FidoSysop Blog

Optimizing WordPress Using CloudFlare Security and Encryption

CloudFlare is the best resource on the net to protect and enhance WordPress installations. This also goes for the popular WordPress forum plugin SimplePress. In this article I am going to show how to get the most from CloudFlare’s FREE plan and how to tweak WordPress and SimplePress for best results.


Getting started: CloudFlare offers an incredible package even on their free plan. It’s rather easy to set up your domain.

  • First go to CloudFlare.com and register your account. After registering, scan your domain to add it to cf DNS. This process takes 1-2 minutes and when completed gives you cf’s primary and secondary name servers.

  • Go to your current registrar and change the domain’s name servers to point to cf. Wait 12-24 hours for the name server change to propagate. At this time your website should be loading as before. Next download and install CloudFlare’s WordPress plugin. Be sure to go through its settings. Also be sure URL Rewriting is OFF.

Basic CloudFlare setup:

  • From your domain’s overview tab select a security level. I recommend starting out at Low. You can raise this later if needed.

  • Next click the speed tab.

  • Check all 3 auto minify boxes.

  • Set Rocket Loader to Auto.

  • Next click the Caching tab. Set caching level to Standard.

  • Set browser caching expiration to 8 Days.

  • Toggle always online to On. Development mode would be Off.

  • Next click the Firewall tab. Here you can block rogue IPs and challenge countries of your choice. I recommend JavaScript challenging China and Ukraine at a minimum.

Encryption:

  • This is a huge huge plus that CloudFlare offers – even on their free plan. The easiest encryption to get running on WordPress and SimplePress is Flexible SSL. Note: this is called SSL, but in reality the encryption protocol used today is Transport Layer Security (TLS).

  • First click on the Crypto tab. Be sure the encryption is set to Flexible. When you set up your domain, CloudFlare ordered a certificate for it. On the free plan it can take up to 24 hours to become active. Next, verify that encryption is available for your domain by going to your site and entering https://yourdomain.com.

  • There are two WordPress plugins I recommend. The first is WordPress HTTPS. This plugin has not been updated for a while, but it’s OK and is what I use. The second is CloudFlare Flexible SSL, which prevents a redirect loop error when running under CF Flexible SSL. Download and activate both.

  • Welcome to encryption. If all is well you should see https on your browser url with no security errors. But there is a good chance image urls or older plugins / themes will cause errors on your posts / pages.

  • The aforementioned WordPress HTTPS plugin converts normal http internal urls to what’s called protocol relative. This strips the http: off internal WordPress urls and leaves just // in its place. This tells browsers to use whichever protocol, http or https, the page itself was loaded over. More info on protocol relative is here on Wikipedia.

  • The website whynopadlock.com is an excellent free source for testing your pages to see what is causing insecure warnings / security errors. Quick tip: Older YouTube embed urls caused me a lot of problems when first going encrypted. Just change the url to protocol relative. Or go to the video in question and copy and paste YouTube’s new sharing url.

  • Going Full SSL. Even on their free plan CloudFlare offers Full SSL. This is done by generating a server side certificate to install on your server. Many shared hosting plans do not offer the ability to install a certificate. If you have a Dedicated or VPS server I strongly recommend this option. It also encrypts the traffic between your server and CloudFlare, which Flexible SSL leaves as plain HTTP, and will stop any rogue packet sniffing on that leg. Further info is here.
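The insecure-content check and the protocol-relative rewrite from the bullets above, as an added example (not code from this article or from either plugin it names). It scans saved page HTML for resources an HTTPS page would still load over HTTP; the sample page, `example.com` and the function names are constructed for illustration, and only stylesheet `<link>` tags are checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from the article); example.com stands in for your domain.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
</head><body>
<a href="http://example.com/about/">About</a>
<img src="//example.com/wp-content/uploads/a.png">
<img src="http://example.com/wp-content/uploads/b.png">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is navigation only and never triggers a mixed-content warning.
FETCHING_TAGS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
                 "source": "src", "video": "src", "audio": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not loaded as page resources
        url = attrs.get(FETCHING_TAGS.get(tag, "")) or ""
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    """Return (line, tag, url) for every resource an HTTPS page would load over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def to_protocol_relative(url, https_hosts):
    """Rewrite http://host/path to //host/path, but only for hosts known to serve HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in https_hosts:
        return url[len("http:"):]
    return url  # leave it alone: // on an HTTPS page would request https:// and break

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(line, tag, url, "->", to_protocol_relative(url, {"example.com", "www.youtube.com"}))
```
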

Running SimplePress WordPress plugin under CloudFlare: SimplePress is the best WordPress forum plugin on the market today. Its rich features, plugins, and SEO factor can not be beat.

  • SimplePress is fully compatible with WordPress on standard (old school) hosting installations. However, to get the most out of SimplePress here are my best tips for running it under CloudFlare.

  • It’s important to understand that Steve and Andy have written this plugin’s code to integrate with WordPress. Numerous hooks and database calls are made to WordPress on top of the standard operating calls. This is why we should tweak our CloudFlare settings to get the most out of SimplePress.

  • CloudFlare Rocket Loader adds a ton of speed by combining as many scripts as possible in a single request. It is GREAT! But I recommend disabling Rocket Loader when in SimplePress admin.

  • Caching and combining of scripts is already provided by cf. I recommend disabling CSS/JS Combined Caching in sp options > global settings. Double caching can and will cause problems.

  • Disabling Rocket Loader on the forum page is beneficial for your users. In your cf dashboard click on page rules. Here we want to define a rule to disable Rocket Loader on your sp forum page. Enter the full path to your WordPress forum page followed by /*. Select disable Rocket Loader from the options list, then save the rule.

  • Further info on creating custom page rules, including Google AMP toggles is here.

These are the basics that will get you going. If you have questions comment below 😉