App for Cloudflare®

Description

Unlock advanced Cloudflare features without being a network administrator or developer. Works with any Cloudflare plan (including Free), no Automatic Platform Optimization (APO) subscription needed.

  • Cache HTML at network edge
  • View/set all Cloudflare settings
  • Fixes Cloudflare Flexible SSL redirect loops
  • Fixes situation when IPs are coming through as Cloudflare IPs rather than user IPs
  • Cloudflare analytics on dashboard
  • Purge cache
  • View Page rules, Cache rules, Firewall rules, IP Address rules, User Agent rules
  • View Zero Trust Network Access setup
  • View DMARC statistics
  • Included tools: HTTP request trace, IP address details, domain details, WHOIS

Directly cache HTML

App for Cloudflare® can automatically cache your HTML pages in 330+ Cloudflare data centers around the world. “Standard” WordPress caching plugins can’t escape the laws of physics because information can’t travel faster than the speed of light (even if the page is cached, the cache exists on your physical origin server, which can be over 20,000 km from an end user). Caching content in Cloudflare data centers makes your website faster by putting your website cache closer to end-users (95% of the world’s population is within 50ms of a Cloudflare data center).

This is able to be done without Cloudflare Workers or even a Page Rule (done with a single Cache Rule on Cloudflare’s side, and custom code in the plugin).

Manage all Cloudflare settings

All Cloudflare settings can be changed directly within your WordPress admin area.

Includes Easy config function that will optimally set your Cloudflare zone settings for WordPress.

Fixes Cloudflare Flexible SSL redirect loops

Automatically fixes HTTPS redirect loops when using Cloudflare’s Flexible SSL option (traffic between user and Cloudflare is encrypted, but traffic between Cloudflare and origin server is not).

Handles user IP addresses

Automatically handles the situation where your web server is passing Cloudflare IP addresses rather than the IP address of the user making the request.

Network analytics

View network stats for your website directly within your WordPress admin area with a dashboard widget.

View rules & firewall

Quickly review your site’s Cloudflare rules and firewall settings from within your WordPress admin area. Includes:

  • Page rules
  • Cache rules
  • Firewall custom rules
  • IP address rules
  • User agent blocking

DMARC management

Track third parties that are sending email on your behalf (for example an email provider you have authorized like Gmail or Outlook). You can also see unauthorized email senders or spammers sending email on behalf of your domain.

Multisite network support

You have the ability to have a network-wide Cloudflare API token that can be overridden on a per site basis. In the case where a multisite network operator has the site domains in a single Cloudflare account, they can allow the site users to utilize Cloudflare features for their individual site without disclosing the underlying actual API token.

Additionally, a single Pro license for the main network site allows the media from all sites in the network to be stored in the cloud, within a single Cloudflare R2 bucket.

Store media in the cloud [Premium]

Easily and seamlessly store your WordPress media in the cloud with Cloudflare R2. This allows you to offload resources (both bandwidth and disk space) from your server. The first 10GB is free, and only costs $0.015 per GB thereafter (ex. if you had 100GB of media, it would cost $1.35 per month to store it in the cloud).

Includes ability to migrate existing media from local filesystem to R2 (or from R2 to local filesystem). Works with individual media, or all media in bulk (includes web-based migration as well as a shell/WP-CLI option).

Automatically convert uploaded JPG or PNG images to WEBP [Premium]

While this was intended for use with R2, it can be used without using R2 if you want.

Protect admin area [Premium]

Utilize Zero Trust Network Access to authenticate users before they access your WordPress admin area.

Manage rules & firewall [Premium]

The premium version unlocks the ability to manage (create, delete, suspend and unsuspend) Cloudflare rules and firewall definitions. In addition to defining your own rules, you can deploy useful rules with a single click:

  • Block traffic from certain countries (or Tor exit nodes widely used by spammers and hackers)
  • Block AI scrapers & crawlers (block bots from scraping your content for AI applications like model training)
  • Force a challenge before users can register (bot/spammer mitigation)
  • Cache static content
  • Automatically block the IP address(es) of spammers for a period of time

Backup & restore [Premium]

You have the ability to backup and restore some of your most important Cloudflare configuration settings:

  • Zero Trust Access Policies
  • Firewall Rules
  • Firewall IP Access Rules
  • Firewall User Agent Blocking
  • Page Rules
  • Cache Rules

Backups can be restored to different zones (for example if you had extensive configuration for a zone, you could give another zone the same configuration through a backup restore).

