\nOther Cloudflare features like domain registration and email forwarding\n\n\n\nProtips for smoothing out your Cloudflare workflows\n\n\n\n\n\n\n\n\n\n\n\n\n\n","livestream_live_transcript_text":"Unknown Speaker 0:18 \r\nAll right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?\r\n\r\nUnknown Speaker 0:26 \r\nWhat are you most excited to learn?\r\n\r\nUnknown Speaker 0:32 \r\nAs you answer that I am getting our captions all set.\r\n\r\nUnknown Speaker 0:38 \r\nAlright, captions should now be working for everybody.\r\n\r\nUnknown Speaker 0:43 \r\nFingers crossed\r\n\r\nUnknown Speaker 0:47 \r\nthe whole thing.\r\n\r\nUnknown Speaker 0:49 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:51 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:53 \r\nWe'll see what we can do, Debra. Love it.\r\n\r\nUnknown Speaker 0:59 \r\nAlright folks, we are about four ish minutes away.\r\n\r\nUnknown Speaker 1:06 \r\nFour ish minutes away from getting started with Cloudflare for agencies if you're just joining us in zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40 Page course handbook that I've put together for you here. Many many, many things here in the handbook.\r\n\r\nUnknown Speaker 1:32 \r\nAnything you can learn? Yeah, all right.\r\n\r\nUnknown Speaker 1:35 \r\nDefinitely.\r\n\r\nUnknown Speaker 1:37 \r\nYes, Stacy. There are so many things and this is not I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.\r\n\r\nUnknown Speaker 1:51 \r\nHow much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. 
And then you can it should give you a really good basis to make decisions on how you want to implement.\r\n\r\nUnknown Speaker 2:24 \r\nPaul, you make the website and then we'll talk\r\n\r\nUnknown Speaker 2:31 \r\ny'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.\r\n\r\nUnknown Speaker 2:42 \r\nYeah, I promise it's really not that complicated.\r\n\r\nUnknown Speaker 2:47 \r\nAll right. So if you're just joining us in zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes. Yep, of course handbook is there and waiting on you to download also, of course the replay link.\r\n\r\nUnknown Speaker 3:08 \r\nIf you want to go back and rewatch today\r\n\r\nUnknown Speaker 3:16 \r\nmy oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.\r\n\r\nUnknown Speaker 3:27 \r\nAlright, y'all just about two minutes ago. hope everybody's doing well hope your week has gotten started. Well check in question today. Let me just hear from you what you are most excited to learn about Cloudflare what you want to know what parts confuse you other than everything, as some folks have said. If there's a particular area I'd love to hear that\r\n\r\nUnknown Speaker 3:52 \r\nOh, Beth. I mean priorities right.\r\n\r\nUnknown Speaker 4:00 \r\nLove it.\r\n\r\nUnknown Speaker 4:02 \r\nYeah, laptop on the beach. Back. Yeah.\r\n\r\nUnknown Speaker 4:07 \r\nActually, Myrtle Beach is gorgeous. This time of year. Good for you, Beth.\r\n\r\nUnknown Speaker 4:15 \r\nturnstyle WAF Yes.\r\n\r\nUnknown Speaker 4:20 \r\nThere's no dancing and Cloudflare\r\n\r\nUnknown Speaker 4:28 \r\nthat's why you take a tablet to the beach, not your laptop.\r\n\r\nUnknown Speaker 4:34 \r\nStacey, that's awesome. That's 100% True. 
And actually, if you find dancing and Cloudflare just wait because they'll move it to another menu link later or they'll rename it.\r\n\r\nUnknown Speaker 4:48 \r\nYeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.\r\n\r\nUnknown Speaker 4:59 \r\nDo the turnstile through the turnstile. Alright folks, just about 30 seconds to go. hope everybody's doing well today. Come on in find a seat and grab the course handbook. But to drop the link bundle in once again.\r\n\r\nUnknown Speaker 5:14 \r\ni Yes, exactly. Karen\r\n\r\nUnknown Speaker 5:19 \r\nand what you're talking about there, Karen. There's no easy answer to that. Unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.\r\n\r\nUnknown Speaker 5:46 \r\nAll right, y'all. It's three minutes after let us get the recording started and we will dive right in.\r\n\r\nUnknown Speaker 5:56 \r\nWell, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days. We're going to take two hours today two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? 
So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.\r\n\r\nUnknown Speaker 7:21 \r\nSo I Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. 
This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. 
If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. I Cloudflare. Security Services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. 
So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free SSL certificates. Also, they use the Google certificate authority as the primary and then Sectigo as a secondary. We'll get to all that when we get to the SSL section. They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. 
So who's monitoring Cloudflare Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So that in that way, there's a lot of people watching them from high level, you know, big fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites 32% of the top million websites. Their global network has 300 data centers all over the globe at more than 120 different countries. So the the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. 
Also Cloudflare blocks, look at this number, 182 billion threats a day on average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Raef on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly. They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm under attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. 
The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is, okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny. This discussion has come up a number of times in the admin bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can change who gets to make those requests and filter those things out. And so forth. 
So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network. level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here. On solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing. No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. 
So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does solid security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. 
You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner. processes running in the same environment. malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning Do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic. That have gotten through the other two layers. We pause. Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing right not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in solid security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what solid Security does, which is why I love it. It is providing vulnerability detection. 
So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable things in plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my things and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like, of the kinds of plugins that exist for WordPress, the most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and make sure that the password hasn't been compromised, and that Have I Been Pwned database. We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security. Also session cookie protection, right, having that like the trusted devices features of Solid Security, that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do you know, be consuming tons and tons of server resources. 
Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs, again, too, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little you know there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application: themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. I'm gonna pause. Make sense? Questions about this before we move on to the next bit?\r\n\r\nUnknown Speaker 30:17 \r\nIf you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. 
If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be great. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. 
Just make a make a quick Cloudflare account I'm going to log in to my I iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install Of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they're they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get, is there an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an E commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a manage challenge from Cloudflare. 
Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nSo it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack, period, because a bot cannot pass Cloudflare Turnstile, at least yet. So Todd simply toggling that on is going to stop the DDoS attack. It does put a, you know, that Turnstile pass-through managed challenge between every single visitor, so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you, but this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes, like you've edited something, it's not showing up, then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching, all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching, with WordPress plugin caching. If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom, the Pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. 
You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow; this whole area is yellow. You know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here, that's kind of neat. You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on Cloudflare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records. This is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter a 100 character comment to remind myself maybe when this was changed, or why. You get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. 
That's a Postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrars, we're going to get into this when we walk through the bringing in of the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in, it's beautiful. You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNSSEC. 
If you're not familiar with DNSSEC, this is basically it validates that your domain is correct. Right. So if Cloudflare is handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. You're going to want to do that. Multiset I don't use that. It's pretty complex. CNAME flattening, it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing set up currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google Workspace address for five of their employees or whatever, they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management, you may or may not want to use this. It's free and it's decent DMARC reporting, it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. 
It adds the very basic D equals none DMARC record; if you have watched those livestreams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right, moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels, so you can turn SSL completely off. Don't do that. You can also do flexible, which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self-signed certificate at the server. Virtually every server is going to provide a self-signed certificate and Cloudflare can use that; the encryption tunnel is perfectly, it's perfectly secure. There is this full level which says okay, I want to install a trusted, like one of those, you know, you buy it certificates on the server. You can do that if you want to, or Cloudflare will actually provide you an origin certificate for your server. I don't ever do that. It's not necessary for security. 
As long as there's self-signed on the server, which usually is, and Cloudflare to the browser is giving Google, it's one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it. Most of the VPSs that are set up by a reputable hosting company, like if you have a Liquid Web VPS, it's going to have a self-signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to, let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one, so if I go to WP nathan.com and I look at the certificate details, here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for Sectigo, doesn't really matter. Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me address this. 
So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server isn't it can't validate, right, or it's the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full, because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full; it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that like full strict, that sounds great. I want that but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host, you'll want to know you'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? And in this case, it's Google first and then you know one of those, so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. 
It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that, cost money. You don't really need it. You don't. Total TLS, this lets you choose, like if I toggle this, oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on; it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever, you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider, because it can lock down it'll lock out traffic. It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version. I'm going to recommend here 1.2 because it's kind of the it's everybody can use 1.2, but you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. You have to have 1.2 level of TLS, which is the next level of SSL, but really only really, really, really old browsers can't use TLS 1.3. 
So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's one by default. I do want to toggle this transparency on what this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realized that was a lot. 
So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event has happened on the server where a firewall, a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN? In this case, it is, I have a pass, a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one, look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port, like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got a managed challenge primarily because it was coming from outside the US, actually no, I've got this set up to accept UK traffic. So this, this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule, to make sure you're not getting legitimate traffic caught, or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands, same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF, which stands for web application firewall. Now, these are your this is a place again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know, trying to go to the WP login or my account, or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Googlebot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place, we'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents, you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security, the Page Shield. This is a paid feature, basically keeps your content safe. Bots feature, okay, this is probably the place where most people make a mistake. Bot fight mode on, I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity, and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare Super Bot Fight Mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on Under Attack Mode and you can sort it, you get to see, you know, a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods; that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level's essentially off, meaning that the average traffic, the average user is not going to get a managed challenge to say that I'm human; I don't want that in the way of average users. 30-minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this Browser Integrity Check on, that just it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access this is actually going away, will probably be removed from this menu pretty soon, and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it, they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here, this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there, do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare Fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google Fonts and download the font, Cloudflare Fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called Early Hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link, in the background the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket Loader. This is another one of those things that people say oh, it's speed. I'm going to turn don't turn this on. Rocket Loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto Minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this Automatic Platform Optimization for WordPress. This can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud, and the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized. It really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really, you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see, caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually, you can, like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that, because otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. This needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler Hints. Okay, how many of you remember from the Starter Site webinar we do every year? We've got that really cool plugin called IndexNow from Bing, and it watches changes on your website and lets Bing, and let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So Crawler Hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always Online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine, and if for some reason your server goes down, Cloudflare will know, okay, I'm gonna pull the latest copy out of Wayback Machine to serve, and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule, like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache, or the cache rules, are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, Workers Routes, don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rules. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's, Network, you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long-time iThemes Training, Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript, which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on because, well, in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on, a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page, and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it, because it's a very powerful tool. And last of all, Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, let me check in. How are you? Are you panting for breath? Are you okay? We've just done, this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas. We're gonna do that, probably, I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe, and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some of the actual recommended rules and things like that, that you're gonna want to implement. Now from that, tomorrow we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after, so we'll come back at 2:17 Central time, so 17 minutes after, and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now, first of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover. Now with this again, caveat, disclaimer, slash scary warning, scaly emoji, grimacing emoji, okay. Is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So sometimes sites require these granular adjustments and it might take a little bit to dial them in, so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security, but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or, you know, ask an office hours question, but is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time, so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This little Liquid Web VPS that WP Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because, you know, in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs, like in this case, I don't even know why we still have this one, but FTP dot, and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you, like me, enjoy having the ability to spin up quick staging sites. In my case on cPanel I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here, which means unless otherwise defined by another A record, that any other traffic, you know, whatever dot DDP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch-all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. That's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this.\r\n\r\nUnknown Speaker 1:26:23 \r\nLet's see how long it takes to create, if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically, Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL/TLS again, encryption method full, I talked about that a lot earlier, so hopefully that doesn't need any more explanation. Under edge certificates, Always Use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3. I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly, that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details, now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the, yes, right. Oh, okay, good. That's ready. So here's the process, we're rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need first the Key Tag, and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this, or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there, and digest type, oh, two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically, it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But there's just a button, you push the button, it adds the record and validates, it's done. It's like a one-click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this, full encryption mode, edge certificates. Now we're into the fun part, which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule, as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor, like country does not equal, you know, it lets you create records like this. And, or, and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see, if country does not equal United States and, I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules, we don't need all, like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure, are there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, whatever country you're in, or whatever, like for example, we have one customer that only does business, or they primarily do business in the US, Canada and about seven European countries. And so all those are in this "is not in" rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks, for example, that aren't coming from those specifically defined countries. Makes sense? So you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever, or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, whenever I'm doing a rule, our prefix for our agency, for code we write and for other things, is BWW, Brilliant Web Works, but your own little, what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two-letter country code, and if there's more you can just stack, amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is kind of the interstitial screen that we saw that challenges, are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or, you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything, I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre-managed-challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
This also, the skip this traffic, so some way I can notice that this traffic is good and legitimate, I always want to skip it, I have a rule. That action can do that. And interactive challenge again, I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just looked at this one. And by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule, and that is any URL that comes in to WP login, so even by the way, like if you're logged out and you used to go to WP admin to log in, it's going to forward you to wp-login.php, query string, blah blah blah. So if the URI path, this is your URI, same thing essentially as URL. So if the path coming in being requested from the server contains WP login, I want to challenge that. Like here, for WooCommerce, my account is their default login page, right? If you have a membership site where you've customized a login page, put that URL here. So whatever the login page is, I want to challenge that traffic. 
And what that lets me do is, like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know, URI path contains, you know, login or whatever it is, right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd you can just keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority, and this skip rule, I'll tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from, put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number, probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here, skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is, think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or 1000s of IP addresses. And it would be hard for you, and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so all these ASNs that are listed here are of known services. I've given you, way down here at the very end of the document, what to for. Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own, but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. There are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because if you're, for example, with a WooCommerce connector, if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, with much power comes great responsibility. Okay, so you're putting a rule in that's going to block traffic. If traffic is being blocked and something's not connecting, now you go into the event and say, oh, here's that traffic, now you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make, like this is part of the query string for every, that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is, this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you have other payment processors, whatever that webhook is that they give you, just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this, right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server, or verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook, having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I'm always specifying some actual contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check, and this actually, Karen, may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match your the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain WP config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML RPC at all ever. So we're gonna block any traffic that comes to XML RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if somebody is trying to get to wp-content, and it's not coming from my site, I'm gonna block. Now that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes. You'd be surprised how much traffic comes in. Matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of these images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out if the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this is this filters out a lot of of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin Ajax admin AJAX is again another bit of forum spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments. PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like text expander or in my case, I use type desk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Type desk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in pipe desk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have cf One CF two CF three it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: Why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at Security, WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want Bot Fight Mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today? Because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward. I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control, a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug, regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway, pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass you the challenge, they'll act they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of manage challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and roles from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have Bot Fight Mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and windows arranged and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli. This is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all, period, by Cloudflare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an ecommerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. Paul, yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cache in really it. It's\r\n\r\nit's really more like checkout, you know, forms that process payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edge with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains also and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin. I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here disabled performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're, if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up an A record and two CNAMEs so there's definitely more than that. And we're just going to keep moving. So you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to GoDaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know this old antiquated registrar doesn't support exporting of DNS, which is just really annoying but Paul is saying Don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna The key here so you don't mess up DNS is at the end of all this. My DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100% Otherwise you might break their email or something like that.\r\n\r\nSo yes, the for example, if there are CNAMEs that come in, like right here, this here's another one we can delete. This is a GoDaddy domain connects that we don't need that. We can delete this. Any that are there other registrars that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME generally, any CNAME other than the www record we want to proc we do not want to proxy correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in hopefully you can export them and import them otherwise. This is also helpful if you can if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue, if there's email, yeah, yeah, so like all the MX records, all the text validation records CNAME records that are all all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare their import gets about 90%. 
But it will typically especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it misses it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander CF one. Here's our managed challenge rule. So what I do in my text expander I have this title here. And so I'll copy cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode otherwise, you can copy and paste from your notes. There's our second rule the title, cut and paste up here. So choose the action skip and check all the boxes. All the all the boxes just like that deploy great our rule number three now this one has the variable in it that fills in my domain I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tiered topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see page rules and we're going to be star dot WP one dot dev slash WP admin come on admin star. The settings will be about we spell that correctly. All right, first thing we want to do cache level is bypass then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On you can add these rules or not just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active Boom. That's awesome. Let's see if our SSL certificate generated so you may have the email that says it's active active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL edge certificates. Oh look, it's active, boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active and it can take time. Okay, so let's talk about what happens if it's if it takes some time. Officially, Cloudflare says this can take 24 hours I've never ever had it take that long. You have had to take a few hours in this was you know, this was actually right after remember last year Cloudflare had that data center issue. It a lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cached that certificate if we go let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see these two IP addresses, that's Cloudflare's backup IP address, that's what you want. And so it is it is seeing everywhere in the DNS shows. It's running through Cloudflare. So we're good. I'm not sure why it's not showing that let's or why it's showing that Let's Encrypt. Let me try it in Safari. Just to see I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's what's that's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at Oh, because here make sure that you set it to full Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code, you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it in every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DS records is what we want. So I had to refresh the GoDaddy page because prior it was it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DS record tab most registrars are going to have this. You click that and we're going to add the DS record. So first, we demonstrated this yesterday but first we add the Key Tag and this is all out of order. But Key Tag is here. The algorithm is 13 the digest type is two. And the digest is this string of characters and that's all we're going to need. Save All right, and it may take a minute, but we're going to click Confirm and it needs to wait it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview boom good to go. All right. 
So we've just added the site to Cloudflare. wasn't that complicated? Was it I'm gonna pause for a minute questions or comments\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions how question is How hard is it to move your domain to Cloudflare I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would? We are now completely set up. If we go to WP admin here we'll get to managed challenge as we would expect. Boom. Good. All good logging in. Yep. and log in. There I am. Pretty cool. Sue, ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the more the back end of your domain registrar looks like 2004 The less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS dropdown or not. Enom is pretty old school on the back end, as you know. They really need to and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used Dotster or web dot actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know in it tends to what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option if the registrar doesn't support it, they don't support it. And again, that's DNS records. have been around for a while and they're an important part of Domain validation. And if your registrar doesn't support it, I mean, I would start looking for new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um So first question here is in regard to the WAF rule, the skip good traffic rule. Does we watch your website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. There's I don't think there's anything in a rule that's going to block that traffic. But so it's a good if you put a rule in and if they're getting blocked. This is an exercise of looking at the event and find what it's trying to do and then allow that but I don't have any specific whitelist for we watch. Second question is about Pay Pal. Do we use the ASN for Pay Pal, as you added at the bottom of the dock? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question that came in as an anonymous attendee. Or do we and I think what you mean is the web hook. So and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So I so let's see, as things are good. web hook URL is better. Because as NS I mean, maybe there's they might change or something might happen. So it's good to add the ASN. But if you know like, there's always going to be a pattern in the Pay Pal web hook for their IPN or whatever. Then try to get the little snippet of that web hook like I showed with the WooCommerce or the Gravity Forms stripe web hook, get that little snippet and always allow that traffic that way you're, you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the H refs IP to a Cloudflare list and then added the list to the good bots rule. Today. I got a report that the score was cut in half. Robots. txt is not accessible. Okay, so that okay, so something is still blocking H refs, for you, Karen. And so it could be the country rule. I've had this happen. So some like you can have, let's, let's let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe a traffic that's coming in from a country it's not in your allowed list or whatever. So what I would recommend that you do this is this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing. That was causing the block to happen and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate and but once you find that, the thing that allows it to skip then you can use that all the rest of your sites. So this is goes back to yesterday when I was saying of, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses Holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does H refs have a user agent? They likely do. Matter of fact, let's just look. So rather than let's see. Yes. So here's their user agent. So maybe what you would do here is say instead of that ginormous block of IP addresses we can just as easily say, in our allow our skip rule here or user agent contains a tres bot. 
Like this. And see if that doesn't help. Make sure all of your other see this. This is why the order matters because the skip rule comes in number two. And if you are, if you've identified correctly, that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now ah, refs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this. Other than, Oh, here's a good way to disallow to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are? That caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. am I allowing Canada?\r\n\r\nOh duck you got blocked sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify Paul you you. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down again, I wish there was an easier way All right.\r\n\r\nStacey, yeah, you probably you got to dopey admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in solid security maybe that's maybe so this you'll want that those in place right. So this Manage challenge protects the login page if you're using solid security and and turnstile reCAPTCHA, or whatever other recaptures for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there installed security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had the past through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know, it has, it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into I'm Under Attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances. Where I would recommend though that you add Cloudflare into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using, we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare, most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, clear the cache. Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not, let me just underscore this. Do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see, you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, how did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings, virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN tab or link and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this, makes sense? Does Perf Matters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perf Matters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably, this primarily affects caching. And I don't, Perf Matters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play when it comes to caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do we want to include it can be all domains that are in this Cloudflare account probably don't want to do that. A specific domain Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to a domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level generally I'm gonna give them domain administrator access, you can restrict it to just DNS if that's all they need. But in these cases, I want my the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights continue to summary. Yes, yes, yes. Invite an email was just been sent to my other email address that would give me access to that, that this email address. Nathan at Nathan ingram.com doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's you're giving them access to domains in this account, that's yours. 
But either way they, in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA, so by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me, that works too. Yeah, either way, that works. But the delegation is really simple and smooth. And Cloudflare, as you just saw, it's just click click like and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar, ah, Cloudflare is I think the best place to register domains now. Because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally, they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are, really, at 9.77 for a .com, 4.94 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in? Right here. You just, they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains and now at Squarespace, move them into Cloudflare, it's gonna be cheaper and the UI is really simple. And there's not, you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain, like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't, I think you're right there, Stacy. Yeah, and class is saying the same thing. I can't find where it says that here but when I've transferred a domain to Cloudflare they add it, you pay for a year but they add a year to whatever the current date is. So it's as good of a deal as you're gonna get on a transfer. Okay, class, that's a good, yeah. If you're already at the max prepay level, then yeah, they don't add a year, but that's generally not the case. So really easy to use them as a registrar, and now, so here, by the way, here is one caveat with using Cloudflare as the domain registrar, you cannot, or let me say it this way. You must use Cloudflare to manage your DNS if Cloudflare is the registrar, so you can't, I don't know why you'd want to, but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is, that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here, we talked about, let's, this issue with importing DNS records. I showed you the process of importing from a DNS provider, like we exported the DNS from GoDaddy, imported it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may, like I did, have a number of sites where the DNS was actually managed with cPanel. cPanel 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account I just hit the cloud for a rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte loading, loading loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompressed this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. What's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this, and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel, and even as long as that takes to download and whatever, that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt, so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as, Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it, right, and so you do that at, so many windows. All right. So we're gonna go to account icon, account home, Turnstile, account home and scroll down to Turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms zero spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10, just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in this account. And you just go from there. Any questions about that? Cloudflare Turnstile? Super, super helpful. All right. We talked a little bit about this, Cloudflare does give a lot for free. They do place certain limitations, like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit, our number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that are linked to each other as I described. Because the API keys are needed to connect LiteSpeed to flush the cache. So you can again, just like I described, use the same delegation process to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see, profile, isn't, no, hang on. I can't see it here. When you log into an account that's shared with other accounts, 
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even you know we have like five different Cloudflare accounts now that we're juggling, but you log into one of them. You can search and find the website you're looking for because it's been we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with I don't know anything about Cloudflare if they want to leave. So at that point, the answer is I'm sorry. That's why you hired me Cloudflare manages your DNS and give their next web provider access to the Cloudflare account and if they don't understand how to use it, I mean, that's on them. Right? I really don't have I mean, Cloudflare is pretty industry standard now and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare and I'm not talking about firewall rules and all of that, like oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me let me reverse my thinking on this a bit. Paul. 
If if I was going to offboard, a client whose site is managed on CloudFlare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings that just had the DNS and move the site to that account and give them access to that because I would I wouldn't want any of our security settings to go forward with them the world whatever's next. So been saying he had to do that on Monday. Yeah.\r\n\r\nYeah, that give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address and if they're forwarding to a Gmail account, for example, you can set up a send as address so that it can receive email as info at your domain, and it can send email as info at your domain all that can be done free within the Cloudflare email route routing settings. Let's see it looks like this. The last thing Yep. The last thing I'll mention, and we've already sort of dealt with this is troubleshooting WAF rules, you may run into things. If legitimate traffic is blocked by a WAF rule. Go to that activity log. That's right here. Websites AP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't you know if he's Oh, Google is blocked? Well, I don't think that's the Google bot. That's actually a Google Cloud Server. So a lot of times this may be a compromised server. That's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are compromised sites that are hosted on Google's infrastructure, for example. Anyway, you look at the activity log. Load entries that pertain to that specific rule by clicking this little number in the analytics here. That loads one day, there we go.

And actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your rules.

All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open Q&A. What do you think? Questions, comments, snide remarks, all of them are available at this point.

Questions from Paul, okay. "All of this setup work is built into the cost of a website for a new client, correct? Or do you factor in a cost for this going forward? How much extra, if anything, would you charge for doing this?" Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander. It really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that. Actually, what happens is, it saves me work, you know, in the future, because the site's being protected much better.
And Tanya, yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos, and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed.

Second question for Paul: "How about setting this up for existing clients? Extra service?" And the same answer for me on that. When we migrated all of our clients over to Cloudflare back last fall, we didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare: more secure, less traffic on the server, all of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service.

Do I notify clients? The ones that I thought would be interested, yes. The ones that just want to know their site is secure, no. No, but you know, we'll raise our rates again here probably in two months. And I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things, right? So you don't want to overwhelm them with information. So for the clients that are non-technical and they just want to know that we're taking care of their site, I would just mention that we've added a network layer of security that blocks, you know, something like, I'd word it in such a way that was, you know, a high level, a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those, that's an interesting little point here.
Some of our clients, the ones particularly that have access to Cloudflare, are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of, "Hey, we're in the process of moving to a new server, and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why." In some of them we actually had, you know, a quick call with many of those IT folks, like, "Yes, great, let's do it. We'd like Cloudflare, you know, we know about it," whatever. And so we just set up the account, delegated access, good to go. But it really depends on the client and their level of involvement, or if they have IT people, etc.

Doug: "For the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the search link to my website?" Yeah. So blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs. What will happen is, if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK, which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any, you know, if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way: whatever countries that you have legitimate customers, clients, whatever in, that would be coming to that site, allow those. But turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic, bots that are coming in from all over the world.

Paul is asking, how do anonymizers get affected by geolocations or VPN?
I mean, if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they present as coming from that country, because, I mean, they actually are. They're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben: "When using support, like from India for, like, WP All Import, they need access?" Yeah, but you can still challenge that traffic. That's the thing, is we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule. Does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right.

All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joked in the pre-show today that anything that breaks when you add these rules, just ask me tomorrow in office hours, we'll deal with it. All right, we'll see you back here tomorrow, office hours, one o'clock Central time, on Solid Academy, where we go further together.

