Bernard Aybout's Blog – MiltonMarketing.com

Enhancing WordPress Security: Integrating Jetpack with Cloudflare’s WAF

WordPress Jetpack and Cloudflare Integration Overview

  • Compatibility: Cloudflare and Jetpack for WordPress are designed to work together seamlessly. No additional configuration is necessary for them to operate in conjunction.
  • Security Features: There are specific security measures in place to protect your Jetpack installation. Read on for more details.

Cloudflare’s Default Protection for Jetpack

  • XMLRPC.PHP Protection: Cloudflare’s Web Application Firewall (WAF) includes a rule (WP0007) that safeguards the xmlrpc.php file. This rule allows only Jetpack’s automation systems, identified by their IP range, to use the xmlrpc.php?for=jetpack query string.
  • Blocking Unauthorized Access: Attempts to access xmlrpc.php?for=jetpack from IPs outside of Jetpack’s range are blocked, resulting in an HTTP 403 Forbidden message. This enhances your website’s security without affecting Jetpack’s functionality.
  • Background Information: The reasoning behind this protection measure is discussed in Cloudflare’s blog post.

Additional Considerations for WAF Managed Rules

  • Potential Impact on Jetpack: A particular WAF managed rule, “WP0002 – Block WordPress XML-RPC,” can block Jetpack’s servers from managing your settings if it’s enabled.
  • Rule Activation: By default, this rule is disabled. Activating it should be considered only as an emergency response to attacks targeting your xmlrpc.php endpoint, as it completely restricts access to this file.
  • Support: For more advice or if you’re facing issues, it’s recommended to reach out to Cloudflare’s Support team for assistance.
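
The following Python script is an added example, not code from the original post, Cloudflare or Jetpack. It audits HTTP log lines against the behaviour described in the two sections above: xmlrpc.php?for=jetpack requests from outside Jetpack's range should return 403 (WP0007), and requests from inside the range should not be blocked (which is what happens if WP0002 is enabled). The Common Log Format input, the function names and the 192.0.2.0/24 range are assumptions; the range is a documentation placeholder to be replaced with the ranges Jetpack publishes.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: placeholder range (RFC 5737 TEST-NET-1). Replace with the
# IP ranges Jetpack publishes; the page does not list them.
JETPACK_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Common Log Format: client IP, request line, status returned to the client.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_jetpack_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in JETPACK_RANGES)

def classify(line):
    """Return a verdict for one log line, or None if it is not relevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/xmlrpc.php"):
        return None
    if parse_qs(url.query).get("for") != ["jetpack"]:
        return None
    try:
        inside = is_jetpack_ip(ip)
    except ValueError:              # client field is a hostname, not an IP
        return None
    blocked = status == "403"
    if inside and blocked:
        return "jetpack-blocked"    # Jetpack cannot manage the site (e.g. WP0002 on)
    if not inside and not blocked:
        return "outside-allowed"    # WP0007 behaviour not in effect for this request
    return "expected"

def audit(lines):
    """Count verdicts over an iterable of log lines."""
    return Counter(v for v in map(classify, lines) if v)

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 403 0',
    '198.51.100.3 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

A non-zero "outside-allowed" count usually means traffic is reaching the site without passing through the WAF rule; a non-zero "jetpack-blocked" count points at a rule such as WP0002 being active.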