Other features

  • API calls are done exclusively through API Tokens (with the minimum required permissions) and not a Global API Key. Global API Keys are an incredibly bad idea from a security standpoint.
  • Ability to purge Cloudflare cache from WordPress admin.
  • Cached pages are automatically purged when a post/page is edited (just the necessary pages, not all pages). Stale content is not served to users.
  • Ability to designate an individual admin user to manage settings (maybe you don’t want all admins to have the ability to change things in Cloudflare).
  • Ability to use WordPress filters to add your own logic to things (for example maybe you don’t want to cache a certain page or post for whatever reason).

Screenshots

  • See Cloudflare stats for your domain right on the WordPress dashboard.
  • Setup allows you to enter your Cloudflare API token with the minimum permissions required.
  • Control Cloudflare zone settings (SSL/TLS options shown here).
  • Control Cloudflare zone settings (Security options shown here).
  • Control Cloudflare zone settings (Speed options shown here).
  • Control Cloudflare zone settings (Caching options shown here).
  • Control Cloudflare zone settings (Network options shown here).
  • Control Cloudflare zone settings (Scrape Shield options shown here).
  • Guest page caching allows you to cache your HTML pages in Cloudflare data centers (this allows your site to deliver content to your users from the data center closest to them).
  • Cloudflare Firewall Rules, User Agent Rules and IP Address Rules are viewable within WordPress (the Pro version allows editing/creating/deleting as well).
  • An easy interface to block traffic by country before the request gets to your server.
  • Create User Agent Rule from within WordPress (Pro version).
  • Create IP Address Rule from within WordPress (Pro version).
  • Page Rules and Cache Rules are viewable within WordPress (the Pro version allows editing/creating/deleting as well).
  • Zero-Trust Access policies are viewable within WordPress (the Pro version allows simple auto-configuration to protect your WordPress admin area).
  • R2 object storage allows you to store your WordPress media in the cloud seamlessly (premium feature/part of Pro).
  • R2 configuration is simple/automatic.
  • DMARC reporting allows you to see entities sending email on your behalf.
  • Cloudflare Purge Cache is available from within the WordPress admin area.
  • An HTTP request trace tool allows you to simulate an HTTP request passing through Cloudflare’s network. This allows you to see which products and rules are triggering actions on a request.
  • An IP address lookup tool allows you to get some basic info about any IP address (works with IPv4 as well as IPv6 addresses).
  • Lookup info about any domain.
  • Get registration info about any domain.
  • The Pro version allows you to backup and restore some Cloudflare settings.
  • Media stored in R2 shows an orange cloud in the media browser.
  • Move individual media to/from R2.
  • Move all media in bulk to/from R2.
  • For multisite networks, you can utilize a single Cloudflare API token for all your sites in your network (which can be optionally overridden on a per site basis).
  • For multisite networks, you can optionally use a single R2 bucket to store the media across all your sites.

Installation

From your WordPress dashboard

  1. Navigate to “Plugins” -> Add New
  2. Search for App for Cloudflare
  3. Activate App for Cloudflare® from your Plugins area

Manual upload

  1. Download App for Cloudflare®
  2. Upload the app-for-cf directory to your /wp-content/plugins/ directory
  3. Activate App for Cloudflare® from your Plugins area

FAQ

How does the Guest Page Caching work?

It’s done by using a Cloudflare Cache Rule that makes HTML pages eligible to be cached. Making a page eligible doesn’t necessarily make it always cached (for example if a user is logged into the site or the request is a POST, you wouldn’t want the page to be cached). No need for any kludgey cache busting mechanism that alters your URLs.

This allows it to be done in a “clean” way, without the need for Cloudflare’s Automatic Platform Optimization (APO) plugin/subscription (normally $5/month for Cloudflare Free plans). It also does not require the added complexity or expense of Workers (Workers are billed per request). Additionally it does not require the use of a Page Rule slot on your Cloudflare zone.

This plugin can do Guest Page Caching for free, for everyone.

How can I test improvements on my site when using Guest Page Caching?