Transcribed by https://otter.ai
Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1Nr3wkfCzHZ7Nr4PEzVWhV1lKn40abQUV\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/qIa-JHSQCRIijFOyeMsIQX00B1g?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";"]}},"postCountOnPage":1,"postCountTotal":1,"postID":448512,"postFormat":"standard","geoCloudflareCountryCode":"US"}; dataLayer.push( dataLayer_content ); \nA proven process for migrating sites into Cloudflare with no mistakes\n\n\n\nOther Cloudflare features like domain registration and email forwarding\n\n\n\nProtips for smoothing out your Cloudflare workflows\n\n\n\n\n\n\n\n\n\n\n\n\n\n","livestream_live_transcript_text":"Unknown Speaker 0:18 \r\nAll right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?\r\n\r\nUnknown Speaker 0:26 \r\nWhat are you most excited to learn?\r\n\r\nUnknown Speaker 0:32 \r\nAs you answer that I am getting our captions all set.\r\n\r\nUnknown Speaker 0:38 \r\nAlright, captions should now be working for everybody.\r\n\r\nUnknown Speaker 0:43 \r\nFingers crossed\r\n\r\nUnknown Speaker 0:47 \r\nthe whole thing.\r\n\r\nUnknown Speaker 0:49 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:51 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:53 \r\nWe'll see what we can do, Debra. Love it.\r\n\r\nUnknown Speaker 0:59 \r\nAlright folks, we are about four ish minutes away.\r\n\r\nUnknown Speaker 1:06 \r\nFour ish minutes away from getting started with Cloudflare for agencies if you're just joining us in zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40 Page course handbook that I've put together for you here. Many many, many things here in the handbook.\r\n\r\nUnknown Speaker 1:32 \r\nAnything you can learn? 
Yeah, all right.\r\n\r\nUnknown Speaker 1:35 \r\nDefinitely.\r\n\r\nUnknown Speaker 1:37 \r\nYes, Stacy. There are so many things and this is not I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.\r\n\r\nUnknown Speaker 1:51 \r\nHow much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can it should give you a really good basis to make decisions on how you want to implement.\r\n\r\nUnknown Speaker 2:24 \r\nPaul, you make the website and then we'll talk\r\n\r\nUnknown Speaker 2:31 \r\ny'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.\r\n\r\nUnknown Speaker 2:42 \r\nYeah, I promise it's really not that complicated.\r\n\r\nUnknown Speaker 2:47 \r\nAll right. So if you're just joining us in zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes. Yep, of course handbook is there and waiting on you to download also, of course the replay link.\r\n\r\nUnknown Speaker 3:08 \r\nIf you want to go back and rewatch today\r\n\r\nUnknown Speaker 3:16 \r\nmy oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.\r\n\r\nUnknown Speaker 3:27 \r\nAlright, y'all just about two minutes ago. hope everybody's doing well hope your week has gotten started. Well check in question today. Let me just hear from you what you are most excited to learn about Cloudflare what you want to know what parts confuse you other than everything, as some folks have said. 
If there's a particular area I'd love to hear that\r\n\r\nUnknown Speaker 3:52 \r\nOh, Beth. I mean priorities right.\r\n\r\nUnknown Speaker 4:00 \r\nLove it.\r\n\r\nUnknown Speaker 4:02 \r\nYeah, laptop on the beach. Back. Yeah.\r\n\r\nUnknown Speaker 4:07 \r\nActually, Myrtle Beach is gorgeous. This time of year. Good for you, Beth.\r\n\r\nUnknown Speaker 4:15 \r\nturnstyle WAF Yes.\r\n\r\nUnknown Speaker 4:20 \r\nThere's no dancing and Cloudflare\r\n\r\nUnknown Speaker 4:28 \r\nthat's why you take a tablet to the beach, not your laptop.\r\n\r\nUnknown Speaker 4:34 \r\nStacey, that's awesome. That's 100% True. And actually, if you find dancing and Cloudflare just wait because they'll move it to another menu link later or they'll rename it.\r\n\r\nUnknown Speaker 4:48 \r\nYeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.\r\n\r\nUnknown Speaker 4:59 \r\nDo the turnstile through the turnstile. Alright folks, just about 30 seconds to go. hope everybody's doing well today. Come on in find a seat and grab the course handbook. But to drop the link bundle in once again.\r\n\r\nUnknown Speaker 5:14 \r\ni Yes, exactly. Karen\r\n\r\nUnknown Speaker 5:19 \r\nand what you're talking about there, Karen. There's no easy answer to that. Unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.\r\n\r\nUnknown Speaker 5:46 \r\nAll right, y'all. It's three minutes after let us get the recording started and we will dive right in.\r\n\r\nUnknown Speaker 5:56 \r\nWell, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. 
Welcome to this premium course here on solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days. We're going to take two hours today two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.\r\n\r\nUnknown Speaker 7:21 \r\nSo I Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. 
So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. 
And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. 
They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. I Cloudflare. Security Services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free ssl certificates. Also, they use the Google certificate authority as the primary and then sectigo as a secondary. We'll get to all that when we get to the SSL section. 
They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization Cloudflare Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So that in that way, there's a lot of people watching them from high level, you know, big fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites 32% of the top million websites. 
Their global network has 300 data centers all over the globe at more than 120 different countries. So the the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare bought blocks look at this number 182 billion threats a day. On average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from we watch your website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare is free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the the requester so that those things are fulfilled more quickly. 
They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm under attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, cloud flares analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is okay. isn't just installing a WordPress security plug in enough I've been watching it it's really funny. This discussion has come up a number of times in the admin bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plug in and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this is Cloudflare a replacement for solid security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. 
So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the demark records, the txt validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network. level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here. On solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing. 
No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does solid security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. 
So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner. processes running in the same environment. malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning Do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic. That have gotten through the other two layers. We pause. 
Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing right not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like the the of the kinds of plugins that exist for WordPress. The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and make sure that the password hasn't been compromised, and that Have I Been Pwned database. 
We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security also session cookie protection, right having that like the trusted devices features of Solid Security that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs again, too, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little you know there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. 
I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be great. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. 
I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a make a quick Cloudflare account I'm going to log in to my I iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install Of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they're they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get, is there an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. 
It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an E commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a manage challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack period, because a bot cannot pass Cloudflare turnstile, at least yet. So Todd simply toggling that on is going to stop the DDoS attack it does put a you know that that turnstile pass through manage challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but that this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes like you you've edited something, it's not showing up then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching with WordPress plugin caching. 
If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. 
You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. 
They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. 
You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNS sec. If you're not familiar with DNS sec, this is basically it validates that your domain is correct. Right. So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. 
You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. 
Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management you may or may not want to use this. It's free and it's decent DMARC reporting it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record if you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full there are four levels so you can turn SSL completely off. Don't do that. You can also do flexible which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to the to your server with a self signed certificate at the server. Virtually every server is going to provide a self signed certificate and Cloudflare can use that the encryption tunnel is perfectly it's perfectly secure. There is this full level which says okay, I want to install a trusted like one of those, you know, you buy it certificates on the server. 
You can do that if you want to or Cloudflare will actually provide you an origin certificate for your server I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is and Cloudflare to the browser is giving Google it's one one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it most most of the VPSs that are set up by a reputable hosting company like if you have a Liquid Web VPS it's going to have a self signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one so if I go to WP nathan.com And I look at the certificate details here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for Sectigo doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me let me address this. So if you are using CloudFlare, you cannot use Let's Encrypt on your server, because your server isn't it can't validate right or it's the the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full because there's always a self signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that like full string, that sounds great. I want that but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host you'll want to know you'll want to look into that. And that's where I just recommend setting it at full and then you want to have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then you know one of those so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that cost money. You don't really need it. You don't Total TLS this lets you choose like if I toggle this, Oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider because it can lock down it'll lock out traffic. It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version. I'm going to recommend here 1.2 because it's kind of the it's everybody can use 1.2 but you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have 1.2 layer level of TLS TLS, which is the next level of SSL but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's one by default. I do want to toggle this transparency on what this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realized that was a lot. 
So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event that has happened on the server where a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN? In this case, I have a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one, look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got a managed challenge primarily because it was coming from outside the US. Actually no, I've got this set up to accept UK traffic. So this, this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule, to make sure you're not getting legitimate traffic caught, or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands, same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something with this traffic, and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF, which stands for web application firewall. Now, this is a place again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know, trying to go to the WP login or my account, or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Google bot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place, we'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents, you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down in security, the Page Shield. This is a paid feature, basically keeps your content safe. Bots feature, okay, this is probably the place where most people make a mistake. Bot fight mode on. I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for legitimate external connections to websites like web hooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare super bot fight mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you get to see you know a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods, that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off, meaning that the average traffic, the average user is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30 minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on, it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access, this is actually going away, will probably be removed from this menu pretty soon, and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it, they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here, this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there, do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google fonts and download the font, Cloudflare fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google's server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link, in the background the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket loader. This is another one of those things that people say oh, it's speed. I'm going to turn don't turn this on. Rocket loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud, and the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's as close to the user as possible, and it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but really, you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where, like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that because otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. This needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler hints. Okay, how many of you remember from the Starter Site webinar we do every year? We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and lets, let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason your server goes down, Cloudflare will know, okay, I'm gonna pull the latest copy out of Wayback Machine to serve, and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule, like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology, that just moves the stuff closest to the user. It's good stuff. Cache reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, workers routes, don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rules. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's network you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time iThemes Training / Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on, well, in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page, and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it, because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, let me check in. How are you? Are you panting for breath? Are you okay? We've just done, this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas, we're gonna do that probably, I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe, and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you the actual recommended rules and things like that, that you're gonna want to implement. Now from that, tomorrow we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 2:17 Central time, so 17 minutes after, and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30 second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now, first of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now, with this again, caveat, disclaimer, slash scary warning, scaly emoji, grimacing emoji, okay. Is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to web hooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So sometimes sites require these granular adjustments and it might take a little bit to dial them in, so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or you know, ask an office hours question, but is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time, so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This little Liquid Web VPS that WP Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs, like in this case, I don't even know why we still have this one but FTP dot, and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you like me enjoy having the ability to spin up quick staging sites, in my case on cPanel I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here, which means unless otherwise defined by another A record, any other traffic, you know, whatever dot DDP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. That's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this.\r\n\r\nUnknown Speaker 1:26:23 \r\nLet's see how long it takes to create, if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically, Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL TLS again, encryption method full, I talked about that a lot earlier, so hopefully that doesn't need any more explanation. Under edge certificates, always use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules. Slightly, that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details, now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process, rewinding a bit, to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need first the Key Tag, and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this, or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type, oh, two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But there's just a button, you push the button, it adds the record and validates, it's done. It's like a one click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this, full encryption mode, edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule, as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor, like country does not equal, you know, it lets you create records like this. And, or, and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see, if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules, we don't need all, like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challengers rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure, are there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna, whatever country you're in, or whatever, like for example, we have one customer that primarily does business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks, for example, that aren't coming from those specifically defined countries. Makes sense? So you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down, I'm not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever, or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, I put in, whenever I'm doing a rule, our prefix for our agency, for code we write in, for other things, is BWW, Brilliant Web Works, but your own little, this, what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack them in the expression itself or use the expression builder. Either way. Melanie: does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge.
There's also the skip: this traffic, so some way I can notice that this traffic is good and legitimate, I always want to skip it. I have a rule. That action can do that. And interactive challenge, again, I don't use that at all. Use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right? So just use managed challenge instead of interactive or JavaScript challenge. It's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP, any URL that comes in to WP login, so even by the way, like if you're logged out and you used to go to WP admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially, as URL. So if the path coming in being requested from the server contains that WP login, I want to challenge that. If it, like for here, for WooCommerce, my account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, I want to challenge that traffic.
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority, and this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute.
So an AS number, probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or thousands of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here.
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing.
But you're that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you are if you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I'm always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it, Karen? Awesome.
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, so block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC.
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if somebody is trying to get to WP content, and it's not coming from my site. I'm gonna block. Now that can, that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for WP includes. There's a lot, you'd be surprised how much traffic comes in. Matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of these images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this WP content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up in some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL, if the path contains WP content and it's a PHP file, I want that out of there.
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this is this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron. I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin-ajax. Admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that, you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen.
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Typedesk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF one, CF two, CF three, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or Slurp, which is Yahoo I think, or Alexa and it's a known bot.
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: Why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any traffic. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics if I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop.
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move, move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule.
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want Bot Fight Mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment.
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today? Because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control, a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug: regarding the WAF, if I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway, pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result.
They'll click it, they'll pass through the challenge, they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen: can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't, they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance.
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for ManageWP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say ManageWP, I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly, make sure you one site tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular.
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya: oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the client's customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay.
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bot fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and Windows arrange and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an ecommerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cache in really it. It's\r\n\r\nit's really more like check out, you know, forms that Process Payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains also and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here disabled performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up in a record and to CNAME so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to godaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know this old antiquated registrar doesn't support exporting of DNS, which is just really annoying but Paul is saying Don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna The key here so you don't mess up DNS is at the end of all this. My DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100% Otherwise you might break their email or something like that.\r\n\r\nSo yes, the for example, if there are see names that come in, like right here, this here's another one we can delete. This is a GoDaddy domain connects that we don't need that. We can delete this. Any that are there other registrar's that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME generally, any CNAME other than the www record we want to proc we do not want to proxy correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in hopefully you can export them and import them otherwise. This is also helpful if you can if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into to your Cloudflare account. Sue if there's email Yeah, yeah, so like all the MX records, all the text validation records CNAME records that are all all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare their import gets about 90%. 
But it will typically especially if it's a complicated DNS setup, it will typically miss TXT records, like the valid validation records. It usually gets all the CNAMEs and the A records, but it misses it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander CF one. Here's our managed challenge rule. So what I do in my text expander I have this title here. And so I'll copy cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode otherwise, you can copy and paste from your notes. There's our second rule the title, cut and paste up here. So choose the action skip and check all the boxes. All the all the boxes just like that deploy great our rule number three now this one has the variable in it that fills in my domain I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do, though, want to go into Tiered Cache and turn on our smart tiered topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see, page rules, and we're going to be star dot WP one dot dev slash WP admin, come on, admin star. The settings will be about we spell that correctly. All right, first thing we want to do: cache level is bypass, then it was performance is disabled, and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. And you can add these rules or not, just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated. So you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that, so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL, edge certificates. Oh look, it's active. Boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active, and it can take time. Okay, so let's talk about what happens if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. I have had it take a few hours, and this was, you know, this was actually right after, remember last year Cloudflare had that data center issue. A lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now, if you get hours and hours and hours, like the next morning, if it's still not working, then what I would suggest that you do, let's see, I've put those troubleshooting notes down here. Okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when I'm not getting my certificate generated, it's been because I accidentally left those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable, doo doo doo doo doo, right here. Disable universal SSL. Click that button, wait a couple of minutes for the dust to settle. Then you re-enable it and it starts that validation process again, and I've never had it not work the second time. So maybe that's just lucky on my part. But generally that fixes something that's stuck. And I've only had that happen like once or twice in all the sites, and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues, then it's time to go to the Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here, the universal one. Now, we don't have to wait for that, saw this question a minute ago. We don't have to wait for the backup certificate to get set. That can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable Cloudflare on the site. It is now enabled. And okay, here's where it was before, and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate, which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cached that certificate. Let's go into the browser, and you can see that it's the Google cert, and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is, oh, I clicked the wrong thing. There we go. Now it's still, interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see these two IP addresses, that's Cloudflare's, backup IP address, that's what you want. And so it is seeing everywhere in the DNS, it shows it's running through Cloudflare. So we're good. I'm not sure why it's showing that Let's Encrypt. Let me try it in Safari. Just to see. I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working, though. That's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at, oh, because here, make sure that you set it to full. Am I following my instructions? No, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate. Helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right? Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab. Most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday, but first we add the Key Tag, and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters, and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm, and it needs to wait, it's going to look for this, and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, full, good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments?\r\n\r\nThis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated.\r\n\r\nAll right. Other questions. Question is, how hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get the managed challenge as we would expect. Boom. Good. All good logging in. Yep, and log in. There I am. Pretty cool. Sue: ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS drop-down or not. Enom is pretty old school on the back end, as you know. They really need to, and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used. Dotster or web dot, actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know. What I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option? If the registrar doesn't support it, they don't support it. And again, that's DNS records. have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for a new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi-part question here.\r\n\r\nOkay, um, so first question here is in regard to the WAF rule, the skip good traffic rule. Does WeWatchYourWebsite have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. I don't think there's anything in a rule that's going to block that traffic. But so if you put a rule in and if they're getting blocked, this is an exercise of looking at the event and finding what it's trying to do and then allowing that, but I don't have any specific whitelist for WeWatch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question, that came in as an anonymous attendee. Or do we, and I think what you mean is the webhook. So, and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe they might change or something might happen. So it's good to add the ASN. But if you know, like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic. That way you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IPs to a Cloudflare list and then added the list to the good bots rule. Today, I got a report that the score was cut in half. Robots.txt is not accessible. Okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country, and maybe traffic that's coming in from a country that's not in your allowed list or whatever. So what I would recommend that you do, this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen, and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate, but once you find the thing that allows it to skip, then you can use that on all the rest of your sites. So this goes back to yesterday when I was saying, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than, let's see. Yes. So here's their user agent. So maybe what you would do here is say, instead of that ginormous block of IP addresses, we can just as easily say, in our allow, our skip rule here, or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other, see this. This is why the order matters, because the skip rule comes in number two. And if you've identified that traffic correctly, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, you just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it, and it could be that I've just not stumbled upon the right method. But in lots of practical hands-on work I've not found an easier way to do this. Other than, oh, here's a good way to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are that caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird.\r\n\r\nI'm not sure. But yeah, this is how you would identify, Paul. It doesn't tell you what about the traffic triggered the log, but looking at the details, you can probably narrow it down. Again, I wish there was an easier way. All right.\r\n\r\nStacey, yeah, you probably got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there, if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, et cetera, et cetera, right there. Cloudflare tools and tips, that's starting at page 32. We'll have a good Q&A time at the end, and that'll be it. So we'll take a break, five minutes, back at five minutes after two Central Time.\r\n\r\n30-second warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for Agencies. Got a long way in the last few hours together and everybody's still alive. Seems like that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for Q&A and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul: with the rules in effect, is this where you no longer set the reCAPTCHA in Solid Security? So the answer to that question is yes. Because in our WAF rule, we have a managed challenge. That's going to challenge any of our WP login. Now when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using Solid Security to protect your comment form or whatever. And by the way, are y'all listening? Can I share something just between you and me? 
There may be some ecommerce protections that are coming in Solid Security, maybe. So you'll want those in place, right? So this managed challenge protects the login page. If you're using Solid Security and Turnstile, reCAPTCHA, or whatever other CAPTCHAs for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there in Solid Security. Does that make sense, Paul? But it is redundant to set a CAPTCHA on a page where they've already had to pass through a managed challenge to get there. Does that make sense, everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on, okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this, and this is a very important note. As you've seen already, web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things, and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in The Admin Bar. From Troy Glancy. Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend, if you're in The Admin Bar, watch this post. Just search for Cloudflare in The Admin Bar, it'll pop right up, and see what his advice is on this, right? Because he may very well, and probably will, have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare, and actually settings, under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in. We need our email, which is Nathan at ithemes.com, and a global token. So you always find those at your account home. And actually, where is that, it's at profile, actually My Profile and API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which site it is. Scroll down, continue to summary, create token, and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site. Now basically what this plugin does is bring some of the Cloudflare dashboard functions into WordPress. So you know, I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings, for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know, it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into I'm Under Attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances. Where I would recommend, though, is that you add Cloudflare into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using, we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare. Most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and, you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay? Or if you edit a page, clear the cache. Cloudflare, sitting up here at the network level, has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync, and that's what you want. 
So do not, let me just underscore this. Do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see, you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.\r\n\r\nSue is asking, how did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings. Virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN tab or link, and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this? Makes sense? Does Perfmatters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perfmatters. So I can't speak to that. But you'll definitely want to visit with them on that. So probably this primarily affects caching. And Perfmatters doesn't do caching, right? It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really comes into play when it comes to caching, caching those assets in various places. 
So the changes that Perfmatters makes are likely pulled up to Cloudflare anyway, but I would still, in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that? Does that make sense? Because you will come in one day or you'll get an email from your client: hey, everything looks weird and wonky, and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that, it'll look fine for you, but it will look wonky for everybody else. And so you know, it's a Cloudflare cache issue. And what you have to do is go out, and let me just show this. This is if you hit that problem: go into your website, go into cache and configuration, and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything, and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody good to move on? Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare. So this is one of the big questions. So if we move our DNS into Cloudflare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who, for various reasons, need to manage their own DNS. That didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access, and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and, scrolling, scrolling, Manage Account and Members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at, boom. A fan at nathaningram.com. I can't type. There we go. And what are we going to do? We want to include, it can be all domains that are in this Cloudflare account, probably don't want to do that. A specific domain, yes, I want to give Nathan access to WP one dot dev. Well, what if I have multiple domains that Nathan needs access to? A domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this way, include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level? Generally I'm gonna give them domain administrator access. You can restrict it to just DNS if that's all they need. But in these cases, the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights, continue to summary. Yes, yes, yes. Invite. An email has just been sent to my other email address that would give me access to that. This email address, Nathan at nathaningram.com, doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access, let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would, like here's this. Here's one where I've given another email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. You're giving them access to domains in this account, that's yours. 
But either way, in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me, that works too. Yeah, either way that works. But the delegation is really simple and smooth. And Cloudflare, as you just saw, it's just click, click, click and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar, ah, Cloudflare is, I think, the best place to register domains now. Because they don't make any money on domain registration. A .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. They're literally selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are, really, at 9.77 for a .com, 4.94 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in? Right here. They have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains and now at Squarespace, move them into Cloudflare. It's gonna be cheaper and the UI is really simple. And there's not, you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain, like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't, I think you're right there, Stacy. Yeah, and class is saying the same thing. I can't find where it says that here, but when I've transferred a domain to Cloudflare, you pay for a year but they add a year to whatever the current date is. So it's as good of a deal as you're gonna get on a transfer. Okay, class that's a good, yeah. If you're already at the max prepay level, then yeah, they don't add a year, but that's generally not the case. So really easy to use them as a registrar. And now, by the way, here is one caveat with using Cloudflare as the domain registrar: you cannot, or let me say it this way. You must use Cloudflare to manage your DNS if Cloudflare is the registrar. So you can't, I don't know why you'd want to, but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process. Okay, so we were here, we talked about this issue with importing DNS records. I showed you the process of importing from a DNS provider, like we exported the DNS from GoDaddy, imported it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may, like I did, have a number of sites where the DNS was actually managed with cPanel. 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account. I just hit the Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte. Loading, loading, loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompress this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. What's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel and even as long as that takes to download and whatever that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement, that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it right and so you do that at so many windows. All right. So we're gonna go to account icon account home, Turnstile, account home and scroll down to turns Turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10 just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other does that make sense? Everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the this account. And you just go from there any questions about that? pod for Turnstile? Super, super helpful. All right. We talked a little bit about this Cloudflare does give a lot for free. They do place certain limitations like 10 Turnstile key pairs per account 50 API keys per account. So we actually limit are the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that meant that are linked to each other as I described. Because the API keys are needed for to connect LiteSpeed to flush the cache. So you can again just like I described, use the same delegation process to to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see profile isn't no hang on. I can't see it here. When you log into account that shared with other accounts. 
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even you know we have like five different Cloudflare accounts now that we're juggling, but you log into one of them. You can search and find the website you're looking for because it's been we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with I don't know anything about Cloudflare if they want to leave. So at that point, the answer is I'm sorry. That's why you hired me Cloudflare manages your DNS and give their next web provider access to the Cloudflare account and if they don't understand how to use it, I mean, that's on them. Right? I really don't have I mean, Cloudflare is pretty industry standard now and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare and I'm not talking about firewall rules and all of that, like oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me let me reverse my thinking on this a bit. Paul. 
If if I was going to offboard, a client whose site is managed on CloudFlare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings that just had the DNS and move the site to that account and give them access to that because I would I wouldn't want any of our security settings to go forward with them the world whatever's next. So been saying he had to do that on Monday. Yeah.\r\n\r\nYeah, that give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address and if they're forwarding to a Gmail account, for example, you can set up a send as address so that it can receive email as info at your domain, and it can send email as info at your domain all that can be done free within the Cloudflare email route routing settings. Let's see it looks like this. The last thing Yep. The last thing I'll mention, and we've already sort of dealt with this is troubleshooting WAF rules, you may run into things. If legitimate traffic is blocked by a WAF rule. Go to that activity log. That's right here. Websites AP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't you know if he's Oh, Google is blocked? Well, I don't think that's the Google bot. That's actually a Google Cloud Server. So a lot of times this may be a compromised server. That's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure. For example, anyway, you look at look at the activity log load entries that pertain to that specific rule by clicking this little number in the analytics here that loads one day, there we go.\r\n\r\nAnd actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open q&a. What do you think questions, comments, snide remarks all of them are available at this point. Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client correct or do you factor in a cost for this going forward? How much extra if anything would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander it really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that it actually what happens is, it saves me work on you know, in the future because the site's being protected and much better. 
And Tanya Yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul, how about setting this up for existing clients extra service? And the same answer for me on that when we migrated all of our clients over to Cloudflare back last fall. We didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare more secure less traffic on the server. All of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure. No, no, but you know, we'll raise our rates again here probably in two months. And I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things right. So you don't want to overwhelm them with information. So for the clients that are non technical and they just want to know that we're taking care of their site. I would just mention that we've added a network layer of security that blocks you know, something like I'd worded in such a way that was, you know, a high level a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those that's a that's an interesting little point here. 
Some of the, our clients, the ones particularly that have access to Cloudflare our clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of hey, we're in the process of moving to a new server and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why. In some of them we actually had a you know, a quick call with many of those IT folks like yes, great, let's do it. We'd like Cloudflare you know, we know about it, whatever. And so we just set up the account delegated access, good to go but it really depends on the client and their level of involvement or if they have IT people, etc. Doug for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP. What happens to a UK visitor when they click the Search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs, what will happen is if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any you know if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way, whatever countries that you have legitimate customers, clients, whatever in that would be coming to that site, allow those but turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic bots that are coming in from all over the world.\r\n\r\nPaul is asking how do anonymizers get affected by geo locations or VPN? 
I mean, it's if I come in if you if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they they present as coming from that country, because I mean, they actually are they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying they're not standing there. They're coming from other parts of the world and it's noticeable\r\n\r\nBen when using support like from India for like WP all import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the you know, it's not blocking the traffic. And so I wouldn't change my WAF rules. If support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule does that make sense?\r\n\r\nThe managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites do you have everything you need? Are you equipped to to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you. 
We are back tomorrow for office hours. We joke that in the pre show today that anything that breaks when you add these rules just asked me to borrow in office hours we'll deal with all right, we'll see you back here tomorrow office hours one o'clock central time on solid Academy where we go further together.\r\n\r\nTranscribed by https:\/\/otter.ai\r\n\r\n","livestream-resources-group":"s:34:\"a:1:{s:6:\"_state\";s:8:\"expanded\";}\";","multi-day_replay_details":["s:968:\"a:7:{s:18:\"event_replay_title\";s:7:\"Day One\";s:25:\"day_description_cloneable\";s:249:\"\r\n\r\n\r\n\r\n\r\nWelcome to Cloudflare!\r\n\r\nCloudflare Page by Page\r\n\r\nRecommended Cloudflare Settings\r\n\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938374439\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1o7Y8xSGeEx8ZF7yBmMsRat6XNkkjEXWc\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/Xr3bZcpfJBN9iV2YsapSA3avN0Q?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";","s:971:\"a:7:{s:18:\"event_replay_title\";s:5:\"Day 2\";s:25:\"day_description_cloneable\";s:254:\"\r\n\r\n\r\n\r\nRecommended Cloudflare Settings (continued)\r\nMigrating a Site to Cloudflare\r\nMore Cloudflare Tools and Tips\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938814771\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course 
Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1Nr3wkfCzHZ7Nr4PEzVWhV1lKn40abQUV\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/qIa-JHSQCRIijFOyeMsIQX00B1g?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";"]}},"postCountOnPage":1,"postCountTotal":1,"postID":448512,"postFormat":"standard","geoCloudflareCountryCode":"US"}; dataLayer.push( dataLayer_content ); \nHow to set up important WAF rules\n\n\n\nA proven process for migrating sites into Cloudflare with no mistakes\n\n\n\nOther Cloudflare features like domain registration and email forwarding\n\n\n\nProtips for smoothing out your Cloudflare workflows\n\n\n\n\n\n\n\n\n\n\n\n\n\n","livestream_live_transcript_text":"Unknown Speaker 0:18 \r\nAll right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?\r\n\r\nUnknown Speaker 0:26 \r\nWhat are you most excited to learn?\r\n\r\nUnknown Speaker 0:32 \r\nAs you answer that I am getting our captions all set.\r\n\r\nUnknown Speaker 0:38 \r\nAlright, captions should now be working for everybody.\r\n\r\nUnknown Speaker 0:43 \r\nFingers crossed\r\n\r\nUnknown Speaker 0:47 \r\nthe whole thing.\r\n\r\nUnknown Speaker 0:49 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:51 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:53 \r\nWe'll see what we can do, Debra. Love it.\r\n\r\nUnknown Speaker 0:59 \r\nAlright folks, we are about four ish minutes away.\r\n\r\nUnknown Speaker 1:06 \r\nFour ish minutes away from getting started with Cloudflare for agencies if you're just joining us in zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40 Page course handbook that I've put together for you here. Many many, many things here in the handbook.\r\n\r\nUnknown Speaker 1:32 \r\nAnything you can learn? 
Yeah, all right.\r\n\r\nUnknown Speaker 1:35 \r\nDefinitely.\r\n\r\nUnknown Speaker 1:37 \r\nYes, Stacy. There are so many things and this is not I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.\r\n\r\nUnknown Speaker 1:51 \r\nHow much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can it should give you a really good basis to make decisions on how you want to implement.\r\n\r\nUnknown Speaker 2:24 \r\nPaul, you make the website and then we'll talk\r\n\r\nUnknown Speaker 2:31 \r\ny'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.\r\n\r\nUnknown Speaker 2:42 \r\nYeah, I promise it's really not that complicated.\r\n\r\nUnknown Speaker 2:47 \r\nAll right. So if you're just joining us in zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes. Yep, of course handbook is there and waiting on you to download also, of course the replay link.\r\n\r\nUnknown Speaker 3:08 \r\nIf you want to go back and rewatch today\r\n\r\nUnknown Speaker 3:16 \r\nmy oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.\r\n\r\nUnknown Speaker 3:27 \r\nAlright, y'all just about two minutes ago. hope everybody's doing well hope your week has gotten started. Well check in question today. Let me just hear from you what you are most excited to learn about Cloudflare what you want to know what parts confuse you other than everything, as some folks have said. 
If there's a particular area I'd love to hear that\r\n\r\nUnknown Speaker 3:52 \r\nOh, Beth. I mean priorities right.\r\n\r\nUnknown Speaker 4:00 \r\nLove it.\r\n\r\nUnknown Speaker 4:02 \r\nYeah, laptop on the beach. Back. Yeah.\r\n\r\nUnknown Speaker 4:07 \r\nActually, Myrtle Beach is gorgeous. This time of year. Good for you, Beth.\r\n\r\nUnknown Speaker 4:15 \r\nturnstyle WAF Yes.\r\n\r\nUnknown Speaker 4:20 \r\nThere's no dancing and Cloudflare\r\n\r\nUnknown Speaker 4:28 \r\nthat's why you take a tablet to the beach, not your laptop.\r\n\r\nUnknown Speaker 4:34 \r\nStacey, that's awesome. That's 100% True. And actually, if you find dancing and Cloudflare just wait because they'll move it to another menu link later or they'll rename it.\r\n\r\nUnknown Speaker 4:48 \r\nYeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.\r\n\r\nUnknown Speaker 4:59 \r\nDo the turnstile through the turnstile. Alright folks, just about 30 seconds to go. hope everybody's doing well today. Come on in find a seat and grab the course handbook. But to drop the link bundle in once again.\r\n\r\nUnknown Speaker 5:14 \r\ni Yes, exactly. Karen\r\n\r\nUnknown Speaker 5:19 \r\nand what you're talking about there, Karen. There's no easy answer to that. Unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.\r\n\r\nUnknown Speaker 5:46 \r\nAll right, y'all. It's three minutes after let us get the recording started and we will dive right in.\r\n\r\nUnknown Speaker 5:56 \r\nWell, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. 
Welcome to this premium course here on solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days. We're going to take two hours today two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.\r\n\r\nUnknown Speaker 7:21 \r\nSo I Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. 
So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. 
And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. 
They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. I Cloudflare. Security Services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free ssl certificates. Also, they use the Google certificate authority as the primary and then sectigo as a secondary. We'll get to all that when we get to the SSL section. 
They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN, even their free CDN, you can move things, the images and scripts and so forth, from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare? Cloudflare is a private company and so this is, you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So in that way, there's a lot of people watching them from high level, you know, big Fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites, 32% of the top million websites. 
Their global network has 300 data centers all over the globe in more than 120 different countries. So the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody, you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into, Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day on average. It's a lot and so simply by virtue of the amount of traffic that they're filtering, Cloudflare, you know, they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Raef on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how, you know, what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly. 
They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm Under Attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. The statistics in Cloudflare, if you are a statistics person, you will love, love, love the statistics reports because it'll show you like on your firewall rules, what's hitting it and, you know, what the information about that traffic is; it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is, okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny. This discussion has come up a number of times in the Admin Bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. 
So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about, you know, where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare, they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi-layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. So this multi-layered approach is something you need to get your mind around. And we've been talking about this now for some time here on Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare, right, so that's wrapping around the whole thing. 
No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less, it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does Solid Security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he'd tell you the same thing. We want to filter the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network, gets to the server. So what role does the server play in this multi-layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. 
So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning. You don't want a plugin doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the malware scanner exists at the WordPress level, the malware can overwrite, you know, the malware scanner, so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner processes running in the same environment. Malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level, like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt, if it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic that have gotten through the other two layers. We pause. 
Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of WordPressing, right, not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my... so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that. It's maybe watching for malware, or the malware scanner, but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like, of the kinds of plugins that exist for WordPress, the most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins, like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like, you know, the function that bounces out and makes sure that the password hasn't been compromised, and that Have I Been Pwned database. 
We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users... user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security. Also session cookie protection, right, having that like the trusted devices features of Solid Security, that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna, you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs again, too, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little, you know, there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic, get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application, themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. 
I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be great. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. 
I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a make a quick Cloudflare account I'm going to log in to my I iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install Of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they're they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get, is there an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. 
It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site, you're getting... it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack period, because a bot cannot pass Cloudflare Turnstile, at least yet. So simply toggling that on is going to stop the DDoS attack. It does put a, you know, that Turnstile pass-through managed challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is Development Mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes, like you've edited something, it's not showing up, then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching, all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching, with WordPress plugin caching. 
If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. 
You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. 
They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. 
You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNS sec. If you're not familiar with DNS sec, this is basically it validates that your domain is correct. Right. So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. 
You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. 
Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here, if you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management. You may or may not want to use this. It's free and it's decent DMARC reporting. It's not the best, certainly not the worst. It's really good for free. And it allows you, when you first set it up, to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic p=none DMARC record. If you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right, moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels, so you can turn SSL completely off. Don't do that. You can also do flexible, which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self-signed certificate at the server. Virtually every server is going to provide a self-signed certificate and Cloudflare can use that. The encryption tunnel is perfectly, it's perfectly secure. There is this full level which says okay, I want to install a trusted, like one of those, you know, you buy it certificates on the server. 
You can do that if you want to, or Cloudflare will actually provide you an origin certificate for your server. I don't ever do that. It's not necessary for security. As long as there's self-signed on the server, which there usually is, and Cloudflare to the browser is giving Google, it's one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, you don't have to worry about it. Most of the VPSs that are set up by a reputable hosting company, like if you have a Liquid Web VPS, it's going to have a self-signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to, let's see, edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one, so if I go to WP nathan.com and I look at the certificate details, here it is, valid. It is Google Trust Services right there. So that's what it shows to the user, is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is, then it does have a backup, as this, it's a Let's Encrypt certificate here. On WP Nathan it can also be set for Sectigo. Doesn't really matter. 
Very, very rarely\r\n\r\nUnknown Speaker 47:00 \r\nwill this backup certificate ever be used.\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me let me address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server isn't, it can't validate, right, or it's the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full, because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full, it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that, like full strict, that sounds great. I want that, but you don't want that. It's you want to be able to set this and forget it. So yeah, and Stacy, it may be dependent on the host, you'll want to know, you'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your favorite purchased certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then, you know, one of those. So does that make sense, everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay, let's keep going. So edge certificates. We talked about these. You're not going to want that, costs money. You don't really need it. You don't. Total TLS, this lets you choose, like if I toggle this, oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on. It's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless, like, it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security they have to reach for their own internal audits or whatever, you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider, because it can lock down, it'll lock out traffic. It's just, it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version. I'm going to recommend here 1.2 because it's kind of the, it's everybody can use 1.2. But you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have 1.2 level of TLS. TLS, which is the next level of SSL. But really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini, like those are the only two browsers. So the chances, I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's on by default. I do want to toggle this transparency on. What this does is basically, if something, if some other server or authority or whatever issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere, something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, most of the stuff you're not really going to use. You're not going to use this most likely, it's complicated scenarios. Origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that, it's not super necessary. And then custom hostnames you're probably not going to use. So that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit? I realize that was a lot. 
So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event that has happened on the server where a firewall, a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN? In this case, it is I have a pass, a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one, look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port, like what the heck is this, one a 53, I don't even know what that is. This was bad traffic and it got a managed challenge, primarily because it was coming from outside the US. Actually no, I've got this set up to accept UK traffic. So this, this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule, make sure you're not getting legitimate traffic caught, or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands, same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something with this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF, which stands for web application firewall. Now, these are your, this is a place again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know, trying to go to their WP login or my account, or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Googlebot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place. We'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents. You have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down in security, the Page Shield. This is a paid feature, basically keeps your content safe. Bots feature, okay, this is probably the place where most people make a mistake. Bot fight mode on. I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for X legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like, you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity, and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare Super Bot Fight Mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you can sort it, you get to see, you know, a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods. That's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that that's available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off, meaning that the average traffic, the average user is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30-minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on, that just, it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access, this is actually going away, will probably be removed from this menu pretty soon. And let me just mention also, if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it, they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here, this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there, do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an H an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare Fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google Fonts and download the font, Cloudflare Fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google's server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link, in the background the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket Loader. This is another one of those things that people say oh, it's speed, I'm going to turn, don't turn this on. Rocket Loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't, don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto Minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud, and the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized, it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really, you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see, caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually, you can, like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that, because otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's this, needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and lets Bing, and let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always Online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine, and if for some reason your server goes down, Cloudflare will know, okay, I'm gonna pull the latest copy out of Wayback Machine to serve, and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add rules, like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page? I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache, or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, Workers routes, don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rules. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much red. So let's, network, you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a longtime iThemes Training, Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript, which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on because, well, in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on, a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page, and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool. Actually, it's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it, because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, how, let me check in. How are you? Are you panting for breath? Are you okay? We've just done, this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas. We're gonna do that, probably, I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe, and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some of the actual recommended rules and things like that, that you're gonna want to implement. Now from that, tomorrow we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after, so we'll come back at 2:17 Central time, so 17 minutes after, and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now, first of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover. Now with this again, caveat, disclaimer, slash scary warning, scaly emoji, grimacing emoji, okay. Is this, is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get, sometimes sites require these granular adjustments and it might take a little bit to dial them in, so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security, but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something, or you know, ask an office hours question, but is that, is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time, so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This little, this Liquid Web VPS that WP Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because you unless you know in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs like in this case, I don't even know why we still have this one but FTP dot and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records; generally, do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you, like me, enjoy having the ability to spin up quick staging sites. In my case, on cPanel, I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place. They're all on the same server. Then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here which means unless otherwise defined by another A record that any other traffic, you know, whatever dot WP Nathan dot com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know we could, you know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's, that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy; most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that. In just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL/TLS again, encryption method full. I talked about that a lot earlier, so that hopefully that doesn't need any more explanation. Under edge certificates, Always Use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process, rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first the Key Tag and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button, it adds the record and validates, it's done. It's like a one click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this full encryption mode edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal you know, it lets you create records like this. And/or, and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be Managed Challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks for example, that aren't coming from those specifically defined countries. Makes sense? So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. Really. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, I put in, whenever I'm doing a rule, our prefix for our agency, for code we write and for other things, is BWW, Brilliant Web Works, but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack them in the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
This also the skip this traffic so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge again. It's I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so it's you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP any URL that comes in to wp-login, so even by the way, like if you're logged out and you used to go to wp-admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially, as URL. So if the path coming in being requested from the server contains wp-login, I want to challenge that. If it, like here for WooCommerce, My Account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, that I want to challenge that traffic. 
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like aI Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority, and this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here, skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or 1000s of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are, for the most part, some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix, or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you are if you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I'm always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually, Karen, may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it, Karen? Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match your the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if the, if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block. Now that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes, there's a lot, you'd be surprised how much traffic comes in. Matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of this images. There's all this garbage traffic and look at this. What the heck would anybody need, you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL, if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan, so this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments, anything like that, this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron, I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin-ajax, admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that, you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides, Typedesk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF one, CF two, CF three, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or Slurp, which is Yahoo, I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe, why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics if I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But it's this is this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move, move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti-flood, oops, anti-flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want bot fight mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment.
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that's there that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the Search link to my website. They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result.
They'll click it, they'll pass you the challenge, they'll act they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance.
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bot fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and Windows arrange and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute.
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by Cloudflare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached.
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cash in really it. It's\r\n\r\nit's really more like check out, you know, forms that Process Payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend.
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains also an anything after the repeat admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here disabled performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and hash things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up in a record and to CNAME so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to godaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know, this old antiquated registrar doesn't support exporting of DNS, which is just really annoying. But Paul is saying, don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna, the key here so you don't mess up DNS is at the end of all this. My DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, the for example, if there are CNAMEs that come in, like right here, this here's another one we can delete. This is a GoDaddy domain connects that we don't need that. We can delete this. Any that are there other registrars that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME generally, any CNAME other than the www record we want to proc, we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in, hopefully you can export them and import them otherwise. This is also helpful if you can if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue if there's email Yeah, yeah, so like all the MX records, all the TXT validation records CNAME records that are all all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare their import gets about 90%. 
But it will typically especially if it's a complicated DNS setup, it will typically miss TXT records, like the valid validation records. It usually gets all the CNAMEs and the A records, but it misses it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander CF one. Here's our managed challenge rule. So what I do in my text expander I have this title here. And so I'll copy cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode otherwise, you can copy and paste from your notes. There's our second rule the title, cut and paste up here. So choose the action skip and check all the boxes. All the all the boxes just like that, deploy. Great. Our rule number three, now this one has the variable in it that fills in my domain I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tier topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see page rules and we're going to be star dot WP one dot dev slash WP admin come on admin star. The settings will be about we spell that correctly. All right, first thing we want to do cache level is bypass then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On you can add these rules or not just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated so you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL edge certificates. Oh look, it's active, boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active and it can take time. Okay, so let's talk about what happens if it's if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. You have had to take a few hours in this was you know, this was actually right after remember last year Cloudflare had that data center issue. It a lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cache that certificate if we go let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see to these two IP addresses, that's cloud flares, backup IP address, that's what you want. And so it is it is seeing everywhere in the DNS shows. It's running through Cloudflare. So we're good. I'm not sure why it's not showing that let's or white showing that Let's Encrypt. Let me try it in Safari. Just to see I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's what's that's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at Oh, because here make sure that you set it to full Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because prior it was it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab, most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday but first we add the Key Tag and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm and it needs to wait, it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, boom, good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments?\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions how question is How hard is it to move your domain to Cloudflare I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get a managed challenge as we would expect. Boom. Good. All good logging in. Yep. and log in. There I am. Pretty cool. Sue, ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS drop-down or not. Enom is pretty old school on the back end, as you know. They really need to and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used Dotster or web dot actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know in it tends to what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option if the registrar doesn't support it, they don't support it. And again, that's, DNS records have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for a new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi-part question here.\r\n\r\nOkay, um So first question here is in regard to the WAF rule, the skip good traffic rule. Does WeWatchYourWebsite have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. There's I don't think there's anything in a rule that's going to block that traffic. But so it's a good if you put a rule in and if they're getting blocked. This is an exercise of looking at the event and find what it's trying to do and then allow that but I don't have any specific whitelist for WeWatch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question that came in as an anonymous attendee. Or do we and I think what you mean is the webhook. So and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So I so let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe there's they might change or something might happen. So it's good to add the ASN. But if you know like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic that way you're, you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IP to a Cloudflare list and then added the list to the good bots rule. Today I got a report that the score was cut in half. robots.txt is not accessible. Okay, so that okay, so something is still blocking Ahrefs, for you, Karen. And so it could be the country rule. I've had this happen. So some like you can have, let's, let's let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe a traffic that's coming in from a country it's not in your allowed list or whatever. So what I would recommend that you do this is this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate and but once you find that, the thing that allows it to skip then you can use that all the rest of your sites. So this is goes back to yesterday when I was saying of, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work, unfortunately. 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than let's see. Yes. So here's their user agent. So maybe what you would do here is say instead of that ginormous block of IP addresses we can just as easily say, in our allow our skip rule here or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other see this. This is why the order matters because the skip rule comes in number two. And if you are, if you've identified correctly, that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands-on work I've not found an easier way to do this. Other than, Oh, here's a good way to disallow to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are that caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify Paul you you. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down again, I wish there was an easier way. All right.\r\n\r\nStacey, yeah, you probably you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in solid security maybe that's maybe so this you'll want that those in place right. So this Manage challenge protects the login page if you're using solid security and and turnstile reCAPTCHA, or whatever other recaptures for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there installed security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had the past through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know it has it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into. I'm under attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances where I would recommend though that you add Cloudflare is into whatever WordPress performance plugin that you have chosen. So in our case, we use Lightspeed as an agency because we use Lightspeed server on our server. You might be using we had the discussion earlier about cloud ways breeze, you might be using hummingbird or DEP rocket or whatever. Each of these have a little area for Cloudflare most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs in Update, clear the cache, okay. Or if you edit a page, we're the cache Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using Lightspeed, so whenever we run plug in updates, Lightspeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not, let me just underscore this, do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see, you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.

