Posted By Gregory

Cloudflare Add-on for WP Cerber


This optional add-on adds a security measure to your WordPress site by integrating WP Cerber with the Cloudflare cloud-based firewall. When enabled, it prevents malicious IP addresses blocked by WP Cerber from accessing the entire website. To use the add-on, you need a free or paid Cloudflare account and WP Cerber 8.6 or newer.

Warning: this add-on is not recommended for beginners. You can easily lock yourself out or block your users.

When to use the Cloudflare add-on

Use the add-on if you already have a Cloudflare account and use it as a firewall for your website, or if your website permanently suffers numerous cyber attacks and you’d like to reduce the burden on the server. Don’t forget about the following drawbacks: you have to delegate the domain to Cloudflare’s nameservers and your SSL certificate to Cloudflare’s webservers; plus, you have to accept that your private data and the personal data of your customers are processed on Cloudflare’s webservers in unencrypted form.

How to install the add-on

The add-on is a standard WordPress plugin and is available to download for free from our website. Follow the instructions at the end of the page. Once you’ve activated the plugin, you get the following settings page. By default, all operations are disabled.

[Screenshot: Cloudflare WordPress Add-on Settings]

Syncing IP addresses blocked by WP Cerber

When enabled, the list of locked out IP addresses is continuously monitored and Cloudflare IP Access Rules are kept in sync with the list. Once an IP address is locked out, it is completely blocked from accessing the entire website because it’s added to the Cloudflare firewall. Without the add-on, a blocked IP address has read-only access to the website. If you accidentally block your own IP address, see the instructions below.

Some lockouts are not synced

In the following cases, locked out IP addresses are not synced and are not blocked by the Cloudflare firewall: a user is logged in; a remote host produces erroneous requests such as 404 Page Not Found; the limit on login attempts has been reached for the first time; Googlebot requests originate from the googlebot.com domain.

Note: We intentionally do not implement syncing of subnet lockouts. If you use the add-on to sync Cerber’s lockouts, WP Cerber’s “Block subnet” setting (“Always block entire subnet Class C of intruders IP”) must be disabled.

Syncing IP Access Lists

When enabled, all changes in WP Cerber’s IP Access Lists are one-way synchronized with Cloudflare IP Access Rules. For instance, if you add the 192.168.1.0/24 network to the Black IP Access List, no computers from this network have access to your website. If you accidentally block your own IP address, see the instructions below.

The Cloudflare firewall has limited capabilities, though. Keep in mind that unlike WP Cerber, Cloudflare doesn’t support arbitrary IP ranges or CIDR networks. It supports only single IP addresses and classful networks such as A, B, C. So if you add a network other than a class A, B, or C network to an access list, the network is not added to the Cloudflare firewall and remains a local entry fully processed by WP Cerber.
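To see in advance which access list entries would stay local under the rule above, the following added example (not code from WP Cerber or the add-on) classifies entries the way the paragraph describes. It assumes class A, B and C networks are written in CIDR form as /8, /16 and /24 and that arbitrary ranges are written as first-last; the function names and sample entries are constructed for illustration.

```python
import ipaddress

# Assumption: class A, B and C networks are written in CIDR form as /8, /16, /24.
CLASSFUL_PREFIXES = {8: "A", 16: "B", 24: "C"}

def classify_entry(entry):
    """Return (destination, reason) for one access list entry.

    destination is "cloudflare" (would be synced), "local" (stays a
    WP Cerber-only entry) or "invalid" (not an address, range or network).
    """
    text = entry.strip()
    try:
        if "-" in text:  # arbitrary range written as first-last
            for part in text.split("-", 1):
                ipaddress.ip_address(part.strip())  # validate both ends
            return ("local", "arbitrary IP range")
        if "/" not in text:
            ipaddress.ip_address(text)
            return ("cloudflare", "single IP address")
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        return ("invalid", "not an IP address, range or network")
    if net.num_addresses == 1:
        return ("cloudflare", "single IP address")
    if net.version == 4 and net.prefixlen in CLASSFUL_PREFIXES:
        return ("cloudflare", "class %s network" % CLASSFUL_PREFIXES[net.prefixlen])
    return ("local", "network other than class A, B or C")

def local_only(entries):
    """Entries that would not reach the Cloudflare firewall."""
    return [e for e in entries if classify_entry(e)[0] != "cloudflare"]

# Constructed sample list; 192.168.1.0/24 is the example used in the text.
SAMPLE = [
    "192.168.1.0/24",
    "203.0.113.7",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "198.51.100.0/25",
    "198.51.100.10-198.51.100.20",
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(item, *classify_entry(item), sep="\t")
```

Entries reported as local are still enforced by WP Cerber on the server, so they reduce server load less than the synced ones.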

Note that it’s a one-way synchronization. If you make changes to access rules on the Cloudflare website, Cloudflare does not send them to WP Cerber.

Also note that currently, the add-on doesn’t sync existing entries in the Access Lists that were added or deleted before ACL syncing was enabled.

Other settings

Verbose syncing

It’s an optional privacy-related feature that enables or disables saving additional information as Cloudflare notes. When enabled, the add-on saves your Access List comments and the reason for an IP address lockout to a Cloudflare note. Enable it if you need to precisely identify or search entries by a keyword among the firewall rules on the Cloudflare website. Don’t forget that those notes can be stored on Cloudflare servers for an unknown amount of time.

Delete Cloudflare rules on plugin deactivation

If the Cloudflare add-on or the WP Cerber plugin is deactivated, all rules that were previously added to the Cloudflare firewall are deleted. It’s important to understand that once the plugins are activated again, the deleted entries will not be added back.

How to get support

Professional support is provided for our customers only; please see plans and pricing here. If you use the free version of WP Cerber, please help yourself by using the online documentation and how-to manuals. If you come across a technical issue, enable diagnostic logging and check the WP Cerber log, which is located on the Tools / Log tab.

How to unlock yourself

If you accidentally block the IP address of your computer and so have no access to the website, there are two ways to unlock the IP on Cloudflare:

  1. Use a mobile device that is connected to the Internet with a different IP address (a cellular network instead of Wi-Fi) to log into the website and delete the lockout or the access list entry.
  2. Log into your account on the Cloudflare website, find the entry with your IP address on the Firewall / Tools page and remove it manually. Hint: get your current IP address on this page: https://wpcerber.com/what-is-my-ip/

How to delete all synced Cloudflare rules

  1. Enable Delete Cloudflare rules on plugin deactivation
  2. Deactivate and activate the add-on plugin on the Plugins page

How to install this Cloudflare add-on

The add-on is available to download for free from our website, not from the wordpress.org plugin repository. The add-on is a standard WordPress plugin.

  1. Download the plugin ZIP archive to your computer: https://my.wpcerber.com/downloads/wp-cerber-cloudflare-addon.1.0.zip
  2. Log into your WordPress admin dashboard
  3. Click the Add New submenu under the Plugins admin menu
  4. Click the Upload Plugin button that is located next to the page title
  5. Select the downloaded ZIP archive
  6. Click the Install Now button
  7. Click the Activate Plugin button



I'm a team lead at Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.
