Why we don’t use Cloudflare for WordPress security

Cloudflare offers a cloud-based Web Application Firewall (WAF) as a means to set up a WordPress firewall.
This means your website traffic is routed through their web-based firewall, where traffic is filtered according to their firewall rules.

This sounds great. However, there are 2 flaws in this approach:

1. The re-routing of your website traffic is done through DNS, which means it only applies to requests made to your proper domain name. It's easy to bypass this using simple online tools to discover the IP address of the website, thus bypassing the DNS services and the cloud firewall with them.

This issue is well documented by many security bloggers. Tools like CloudPiercer.org and CrimeFlare exist to help attackers bypass a Cloud WAF.

CrimeFlare lets you look up a Cloudflare customer’s origin IP address or download an entire database of 1.5 million Cloudflare customers and what CrimeFlare detected as their origin IP address.

CloudPiercer uses an array of techniques to reveal a target's real IP address. They estimate that 70% of sites protected by cloud WAF providers have their origin IP address exposed. More detailed stats and our own data are included below.

2. The cloud-based firewall does not know the identity of visitors to your site. This means it cannot discriminate between visitors and filter traffic accordingly. In other words, it's dumb. To be effective, it therefore has to be oversensitive to web requests and traffic, which can cause some features/services on your website to break.
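For flaw 1, an origin server can at least detect requests that reached it without passing through the cloud WAF. The following is an added example, not code from this site or from Cloudflare: it scans origin access-log lines and flags any client address outside the proxy's egress ranges. The ranges, log lines and function names are constructed placeholders, and it assumes the log records the connecting peer address rather than a forwarded client header.

```python
import ipaddress
import re

# Placeholder proxy egress ranges (documentation networks, constructed).
# Replace with the ranges your cloud WAF provider publishes.
WAF_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Combined Log Format: client address, identity, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample lines from an origin access log.
SAMPLE_LOG = """\
198.51.100.17 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
2001:db8:100::5 - - [12/Mar/2024:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
not-a-log-line
203.0.113.45 - - [12/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""

def via_waf(addr):
    """True if addr belongs to one of the proxy's egress ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WAF_RANGES if net.version == ip.version)

def find_direct_hits(log_text):
    """Return (direct_hits, unparsed): requests that reached the origin
    without coming from the WAF, and lines that could not be parsed."""
    direct, unparsed = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            if not via_waf(m["ip"]):
                direct.append((m["ip"], m["ts"], m["req"]))
        except ValueError:  # first field is a hostname or garbage, not an IP
            unparsed.append(line)
    return direct, unparsed

if __name__ == "__main__":
    hits, bad = find_direct_hits(SAMPLE_LOG)
    for ip, ts, req in hits:
        print(f"direct-to-origin: {ip} [{ts}] {req}")
    print(f"{len(bad)} line(s) could not be parsed")
```

Any hit in the output means the origin address is known to someone outside the WAF and is accepting their traffic.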

What we use
We use endpoint firewalls, which basically means an application firewall on the same host as your website. This cannot be bypassed and, since it's hooked into your website, it knows what type of visitor each bit of traffic comes from. It can make better-informed decisions and filter traffic more effectively.

It's just a lot better.

Additional note
Cloudflare are not offering a WordPress-specific firewall, but a generic one, which means that they cannot offer a firewall tailored to WordPress weaknesses. We use WordPress-specific firewalls, so we are able to tailor our rules for attacks that we know target that platform specifically.