An easy way to test it is with a testing tool like GTmetrix. Test it without Guest Page Caching enabled and test it again with Guest Page Caching enabled and compare the results.

If you are a little more technical, you can look at the cf-cache-status HTTP header on the page request. If you see a value of HIT, the request is being successfully being served from Cloudflare’s edge cache.

If you want to compare the speed of WordPress sites from different cities, try these:

Does this work with multisite networks?

Yes. Not only does it work as a standard plugin on any site within the network, it can be deployed as a “network activated” plugin (automatically available to all sites within the network). Additionally, there are settings available to the network admins where you can optionally set a default API token (that is used, but not disclosed to the individual sites). Individual sites can set a different API token to override the network-wide token if needed. This is useful in a scenario where all (or most) of the sites in the network are on the same Cloudflare account and can share the same API token.

The Pro version allows a single Cloudflare R2 bucket to be used for storing the media for all sites in the multisite network.

I locked myself out of settings

There is an option to allow settings to be changed only by one specific admin account. If you use that setting, and then lose or change the admin account you assigned to that role, it can be problematic. If you need to bypass that option, you can by adding the following to your WordPress wp-config.php file:

define('CLOUDFLARE_BYPASS_USER_LOCK', true);

I have an idea for this plugin, can I make a suggestion?

Yes, please do! You can find the suggestion area over here.

Reviews

February 8, 2024
I was hoping for an plugin like this one. Clear clean interface with a lot of options and insight. I just went through all the tabs/pages and everything went smooth, all setup and working beautifully. Thank you for this very useful extension!
October 25, 2023 7 replies
I can access all the settings of Cloudflare in my WordPress directly, perfect. Now what? How can I get benefit from your plugin? Only feature I found useful is Guest Caching. That will only be useful if you can give a “purge cache” option on per post basis. Purging the whole cache is not useful as a plugin. It would be really great if you can give an option which detects any new post/images and other changes and purge the specific cache automatically. A purge option in each post will also do the job for now. I will wait for the update. Thank you.
October 18, 2023
Has all cloudflare settings in one place + analytics dashboard. Great addition to the wordpress community.
Read all 6 reviews

Contributors & Developers

“App for Cloudflare®” is open source software. The following people have contributed to this plugin.

Contributors

Translate “App for Cloudflare®” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.8.8 (2024-09-30)

  • Added new Cloudflare setting (under Speed): Speed Brain
  • Easy Config enables Speed Brain
  • Added support for setting SSL/TLS Encryption Mode to Strict (SSL-only origin pull) (for Enterprise zones)
  • Added new Cloudflare setting (under SSL/TLS): Encrypted Client Hello
  • Added new Cloudflare setting (under Security): Leaked credentials

1.8.7 (2024-08-28)

  • Fixed issue with deleting a Page Cache rule (change to Cloudflare API)
  • Updated charting library (Chart.js) to 4.4.4

1.8.6 (2024-08-02)

  • Added new Cloudflare setting (under Security): Replace insecure JavaScript libraries
  • New option: Purge cache button in admin bar
  • Fixed issue where “Block IP address on spam flag in comment queue” option couldn’t be unchecked
  • New option: Convert uploaded media to WebP [Premium]

1.8.5 (2024-06-25)

  • Removed Brotli compression setting (it’s now always on in Cloudflare)
  • Removed Minify settings (they have been deprecated and will be removed from Cloudflare soon)
  • Removed Server-side Exclude setting (it has been deprecated and will be removed from Cloudflare soon)
  • Added framework for new option to create Firewall Rule to block AI scrapers & crawlers
  • Updated charting library (Chart.js) to 4.4.3

1.8.4 (2024-05-29)

  • Added deprecation notice for Auto-Minify setting

1.8.3 (2024-03-12)

  • When installing Pro plugin, replace the default activate plugin link with a link to enter license key (the plugin isn’t “activated” in the traditional sense)
  • Updated charting library (Chart.js) to 4.4.2

1.8.2 (2024-01-21)

  • Fixed typo when installation is the primary site in a multisite network
  • If API token can’t be verified, present an error about it being an invalid API token immediately
  • Changed wording of the “API tokens & keys” button
  • Updated charting library (Chart.js) to 4.4.1
  • A few custom actions are intended to execute last, so PHP_INT_MAX was used as the priority, however it was causing issues on certain servers so the priority was lowered (but still very high)