As Sue is asking, how did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings. Virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed Cache on the admin bar, go to the CDN tab or link and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this? Makes sense? Does Perfmatters not connect? I'm shocked at that.

Interesting, yeah, I don't use Perfmatters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably, this primarily affects caching. And I don't, Perfmatters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play when it comes to caching, caching those assets in various places.
So if the changes that Perfmatters makes are likely pulled up to Cloudflare anyway, but I would, I would still, if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that? Does that make sense? Because you will come in one day or you'll get an email from your client: hey, everything looks weird and wonky, and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that, it'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and, let me just show this. This is if you hit that problem: go into your website, go into cache, and configuration, and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything. And then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody good to move on? Everybody has gone to take a nap. Okay.

Let's move on and talk about clients and Cloudflare. So this is one of the big questions. So if we move our DNS into Cloudflare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who, for various reasons, need to manage their own DNS. That didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access, and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members.
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at, boom. A fan at nathaningram.com. I can't type. There we go. And what are we going to do? We want to include, it can be all domains that are in this Cloudflare account, probably don't want to do that. A specific domain, yes, I want to give Nathan access to WP one dot dev. Well, what if I have multiple domains that Nathan needs access to? A domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this, include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level? Generally I'm gonna give them domain administrator access. You can restrict it to just DNS if that's all they need. But in these cases, I want my, the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights, continue to summary. Yes, yes, yes. Invite. An email has just been sent to my other email address that would give me access to that. This email address, Nathan at nathaningram.com, doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access, x, let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would, like, here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's, you're giving them access to domains in this account, that's yours.
But either way they, in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class: since client domains are registered with Cloudflare, I had them set up account and delegate access to me. That works too. Yeah, either way, that, that works. But the delegation is really simple and smooth. And Cloudflare, as you just saw, it's just click, click, like, and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling.

Speaking of domain registrar, ah, Cloudflare is, I think, the best place to register domains now, because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally, they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home, Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about, Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are, really, at 977 for a .com, 494 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in? Right here. You just, they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains and now at Squarespace, move them into Cloudflare. It's gonna be cheaper and the UI is really simple. And there's not, you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes.
But I think also they give you an extra year.

Let's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain, like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't, I think you're right there, Stacy. Yeah, and Class is saying the same thing. I can't find where it says that here, but when I've transferred a domain to Cloudflare they add it, you pay for a year but they add a year to whatever the current date is. So it's a, it's as good of a deal as you're gonna get on a transfer. Okay, Class, that's a good, yeah. If, if you're already at the max prepay level, then yeah, they don't add a year, but that's generally not the case. So really easy to use them as a registrar. And now, so here it, by the way, here is one caveat with using Cloudflare as the domain registrar: you cannot, or let me say it this way, you must use Cloudflare to manage your DNS if Cloudflare is the registrar. So you can't, I don't know why you'd want to, but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is, that's a thing.

Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here, we talked about, let's, this, this issue with importing DNS records. I showed you the process of importing from a DNS provider, like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may, like I did, have a number of sites where the DNS was actually managed with cPanel. cPanel
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file, like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just, there we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account. I just hit the Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent, recent account backup. I'm just going to download this and it's downloading this tarball, which is like a zip file. It's downloading it to my desktop.

Can take a minute. You're going, it's rather large. It's a gigabyte. Loading, loading, loading. Let's go and, okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different, but this is what you can do and it works. So we're going to unzip or uncompress this tarball. Again, takes just a minute to do because there's a lot of stuff in here, it's a full cPanel account backup. What's got to expand all the things.

Yeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import, but you have to download the whole stupid thing to get there. Moving, moving, okay, almost, almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's wpnathan.com.db.
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this, and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel, and even as long as that takes to download and whatever, that's still better than hand entering DNS records. Yeah.

Paul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt, so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?

All right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as, Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it, right, and so you do that at, so many windows. All right. So we're gonna go to account icon, account home, Turnstile, account home and scroll down to turns, Turnstile, and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule.
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10, just create another account, Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other, so that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you, because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the, this account. And you just go from there. Any questions about that? Pod for Turnstile? Super, super helpful.

All right. We talked a little bit about this. Cloudflare does give a lot for free. They do place certain limitations, like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit our, the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys, so we only put 50 domains in an account. So we have multiple accounts that meant that are linked to each other as I described. Because the API keys are needed for, to connect LiteSpeed to flush the cache. So you can again, just like I described, use the same delegation process to, to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home

hang on a minute. Let's see, profile, isn't, no, hang on. I can't see it here. When you log into account that's shared with other accounts.
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even, you know, we have like five different Cloudflare accounts now that we're juggling, but you log into one of them, you can search and find the website you're looking for because it's been, we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think. But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay.

Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with, I don't know anything about Cloudflare, if they want to leave. So at that point, the answer is, I'm sorry, that's why you hired me. Cloudflare manages your DNS, and give their next web provider access to the Cloudflare account, and if they don't understand how to use it, I mean, that's on them. Right? I really don't have, I mean, Cloudflare is pretty industry standard now, and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey, yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare, and I'm not talking about firewall rules and all of that, like, oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me, let me reverse my thinking on this a bit, Paul.
If, if I was going to offboard a client whose site is managed on Cloudflare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings, that just had the DNS, and move the site to that account and give them access to that, because I would, I wouldn't want any of our security settings to go forward with them the world whatever's next. So Ben's saying he had to do that on Monday. Yeah.

Yeah, that, give them a naked Cloudflare account that just has the DNS in it.

All right. Something else that's really neat is Cloudflare Email Routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re-get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address, and if they're forwarding to a Gmail account, for example, you can set up a send-as address so that it can receive email as info at your domain, and it can send email as info at your domain. All that can be done free within the Cloudflare email route, routing settings. Let's see, it looks like this. The last thing, yep.

The last thing I'll mention, and we've already sort of dealt with this, is troubleshooting WAF rules. You may run into things. If legitimate traffic is blocked by a WAF rule, go to that activity log. That's right here. Websites, WP Nathan, WAF. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was, maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't, you know, if he's, oh, Google is blocked? Well, I don't think that's the Googlebot. That's actually a Google Cloud server. So a lot of times this may be a compromised server that's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever.
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure, for example. Anyway, you look at, look at the activity log, load entries that pertain to that specific rule by clicking this little number in the analytics here, that loads one day, there we go.

And actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your, your rules.

All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open Q&A. What do you think? Questions, comments, snide remarks, all of them are available at this point.

Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client, correct, or do you factor in a cost for this going forward? How much extra, if anything, would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be, it's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander. It really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that. It actually, what happens is, it saves me work on, you know, in the future because the site's being protected and much better.
And Tanya, yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos, and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed.

Second question for Paul: how about setting this up for existing clients, extra service? And the same answer for me on that. When we migrated all of our clients over to Cloudflare back last fall, we didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare, more secure, less traffic on the server, all of that. Yeah. When there's nothing as, you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure? No. No, but you know, we'll raise our rates again here probably in two months, and I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things, right. So you don't want to overwhelm them with information. So for the clients that are non-technical and they just want to know that we're taking care of their site, I would just mention that we've added a network layer of security that blocks, you know, something like, I'd word it in such a way that was, you know, a high level, a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those, that's a, that's an interesting little point here.
Some of the, our clients, the ones particularly that have access to Cloudflare, are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of, hey, we're in the process of moving to a new server and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why. In some of them we actually had a, you know, a quick call with many of those IT folks, like, yes, great, let's do it. We'd like Cloudflare, you know, we know about it, whatever. And so we just set up the account, delegated access, good to go. But it really depends on the client and their level of involvement or if they have IT people, etc.

Doug: for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs. What will happen is if you're in the UK and you click the search result, you're now going to wpnathan.com with a geo origin of UK, which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any, you know, if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way, whatever countries that you have legitimate customers, clients, whatever in, that would be coming to that site, allow those. But turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic, bots that are coming in from all over the world.

Paul is asking, how do anonymizers get affected by geolocations or VPN?
I mean, it's, if I come in, if you, if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they, they present as coming from that country, because, I mean, they actually are, they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben: when using support, like from India for, like, WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule. Does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to, to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joke that in the pre-show today that anything that breaks when you add these rules, just ask me tomorrow in office hours, we'll deal with. All right, we'll see you back here tomorrow, office hours, one o'clock Central time on Solid Academy, where we go further together.

