On CloudFlare’s free tier I am allowed five firewall rules. This is very generous of CloudFlare, considering the free part. But it turns out to be much more generous than it first appears.
A distributed denial-of-service (DDoS) attack is a large-scale attack that uses multiple IP addresses in an attempt to overwhelm a site with requests, crashing it or slowing it to a crawl. DDoS attacks vary in sophistication. The most sophisticated use thousands of IPs accessing multiple URLs with random query strings to bypass caching and increase the CPU load.
Cloudflare Apps are a lot like WordPress plugins. Each App adds specific functionality to my website. Like plugins, Apps are available in multiple categories such as SEO, Security, Social & Communication, etc. Another similarity – some Apps are free, some are not.
For a while now, CloudFlare has been quietly advertising “coming-soon” no-added-fees registrar services for CloudFlare customers – even those like me on the free tier. According to the sales pitch, CF will charge exactly $0 for this service, adding no fee at all to the Wholesale Registry fee (currently $7.85 for dot com) + the $0.18 ICANN fee. So, CF will register a dot com domain for the bargain annual cost of $8.03.
CloudFlare announced the introduction of firewall rules on October 3, 2018. Surprisingly, five firewall rules are even provided on the free plan. By comparison, the Pro plan provides 20 firewall rules. Unlike Page Rules, additional firewall rules can *not* be purchased. I get five, that’s it – but as we will see, a single firewall rule can do a bunch of different stuff provided that the final action is the same. Pretty generous of CF, I think, seeing as I use only their free tier.
In other posts I give my point of view on the security advantages of using CloudFlare. But what’s to stop a bad guy, gal, or bot from accessing my site directly by IP address? I can try to keep my IP address secret, but a determined hacker will find it without too much trouble. He or she or his/her robot minions could then avoid CloudFlare security by attacking my site directly – unless I take explicit measures by allowing only CloudFlare traffic.
Web cache deception hacks are a fairly recent threat, first described by Omer Gil in February 2017. In certain situations a hacker could leverage a misconfiguration between a web server and a proxy cache like CloudFlare to reveal sensitive information that could help the hacker take over my account. To be honest, this seems like a very unlikely threat. The situations that could cause it seem complex and obscure, and large-scale attacks of this sort have not been observed in the wild.
In another post I cover a CloudFlare page rule for blazing site speed. This post discusses miscellaneous CloudFlare speed settings. CloudFlare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
In another post I cover CloudFlare page rules for login security. This post discusses miscellaneous CloudFlare security settings. CloudFlare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
I chose my web host carefully. My sites are hosted on a LiteSpeed web server, so I am able to use the remarkable free LiteSpeed Cache (LSC) plugin. LSC provides much more than just lightning-fast server-side caching. It also includes a suite of optimization tools such as: Database optimization; Image optimization – which seems to be equal to or better than the paid/premium versions of competing plugins; Connection to CloudFlare so I can put CF in development mode or purge the CF cache; and Miscellaneous settings like ‘Remove query strings from static resources’.
CloudFlare, even the free tier, improves my site speed and security – so much so that I use it for all my sites. The default settings boost site speed by global distributed caching of static content. Static content, by CloudFlare’s definition, excludes HTML. This makes sense for dynamic sites with frequent new posts and user comments. For my sites like this one, that have less frequent new posts and do not allow user comments or other dynamic content, I can dramatically increase site speed using a page rule.