1.8.1 (2023-12-01)

  • Cloudflare statistics charts on dashboard dynamically resize properly when resizing window
  • Added ability for individual API calls to ignore multiple error codes instead of just one
  • Existing media can be moved to/from R2 individually or in bulk [Premium]

1.8.0 (2023-11-13)

  • The API calls necessary to build the Cloudflare settings page are now run in parallel (it’s currently 10 API calls that were previously made sequentially). Viewing (and editing) settings is significantly faster now (it’s as fast as the single slowest API call, rather than as slow as all 10 API calls added together).
  • Raised timeout for Cloudflare API calls from 5 seconds to 15 seconds
  • For multisite/network installations, there is a new settings page that allows you to set some network-side settings (for example the API token to use) across all sites without specifically setting it for each site. See Network Admin -> Settings -> Cloudflare
  • If there’s a multisite network API token set, an individual site can still override that API token (allows a situation where most sites are on a single Cloudflare account can use the network-side API token, but the ones that aren’t can still specify a different one)
  • Added info page about using R2 in a multisite setup (using a single bucket for all sites)
  • Added sanity check (make sure it exists) when attempting to display an actioned template
  • Added more sanity checks for unexpected Cloudflare API results
  • The intel tools (IP address details, Domain details, WHOIS) can’t be used (and are removed from the navigation) if a site doesn’t have their own API token (in a scenario where they are using a default multisite network API token). This is because there is a very small monthly quota for API calls for the entire Cloudflare account/API token (around 100 per month).
  • Fixed issue with HTTP Request Trace tool

1.7.7 (2023-11-03)

  • Added link for info about why each Cloudflare token permission is needed
  • Increased the number of URLs being purged per API call from 8 to 30
  • Suppress API rate limit error message when using guest page caching and the backend is purging individual URLs from Cloudflare’s cache (if there are a ton of posts being added at once, or edited quickly over and over, a site might hit rate limits after about 40 new posts/edits/comments in a single minute). Since it’s not catastrophic if a cache purge didn’t successfully run, we are just going to ignore the failure and let the cache expire on its own.
  • Better handling of situation where Cloudflare API is down/unavailable
  • Changed how menus are built (old method was deprecated in PHP 8.x)
  • Removed “Security -> Privacy Pass Support” setting (it’s been deprecated by Cloudflare and is no longer used)

1.7.6.1 (2023-10-25)

  • Clean up some layout anomalies when using a right-to-left language
  • The Cloudflare Fonts option ID has changed. This addresses that (it’s what I get for giving the ability to toggle options that Cloudflare has deemed “beta”… they are subject to change).
  • Added a sanity check so if future option IDs change, it won’t throw an error (along with not being able to change them). Instead, that option won’t change until the ID is updated.

1.7.6 (2023-10-22)

  • Fixed issue where boolean settings wouldn’t always be parsed to boolean values
  • Fixed issue where HTTP Strict Transport Security (HSTS) settings wouldn’t always be changeable
  • Added support for Super Bot Fight Mode settings: Likely Automated, Definitely Automated, Verified Bots, Static Resource Protection, Optimize For WordPress, JavaScript Detections

1.7.5.1 (2023-10-21)

  • Better handling of unexpected Cloudflare API changes

1.7.5 (2023-10-19)

  • Fixed issue with modal confirmation dialog not scrolling when it goes off the screen (mainly an issue when enabling R2 for media from a mobile devices)
  • Cloudflare made a change to the bot management API (but only for paid plans), this version addresses that.

1.7.4 (2023-10-12)

  • Fixed issue where a settings page redirect would fail because WordPress had already output HTML in some cases
  • Cosmetic clean-up here and there
  • Notice in Media section about using/setting up R2 is dismissible
  • Added support for new Cloudflare setting: Speed -> Optimization -> Content Optimization -> Cloudflare Fonts
  • “Easy config” enables Cloudflare Fonts
  • Settings that are deemed beta by Cloudflare, are shown with a beta label
  • Better handling of cases where there’s an error when making an API request

1.7.3 (2023-10-05)

  • Initial release of App for Cloudflare® for WordPress.

The WordPress version is kept in feature parity with the XenForo version. You can find the update changelog for older versions (if you are curious), over here.