Transcribed by https://otter.ai
So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. 
And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. 
They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. I Cloudflare. Security Services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free ssl certificates. Also, they use the Google certificate authority as the primary and then sectigo as a secondary. We'll get to all that when we get to the SSL section. 
They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization Cloudflare Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So that in that way, there's a lot of people watching them from high level, you know, big fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites 32% of the top million websites. 
Their global network has 300 data centers all over the globe in more than 120 different countries. So the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day on average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly. 
They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm under attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, cloud flares analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is okay. isn't just installing a WordPress security plug in enough I've been watching it it's really funny. This discussion has come up a number of times in the admin bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plug in and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this is Cloudflare a replacement for solid security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. 
So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here on Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing. 
No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does solid security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. 
So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner. processes running in the same environment. malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning Do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic. That have gotten through the other two layers. We pause. 
Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing right not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like the the of the kinds of plugins that exist for WordPress. The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and make sure that the password hasn't been compromised, and that Have I Been Pwned database. 
We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security also session cookie protection, right having that like the trusted devices features of Solid Security that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs again, two great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little you know there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. 
I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be great. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. 
I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a make a quick Cloudflare account I'm going to log in to my I iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install Of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they're they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get, is there an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. 
It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an E commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a manage challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack period, because a bot cannot pass Cloudflare turnstile, at least yet. So Todd simply toggling that on is going to stop the DDoS attack it does put a you know that that turnstile pass through manage challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but that this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes like you you've edited something, it's not showing up then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching with WordPress plugin caching. 
If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. 
You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. 
They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrars, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. 
You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNSSEC. If you're not familiar with DNSSEC, this is basically it validates that your domain is correct. Right. So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. 
You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google Workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. 
Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management you may or may not want to use this. It's free and it's decent DMARC reporting it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record if if you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full there are four levels so you can turn SSL completely off. Don't do that. You can also do flexible which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to the to your server with a self-signed certificate at the server. Virtually every server is going to provide a self-signed certificate and Cloudflare can use that the encryption tunnel is perfectly it's perfectly secure. There is this full level which says okay, I want to install a trusted like one of those, you know, you buy it certificates on the server. 
You can do that if you want to or Cloudflare will actually provide you an origin certificate for your server I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is and Cloudflare to the browser is giving Google it's one one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it most most of the VPSs that are set up by a reputable hosting company like if you have a Liquid Web VPS it's going to have a self-signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google trust certificate. This is the primary one so if I go to WP nathan.com And I look at the certificate details here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for set Teego doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me let me address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server isn't it can't validate right or it's the the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that like full strict, that sounds great. I want that but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host you'll want to know you'll want to look into that. And that's where I just recommend setting it at full and then you want to have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then you know one of those so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that cost money. You don't really need it. You don't total TLS this lets you choose like if I toggle this, Oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really mess things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider because it can lock down it'll lock out traffic. It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that minimum TLS version. I'm going to recommend here 1.2 Because it's kind of the it's everybody can use 1.2 But you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have 1.2 layer level of TLS TLS, which is the next level of SSL but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's on by default. I do want to toggle this transparency on what this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realized that was a lot. 
So walking through all the settings is the most tedious part of this, but And my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two let places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event has happened on the server where a firewall a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN in this case, it is I have a pass a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got to managed challenge primarily because it was coming from outside the US actually no I've got this setup for to accept UK traffic. So this, this hit Oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule make sure you're not getting legitimate traffic caught or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful gives you a lot of good information. Now we move into WAF which stands for web application firewall. Now, these are your this is a place again, you're gonna spend some time here as you're setting up Cloudflare there are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know trying to go to their PII login or my account or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Googlebot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place we'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is a the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security the Page Shield This is a paid feature basically keeps your content safe. Bots feature okay, this is probably the place where most people make a mistake. Bot Fight Mode on I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot Fight Mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than Bot Fight Mode creating problems for X legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always Bot Fight Mode. And honestly, Bot Fight Mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare Super Bot Fight Mode that actually lets you make some granular changes to the Bot Fight Mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you can sort it you get to see you know a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that's available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. A security levels essentially off meaning that the average traffic the average user is not going to get a managed challenge to say that I'm human I don't want that in the way of average users. 30 minute, Pat challenged passage meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on that just it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access this is actually going away will probably be removed from this menu pretty soon and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it they they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at a at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may or may not want to do that. The optimization here not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here this just gives you an overview of what your settings are. image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there do it at the WordPress site like just control your images don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization Brotli basically speeds up an H an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare fonts is a recently in the last six months or so added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google fonts and download the font Cloudflare fonts, pulls those up into the cloud. So you, you blood, they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google server and as a result, the user's IP addresses exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link in the background, the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket loader. This is another one of those things that people say oh, it's speed. I'm going to turn don't turn this on. Rocket loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this it's a it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto minify yet you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This is a can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud and it moves the really big the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized all it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really you know, if you've got a few sites that you're having performance issues out of five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually you can like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache most good WordPress optimizing plugins like WP Rocket like Perfmatters like Hummingbird have Cloudflare integration and you're going to want to use that because what otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here caching level we kind of leave that alone unless you know what you're doing. browser cache TTL you're gonna want to set this to at least a month. Google requires that those it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's this needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool crawler hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and let's Bing and let's see which ones it is Bing, DuckDuckGo Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my Here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always Online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point, used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are they're just like every once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine what you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason this your server goes down Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add rule like what if I don't want Cloudflare to cache the site at all? Great. What if I have an E commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired. You're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all Workers Routes don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rule. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's network you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time iThemes Training, Solid Academy member we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on because well in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images and to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO like they want people to find the image in Google Images and then go to the page and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this, this live stream in this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's it's interesting, and if you're super geeky, you want to get into that have at it because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, how let me check in. How are you? Are you are you panting for breath? Are you okay? We've just done this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in. And set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas we're gonna do that probably I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some the actual recommended rules and things like that, that you're gonna want to implement. Now from that tomorrow. We're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 2:17 Central time so 17 minutes after and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning. We're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now. First of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now with this again, caveat, disclaimer, slash scary warning, scaly emoji grimacing emoji, okay. Is this is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings, recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get sometimes sites require these granular adjustments and it might take a little bit to dial them in so pick a site. Do that one make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings with under without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or you know, ask an office hours question but Is that Is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This this little this Liquid Web VPS that WP Nathan exists on. But if I go to ping, this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located this IP address, but that's not the IP address of the server. This is really good because you unless you know in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs like in this case, I don't even know why we still have this one but FTP dot and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records generally proxy do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you like me enjoy having the ability to spin up quick staging sites. I in my case on cPanel I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place. They're all on the same server. Then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here which means unless otherwise defined by another A record that any other traffic, you know, whatever dot WP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know we could, you know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's that's going to take a minute Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars you're going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that. In just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL/TLS again, encryption method full I talked about that a lot earlier, so that hopefully that doesn't need any more explanation. Under edge certificates. Always use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process. We're rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first the Key Tag and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button it adds the record and validates it's done. It's like a one click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this full encryption mode edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal you know, it lets you create records like this. And or and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks for example, that aren't coming from those those specifically defined countries. Makes sense. So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that that really helps. Karen first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge now by the way, I put in whenever I'm doing a rule, our prefix for our agency for code we write in for other things is BWW, Brilliant Web Works, but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack them in the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's it's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
There's also the skip this traffic so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge again. It's I don't use that at all use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge if it has seen what this browser is doing, it knows it's probably legitimate. And so it's you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge is just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP any URL that comes in to wp-login, so even by the way, like if you're logged out and you used to go to wp-admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially is URL. So if the path coming in being requested from the server contains wp-login, I want to challenge that if it it like here, for WooCommerce, my-account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, that I want to challenge that traffic. 
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's that's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with a with a even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority, and this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with we want that to happen. So here's our here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know check your check your copy because it does work. That's That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or 1000s of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that that that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs. So it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want Stamps.com? Because, if you are if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude Stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to Stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour your webhook for Gravity Forms, always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But you're that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User Agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime. Don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you are if you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match your the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if the if the, if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block now that can all that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't I don't want that so I'm blocking all that traffic. Same thing for wp-includes there's a lot you'd be surprised how much traffic comes in matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of these images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up in some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL if the if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out if the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this is this filters out a lot of of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin Ajax admin AJAX is again another bit of forum spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments. PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Typedesk explodes into this preconfigured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF1, CF2, CF3, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy-handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Googlebot or the Bingbot or the bot or the Facebook bot or Slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double-edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But it's this is this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move ahead?\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti-flood, oops, anti-flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10-second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti-flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want bot fight mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that's there that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control a low-value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass the challenge, they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day they'll let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the q&a, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bought fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and Windows arrange and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an ecommerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout. You can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. Paul, yes. Membership dashboards, things like this. These are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things. Yeah, and anything like an LMS site, membership site, where you don't want to cache. And really it's\r\n\r\nit's really more like checkout, you know, forms that process payment, perhaps, maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where, oh my gosh, my events page is not updating, why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That make sense to everybody? They're super useful to debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart, and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site, so it basically shortens the load time, so it's good. You always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into Workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend.
The first is this one, which says our URL is going to be our domain name, star dot domain name. So this will catch any subdomains also, and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in, it's also, you know, it's gonna look at that browser with more scrutiny and maybe present a challenge if it detects any issues. I want that for anything in the WP admin. I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here, disable performance. Any performance related optimizations that Cloudflare might do, I don't want that for my WP admin, because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes, and it's a really helpful rule. This make sense to everybody? This is a good one, and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really, really like this one. This is the email obfuscation rule. Again, a lot of folks in the years past, we've done WordPress shortcodes that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site?
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right? So if you have a contact page that has email addresses, turn this on, or maybe it's a team page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this. I'm pointing at my screen like you can see that. So anything that follows team, then this, for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email, but yes, if it's in the footer, every page where there's an email address, you could load this, and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually, sorry, only three, three page rules. So we still have one extra one here. And you can do a lot with these. Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules, or all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in, the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process.
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical. If you don't do this, you're going to get SSL issues in almost every case. Then we're going to go through, here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate, and then we're going to resume the site on Cloudflare. That's the big picture, how this is going to work. So let's go down and take a look at our resource, scrolling, scrolling, right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up, and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right, and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do, I want to get back here to home, which I did just by clicking this arrow. I'm in WP Nathan. Now I can go back, now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow, as they do.
I mentioned this yesterday, Cloudflare changes things like worse than Google, and that's saying a lot, so just be aware of that. If you're, if you're following this video six months from now, they've probably moved some things around. They're all there, you know, and you can probably find them pretty easy, but it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan, scroll all the way down to free and click that and confirm, and we're confirming, and okay, so we're going to start our Quick Scan. Now at this point what's going to happen, Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start Quick Scan. Now here's the thing. Don't ever trust Cloudflare's scan, because it is likely going to miss some things. So it's now picked up an A record and two CNAMEs, so there's definitely more than that. And we're just going to keep moving. So you can't bypass that scan. I wish you could, but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us. I'll copy the first one, I'm going to go over here to GoDaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy in our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page. Immediately, right now, before you do anything else,
pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate, and you'll get that security warning in browsers. By pausing Cloudflare at this point, what that does is stop Cloudflare; it doesn't stop it from generating a certificate, but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step, or you're going, just, it's inevitable that you're going to get, you know, a security warning. Okay, so pause Cloudflare. Now let's go through our quickstart guide. Let's see, right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on, yes. All these settings are here. Save this. Always use HTTPS, yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on, and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that, one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my Solid Academy solid email here, one second, everybody. I have 8000 Google accounts, as perhaps you do as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, or if this is a site you're already managing, maybe you have Postmark records or some other transactional email or Google verification or Office 365, all those verification records, right?
You're going to want to make sure that what's here in Cloudflare matches 100% what is at your current DNS provider. Okay. Melanie, that's a brilliant idea, is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrars have the option to export DNS records. If they do, you absolutely want to do this. If they don't, it sucks, because you have to hand enter every one of them; it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cPanel server, we're going to come back to that at the end, because there's a way to actually export out of cPanel if cPanel is actually running your DNS. All right, but for now we know that these match because we've done a good import and export. Now a couple of things we want to look at. Many times your export will contain name server records. These name server records, these pertain to GoDaddy, domaincontrol.com. These are GoDaddy's; we're not using GoDaddy name servers anymore, so I can delete these. Our name servers are at Cloudflare. We don't need these records anymore, so we can safely delete those. The other thing is, if you have in the Cloudflare import, when it pulls in all those records, if you import records, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates. It didn't used to be, by the way; it used to import duplicates, you had to go in and delete your duplicates.
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know, this old antiquated registrar doesn't support exporting of DNS, which is just really annoying. But Paul is saying, don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But the key here, so you don't mess up DNS, is at the end of all this, my DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, for example, if there are CNAMEs that come in, like right here, here's another one we can delete. This is a GoDaddy domain connect that we don't need. We can delete this. Any that are there, other registrars that have specific records, we're not using that anymore, so we can delete this, and if it's a CNAME, generally, any CNAME other than the www record we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in? Hopefully you can export them and import them. This is also helpful if DNS is currently managed by another Cloudflare account; then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue, if there's email, yeah, yeah, so like all the MX records, all the TXT validation records, CNAME records, all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare, their import gets about 90%.
But it will typically, especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it tends to miss the TXT records. Okay, everybody good? All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see. Okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my, use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander, CF one. Here's our managed challenge rule. So what I do in my text expander, I have this title here. And so I'll cut that and put it up there, and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode; otherwise, you can copy and paste from your notes. There's our second rule, the title, cut and paste up here. So choose the action skip and check all the boxes. All the boxes, just like that. Deploy. Great. Our rule number three, now this one has the variable in it that fills in my domain. I've got that. So these are our block rules.
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block. Deploy. So you see how quickly it goes. If you have something like TextExpander or, in my case, Typedesk, or one of these macro type programs, apps on your computer, it just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense, everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going. Under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is, it can, it causes so many headaches. Speed. Oh, you asked a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up if we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter, but I prefix everything with be WWE, you know, functions, code, all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered, so speed optimization, content optimization. Only the things we need to change here are Cloudflare Fonts are on, Early Hints are on, check all three boxes on auto minify, boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see, configuration, crawler hints. Okay, browser cache is one month, that's the default. That's awesome. Let's see, crawler hints are on, Always Online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules to set up here for this one.
We do, though, want to go into tiered cache and turn on our smart tiered topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see, page rules, and we're going to be star dot WP one dot dev slash WP admin, come on, admin star. The settings will be about we spell that correctly. All right, first thing we want to do, cache level is bypass, then it was performance is disabled, and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. You can add these rules or not, just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated. So you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that, so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL, edge certificates. Oh look, it's active. Boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active, and it can take time. Okay, so let's talk about what happens if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. I have had it take a few hours, and this was, you know, this was actually right after, remember last year Cloudflare had that data center issue. A lot of these things were delayed after that.
Usually now it's just like what you just saw, it generally just takes a few minutes, and you're good to go. But it can take a few hours. That's nothing to worry about. Now, if you get hours and hours and hours and out, like the next morning, if it's still not working, then what I would suggest that you do, let's see, I've given a pointer, put those notes, troubleshooting, down here. Okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when I'm not getting my certificate generated, it's been because I accidentally left those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable, doo doo doo doo doo, right here. Disable universal SSL, click that button, wait a couple of minutes for the dust to settle. Then you re-enable it and it starts that validation process again, and I've never had it not work the second time. So maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice in all the sites, and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge, right here, the universal one. Now we don't have to wait for that, saw this question a minute ago. We don't have to wait for the backup certificate to get set; that can take a little bit of time. We have a good SSL, we're good to go.
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable Cloudflare on the site. It is now enabled. And okay, here's where it was before, and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cached that certificate. Let's go into the browser, and you can see that it's the Google cert, and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is, oh, I clicked the wrong thing. There we go. Now it's still, interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see these two IP addresses, that's Cloudflare's backup IP address, that's what you want. And so it is seeing everywhere in the DNS, shows it's running through Cloudflare. So we're good. I'm not sure why it's not showing that, or why it's showing that Let's Encrypt. Let me try it in Safari, just to see. I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at, oh, because here, make sure that you set it to full. Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate. Helps to follow your own instructions. Now it's still showing. I'm not sure why that is.
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab. Most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday, but first we add the Key Tag, and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters, and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm, and it needs to wait, it's going to look for this, and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, full, good to go. All right.
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments?\r\n\r\nThis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions. Question is, how hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get the managed challenge as we would expect. Boom. Good. All good, logging in. Yep, and log in. There I am. Pretty cool. Sue, ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS dropdown or not. Enom is pretty old school on the back end, as you know. They really need to, and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used, Dotster or web dot, actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know, and it tends to, what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah.
What do you do about DNS if there's no option? If the registrar doesn't support it, they don't support it. And again, that's, DNS records have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for a new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um. So first question here is in regard to the WAF rule, the skip good traffic rule. Does We Watch Your Website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. I don't think there's anything in a rule that's going to block that traffic. But if you put a rule in and if they're getting blocked, this is an exercise of looking at the event and finding what it's trying to do and then allowing that, but I don't have any specific whitelist for We Watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question, that came in as an anonymous attendee. And I think what you mean is the webhook. So, and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe they might change or something might happen. So it's good to add the ASN. But if you know, like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever, then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic. That way you're certain that it's not going to get blocked. Does that make sense?
And number three, I added all the Ahrefs IPs to a Cloudflare list and then added the list to the good bots rule. Today I got a report that the score was cut in half. Robots.txt is not accessible. Okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country, and maybe traffic that's coming in from a country that's not in your allowed list or whatever. So what I would recommend that you do, this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen, and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate, but once you find the thing that allows it to skip, then you can use that on all the rest of your sites. So this goes back to yesterday when I was saying, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately. 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than, let's see. Yes. So here's their user agent. So maybe what you would do here is say, instead of that ginormous block of IP addresses, we can just as easily say, in our skip rule here, or user agent contains AhrefsBot.
Like this. And see if that doesn't help. Make sure all of your other see this. This is why the order matters because the skip rule comes in number two. And if you are, if you've identified correctly, that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now ah, refs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this. Other than, Oh, here's a good way to disallow to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are? That caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. am I allowing Canada?\r\n\r\nOh duck you got blocked sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify Paul you you. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down again, I wish there was an easier way All right.\r\n\r\nStacey, yeah, you probably you got to dopey admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in solid security maybe that's maybe so this you'll want that those in place right. So this Manage challenge protects the login page if you're using solid security and and turnstile reCAPTCHA, or whatever other recaptures for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there installed security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had the past through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know it has it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into. I'm under attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances where I would recommend though that you add Cloudflare into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, clear the cache. Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not let me just underscore this. Do not use the Cloudflare cache. If you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together. With an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, How did I get to the screen? What screen are we talking about? This is the doc Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot. Of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN, tab, or link and you'll see it down toward the bottom. The LiteSpeed cache Yep, good. Everybody. Okay with this makes sense? Does Perfmatters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perfmatters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably this primarily affects caching. And I don't Perfmatters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play. When it comes to caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do we want to include it can be all domains that are in this Cloudflare account probably don't want to do that. A specific domain Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to a domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level generally I'm gonna give them domain administrator access, you can restrict it to just DNS if that's all they need. But in these cases, I want my the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights continue to summary. Yes, yes, yes. Invite an email was just been sent to my other email address that would give me access to that, that this email address. Nathan at Nathan ingram.com doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's you're giving them access to domains in this account, that's yours. 
But either way they in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me that works too. Yeah, either way that that works. But the delegation is really simple and smooth. And Cloudflare as you just saw, it's just click click like and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar ah Cloudflare is I think the best place to register domains now. Because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are really at $9.77 for a .com, $4.94 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in right here? You just they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains. And now at Squarespace, move them into Cloudflare it's gonna be cheaper and the UI is really simple. And there's not you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer Yeah, Stacey, I can't I think you're right there Stacy. Yeah, and classes saying the same thing. I can't find where it says that here but when I've transferred a domain to Cloudflare they add it you pay for a year but they add a year to whatever the current date is. So it's a it's as good of a deal as you're gonna get on a transfer. Okay, class that's a good yeah. If if you're already at the max prepay level, then yeah, they don't add a year but that's generally not the case. So really easy to use them as a registrar and now so here it by the way, here is one caveat with using Cloudflare as the domain registrar, you cannot or let me say it this way. You must use Cloudflare to manage your DNS. If Cloudflare is the registrar, so you can't I don't know why you'd want to but you can't manage DNS elsewhere. If you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here we talked about let's this this issue with importing DNS records. I showed you the process of importing from a DNS provider like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may like I did have a number of sites where the DNS was actually managed with cPanel cPanel. 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account I just hit the Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte loading, loading loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompress this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. It's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel and even as long as that takes to download and whatever that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement, that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as Turnstile is the same thing as a managed challenge? Only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it right and so you do that at so many windows. All right. So we're gonna go to account icon account home, Turnstile, account home and scroll down to turns Turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile key sets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10 just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other does that make sense? Everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the this account. And you just go from there any questions about that? Cloudflare Turnstile? Super, super helpful. All right. We talked a little bit about this Cloudflare does give a lot for free. They do place certain limitations like 10 Turnstile key pairs per account 50 API keys per account. So we actually limit, the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that are linked to each other as I described. Because the API keys are needed to connect LiteSpeed to flush the cache. So you can again just like I described, use the same delegation process to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see profile isn't no hang on. I can't see it here. When you log into an account that's shared with other accounts. 
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even you know we have like five different Cloudflare accounts now that we're juggling, but you log into one of them. You can search and find the website you're looking for because it's been we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with I don't know anything about Cloudflare if they want to leave. So at that point, the answer is I'm sorry. That's why you hired me Cloudflare manages your DNS and give their next web provider access to the Cloudflare account and if they don't understand how to use it, I mean, that's on them. Right? I really don't have I mean, Cloudflare is pretty industry standard now and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare and I'm not talking about firewall rules and all of that, like oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me let me reverse my thinking on this a bit. Paul. 
If if I was going to offboard, a client whose site is managed on CloudFlare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings that just had the DNS and move the site to that account and give them access to that because I would I wouldn't want any of our security settings to go forward with them the world whatever's next. So been saying he had to do that on Monday. Yeah.\r\n\r\nYeah, that give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address and if they're forwarding to a Gmail account, for example, you can set up a send as address so that it can receive email as info at your domain, and it can send email as info at your domain all that can be done free within the Cloudflare email route routing settings. Let's see it looks like this. The last thing Yep. The last thing I'll mention, and we've already sort of dealt with this is troubleshooting WAF rules, you may run into things. If legitimate traffic is blocked by a WAF rule. Go to that activity log. That's right here. Websites AP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't you know if he's Oh, Google is blocked? Well, I don't think that's the Google bot. That's actually a Google Cloud Server. So a lot of times this may be a compromised server. That's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure. For example, anyway, you look at look at the activity log load entries that pertain to that specific rule by clicking this little number in the analytics here that loads one day, there we go.\r\n\r\nAnd actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open q&a. What do you think questions, comments, snide remarks all of them are available at this point. Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client correct or do you factor in a cost for this going forward? How much extra if anything would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander it really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that it actually what happens is, it saves me work on you know, in the future because the site's being protected and much better. 
And Tanya Yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul, how about setting this up for existing clients extra service? And the same answer for me on that when we migrated all of our clients over to Cloudflare back last fall. We didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare more secure less traffic on the server. All of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure. No, no, but you know, we'll raise our rates again here probably in two months. And I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things right. So you don't want to overwhelm them with information. So for the clients that are non technical and they just want to know that we're taking care of their site. I would just mention that we've added a network layer of security that blocks you know, something like I'd worded in such a way that was, you know, a high level a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those that's a that's an interesting little point here. 
Some of the, our clients, the ones particularly that have access to Cloudflare are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of hey, we're in the process of moving to a new server and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why. In some of them we actually had a you know, a quick call with many of those IT folks like yes, great, let's do it. We'd like Cloudflare you know, we know about it, whatever. And so we just set up the account delegated access, good to go but it really depends on the client and their level of involvement or if they have IT people, etc.

Doug: for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP. What happens to a UK visitor when they click the Search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs, what will happen is if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any you know if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way, whatever countries that you have legitimate customers, clients, whatever in that would be coming to that site, allow those but turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic bots that are coming in from all over the world.

Paul is asking how do anonymizers get affected by geolocations or VPN?
I mean, it's if I come in if you if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they present as coming from that country, because I mean, they actually are, they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben: when using support like from India for like WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the you know, it's not blocking the traffic. And so I wouldn't change my WAF rules. If support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule, does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites, do you have everything you need? Are you equipped to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joke that in the pre show today that anything that breaks when you add these rules just asked me to borrow in office hours we'll deal with all right, we'll see you back here tomorrow office hours one o'clock central time on Solid Academy where we go further together.

Transcribed by https://otter.ai

An overview of Cloudflare and a walkthrough of the major features

How to set up Cloudflare for WordPress client sites

How to set up important WAF rules

A proven process for migrating sites into Cloudflare with no mistakes

Other Cloudflare features like domain registration and email forwarding

Protips for smoothing out your Cloudflare workflows

Unknown Speaker 0:18
All right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?

Unknown Speaker 0:26
What are you most excited to learn?

Unknown Speaker 0:32
As you answer that I am getting our captions all set.

Unknown Speaker 0:38
Alright, captions should now be working for everybody.

Unknown Speaker 0:43
Fingers crossed

Unknown Speaker 0:47
the whole thing.

Unknown Speaker 0:49
I'll take it.

Unknown Speaker 0:51
I'll take it.

Unknown Speaker 0:53
We'll see what we can do, Debra. Love it.

Unknown Speaker 0:59
Alright folks, we are about four ish minutes away.

Unknown Speaker 1:06
Four ish minutes away from getting started with Cloudflare for agencies if you're just joining us in Zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40 Page course handbook that I've put together for you here.
Many many, many things here in the handbook.

Unknown Speaker 1:32
Anything you can learn? Yeah, all right.

Unknown Speaker 1:35
Definitely.

Unknown Speaker 1:37
Yes, Stacy. There are so many things and this is not I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.

Unknown Speaker 1:51
How much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can it should give you a really good basis to make decisions on how you want to implement.

