Security Tutorials

How to secure your WordPress blog with Cloudflare ®

The internet is a beautiful place but is often compared to the American wild west, not without good reason. The internet allows nearly everyone and everything to connect to each other. The problem is that this includes all things good and bad. It is no secret that every service and website is under constant scanning for flaws that an attacker can exploit. Don’t fret, there are a few simple steps you can take to improve your website’s security with Cloudflare. This blog assumes you already have Cloudflare set up for your domain; if you haven’t done that yet, read our article on how to speed up your website with Cloudflare.

Cloudflare traffic classifications

Cloudflare has four ways to handle web traffic. Some automated protections are hard-set into a specific traffic class. However, for most things you can classify how Cloudflare handles the traffic:

  • Block:
    This directly blocks the connection and only shows a Cloudflare page telling the visitor (or bot) that they have been blocked from viewing the requested resource.
  • Challenge:
    This pulls up a Cloudflare page which requires the visitor (or bot) to solve a captcha before they can view the requested resource. This helps block the more sophisticated bots that interact with pages during their attacks, which are rarer to begin with.
  • JavaScript Challenge:
    This is similar to the standard challenge, except it doesn’t require solving a captcha. Instead it issues a challenge which is solved by the client’s browser using JavaScript. The challenge is typically mathematically intense and needs a few seconds of computation, so all a real visitor has to do is wait a few seconds.
  • Allow:
    This allows the traffic to pass through and connect to the website.

Striking a balance

In a perfect world, we could always block every bot and allow good users without confusing either group for the other. Sadly that’s not possible. While you could put your entire website behind a captcha, you are likely to lose visitors quickly. It is important to decide what’s important to protect, and how strictly you want to protect it. We discuss this balance in some options below.

Set your challenge passage

Cloudflare remembers which visitors pass a challenge and will allow them to continue to visit the website unchallenged for a specified time period. You should adjust this to increase usability and decrease the frustration visitors may experience when being classified as dangerous. You can adjust this under “Firewall” and the “Settings” tab. I suggest setting this to 8 hours for your WordPress blog.

Block bots from accessing your website

WordPress is a jackpot for malicious attackers. Due to the flexibility WordPress provides, if an attacker is able to break into your install they can enslave your website to their will, attack your visitors, and steal your data.

Set your security level

Setting your security level applies a generic threat tolerance across your entire website. For a WordPress website, I would suggest either medium or high. You can change your security level under “Firewall” by selecting the “Settings” tab. Any traffic which violates the security level setting will be issued a JavaScript challenge. The various security levels are:

  • Essentially Off: Challenges only the absolute worst attackers, the ones who are certain to harm your website.
  • Low: Challenges the most threatening attackers.
  • Medium: Challenges visitors with a medium threat level as well as the most threatening attackers.
  • High: Challenges all visitors who have done anything suspicious across the entire Cloudflare network within the past two weeks.
  • “I’m Under Attack”: This mode should only be enabled if your website is under a heavy targeted attack; it forces every single visitor, good or bad, to receive a JavaScript challenge.

Enable Cloudflare Bot-fight mode

One of the quickest changes you can make is to enable the Cloudflare “Bot-Fight” mode, which automatically issues a JavaScript challenge to known bots that are attempting to exploit your website. This is a safe option to enable because it’s unlikely to be tripped by normal users.
You can enable bot-fight mode in your dashboard under “Firewall” and the “Tools” tab.

Protect WP-Login

Most automated bots targeting WordPress will attack the login page. They typically probe for exploits (which hopefully are not available if you keep your WordPress install up to date) or try to brute-force credentials. You can easily restrict these kinds of attacks by taking advantage of the Cloudflare firewall rules.

Example of WordPress login firewall rules

Under “Firewall”, select the “Firewall Rules” tab. Create a new rule and name it “Protect WP-Login”.

Under the “When incoming requests match..” section, input the following: Field: URI; Operator: Contains; Value: “wp-login”.

Next, scroll down to the “Then” section and choose either the JavaScript challenge or the standard challenge. Refer to the section above which explains the difference between the two. Note: if you select allow, all traffic, even if malicious, will be permitted; likewise, selecting block will stop anything (including you) from being able to log into your website. I would suggest starting with the JS challenge. If you notice many bots (unlikely) getting past the challenge, then upgrade it to a standard captcha challenge.

Effectiveness of the WP-Login firewall rule

My blog at the time of writing has no active visitor base and is rather small. Yet my Cloudflare logs have indicated over 200 unique attack attempts that have been blocked by the firewall rules. The challenge has a passing rate of 4%, which corresponds to the number of times I personally have been issued the challenge, proving that so far every automated attack has been blocked for free by Cloudflare; my webserver never saw the requests.

Advanced protections

If you want to go the extra step and get the most out of Cloudflare, there are some further steps you can take that require more effort and configuration.

Utilize Cloudflare Authenticated Origin Pull

Authenticated Origin Pulls are a free feature provided by Cloudflare which ensures that Cloudflare is the only thing that can communicate with your webserver. This is important because Cloudflare can provide a protective blanket over your website, but that doesn’t matter much if an attacker can contact your webserver directly, bypassing Cloudflare completely. Internet scanning occurs regularly, and it is not unreasonable to expect your webserver’s direct address to appear in a database somewhere.

Authenticated Origin Pulls must be enabled in your Cloudflare control panel under the “SSL/TLS” tab and the “Origin Server” sub-tab. Simply flick the switch to “on” and you’re done with the Cloudflare side of things. Finally, you need to configure your webserver to require the Cloudflare origin client certificate. You can find the instructions on how to perform this here. Unfortunately, if you are using a shared hosting provider it may not be possible to configure this. Contact your provider for more info if you are having difficulties.

Block non-Cloudflare IPs

The next step you can perform is to only allow Cloudflare’s servers to connect to your webserver. This is best achieved by restricting connections to your webserver’s port using a software firewall, and works great with Authenticated Origin Pull. All of the IPs utilized by Cloudflare can be found at An automated script to perform this on your server can be found here.
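To show what the allowlist described above actually enforces, here is an added example (not a script from the article or from Cloudflare): a small Python script that checks whether a source address falls inside an allowed set of CIDR ranges and renders the matching iptables/ip6tables commands for review. The ranges, sample client addresses and function names are assumptions for illustration; the ranges are RFC 5737/3849 documentation prefixes standing in for Cloudflare’s published list, which you would load in their place.

```python
"""Added example (not Cloudflare's or the blog's own code): decide whether a
connection to the origin webserver comes from an allowed edge address, and
emit the host-firewall rules that enforce it.

The CIDR ranges below are CONSTRUCTED placeholders; in a real deployment you
would load the list Cloudflare publishes instead."""
import ipaddress
from typing import Iterable, List, Union

# Constructed placeholder ranges standing in for Cloudflare's published list.
PLACEHOLDER_CLOUDFLARE_RANGES = [
    "192.0.2.0/24",      # TEST-NET-1 (RFC 5737), documentation only
    "198.51.100.0/24",   # TEST-NET-2
    "2001:db8::/32",     # IPv6 documentation prefix (RFC 3849)
]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once; strict=False tolerates host bits set in the source list."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_cloudflare_source(client_ip: str, networks: List[Network]) -> bool:
    """True if client_ip falls inside one of the allowed edge ranges. Malformed input is rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def firewall_rules(networks: List[Network], ports=(80, 443)) -> List[str]:
    """Render iptables/ip6tables commands: accept the edge ranges on the web ports, drop everyone else.
    The commands are returned as strings so the operator can review them before running them."""
    rules = []
    for port in ports:
        for net in networks:
            tool = "ip6tables" if net.version == 6 else "iptables"
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        # The catch-all DROP must come after the ACCEPT rules for the same port.
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_ranges(PLACEHOLDER_CLOUDFLARE_RANGES)
    # Constructed sample of source addresses as they might appear in the origin's access log.
    for ip in ["192.0.2.77", "203.0.113.5", "2001:db8::1", "not-an-ip"]:
        print(f"{ip:>15}  {'allow' if is_cloudflare_source(ip, nets) else 'drop'}")
    print("\n".join(firewall_rules(nets)))
```

The commands are returned rather than executed so they can be reviewed first; because `-A` appends, the DROP for each port lands after the ACCEPT rules, and existing rules already in the INPUT chain still take precedence. Since Cloudflare’s ranges change over time, the rule set has to be regenerated whenever the published list is refreshed, otherwise legitimate edge traffic starts being dropped.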

Enable TLS full strict mode

TLS (SSL) is one of the most important tools for ensuring that all data transmitted from a website is secure. When using Cloudflare, a visitor has an encrypted connection between their browser and a Cloudflare server. Cloudflare should then also encrypt the connection between the Cloudflare network and your webserver. You can check how that second connection is configured under the “SSL/TLS” tab. The problem with the “Full” mode is that Cloudflare will accept certificates not signed by a certificate authority. In theory, this could allow an attacker to imitate your web server. Instead, you can use “Full (strict)” mode, which requires a valid signed certificate on your website. To receive a valid signed certificate for free, you can use either Let’s Encrypt or a Cloudflare origin certificate.


Cloudflare is a great service (especially for the free price tag) that can speed up and secure your website. Depending on the size of your website it may be worthwhile to look into their Pro plan, which includes things like a Web Application Firewall (a must-have for a WordPress site) and additional performance options. Good luck, and use the information on this page to ensure your website is secure and stays online.

*Cloudflare is a registered trademark of Cloudflare, Inc.* This website and article are not affiliated with, endorsed by, sponsored by, or supported by Cloudflare.
Images and trademarks are used within the Cloudflare Trademark guidelines.

How It Works

How DNS works, the recursive process

As more companies and products become dependent on internet connections, it is ever more important to ensure secure and private communications. Thermostats, lights, security systems, door locks, window shades, entertainment, cameras, doorbells, outlets and smoke detectors are a few of the many devices available to connect to the internet. With more devices relying on external servers to operate, it is important that remote servers can be found quickly. DNS is the world wide distributed system which handles

This article is part of a series of articles explaining the security and infrastructure considerations behind the Domain Name system, in simple terms.

The role of DNS

The Domain Name System is an essential part of the internet as we use it. The system efficiently translates a domain to a set of IP records (among other things). When is entered into your browser, your computer contacts a recursive server asking for the IP address of; the recursive server then performs a process to determine the IP of and returns it to your computer. This rather simple process, called resolving, is integral to IoT devices and the internet as we know it.

How it works

There are typically 5 different resources involved in the resolution process:

  • Stub Resolver:
    A stub resolver is a service that runs on every client device. The purpose of a stub resolver is to send DNS requests to a recursive server, providing the system with DNS services. When your browser requests a connection, it asks the stub resolver for the IP and, almost magically to the rest of the system, an IP is returned.
  • DNS Recursor:
    A recursive server receives requests from clients and handles the rest of the DNS resolution process. The recursor is responsible for contacting, and caching the responses of, the other DNS servers involved in resolution. Typically your Internet Service Provider runs a recursive server, but you may also have heard of the Google or Cloudflare public resolvers.
  • Root Nameserver:
    This is where the true structure of DNS begins. There are 13 root DNS server IPs which are hard-coded into DNS recursors. That doesn’t mean there are only 13 root servers; in fact there are well over 600 distributed across the world thanks to a technology called Anycast, which allows multiple servers to sit behind one IP.
    The root nameserver resolves the IPs of the TLD nameservers. A TLD is a top-level domain, typically the part after the last “dot” in a domain name. For example, the TLD for is “com” and for, the TLD is “org”. Each TLD has its own set of nameservers, which are contacted next.
  • TLD Nameserver:
    These servers contain information about the domains hosted within a TLD. The TLD nameserver resolves the IP of the authoritative nameserver. If looking for, the recursive resolver asks the .com TLD nameserver for the IP of the nameserver for. The recursive resolver then contacts the authoritative nameserver.
  • Authoritative nameserver:
    The authoritative nameserver is typically (but not always) run by the host of a website or service. There is a large market for businesses that host and provide more robust authoritative nameservers, but anyone can set up an authoritative nameserver for their own domain. This is where the IP for is actually served. This is also where subdomains are resolved, such as, but it is also possible for another authoritative nameserver to be declared for a subdomain.

Different record types

Different kinds of data exist in the Domain Name System, labeled records. The typical record used when requesting an IP is called an “A” record. The A record represents the IP of a domain or subdomain. There are multiple other records, such as TXT records which only contain text, SPF and MX which are used for email services, and AAAA which is used for IPv6 addresses.

DNS summary

Image of example DNS resolving process

Let’s take all the information we have learned so far to summarize the DNS resolution process.

A user enters into their web browser. The web browser tells the computer it needs the IP of. The stub resolver on the computer contacts the IP of a recursive DNS server requesting. The recursive DNS server contacts the DNS root nameservers, whose IPs are hard-coded into the resolver, and asks for the IP of the .com nameserver. The recursive DNS server then contacts the .com nameservers and asks for the authoritative DNS IP. Next, the recursive DNS resolver contacts the authoritative DNS server and asks for the connection information for. With this IP, the recursive DNS resolver returns the IP to the stub resolver, which passes it to the browser to open a connection.

The importance of a trustworthy recursive resolver

In an article which will be published soon, we explain the shortcomings of DNS. The DNS system was originally built on blind trust in your recursive resolver. As such, you should use a recursive resolver which deserves your trust. One such service is operated by Cloudflare, one of the largest organizations pushing for a safer and more private internet. The service is called, and it comes highly recommended. I urge you to consider placing your trust in them for your DNS needs, and removing it from your ISP or tracking conglomerates like Google.

Other DNS considerations

Caching of DNS requests typically occurs at the recursive nameserver level. This is controlled using Time-To-Live parameters in DNS records. An authoritative DNS server can tell a recursive resolver to remember the IP of for a set period of time. This means that if another request for is made within the defined time frame, the recursive resolver can return it instantly without contacting the rest of the DNS hierarchy. Caching can also occur in the stub resolver.
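To tie the resolution walk in the summary above and the TTL caching just described to something runnable, here is an added example (not part of the article): a toy recursive resolver in Python. The root, TLD and authoritative servers are simulated with constructed zone data using documentation addresses, the domain names and TTLs are made up, and the clock is injected so the expiry of a cache entry can be demonstrated; a real recursor speaks the DNS wire protocol over UDP/TCP instead of reading a dictionary.

```python
"""Added example (not part of the article): a toy recursive resolver that walks
root -> TLD -> authoritative, as the summary describes, with a TTL cache so
repeat lookups skip the hierarchy. All zone data, names and addresses below are
CONSTRUCTED (RFC 5737 documentation addresses); nothing here is real."""
from typing import Dict, Optional, Tuple

ROOT_IPS = ["192.0.2.1"]   # stands in for the 13 hard-coded root server IPs

# Each simulated server maps a name to either a referral (address of the next
# nameserver down) or an authoritative answer, plus the record's TTL in seconds.
SERVERS: Dict[str, Dict[str, Tuple[str, str, int]]] = {
    "192.0.2.1":  {"com.":             ("referral", "192.0.2.10",   172800),   # root
                   "org.":             ("referral", "192.0.2.11",   172800)},
    "192.0.2.10": {"example.com.":     ("referral", "192.0.2.20",   86400)},    # .com TLD
    "192.0.2.20": {"example.com.":     ("answer",   "198.51.100.7", 300),       # authoritative
                   "www.example.com.": ("answer",   "198.51.100.8", 300)},
}


class Recursor:
    """Simulated recursive resolver: follows referrals from the roots and caches answers by TTL."""

    def __init__(self, root_ips, servers, clock):
        self.root_ips = root_ips
        self.servers = servers
        self.clock = clock                                  # injectable time source
        self.cache: Dict[str, Tuple[str, float]] = {}       # qname -> (ip, expiry time)
        self.queries_sent = 0                               # trips to other servers

    def _ask(self, server_ip: str, qname: str):
        """Query one server; it responds for the longest suffix of qname it knows about."""
        self.queries_sent += 1
        zone = self.servers.get(server_ip, {})
        labels = qname.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone:
                return zone[suffix]
        return None

    def resolve(self, qname: str) -> Optional[str]:
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0]                                   # within TTL: no network traffic
        server = self.root_ips[0]                           # start at a hard-coded root
        for _hop in range(8):                               # bound the referral chain
            reply = self._ask(server, qname)
            if reply is None:
                return None                                 # no server knows the name
            kind, value, ttl = reply
            if kind == "answer":
                self.cache[qname] = (value, now + ttl)      # remember it for TTL seconds
                return value
            server = value                                  # referral: go one level down
        return None


def stub_lookup(recursor: Recursor, name: str) -> Optional[str]:
    """What a client's stub resolver does: normalise the name and hand it to the recursor."""
    if not name.endswith("."):
        name += "."
    return recursor.resolve(name.lower())


if __name__ == "__main__":
    t = [0.0]
    r = Recursor(ROOT_IPS, SERVERS, lambda: t[0])
    print(stub_lookup(r, "www.example.com"), r.queries_sent)   # root, .com, authoritative: 3 queries
    print(stub_lookup(r, "www.example.com"), r.queries_sent)   # cache hit: still 3
    t[0] = 301.0                                                # the 300 s TTL has expired
    print(stub_lookup(r, "www.example.com"), r.queries_sent)   # full walk again: 6
    print(stub_lookup(r, "nosuch.org"))                         # no answer anywhere: None
```

The query counter makes the effect of the TTL visible: the second lookup costs nothing, and once the record has expired the recursor walks the whole hierarchy again. The same structure also shows why the recursor is a trust boundary, since whatever it hands back is what the stub resolver passes to the browser.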

A client on a network may not directly contact the recursive resolver. It’s increasingly common for home routers to serve their own DNS server which then contacts the recursive resolver on the stub’s behalf. These may also cache results themselves.
In enterprise environments, it can be rare to find a client which is permitted to connect directly to an external resolver.


Why are people ditching WhatsApp?

You may have heard of a sudden outcry from WhatsApp users, and a sudden surge of people leaving the platform. What’s the big deal? Here we discuss the controversial change which is causing millions to leave.

What is WhatsApp?

WhatsApp is an instant messaging app that was released in 2009. It utilizes the Signal Protocol for sending messages and was acquired by Facebook in 2014. In 2015 it became the most popular instant messenger, and it has over 2 billion users as of 2020. WhatsApp slowly became the primary communication method in Latin America, India, and parts of Europe and Asia.

Why are people leaving WhatsApp?

The Facebook subsidiary updated its privacy policy in early 2021 to reserve the right to share data it collects about you with the broader Facebook network, which includes Instagram, regardless of whether you have accounts or profiles there. WhatsApp argued the change was needed to better integrate the app into the Facebook ecosystem.

WhatsApp strong arms users

The chat app notified its 2 billion users to either accept the new privacy policy or get out. It planned to enforce the new terms by deleting any account which did not accept the change by February 8th. This is a drastic approach and a clear attempt to capture data across the large ecosystem.

Public outcry following change

Elon Musk encouraged a switch to the competitor app Signal on his Twitter feed. Turkish President Tayyip Erdogan’s Presidential Media Office declared the government would drop use of WhatsApp following the change of policy. Other privacy advocates and government associations condemned the change. As a result of the public outcry a large portion of WhatsApp users began to defect to Signal. The exodus caused record registrations on Signal’s platform and overwhelmed Signal’s servers to the point of causing connectivity issues.

Facebook’s plan for the data

Facebook’s primary revenue source comes from serving advertisements to its users, earning nearly $21 billion in revenue in the third quarter of 2020. While WhatsApp does not serve ads to its users, Facebook can begin to improve targeted ads on other platforms with the new data collected. This change is targeted to empower businesses which advertise on Facebook’s platforms by determining what you discuss when messaging businesses directly.

Should you leave WhatsApp?

That is up to you. It is notable that WhatsApp co-founder Brian Acton himself ditched the company in disagreement with Facebook’s proposed monetization plans after it acquired the platform. After leaving, Acton created The Signal Foundation and funded the Signal app. It could be argued that if the co-founder defected to create a rival product after disagreeing with Facebook’s new practices, maybe you should too. Choosing to leave WhatsApp could show big tech how consumers view buying platforms just to harvest data from them. Take a moment and decide if you should switch to Signal too.

Open Source Privacy

Why you should start using Signal

In the age of constant contact, posting, uploading, and sharing, you might not think twice about what you use to directly message friends and family. A lot of us are inclined to stick with what’s already available. However, new trends in the world indicate that sticking with what you have may not be the best idea. Maybe it is time to start thinking about switching to Signal as your primary messaging app. Learn more about why people are switching from WhatsApp.

What is Signal?

Signal is an instant-messaging app available to iPhone, Android, and most desktop environments. To most, Signal has what you expect, a textbox and a send button, stickers, calls, and group chats. What is special about Signal is who made it and the reason it was made.

Signal is based on a messaging protocol called the Signal Protocol. The Signal Protocol is special because it provides a complete end-to-end encrypted connection. Signal is owned by The Signal Foundation, which is a registered non-profit charity in the United States.

Signal is full featured and supports many features available in other messengers. It has stickers, Facetime, phone calls, emojis, and group chats.

Signal app in use.

Why should you switch?

Comparison of the data collected across three major message platforms. Credit: Reddit user u/misterdhm, by permission.
  • Completely free, and always will be
    Signal is funded by grants and donations. It is free for everyone to download and use. It has no ads, premium features or trackers.
  • End-to-end encrypted
    End-to-end encryption is important in our ever more digital world because it ensures no one can snoop on your conversation. It works by encrypting every message, image, phone call, and anything else you send using a secret key available only to the sender and recipient.
    Why should you care? It is a well-known fact that companies like Facebook, Google, and even your own government love to absorb as much data about your life as possible. If you send an email detailing your awkward love letter, there is a good chance Uncle Sam and Google are reading it. If you are trying to discuss sexual health with a trusted friend on FB Messenger, there is a good chance Facebook and Uncle Sam are reading it. Privacy can only be ensured with end-to-end encryption.
  • Operated by an independent non-profit charity
    The app is run by The Signal Foundation, an independent 501(c)(3) nonprofit, and is not owned by any other major tech company. Most companies that offer free products are selling your information. For example, Facebook builds an entire profile which is predicted to know you better than you know yourself, for the sole purpose of selling it to advertisers. Facebook has shareholders to pay, and as such must maximize the information it has on you to maximize its profits.
    As a non-profit, Signal has no interest in profit margins and instead focuses on its mission statement: allowing its users “To Speak Freely.”
  • Does not collect data on its users
    Mostly: the only data Signal collects is its users’ phone numbers. A phone number is used to register your account; everything else is encrypted and inaccessible to Signal. By design Signal does not have access to contacts, conversation lists, location history, or any user profile information.
  • Retains as little data as possible
    Even though the data that sits on Signal’s servers is encrypted so only the user can read it, Signal is set up to ensure the servers forget any data that is sent. An encrypted message can sit on a server until it is delivered to the recipient, then it is immediately deleted from the servers.
  • Does not know who is messaging whom
    Signal has a unique feature called sealed sender, which encrypts who a message was sent by. All an attacker could know is that a user received a message, but not from whom. Imagine a scenario where you need to message a therapist, but don’t want anyone knowing that you are seeing a therapist. This feature ensures that all anyone could ever know is that the therapist received a message, but not what the message said or who sent it, except the therapist.
  • Guaranteed to go to the right person
    Signal has a feature called Safety Numbers. A safety number is a unique number calculated from the keys of the sender and recipient. This unique number is nearly impossible to fake. You can optionally verify that this number matches with the other party to ensure your conversation is safe and private.
  • Open source
    The Signal protocol, apps, and server code are free and open for everyone to view. This allows experts to analyze the code and detect flaws (which they have not found at the time of writing). This is an important tool to ensure the quality and security of any system.
  • Trusted by the privacy community
    Used by journalists, activists, and whistleblowers alike. It is the trusted gold-standard messaging application for privacy and security, used by millions of users.
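As an added illustration of the Safety Numbers bullet above, the Python below derives a 60-digit number from two parties’ public identity keys and stable identifiers. This is not Signal’s code: the iteration count, version prefix and encoding are assumptions loosely modelled on the published Signal fingerprint scheme, and the keys and phone numbers are constructed values rather than real X25519 keys. It shows why both parties compute the same digits and why the digits change if a server substitutes a different key.

```python
"""Added example (not Signal's code): a safety-number style fingerprint computed
from both parties' identity keys. Parameters are ASSUMED, loosely following the
published Signal fingerprint construction (iterated SHA-512 over a version
prefix, the public key and a stable identifier, rendered as 5-digit groups)."""
import hashlib

ITERATIONS = 5200          # assumed count; iterating slows searches for look-alike numbers
VERSION = b"\x00\x00"      # assumed 2-byte format version prefix


def fingerprint_half(identity_key: bytes, identifier: bytes) -> str:
    """30 digits bound to one party's public identity key and stable identifier."""
    digest = hashlib.sha512(VERSION + identity_key + identifier).digest()
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for i in range(0, 30, 5):                          # 6 groups of 5 bytes -> 5 digits each
        chunk = int.from_bytes(digest[i:i + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Sort the two halves so both parties arrive at the identical 60-digit number."""
    halves = sorted([fingerprint_half(my_key, my_id), fingerprint_half(their_key, their_id)])
    return "".join(halves)


def pretty(number: str) -> str:
    """Group into 12 blocks of 5 digits, the way apps display it for comparing aloud."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed identity keys and identifiers (Signal uses X25519 public keys and phone numbers).
ALICE_KEY, ALICE_ID = bytes(range(32)), b"+15550100001"
BOB_KEY, BOB_ID = bytes(range(32, 64)), b"+15550100002"
MALLORY_KEY = bytes([0xFF] * 32)          # a key an attacker might try to substitute for Bob's


def demo():
    """Return Alice's view, Bob's view, and the number Alice would see under key substitution."""
    alice_view = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    # If a server handed Alice MALLORY_KEY instead of BOB_KEY, her digits would no longer match Bob's.
    tampered = safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY, BOB_ID)
    return alice_view, bob_view, tampered


if __name__ == "__main__":
    a, b, t = demo()
    print("Alice sees:", pretty(a))
    print("Bob sees:  ", pretty(b))
    print("Substituted key:", pretty(t))
```

Because the number depends only on the two public keys and identifiers, it can be compared out of band (read aloud or scanned in person); a mismatch is the signal that one side is holding a key the other party never published.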

Where to get Signal

Signal is free to download and set up at You must have a phone number to set up an account. If you support what they do and want to support true privacy and security, you can donate to them at