing mode. On other pages visitors see an error page.
On the Scrape Shield tab, the first setting is Email Address Obfuscation.
According to Cloudflare …
“Email harvesters and bots are roaming the Internet looking for email addresses to add to their spam lists. Cloudflare’s Email Address Obfuscation encrypts email addresses on your web pages. This means that email addresses are hidden from harvesters and bots, but still visible to human visitors.”
Hotlink Protection prevents images stored on my site from being displayed on other sites, sucking up my bandwidth.
Update 2019-03-19: And a great new Cloudflare security feature … firewall rules on the free plan.