Unknown Speaker 2:24
Paul, you make the website and then we'll talk

Unknown Speaker 2:31
Y'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.

Unknown Speaker 2:42
Yeah, I promise it's really not that complicated.

Unknown Speaker 2:47
All right. So if you're just joining us in Zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes. Yep, of course handbook is there and waiting on you to download also, of course the replay link.

Unknown Speaker 3:08
If you want to go back and rewatch today

Unknown Speaker 3:16
My oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.

Unknown Speaker 3:27
Alright, y'all just about two minutes ago. Hope everybody's doing well hope your week has gotten started. Well check in question today.
Let me just hear from you what you are most excited to learn about Cloudflare what you want to know what parts confuse you other than everything, as some folks have said. If there's a particular area I'd love to hear that

Unknown Speaker 3:52
Oh, Beth. I mean priorities right.

Unknown Speaker 4:00
Love it.

Unknown Speaker 4:02
Yeah, laptop on the beach. Back. Yeah.

Unknown Speaker 4:07
Actually, Myrtle Beach is gorgeous. This time of year. Good for you, Beth.

Unknown Speaker 4:15
Turnstile WAF Yes.

Unknown Speaker 4:20
There's no dancing and Cloudflare

Unknown Speaker 4:28
that's why you take a tablet to the beach, not your laptop.

Unknown Speaker 4:34
Stacey, that's awesome. That's 100% True. And actually, if you find dancing and Cloudflare just wait because they'll move it to another menu link later or they'll rename it.

Unknown Speaker 4:48
Yeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.

Unknown Speaker 4:59
Do the turnstile through the turnstile. Alright folks, just about 30 seconds to go. Hope everybody's doing well today. Come on in find a seat and grab the course handbook. But to drop the link bundle in once again.

Unknown Speaker 5:14
Yes, exactly. Karen

Unknown Speaker 5:19
and what you're talking about there, Karen. There's no easy answer to that. Unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.

Unknown Speaker 5:46
All right, y'all.
It's three minutes after let us get the recording started and we will dive right in.

Unknown Speaker 5:56
Well, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on Solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days. We're going to take two hours today two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.

Unknown Speaker 7:21
So I Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use.
So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.

Unknown Speaker 8:34
The idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with Solid Security and those sorts of things.
And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat course handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the Q&A and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?

Unknown Speaker 11:44
At its heart Cloudflare is a web performance and security company.
They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. Cloudflare security services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.

Unknown Speaker 13:30
So Cloudflare provides free SSL certificates. Also, they use the Google certificate authority as the primary and then Sectigo as a secondary. We'll get to all that when we get to the SSL section.
They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare? Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So that in that way, there's a lot of people watching them from high level, you know, big Fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.

Unknown Speaker 15:41
So a few other interesting Cloudflare statistics, again, more than 15 million websites 32% of the top million websites.
Their global network has 300 data centers all over the globe at more than 120 different countries. So the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day. On average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.

Unknown Speaker 17:18
All right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly.
They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm under attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.

Unknown Speaker 18:17
It's very easy to implement, actually. You just change your name servers and you're into Cloudflare.

Unknown Speaker 18:24
The setup process is straightforward as you'll see as we actually work on that.

Unknown Speaker 18:30
Last of all, they do provide some analytics and insights. The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is okay, isn't just installing a WordPress security plugin enough I've been watching it it's really funny. This discussion has come up a number of times in the admin bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security.
So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.

Unknown Speaker 21:04
That is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here. On Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing.
No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does Solid Security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he'd tell you the same thing. We want to filter the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems.
So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.

Unknown Speaker 24:45
Also, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner processes running in the same environment. Malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic that have gotten through the other two layers. We pause.
Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing right not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like the the of the kinds of plugins that exist for WordPress. The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.

