Cloudflare and WP Cerber
How to make them play nice together on your WordPress
If your site is behind the Cloudflare proxy service and your WordPress is protected by the WP Cerber plugin, you have to do two things to let them work well together.
- Enable My site is behind a reverse proxy on the Main Settings page.
- If you have configured the Custom login URL, you have to exclude it from caching by Cloudflare’s servers. Do that by adding a rule on the Page Rules settings page in your Cloudflare account settings as described here: https://support.cloudflare.com/hc/en-us/articles/200172316-How-do-I-exclude-a-specific-URL-from-CloudFlare-s-caching-
Integration with the Cloudflare firewall
Consider using an optional Cloudflare add-on to synchronize locked out malicious IP addresses and access-lists entries with the Cloudflare cloud-based firewall.
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
Configuring exceptions for the anti-spam engine
Automated recurring scans and email reporting for WordPress
I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
So you would bypass the caching on the login page? I just want to make sure that’s what you mean? If I setup my WordPress login page in Cerber as https://www.mysite.com/jim that’s the url I would create a page rule in cloudflare to bypass caching for?
Exactly.
I’m using CloudFlare for my DNS and HTTPS. When I check ‘My site is behind a reverse proxy’ and save the settings, my site’s links simply stop working. Clicking on them does nothing. I can right-click and Open In A New Window okay, but I can’t expect my site visitors to do that. FORTUNATELY when I turn that switch back to OFF, save the settings, and then clear the cache on CloudFlare.com, it works okay again.
I do not wish to implement the Custom login URL so I did not setup the Rule as described on this page. There’s no explicit mention that the two things must be done together, so I didn’t. What might be the problem?
What does “my site’s links simply stop working” mean?
Hi Gregory,
I’ve been using the plugin and it is working great. As you may know CloudFlare gives 3 page rules for FREE subscription. CF advice is to exclude wp-admin.php and wp-login.php from cache too. I was wondering that if I exclude wp-admin would that not mean that all wp-admin.php actions are not going to be cached? That way I don’t need to exclude the Custom URL.
Secondly if I disable the cache for my custom URL then do I also have to exclude wp-admin?
This is important because I only have 3 rules, but we need to define 4 rules, so I wanted to know how this works so that we can make a better decision.
thank you.
You need to configure rules for the following locations:
1. Your custom login URL
2. Your WordPress dashboard with a wildcard: https://your-domain/wp-admin/*
See a full Cloudflare tutorial: https://support.cloudflare.com/hc/en-us/articles/218411427
Hi.
If my server has been configured to show actual IPs of all visitors even with CF proxy on, do I still need to enable “My site is behind a reverse proxy”?
Thanks!
If WP Cerber is able to detect real IP addresses (you see them in the Activity log), you don’t need to enable “My site is behind a reverse proxy”. Please follow instructions in the first step here: https://wpcerber.com/getting-started/
That’s great. Thank you!