Unknown Speaker 28:08
So WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and make sure that the password hasn't been compromised, and that Have I Been Pwned database.
We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. The user-level security needs to be done by WordPress. So we want that to be done really well by our WordPress security. Also session cookie protection, right, having that like the Trusted Devices features of Solid Security; that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna, you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs is, again, a great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress. You know, there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic, get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file-level scanning protection and intrusion detection, and let WordPress primarily do the job of just keeping WordPress secure as an application: themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. 
I'm gonna pause. Make sense? Questions about this before we move on to the next bit?\r\n\r\nUnknown Speaker 30:17 \r\nIf you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us, link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on: this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know, you know, what really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be green. If it's a maybe depending on the circumstance, it's a yellow. If it's probably you're not going to use this, it's red. There's also one other emoji in there. That is a money bag, and that's "it costs money to add this". Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that's the way we're going to approach this now. 
I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here, and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like, I would suggest that if you don't have a Cloudflare account, just go quick create one, doesn't matter. Just make a quick Cloudflare account. I'm going to log in to my iThemes Cloudflare account that I experiment on. I would always recommend that you set up two-factor authentication on your Cloudflare install, of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page; you get back here by going to Account Home. That is, this page that we're going to live for most of the course here is in the website settings. So, you know, you'll add a website, you can click that, and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page. I'll turn off this ad. Again, you know, they make their money by upselling things, so I'm constantly closing those boxes. Alright, so the first thing we get is an analytics overview. This is kind of helpful if you just want a quick overview of, at the network level, what your traffic looks like. You don't get any, like, you know, where the traffic came from or search terms. It's not about that. 
It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site; it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack, period, because a bot cannot pass Cloudflare Turnstile, at least yet. So simply toggling that on is going to stop the DDoS attack. It does put, you know, that Turnstile pass-through managed challenge between every single visitor, so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you, but this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes, like you've edited something, it's not showing up, then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching, all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching, with WordPress plugin caching. 
If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. 
You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. 
They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. 
You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNSSEC. If you're not familiar with DNSSEC, this is basically it validates that your domain is correct. Right. So if Cloudflare is handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically an encryption key that just validates all of that. And long story short, you want to do this. It's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. 
You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. 
Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management. You may or may not want to use this. It's free and it's decent DMARC reporting. It's not the best, certainly not the worst. It's really good for free. And it allows you, when you first set it up, to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record. If you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right, moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels, so you can turn SSL completely off. Don't do that. You can also do flexible, which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self-signed certificate at the server. Virtually every server is going to provide a self-signed certificate and Cloudflare can use that; the encryption tunnel is perfectly secure. There is this full level which says okay, I want to install a trusted, like one of those, you know, you buy it certificates on the server. 
You can do that if you want to, or Cloudflare will actually provide you an origin certificate for your server. I don't ever do that. It's not necessary for security. As long as there's self-signed on the server, which there usually is, and Cloudflare to the browser is giving Google, it's one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, you don't have to worry about it. Most of the VPSs that are set up by a reputable hosting company, like if you have a Liquid Web VPS, it's going to have a self-signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to, let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one, so if I go to WP nathan.com and I look at the certificate details, here it is valid. It is Google Trust Services right there. So that's what it shows to the user, is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is, then it does have a backup, a Let's Encrypt certificate here. On the up Nathan it can also be set for Sectigo, doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy's mentioning here, and let me address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server can't validate, right, the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But, like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full, because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full; it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that, like full strict, that sounds great. I want that, but you don't want that. You want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host, you'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then, you know, one of those. So does that make sense, everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay, let's keep going. So edge certificates. We talked about these. You're not going to want that; it costs money. You don't really need it. Total TLS, this lets you choose, like if I toggle this, oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on; it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And, like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless, like, it can heighten your security. And sometimes, if you have a client that has, like, a level of security they have to reach for their own internal audits or whatever, you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider, because it'll lock out traffic. It's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version: I'm going to recommend here 1.2 because everybody can use 1.2, but you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have the 1.2 level of TLS, which is the next level of SSL, but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini, like those are the only two browsers. So the chances, I mean, those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's on by default. I do want to toggle this transparency on. What this does is basically, if some other server or authority or whatever issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere, something odd is happening, and a certificate gets issued and I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, most of the stuff you're not really going to use. You're not going to use this most likely; it's complicated scenarios. Origin server: this is where if you want to install a Cloudflare-generated certificate on your server to do full strict, you can do that here. I don't recommend that; it's not super necessary. And then custom hostnames you're probably not going to use, so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. Any questions about this bit? I realize that was a lot. 
So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event that has happened on the server where a firewall, a WAF rule, was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN? In this case, I have a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one, look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is, but it was trying to get to a weird port, like what the heck is this one a 53, I don't even know what that is. This was bad traffic and it got a managed challenge primarily because it was coming from outside the US. Actually no, I've got this set up to accept UK traffic. So this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule, to make sure you're not getting legitimate traffic caught, or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands, same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF, which stands for web application firewall. Now, this is a place, again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So, you know, trying to go to their PII login or my account, or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Google bot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place. We'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents, you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security, the page shield. This is a paid feature, basically keeps your content safe. Bots feature, okay, this is probably the place where most people make a mistake. Bot fight mode on, I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for legitimate external connections to websites like web hooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare super bot fight mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you can sort it, you get to see, you know, a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods, that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that that's available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off, meaning that the average traffic, the average user is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30 minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on, that just, it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access, this is actually going away, will probably be removed from this menu pretty soon, and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it, they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here, this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there, do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google fonts and download the font, Cloudflare fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link in the background, the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket loader. This is another one of those things that people say oh, it's speed, I'm going to turn, don't turn this on. Rocket loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't, don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot, it can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud and it moves the really big, the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized all, it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really, you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see, caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually, you can, like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that because otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's, this needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and lets Bing and, let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like every once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason your server goes down, Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule like, what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache, or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, workers routes, don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rule. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's, network, you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The scrape shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time iThemes Training, Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on because, well, in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it, because it's a very powerful tool. And last of all, Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, let me check in. How are you? Are you panting for breath? Are you okay? We've just done, this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas. We're gonna do that, probably, I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe, and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you the actual recommended rules and things like that, that you're gonna want to implement. Now from that, tomorrow we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 2:17 Central time, so 17 minutes after, and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now, first of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now, with this again, caveat, disclaimer, slash scary warning, scaly emoji, grimacing emoji, okay. Is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to web hooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get, sometimes sites require these granular adjustments and it might take a little bit to dial them in, so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or, you know, ask an office hours question, but is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time, so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This little, this Liquid Web VPS that WP Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because you, unless you know, in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs, like in this case, I don't even know why we still have this one, but FTP dot, and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you like me enjoy having the ability to spin up quick staging sites, in my case on cPanel I love the WP toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here which means unless otherwise defined by another A record that any other traffic, you know, whatever dot DDP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's, that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create, if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL TLS again, encryption method full, I talked about that a lot earlier, so hopefully that doesn't need any more explanation. Under edge certificates, always use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules, slightly, that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details, now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the, yes, right. Oh, okay, good. That's ready. So here's the process, we're rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first, the Key Tag, and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically, it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button, it adds the record and validates, it's done. It's like a one click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this, full encryption mode, edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule, as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal, you know, it lets you create records like this. And, or, and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules, we don't need all, like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what, so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure, are there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna, whatever country you're in, or whatever, like for example, we have one customer that only does business, or they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks, for example, that aren't coming from those specifically defined countries. Makes sense. So you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down, not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. Really. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, I put in, whenever I'm doing a rule, our prefix for our agency, for code we write and for other things, is BWW, Brilliant Web Works, but your own little, what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack, amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is kind of the interstitial screen that we saw that challenges, are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or, you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything, I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
This also, the skip this traffic, so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge, again, I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just looked at this one. So this is, and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP, any URL that comes in to WP login, so even by the way, like if you're logged out and you used to go to WP admin to log in, it's going to forward you to WP login dot PHP, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially, as URL. So if the path coming in being requested from the server contains WP login, I want to challenge that. If it, like here, for WooCommerce, my account is their default login page, right? If you have a membership site where you've customized a login page, put that URL here. So whatever the login page is, I want to challenge that traffic. 
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even a Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority, and this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number is probably best seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here, skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is, think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or thousands of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. There are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because, if you're, for example, with a WooCommerce connector, you're going to want, if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule in that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms, always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match your the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain WP config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML RPC at all ever. So we're gonna block any traffic that comes to XML RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block. Now that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes. You'd be surprised how much traffic comes in, matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of these images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up in some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not trying WordPress is trying to do a cron. I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin-ajax, admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this, this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that, you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like text expander or in my case, I use type desk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Type desk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in pipe desk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have cf One CF two CF three it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: Why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move ahead?\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want Bot Fight Mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control, a low-value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the Search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway, pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass the challenge, they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't; they have to be set up individually. I know right? It may be one day they'll let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti-flood rate limiting rule and making sure we have Bot Fight Mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and windows arranged and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on. So we like Brotli. This is going to be one of the things, it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare, Brotli is good to have on. It just makes HTTPS connections quicker. We talked about Cloudflare fonts, so we like those, those are on. Early hints, we looked at, which preloads pages when you hover over a link, that's on. Rocket Loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here: JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on, so this is basically the IndexNow protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support IndexNow know that changes have been made to your website. So go come crawl it. It basically proactively tells search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on. If it's a very large e-commerce site with 1000s of products, crawling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off 100% of the time, whether it's in development, or I just don't want it? Because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by Cloudflare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things. Yeah, in anything like LMS site, membership site where you don't want to cache and really it. It's\r\n\r\nit's really more like checkout, you know, forms that process payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into Workers Routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name: star dot domain name. So this will catch any subdomains also and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin. I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here, disable performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist, it's in resource two, you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical. If you don't do this, you're going to get SSL issues in almost every case. Then we're going to go through, here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday, Cloudflare changes things like worse than Google and that's saying a lot, so just be aware of that. If you're, if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan, scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start Quick Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up an A record and two CNAMEs so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to GoDaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in Cloudflare matches 100% what is at your current DNS provider. Okay. Melanie, that's a brilliant idea, is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrars have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them, it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cPanel server, we're going to come back to that at the end because there's a way to actually export out of cPanel if cPanel is actually running your DNS. All right, but for now we know that these match because we've done a good import and export. Now a couple of things we want to look at. Many times your export will contain name server records. These name server records, these pertain to GoDaddy, domaincontrol.com. These are GoDaddy, we're not using GoDaddy name servers anymore, so I can delete these. Our name servers are at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates. It didn't used to be, by the way, it used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know this old antiquated registrar doesn't support exporting of DNS, which is just really annoying. But Paul is saying, don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna The key here so you don't mess up DNS is at the end of all this. My DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, the for example, if there are CNAMEs that come in, like right here, this here's another one we can delete. This is a GoDaddy domain connects that we don't need that. We can delete this. Any that are there other registrars that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME generally, any CNAME other than the www record we want to proc... we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in hopefully you can export them and import them otherwise. This is also helpful if you can if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into to your Cloudflare account. Sue, if there's email, yeah, yeah, so like all the MX records, all the text validation records, CNAME records that are all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare their import gets about 90%. 
But it will typically especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it misses it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander CF one. Here's our managed challenge rule. So what I do in my text expander I have this title here. And so I'll copy cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode otherwise, you can copy and paste from your notes. There's our second rule the title, cut and paste up here. So choose the action skip and check all the boxes. All the boxes just like that. Deploy. Great. Our rule number three, now this one has the variable in it that fills in my domain, I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tier topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see page rules and we're going to be star dot WP one dot dev slash WP admin come on admin star. The settings will be about we spell that correctly. All right, first thing we want to do cache level is bypass then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. You can add these rules or not just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated. So you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL edge certificates. Oh look, it's active, boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active and it can take time. Okay, so let's talk about what happens if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. I have had it take a few hours and this was you know, this was actually right after remember last year Cloudflare had that data center issue. It a lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cache that certificate if we go let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see to these two IP addresses, that's cloud flares, backup IP address, that's what you want. And so it is it is seeing everywhere in the DNS shows. It's running through Cloudflare. So we're good. I'm not sure why it's not showing that let's or white showing that Let's Encrypt. Let me try it in Safari. Just to see I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's what's that's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at Oh, because here make sure that you set it to full Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code, you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it in every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. Go Daddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because prior it was it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday but first we add the Key Tag and this is all out of order. But Key Tag is here. The algorithm is 13 the digest type is two. And the digest is this string of characters and that's all we're going to need. Save All right, and it may take a minute, but we're going to click Confirm and it needs to wait it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview bool good to go. All right. 
So we've just added the site to Cloudflare. wasn't that complicated? Was it I'm gonna pause for a minute questions or comments\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions how question is How hard is it to move your domain to Cloudflare I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would? We are now completely set up. If we go to WP admin here we'll get to manage challenge as we would expect. Boom. Good. All good logging in. Yep. and log in. There I am. Pretty cool. I Su ever ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the more the back end of your domain registrar looks like 2004 The less likely they're going to have a DNS record export. CEU I don't know if Enom has a DS drop-down or not. Enom is pretty old school on the back end, as you know. They really need to and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used Dotster or web dot actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know in it tends to what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option if the registrar doesn't support it, they don't support it. And again, that's DNS records. have been around for a while and they're an important part of Domain validation. And if your registrar doesn't support it, I mean, I would start looking for new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um So first question here is in regard to the WAF rule, the skip good traffic rule. Does We Watch Your Website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. There's I don't think there's anything in a rule that's going to block that traffic. But so it's a good if you put a rule in and if they're getting blocked. This is an exercise of looking at the event and find what it's trying to do and then allow that but I don't have any specific whitelist for We Watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question that came in as an anonymous attendee. Or do we and I think what you mean is the webhook. So and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So I so let's see, ASNs are good. webhook URL is better. Because ASNs, I mean, maybe there's they might change or something might happen. So it's good to add the ASN. But if you know like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic that way you're, you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IP to a Cloudflare list and then added the list to the good bots rule. Today. I got a report that the score was cut in half. robots.txt is not accessible. Okay, so that okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So some like you can have, let's, let's let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe a traffic that's coming in from a country it's not in your allowed list or whatever. So what I would recommend that you do this is this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing. That was causing the block to happen and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate and but once you find that, the thing that allows it to skip then you can use that all the rest of your sites. So this is goes back to yesterday when I was saying of, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses Holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than let's see. Yes. So here's their user agent. So maybe what you would do here is say instead of that ginormous block of IP addresses we can just as easily say, in our allow our skip rule here or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other see this. This is why the order matters because the skip rule comes in number two. And if you are, if you've identified correctly, that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this. Other than, Oh, here's a good way to disallow to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are? That caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. am I allowing Canada?\r\n\r\nOh Doug, you got blocked sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify Paul you you. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down again, I wish there was an easier way All right.\r\n\r\nStacey, yeah, you probably you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in Solid Security maybe that's maybe so this you'll want that those in place right. So this managed challenge protects the login page if you're using Solid Security and and turnstile reCAPTCHA, or whatever other reCAPTCHAs for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there in Solid Security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had to pass through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know it has it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into. I'm under attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances where I would recommend though that you add Cloudflare is into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, we're the cache Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not let me just underscore this. Do not use the Cloudflare cache. If you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together. With an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, How did I get to the screen? What screen are we talking about? This is the doc Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot. Of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN, tab, or link and you'll see it down toward the bottom. The LiteSpeed cache Yep, good. Everybody. Okay with this makes sense? Does Perfmatters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perfmatters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably this primarily affects caching. And I don't Perfmatters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play. When it comes to Caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do we want to include it can be all domains that are in this Cloudflare account probably don't want to do that. A specific domain Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to a domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level generally I'm gonna give them domain administrator access, you can restrict it to just DNS if that's all they need. But in these cases, I want my the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights continue to summary. Yes, yes, yes. Invite an email was just been sent to my other email address that would give me access to that, that this email address. Nathan at Nathan ingram.com doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's you're giving them access to domains in this account, that's yours. 
But either way they in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me that works too. Yeah, either way that that works. But the delegation is really simple and smooth. And Cloudflare as you just saw, it's just click click like and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar ah Cloudflare is I think the best place to register domains now. Because they don't make any money on domain registration. They charge you a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are really at 977 for a .com 494 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in right here? You just they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google domains. And now at Squarespace, move them into Cloudflare it's gonna be cheaper and the UI is really simple. And there's not you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer Yeah, Stacey, I can't I think you're right there Stacy. Yeah, and classes saying the same thing. I can't find where it says that here but when I've transferred a domain to Cloudflare they add it you pay for a year but they add a year to whatever the current date is. So it's a it's as good of a deal as you're gonna get on a transfer. Okay, class that's a good yeah. If if you're already at the max prepay level, then yeah, they don't add a year but that's generally not the case. So really easy to use them as a registrar and now so here it by the way, here is one caveat with using Cloudflare as the domain registrar, you cannot or let me say it this way. You must use Cloudflare to manage your DNS. If Cloudflare is the registrar, so you can't I don't know why you'd want to but you can't manage DNS elsewhere. If you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here we talked about let's this this issue with importing DNS records. I showed you the process of importing from a DNS provider like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may like I did have a number of sites where the DNS was actually managed with cPanel cPanel. 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account I just hit the cloud for a rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte loading, loading loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompressed this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. What's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel and even as long as that takes to download and whatever that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the dbx file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about turnstile. So Cloudflare turnstile is a CAPTCHA replacement, that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as turnstile is the same thing as a managed challenge? Only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create turnstile API keys to use it right and so you do that at so many windows. All right. So we're gonna go to account icon account home, turnstile, account home and scroll down to turns turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 turnstile keys per account. So, a couple of things. First, you might not need more than 10 turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms zero spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10 just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other does that make sense? Everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the this account. And you just go from there any questions about that? pod for Turnstile? Super, super helpful. All right. We talked a little bit about this Cloudflare does give a lot for free. They do place certain limitations like 10 Turnstile key pairs per account 50 API keys per account. So we actually limit are the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that meant that are linked to each other as I described. Because the API keys are needed for to connect LiteSpeed to flush the cache. So you can again just like I described, use the same delegation process to to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see profile isn't no hang on. I can't see it here. When you log into account that shared with other accounts.
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even you know we have like five different Cloudflare accounts now that we're juggling, but you log into one of them. You can search and find the website you're looking for because it's been we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with I don't know anything about Cloudflare if they want to leave. So at that point, the answer is I'm sorry. That's why you hired me Cloudflare manages your DNS and give their next web provider access to the Cloudflare account and if they don't understand how to use it, I mean, that's on them. Right? I really don't have I mean, Cloudflare is pretty industry standard now and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare and I'm not talking about firewall rules and all of that, like oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me let me reverse my thinking on this a bit. Paul. 
If if I was going to offboard, a client whose site is managed on CloudFlare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings that just had the DNS and move the site to that account and give them access to that because I would I wouldn't want any of our security settings to go forward with them the world whatever's next. So been saying he had to do that on Monday. Yeah.\r\n\r\nYeah, that give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address and if they're forwarding to a Gmail account, for example, you can set up a send as address so that it can receive email as info at your domain, and it can send email as info at your domain all that can be done free within the Cloudflare email route routing settings. Let's see it looks like this. The last thing Yep. The last thing I'll mention, and we've already sort of dealt with this is troubleshooting WAF rules, you may run into things. If legitimate traffic is blocked by a WAF rule. Go to that activity log. That's right here. Websites AP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't you know if he's Oh, Google is blocked? Well, I don't think that's the Google bot. That's actually a Google Cloud Server. So a lot of times this may be a compromised server. That's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure. For example, anyway, you look at look at the activity log load entries that pertain to that specific rule by clicking this little number in the analytics here that loads one day, there we go.\r\n\r\nAnd actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open q&a. What do you think questions, comments, snide remarks all of them are available at this point. Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client correct or do you factor in a cost for this going forward? How much extra if anything would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander it really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that it actually what happens is, it saves me work on you know, in the future because the site's being protected and much better. 
And Tanya Yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul, how about setting this up for existing clients extra service? And the same answer for me on that when we migrated all of our clients over to Cloudflare back last fall. We didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare more secure less traffic on the server. All of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure. No, no, but you know, we'll raise our rates again here probably in two months. And I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things right. So you don't want to overwhelm them with information. So for the clients that are non technical and they just want to know that we're taking care of their site. I would just mention that we've added a network layer of security that blocks you know, something like I'd worded in such a way that was, you know, a high level a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those that's a that's an interesting little point here. 
Some of the, our clients, the ones particularly that have access to Cloudflare our clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of hey, we're in the process of moving to a new server and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why. In some of them we actually had a you know, a quick call with many of those IT folks like yes, great, let's do it. We'd like Cloudflare you know, we know about it, whatever. And so we just set up the account delegated access, good to go but it really depends on the client and their level of involvement or if they have IT people, etc. Doug for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP. What happens to a UK visitor when they click the Search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs, what will happen is if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any you know if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way, whatever countries that you have legitimate customers, clients, whatever in that would be coming to that site, allow those but turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic bots that are coming in from all over the world.\r\n\r\nPaul is asking how do anonymizers get affected by geo locations or VPN?
I mean, it's if I come in if you if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they they present as coming from that country, because I mean, they actually are they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying they're not standing there. They're coming from other parts of the world and it's noticeable\r\n\r\nBen when using support like from India for like WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the you know, it's not blocking the traffic. And so I wouldn't change my WAF rules. If support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule does that make sense?\r\n\r\nThe managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites do you have everything you need? Are you equipped to to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joke that in the pre show today that anything that breaks when you add these rules just asked me to borrow in office hours we'll deal with all right, we'll see you back here tomorrow office hours one o'clock central time on solid Academy where we go further together.\r\n\r\nTranscribed by https:\/\/otter.ai\r\n\r\n","livestream-resources-group":"s:34:\"a:1:{s:6:\"_state\";s:8:\"expanded\";}\";","multi-day_replay_details":["s:968:\"a:7:{s:18:\"event_replay_title\";s:7:\"Day One\";s:25:\"day_description_cloneable\";s:249:\"\r\n\r\n\r\n\r\n\r\nWelcome to Cloudflare!\r\n\r\nCloudflare Page by Page\r\n\r\nRecommended Cloudflare Settings\r\n\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938374439\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1o7Y8xSGeEx8ZF7yBmMsRat6XNkkjEXWc\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/Xr3bZcpfJBN9iV2YsapSA3avN0Q?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";","s:971:\"a:7:{s:18:\"event_replay_title\";s:5:\"Day 2\";s:25:\"day_description_cloneable\";s:254:\"\r\n\r\n\r\n\r\nRecommended Cloudflare Settings (continued)\r\nMigrating a Site to Cloudflare\r\nMore Cloudflare Tools and Tips\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938814771\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course 
Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1Nr3wkfCzHZ7Nr4PEzVWhV1lKn40abQUV\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/qIa-JHSQCRIijFOyeMsIQX00B1g?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";"]}},"postCountOnPage":1,"postCountTotal":1,"postID":448512,"postFormat":"standard","geoCloudflareCountryCode":"US"}; dataLayer.push( dataLayer_content ); \n\nAn overview of Cloudflare and a walkthrough of the major features\n\n\n\nHow to set up Cloudflare for WordPress client sites\n\n\n\nHow to set up important WAF rules\n\n\n\nA proven process for migrating sites into Cloudflare with no mistakes\n\n\n\nOther Cloudflare features like domain registration and email forwarding\n\n\n\nProtips for smoothing out your Cloudflare workflows\n\n\n\n\n\n\n\n\n\n\n\n\n\n","livestream_live_transcript_text":"Unknown Speaker 0:18 \r\nAll right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?\r\n\r\nUnknown Speaker 0:26 \r\nWhat are you most excited to learn?\r\n\r\nUnknown Speaker 0:32 \r\nAs you answer that I am getting our captions all set.\r\n\r\nUnknown Speaker 0:38 \r\nAlright, captions should now be working for everybody.\r\n\r\nUnknown Speaker 0:43 \r\nFingers crossed\r\n\r\nUnknown Speaker 0:47 \r\nthe whole thing.\r\n\r\nUnknown Speaker 0:49 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:51 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:53 \r\nWe'll see what we can do, Debra. Love it.\r\n\r\nUnknown Speaker 0:59 \r\nAlright folks, we are about four ish minutes away.\r\n\r\nUnknown Speaker 1:06 \r\nFour ish minutes away from getting started with Cloudflare for agencies if you're just joining us in zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40 Page course handbook that I've put together for you here. 
Many many, many things here in the handbook.\r\n\r\nUnknown Speaker 1:32 \r\nAnything you can learn? Yeah, all right.\r\n\r\nUnknown Speaker 1:35 \r\nDefinitely.\r\n\r\nUnknown Speaker 1:37 \r\nYes, Stacy. There are so many things and this is not I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.\r\n\r\nUnknown Speaker 1:51 \r\nHow much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can it should give you a really good basis to make decisions on how you want to implement.\r\n\r\nUnknown Speaker 2:24 \r\nPaul, you make the website and then we'll talk\r\n\r\nUnknown Speaker 2:31 \r\ny'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.\r\n\r\nUnknown Speaker 2:42 \r\nYeah, I promise it's really not that complicated.\r\n\r\nUnknown Speaker 2:47 \r\nAll right. So if you're just joining us in zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes. Yep, of course handbook is there and waiting on you to download also, of course the replay link.\r\n\r\nUnknown Speaker 3:08 \r\nIf you want to go back and rewatch today\r\n\r\nUnknown Speaker 3:16 \r\nmy oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.\r\n\r\nUnknown Speaker 3:27 \r\nAlright, y'all just about two minutes ago. hope everybody's doing well hope your week has gotten started. Well check in question today. 
Let me just hear from you what you are most excited to learn about Cloudflare what you want to know what parts confuse you other than everything, as some folks have said. If there's a particular area I'd love to hear that\r\n\r\nUnknown Speaker 3:52 \r\nOh, Beth. I mean priorities right.\r\n\r\nUnknown Speaker 4:00 \r\nLove it.\r\n\r\nUnknown Speaker 4:02 \r\nYeah, laptop on the beach. Back. Yeah.\r\n\r\nUnknown Speaker 4:07 \r\nActually, Myrtle Beach is gorgeous. This time of year. Good for you, Beth.\r\n\r\nUnknown Speaker 4:15 \r\nturnstyle WAF Yes.\r\n\r\nUnknown Speaker 4:20 \r\nThere's no dancing and Cloudflare\r\n\r\nUnknown Speaker 4:28 \r\nthat's why you take a tablet to the beach, not your laptop.\r\n\r\nUnknown Speaker 4:34 \r\nStacey, that's awesome. That's 100% True. And actually, if you find dancing and Cloudflare just wait because they'll move it to another menu link later or they'll rename it.\r\n\r\nUnknown Speaker 4:48 \r\nYeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.\r\n\r\nUnknown Speaker 4:59 \r\nDo the turnstile through the turnstile. Alright folks, just about 30 seconds to go. hope everybody's doing well today. Come on in find a seat and grab the course handbook. But to drop the link bundle in once again.\r\n\r\nUnknown Speaker 5:14 \r\ni Yes, exactly. Karen\r\n\r\nUnknown Speaker 5:19 \r\nand what you're talking about there, Karen. There's no easy answer to that. Unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.\r\n\r\nUnknown Speaker 5:46 \r\nAll right, y'all. 
It's three minutes after let us get the recording started and we will dive right in.\r\n\r\nUnknown Speaker 5:56 \r\nWell, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days. We're going to take two hours today two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.\r\n\r\nUnknown Speaker 7:21 \r\nSo I Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. 
So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. 
And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. 
They are they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. I Cloudflare. Security Services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free ssl certificates. Also, they use the Google certificate authority as the primary and then sectigo as a secondary. We'll get to all that when we get to the SSL section. 
They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization Cloudflare Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So that in that way, there's a lot of people watching them from high level, you know, big fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites 32% of the top million websites. 
Their global network has 300 data centers all over the globe at more than 120 different countries. So the the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day. On average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from we watch your website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the the requester so that those things are fulfilled more quickly.
They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm Under Attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny. This discussion has come up a number of times in The Admin Bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. 
So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here on Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing. 
No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does solid security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. 
So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner. processes running in the same environment. malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning Do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic. That have gotten through the other two layers. We pause. 
Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing right not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like the the of the kinds of plugins that exist for WordPress. The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and make sure that the password hasn't been compromised, and that Have I Been Pwned database. 
We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security also session cookie protection, right having that like the trusted devices features of Solid Security that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs again, too, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little you know there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. 
I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be great. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. 
I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a make a quick Cloudflare account I'm going to log in to my I iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install Of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they're they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get, is there an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. 
It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack period, because a bot cannot pass Cloudflare Turnstile, at least yet. So Todd simply toggling that on is going to stop the DDoS attack it does put a you know that that Turnstile pass through managed challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but that this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes like you you've edited something, it's not showing up then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching with WordPress plugin caching. 
If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. 
You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. 
They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. 
You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNSSEC. If you're not familiar with DNSSEC, this is basically it validates that your domain is correct. Right. So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. 
You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. 
So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. 
Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management you may or may not want to use this. It's free and it's decent DMARC reporting it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record if if you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels, so you can turn SSL completely off. Don't do that. You can also do flexible which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to the to your server with a self signed certificate at the server. Virtually every server is going to provide a self signed certificate and Cloudflare can use that the encryption tunnel is perfectly it's perfectly secure. There is this full level which says okay, I want to install a trusted like one of those, you know, you buy it certificates on the server. 
You can do that if you want to or Cloudflare will actually provide you an origin certificate for your server I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is and Cloudflare to the browser is giving Google it's one one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it most most of the VPSs that are set up by a reputable hosting company like if you have a Liquid Web VPS it's going to have a self signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one so if I go to WP nathan.com and I look at the certificate details here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for set Teego doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy's mentioning here, and let me address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server can't validate, right, or the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But, like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full, because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full. It's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that. Like, full strict, that sounds great, I want that. But you don't want that. You want to be able to set this and forget it. So yeah, and Stacy, it may be dependent on the host. You'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nLet me say it this way. There is no extra security benefit from full or full strict, because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or, you know, your favorite purchased certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see?
And in this case, it's Google first and then, you know, one of those. So does that make sense, everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay, let's keep going. So edge certificates. We talked about these. You're not going to want that, that costs money. You don't really need it. Total TLS, this lets you choose, like if I toggle this, oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on. It's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And, like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless, like, it can heighten your security. And sometimes, if you have a client that has a level of security they have to reach for their own internal audits or whatever, you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider, because it can lock down, it'll lock out traffic. It's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version. I'm going to recommend here 1.2 because everybody can use 1.2. But you really might want to consider 1.3. So 1.2 is required if you're trying to get PCI compliance.
You have to have 1.2 level of TLS, which is the next level of SSL, but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3, and Opera Mini, like those are the only two browsers. So the chances, I mean, those are teeny tiny percent. So I'm at the point where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's on by default. I do want to toggle this transparency on. What this does is basically, if some other server or authority or whatever issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere, something odd is happening, and a certificate gets issued and I'm not aware of it, I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, most of the stuff you're not really going to use. You're not going to use this most likely, it's complicated scenarios. Origin server. This is where if you want to install a Cloudflare-generated certificate on your server to do full strict, you can do that here. I don't recommend that, it's not super necessary. And then custom hostnames you're probably not going to use, so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. Any questions about this bit? I realize that was a lot.
So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event that has happened on the server where a firewall, a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in, what was the ASN. In this case, I have a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one, look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is, but it was trying to get to a weird port, like what the heck is this one a 53, I don't even know what that is. This was bad traffic and it got a managed challenge, primarily because it was coming from outside the US. Actually no, I've got this set up to accept UK traffic. So this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic, and so it wouldn't have made it through to the site.
So this is a great place to look after you've implemented a rule, to make sure you're not getting legitimate traffic caught, or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from the Netherlands, same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something with this traffic, and server resources would have been expended. We block this traffic at the network level before it even hits the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF, which stands for web application firewall. Now, this is a place, again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So, you know, trying to go to WP login or my account, or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules.
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Google bot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place. We'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents. You have 10 user agent blocking rules if you want to use those. I typically don't, but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down in security, the Page Shield. This is a paid feature, basically keeps your content safe. Bots feature. Okay, this is probably the place where most people make a mistake. Bot fight mode on. I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. There's nothing I've had to troubleshoot more than bot fight mode creating problems for legitimate external connections to websites, like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like, you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy-handed in my opinion.
Also, it adds JavaScript to every single page load on your website, that bot activity, and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare super bot fight mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode, and you get to see, you know, a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods. That's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that, available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off, meaning that the average traffic, the average user is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30 minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on. It blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those.
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access, this is actually going away, will probably be removed from this menu pretty soon. And let me just mention also, if you're watching this on a replay and it's like a year from now, a lot of these menus may change. Cloudflare is as bad as Google about renaming and moving things and changing it. They change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The Observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here. This just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there. Do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an H, an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare Fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud.
So instead of having to go out to Google Fonts and download the font, Cloudflare Fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy-first manner. It's not like you're pulling fonts off of Google's server and as a result the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called Early Hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link, in the background the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket Loader. This is another one of those things that people say oh, it's speed, I'm going to turn it on. Don't turn this on. Rocket Loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot, it can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto Minify, yes, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this Automatic Platform Optimization for WordPress. This can be really good. It's $5 a month per site.
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud, and the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's as close to the user as possible, and it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but, you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nKeep on going here. Let's see, caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration. Like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare.
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that, because otherwise what you're going to run into is you've got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. This needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler hints. Okay, how many of you remember from the Starter Site webinar we do every year, we've got that really cool plugin called IndexNow from Bing, and it watches changes on your website and lets Bing and, let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool.
Always Online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine, and if for some reason your server goes down, Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve, and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule, like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page? I can do all that here. And I'll give you those rules when we get into that section in a little bit. So the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, Workers Routes, don't have to worry about that at all. Unlikely you'll use this. Rules.
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rules. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's see, network, you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long-time iThemes Training, Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript, which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on, well, in certain cases.
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on, a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page, and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually. It's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So, you know, it's interesting, and if you're super geeky and you want to get into that, have at it, because it's a very powerful tool. And last of all, Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, let me check in. How are you? Are you panting for breath? Are you okay? This was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. If you notice, there's only a few things in here that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next?
I am going to give you my recommended settings for each of the areas. We're gonna do that, probably, I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe, and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you the actual recommended rules and things like that, that you're gonna want to implement. Now from that, tomorrow we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after, so we'll come back at 2:17 Central time, so 17 minutes after, and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now, first of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover, now with this, again, caveat, disclaimer, slash scary warning, scary emoji, grimacing emoji, okay. Is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay.
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs. Try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So sometimes sites require these granular adjustments and it might take a little bit to dial them in, so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security, but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something, or, you know, ask an office hours question. But is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time, so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server, this Liquid Web VPS that WP Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it.
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because, you know, in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs, like in this case, I don't even know why we still have this one, but FTP dot, and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic. Proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you, like me, enjoy having the ability to spin up quick staging sites, in my case on cPanel I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record.
The name has an asterisk and it points here, which means unless otherwise defined by another A record, any other traffic, you know, whatever.wpnathan.com, goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch-all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's, that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this.\r\n\r\nUnknown Speaker 1:26:23 \r\nLet's see how long it takes to create, if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically, Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL/TLS again, encryption method full. I talked about that a lot earlier, so hopefully that doesn't need any more explanation. Under edge certificates, Always Use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier.
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process, rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first the Key Tag and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button, it adds the record and validates, it's done. It's like a one click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this: full encryption mode, edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule, as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor, like country does not equal, you know, it lets you create records like this. And or and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks, for example, that aren't coming from those specifically defined countries. Makes sense. So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever, or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, I put in, whenever I'm doing a rule, our prefix for our agency for code we write and for other things is BWW, Brilliant Web Works, but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack, amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
This also the skip this traffic so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge again. It's I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so it's you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP any URL that comes in to wp-login, so even by the way, like if you're logged out and you used to go to wp-admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially is URL. So if the path coming in being requested from the server contains that wp-login, I want to challenge that. If it, like for here, for a WooCommerce, my account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, that I want to challenge that traffic. 
And what that lets me do is, like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is, right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority in this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from, put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number, probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here, skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is, think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or 1000s of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own, but these are, for the most part, some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because, if you're, for example, with a WooCommerce connector, you're going to want, if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule in that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic, now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms always includes Gravity Forms stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But you're that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User Agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you have other payment processors, whatever that webhook is that they give you, just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this, right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I'm always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it, Karen? Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next, okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked, period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if the, if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block. Now that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes. There's a lot, you'd be surprised how much traffic comes in. Matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of this images. There's all this garbage traffic and look at this. What the heck would anybody need, you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up some Amazon server to do this hacking, or it's a site that's been compromised. Crazy, and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here, if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL, if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan, so this is this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments, anything like that, this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron. I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one, if it's not a known bot, and it's going to admin-ajax, admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that, you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Typedesk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nCF three, boom. Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF one, CF two, CF three, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or Slurp, which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this, you can see all the things, they do have categories too, anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: Why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics if I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff. I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move, move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times, like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want Bot Fight Mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today? Because your homework is, if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward, I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control, a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the Search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct, so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here, this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway, pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass you the challenge, they'll act they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance.
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bot fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and Windows arrange and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute.
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cash in really it. It's\r\n\r\nit's really more like check out, you know, forms that Process Payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend.
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains also and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here disabled performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site?
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up an A record and two CNAMEs so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to GoDaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else.
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know, this old antiquated registrar doesn't support exporting of DNS, which is just really annoying. But Paul is saying, don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna... The key here, so you don't mess up DNS, is at the end of all this, my DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, for example, if there are CNAMEs that come in, like right here, here's another one we can delete. This is a GoDaddy domain connect that we don't need. We can delete this. Any that are there, other registrars that have specific records, we're not using that anymore, so we can delete this. And if it's a CNAME, generally, any CNAME other than the www record we want to proc, we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in? Hopefully you can export them and import them otherwise. This is also helpful if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue, if there's email? Yeah, yeah, so like all the MX records, all the TXT validation records, CNAME records, all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare, their import gets about 90%. 
But it will typically, especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it tends to miss the TXT records. Okay, everybody good? All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see. Okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my, use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander, CF one. Here's our managed challenge rule. So what I do in my text expander, I have this title here. And so I'll cut that and put it up there and this is going to be a managed challenge. Boom, and deploy. That quick, that was done. We're going to create rule number two. I'm going to use my shortcode, otherwise you can copy and paste from your notes. There's our second rule, the title, cut and paste up here. So choose the action skip and check all the boxes. All the boxes just like that, deploy. Great. Our rule number three, now this one has the variable in it that fills in my domain, I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block, deploy. So you see how quickly it goes. If you have something like text expander or in my case Typedesk or one of these macro type programs, apps on your computer, it just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense, everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going. Under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up if we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter, but I prefix everything with be WWE, you know, functions, code, all that, is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered, so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on, early hints are on, check all three boxes on auto minify, boom, boom, boom. And we want to go up to protocol optimization and turn 0-RTT on. Great. Now let's look at caching. Let's see, configuration, crawler hints. Okay, browser cache is one month, that's the default. That's awesome. Let's see, crawler hints are on, always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules to set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tier topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see, page rules, and we're going to be star dot WP one dot dev slash WP admin, come on, admin star. The settings will be about we spell that correctly. All right, first thing we want to do, cache level is bypass, then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On. You can add these rules or not, just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated. So you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that, so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL, edge certificates. I look, it's active, boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active, and it can take time. Okay, so let's talk about what happens if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. I have had it take a few hours, and this was, you know, this was actually right after, remember last year Cloudflare had that data center issue. A lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes and you're good to go. But it can take a few hours. That's nothing to worry about. Now, if you get hours and hours and hours, and like the next morning it's still not working, then what I would suggest that you do... Let's see, I've given a pointer, put those notes, troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when I'm not getting my certificate generated, it's been because I accidentally left those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable, doo doo doo doo doo, right here. Disable universal SSL, click that button, wait a couple of minutes for the dust to settle. Then you re-enable it and it starts that validation process again, and I've never had it not work the second time. So maybe that's just lucky on my part. But generally that fixes something that's stuck. And I've only had that happen like once or twice in all the sites, and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge, right here, the universal one. Now we don't have to wait for that, saw this question a minute ago. We don't have to wait for the backup certificate to get set, that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable Cloudflare on the site. It is now enabled. And okay, here's where it was before, and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cached that certificate. Let's go into the browser, and you can see that it's the Google cert, and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is, oh, I clicked the wrong thing. There we go. Now it's still, interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see these two IP addresses, that's Cloudflare's backup IP address, that's what you want. And so it is seeing everywhere in the DNS, shows it's running through Cloudflare. So we're good. I'm not sure why it's not showing that, or why it's showing that Let's Encrypt. Let me try it in Safari, just to see. I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at... Oh, because here, make sure that you set it to full. Am I following my instructions? No, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate. Helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab, most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday, but first we add the Key Tag, and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm and it needs to wait, it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, full, good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute, questions or comments\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions. The question is, how hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get a managed challenge as we would expect. Boom. Good. All good, logging in. Yep, and log in. There I am. Pretty cool. Sue, ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS drop-down or not. Enom is pretty old school on the back end, as you know. They really need to, and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones, I've never used Dotster or web dot, actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know. It tends to, what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option, if the registrar doesn't support it? They don't support it. And again, DNS records have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for a new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um. So first question here is in regard to the WAF rule, the skip good traffic rule. Does We Watch Your Website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. I don't think there's anything in a rule that's going to block that traffic. But so it's a good, if you put a rule in and if they're getting blocked, this is an exercise of looking at the event and find what it's trying to do and then allow that, but I don't have any specific whitelist for We Watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean, I'm not sure who's asking this question, that came in as an anonymous attendee. Or do we, and I think what you mean is the webhook. So, and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe they might change or something might happen. So it's good to add the ASN. But if you know, like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever, then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic, that way you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IP to a Cloudflare list and then added the list to the good bots rule. Today I got a report that the score was cut in half. robots.txt is not accessible. Okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe traffic that's coming in from a country that's not in your allowed list or whatever. So what I would recommend that you do, this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen, and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate, but once you find the thing that allows it to skip, then you can use that on all the rest of your sites. So this goes back to yesterday when I was saying, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than, let's see. Yes. So here's their user agent. So maybe what you would do here is say, instead of that ginormous block of IP addresses, we can just as easily say, in our allow, our skip rule here, or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other, see this, this is why the order matters, because the skip rule comes in number two. And if you've identified that traffic correctly, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, you just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it, and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this, other than, oh, here's a good way to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are that caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify, Paul. It doesn't tell you what about the traffic triggered the log, but looking at the details, you can probably narrow it down. Again, I wish there was an easier way. All right.\r\n\r\nStacey, yeah, you probably, you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there, if I go back to this page, it's probably not going to challenge it again, because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, et cetera, et cetera, right there. Cloudflare tools and tips, that's starting at page 32. We'll have a good Q&A time at the end, and that'll be it. So we'll take a break, five minutes, back at five minutes after two Central Time.\r\n\r\n30 second warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies. Got a long way in the last few hours together and everybody's still alive. Seems like that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for Q&A and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules in effect, is this where you no longer set the reCAPTCHA in Solid Security? So the answer to that question is yes. Because in our WAF rule, we have a managed challenge. That's going to challenge any of our WP login. Now when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using Solid Security to protect your comment form or whatever. And by the way, are y'all listening? Can I share something just between you and me? 
There may be some ecommerce protections that are coming in Solid Security, maybe, so you'll want those in place, right. So this managed challenge protects the login page. If you're using Solid Security and Turnstile, reCAPTCHA, or whatever other CAPTCHAs for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there in Solid Security. Does that make sense, Paul? But it is redundant to set a CAPTCHA on a page where they've already had to pass through a managed challenge to get there. Does that make sense, everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on, okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this, and this is a very important note. These, as you've seen already, web application firewall rules are very flexible and need to be changed for your use case, and may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar from Troy Glancy. Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up, and see what his advice is on this, right, because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare, and actually settings, under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com, and a global token. So you always find those at your account home. And actually it's, where is that, it's at profile, actually, my profile, in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which site it is. Scroll down, continue to summary, create token, and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site. Now basically what this plugin does is bring some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example, and I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know, it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into I'm Under Attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances. What I would recommend though is that you add Cloudflare into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using, we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare. Most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and, you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, clear the cache. Cloudflare, sitting up here at the network level, has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that, in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync, and that's what you want. 
So do not, let me just underscore this, do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see, you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.\r\n\r\nSue is asking, how did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings, virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN tab or link and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this? Makes sense? Does Perf Matters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perf Matters. So I can't speak to that. But you'll definitely want to visit with them on that. So this primarily affects caching. And Perf Matters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really comes into play when it comes to caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at, boom. A fan at nathaningram.com. I can't type. There we go. And what are we going to do? What we want to include, it can be all domains that are in this Cloudflare account. Probably don't want to do that. A specific domain? Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to? A domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this way: include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level? Generally I'm gonna give them Domain Administrator access. You can restrict it to just DNS if that's all they need. But in these cases, the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant Domain Administrator rights. Continue to summary. Yes, yes, yes. Invite. An email has just been sent to my other email address that would give me access to that. This email address, Nathan at nathaningram.com, doesn't have a Cloudflare account, so I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access. Let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, here's one where I've given another email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis is saying, this is like a reverse way of giving a client their own account. And it's not their own account. You're giving them access to domains in this account that's yours.
But either way, in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class: since client domains are registered with Cloudflare, I had them set up an account and delegate access to me. That works too. Yeah, either way, that works. But the delegation is really simple and smooth, and Cloudflare, as you just saw, it's just click, click, like, and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar, ah, Cloudflare is, I think, the best place to register domains now, because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. They're literally selling you domains at cost. So if you want to get to domain management, you go here, manage our account home, Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are, really, at 977 for a .com, 494 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in? Right here. They have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains and now at Squarespace. Move them into Cloudflare. It's gonna be cheaper and the UI is really simple. And, you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes.
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain, like, you have to unlock the domain and turn off DNSSEC, if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't, I think you're right there, Stacy. Yeah, and Class is saying the same thing. I can't find where it says that here, but when I've transferred a domain to Cloudflare, they add it, you pay for a year, but they add a year to whatever the current date is. So it's as good of a deal as you're gonna get on a transfer. Okay, Class, that's a good, yeah. If you're already at the max prepay level, then yeah, they don't add a year, but that's generally not the case. So really easy to use them as a registrar. And by the way, here is one caveat with using Cloudflare as the domain registrar. You cannot, or let me say it this way: you must use Cloudflare to manage your DNS if Cloudflare is the registrar. So you can't, I don't know why you'd want to, but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process. Okay, so we were here, we talked about this issue with importing DNS records. I showed you the process of importing from a DNS provider, like, we exported the DNS from GoDaddy, imported it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may, like I did, have a number of sites where the DNS was actually managed with cPanel. cPanel
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it, and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just, there we go. And what you're going to do, and again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to Backup and just download our most recent full account. I just hit a Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent account backup. I'm just going to download this, and it's downloading this tarball, which is like a zip file. It's downloading it to my desktop.\r\n\r\nCan take a minute. It's rather large. It's a gigabyte. Loading, loading, loading. Let's go. Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different, but this is what you can do and it works. So we're going to unzip or uncompress this tarball. Again, takes just a minute to do because there's a lot of stuff in here. It's a full cPanel account backup. It's got to expand all the things.\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import, but you have to download the whole stupid thing to get there. Moving, moving, okay, almost, almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone, and look, there's wpnathan.com.db.
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this, and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel, and even as long as that takes to download and whatever, that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare, because you used to have to rename it to dot txt. So great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement that many of you are aware of. It's been integrated into Solid Security for some time now. And again, think of it as, Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form, like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it, right? And so you do that at, so many windows. All right. So we're gonna go to the account icon, Account Home, Turnstile. Account Home and scroll down to Turnstile, and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile key sets. So for me, I don't need more with all the sites that we manage, because in most sites comments are turned off, so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule.
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10, just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses, and then what you do is just make them members of each other, so that whatever account you log into has access to all the domains that are in all the accounts, and it just makes it really easy to manage. So don't let the account limit necessarily bother you, because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in this account. And you just go from there. Any questions about that? Cloudflare Turnstile. Super, super helpful. All right. We talked a little bit about this. Cloudflare does give a lot for free. They do place certain limitations, like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit, the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys, so we only put 50 domains in an account. So we have multiple accounts that are linked to each other as I described, because the API keys are needed to connect LiteSpeed to flush the cache. So you can, again, just like I described, use the same delegation process to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account Home\r\n\r\nhang on a minute. Let's see, profile, no, hang on. I can't see it here. When you log into an account that's shared with other accounts.
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even, you know, we have like five different Cloudflare accounts now that we're juggling, but you log into one of them, you can search and find the website you're looking for because we have access to it, and you just go right to it. It's really simple to connect those accounts together. That was a poor explanation, I think. But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with, I don't know anything about Cloudflare, if they want to leave. So at that point, the answer is, I'm sorry, that's why you hired me. Cloudflare manages your DNS. And give their next web provider access to the Cloudflare account, and if they don't understand how to use it, I mean, that's on them. Right? I really don't have, I mean, Cloudflare is pretty industry standard now, and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave, then they leave. Yeah. Is that fair? That's good, Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple, the DNS settings in Cloudflare, and I'm not talking about firewall rules and all of that. Like, oh, so if a client were going to leave me, then I would probably set up. Yeah, fit. Let me reverse my thinking on this a bit, Paul.
If I was going to offboard a client whose site is managed on Cloudflare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings, that just had the DNS, and move the site to that account and give them access to that, because I wouldn't want any of our security settings to go forward with them, the world, whatever's next. So Ben is saying he had to do that on Monday. Yeah.\r\n\r\nYeah, give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare Email Routing. We talked a little bit about this yesterday, and I've given the whole process there for that. I'm not going to go back and get into that. Pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address, and if they're forwarding to a Gmail account, for example, you can set up a send-as address so that it can receive email as info at your domain, and it can send email as info at your domain. All that can be done free within the Cloudflare email routing settings. Let's see, it looks like this. The last thing, yep, the last thing I'll mention, and we've already sort of dealt with this, is troubleshooting WAF rules. You may run into things. If legitimate traffic is blocked by a WAF rule, go to that activity log. That's right here. Websites, WP Nathan, WAF. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't, you know, if you see, oh, Google is blocked? Well, I don't think that's the Googlebot. That's actually a Google Cloud server. So a lot of times this may be a compromised server that's trying to get access to things. So just because you see Google doesn't mean it's legit, or, you know, Amazon, AWS or whatever.
Sometimes those are legitimate, or they are compromised sites that are hosted on Google's infrastructure, for example. Anyway, you look at the activity log, load entries that pertain to that specific rule by clicking this little number in the analytics here. That loads one day. There we go.\r\n\r\nAnd actually, I don't know what this flex potential is, maybe we wanted to allow that, so we could add this into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open Q&A. What do you think? Questions, comments, snide remarks, all of them are available at this point. Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client, correct? Or do you factor in a cost for this going forward? How much extra, if anything, would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander. It really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that. Actually, what happens is it saves me work in the future, because the site's being protected much better.
And Tanya, yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos, and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul: how about setting this up for existing clients, extra service? And the same answer for me on that. When we migrated all of our clients over to Cloudflare back last fall, we didn't charge extra for that, because it makes things easier for us to have those clients all in Cloudflare, more secure, less traffic on the server, all of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested, yes. The ones that just want to know their site is secure, no. But, you know, we'll raise our rates again here probably in two months, and I'll let them know all these extra things we've done at that point. But, you know, you've got to communicate with clients. Some clients don't care about all the little things, right? So you don't want to overwhelm them with information. So for the clients that are non-technical and they just want to know that we're taking care of their site, I would just mention that we've added a network layer of security that blocks, you know, something like, I'd word it in such a way that was, you know, a high level, a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, that's an interesting little point here.
Some of our clients, the ones particularly that have access to Cloudflare, are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out: hey, we're in the process of moving to a new server, and in doing this we're also getting all of our DNS uniform, and we want to move everything to Cloudflare. Here's why. In some of them we actually had, you know, a quick call with many of those IT folks, like, yes, great, let's do it. We like Cloudflare, you know, we know about it, whatever. And so we just set up the account, delegated access, good to go. But it really depends on the client and their level of involvement, or if they have IT people, etc. Doug: for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the search link to my website? Yeah. So blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs. What will happen is, if you're in the UK and you click the search result, you're now going to wpnathan.com with a geo origin of UK, which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that, you know, if you have legitimate clients that typically come from other countries, let me say it this way: whatever countries that you have legitimate customers, clients, whatever, in that would be coming to that site, allow those. But turning off, or only allowing traffic from those known good countries, can filter out a lot of garbage traffic, bots that are coming in from all over the world.\r\n\r\nPaul is asking, how do anonymizers get affected by geolocations or VPN?
I mean, if I turn on my VPN right now and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge, because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they present as coming from that country, because, I mean, they actually are. They're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.\r\n\r\nBen: when using support, like from India, for like WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing: we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So it's a challenge rule, not a block rule. Does that make sense?\r\n\r\nThe managed challenge will stop bot traffic, because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better, and then the bots will get better and then Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joked in the pre-show today that anything that breaks when you add these rules, just ask me tomorrow in office hours, we'll deal with it. All right, we'll see you back here tomorrow, office hours, one o'clock Central time, on Solid Academy, where we go further together.\r\n\r\nTranscribed by https:\/\/otter.ai\r\n\r\n","livestream-resources-group":"s:34:\"a:1:{s:6:\"_state\";s:8:\"expanded\";}\";","multi-day_replay_details":["s:968:\"a:7:{s:18:\"event_replay_title\";s:7:\"Day One\";s:25:\"day_description_cloneable\";s:249:\"\r\n\r\n\r\n\r\n\r\nWelcome to Cloudflare!\r\n\r\nCloudflare Page by Page\r\n\r\nRecommended Cloudflare Settings\r\n\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938374439\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1o7Y8xSGeEx8ZF7yBmMsRat6XNkkjEXWc\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/Xr3bZcpfJBN9iV2YsapSA3avN0Q?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";","s:971:\"a:7:{s:18:\"event_replay_title\";s:5:\"Day 2\";s:25:\"day_description_cloneable\";s:254:\"\r\n\r\n\r\n\r\nRecommended Cloudflare Settings (continued)\r\nMigrating a Site to Cloudflare\r\nMore Cloudflare Tools and Tips\r\n\r\n\r\n\r\n\";s:35:\"livestream_vimeo_video_id_cloneable\";s:9:\"938814771\";s:16:\"course-resources\";a:1:{i:0;a:4:{s:28:\"resource_link_text_multi_day\";s:15:\"Course Handbook\";s:22:\"resource_url_multi_day\";s:82:\"https:\/\/drive.google.com\/file\/d\/1PJ71vKzkdKrGgnl45DmR9_BtlxXU5Ih4\/view?usp=sharing\";s:23:\"resource_type_multi_day\";s:15:\"Course 
Handbook\";s:6:\"_state\";s:8:\"expanded\";}}s:23:\"livestream_chat_log_url\";s:82:\"https:\/\/drive.google.com\/file\/d\/1Nr3wkfCzHZ7Nr4PEzVWhV1lKn40abQUV\/view?usp=sharing\";s:40:\"livestream_live_transcript_url_cloneable\";s:66:\"https:\/\/otter.ai\/u\/qIa-JHSQCRIijFOyeMsIQX00B1g?utm_source=copy_url\";s:6:\"_state\";s:8:\"expanded\";}\";"]}},"postCountOnPage":1,"postCountTotal":1,"postID":448512,"postFormat":"standard","geoCloudflareCountryCode":"US"}; dataLayer.push( dataLayer_content ); \nIncluded in this Course\n\n\n\n\nAn overview of Cloudflare and a walkthrough of the major features\n\n\n\nHow to set up Cloudflare for WordPress client sites\n\n\n\nHow to set up important WAF rules\n\n\n\nA proven process for migrating sites into Cloudflare with no mistakes\n\n\n\nOther Cloudflare features like domain registration and email forwarding\n\n\n\nProtips for smoothing out your Cloudflare workflows\n\n\n\n\n\n\n\n\n\n\n\n\n\n","livestream_live_transcript_text":"Unknown Speaker 0:18 \r\nAll right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?\r\n\r\nUnknown Speaker 0:26 \r\nWhat are you most excited to learn?\r\n\r\nUnknown Speaker 0:32 \r\nAs you answer that I am getting our captions all set.\r\n\r\nUnknown Speaker 0:38 \r\nAlright, captions should now be working for everybody.\r\n\r\nUnknown Speaker 0:43 \r\nFingers crossed\r\n\r\nUnknown Speaker 0:47 \r\nthe whole thing.\r\n\r\nUnknown Speaker 0:49 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:51 \r\nI'll take it.\r\n\r\nUnknown Speaker 0:53 \r\nWe'll see what we can do, Debra. 
Love it.\r\n\r\nUnknown Speaker 0:59 \r\nAlright folks, we are about four-ish minutes away.\r\n\r\nUnknown Speaker 1:06 \r\nFour-ish minutes away from getting started with Cloudflare for Agencies. If you're just joining us in Zoom, open up the chat, and I'm dropping in once again the link bundle, which has the very large 40-page course handbook that I've put together for you here. Many, many, many things here in the handbook.\r\n\r\nUnknown Speaker 1:32 \r\nAnything you can learn? Yeah, all right.\r\n\r\nUnknown Speaker 1:35 \r\nDefinitely.\r\n\r\nUnknown Speaker 1:37 \r\nYes, Stacy. There are so many things, and this is not, I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.\r\n\r\nUnknown Speaker 1:51 \r\nHow much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can, it should give you a really good basis to make decisions on how you want to implement.\r\n\r\nUnknown Speaker 2:24 \r\nPaul, you make the website and then we'll talk.\r\n\r\nUnknown Speaker 2:31 \r\nY'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.\r\n\r\nUnknown Speaker 2:42 \r\nYeah, I promise it's really not that complicated.\r\n\r\nUnknown Speaker 2:47 \r\nAll right. So if you're just joining us in Zoom, welcome, welcome. The chat is open. I'm dropping in once again the link bundle that has the course handbook. The one, the, yes.
Yep, of course, handbook is there and waiting on you to download. Also, of course, the replay link.\r\n\r\nUnknown Speaker 3:08 \r\nIf you want to go back and rewatch today.\r\n\r\nUnknown Speaker 3:16 \r\nMy oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.\r\n\r\nUnknown Speaker 3:27 \r\nAlright, y'all, just about two minutes to go. Hope everybody's doing well. Hope your week has gotten started well. Check-in question today: let me just hear from you what you are most excited to learn about Cloudflare, what you want to know, what parts confuse you, other than everything, as some folks have said. If there's a particular area, I'd love to hear that.\r\n\r\nUnknown Speaker 3:52 \r\nOh, Beth. I mean, priorities, right.\r\n\r\nUnknown Speaker 4:00 \r\nLove it.\r\n\r\nUnknown Speaker 4:02 \r\nYeah, laptop on the beach. Back. Yeah.\r\n\r\nUnknown Speaker 4:07 \r\nActually, Myrtle Beach is gorgeous this time of year. Good for you, Beth.\r\n\r\nUnknown Speaker 4:15 \r\nTurnstile, WAF, yes.\r\n\r\nUnknown Speaker 4:20 \r\nThere's no dancing in Cloudflare.\r\n\r\nUnknown Speaker 4:28 \r\nThat's why you take a tablet to the beach, not your laptop.\r\n\r\nUnknown Speaker 4:34 \r\nStacey, that's awesome. That's 100% true. And actually, if you find dancing in Cloudflare, just wait, because they'll move it to another menu link later or they'll rename it.\r\n\r\nUnknown Speaker 4:48 \r\nYeah, so we'll bet Beth will invent for us the Cloudflare dance, which we'll call the Turnstile. I love it. Yes, that's it.\r\n\r\nUnknown Speaker 4:59 \r\nDo the Turnstile, through the turnstile. Alright folks, just about 30 seconds to go. Hope everybody's doing well today. Come on in, find a seat and grab the course handbook. About to drop the link bundle in once again.\r\n\r\nUnknown Speaker 5:14 \r\nYes, exactly, Karen.\r\n\r\nUnknown Speaker 5:19 \r\nAnd what you're talking about there, Karen, there's no easy answer to that, unfortunately.
A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have, it's one of those things that, it's a work in progress. Yeah.\r\n\r\nUnknown Speaker 5:46 \r\nAll right, y'all. It's three minutes after. Let us get the recording started and we will dive right in.\r\n\r\nUnknown Speaker 5:56 \r\nWell, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on Solid Academy. Glad you're all here with us for Cloudflare for Agencies. So over the next couple of days, we're going to take two hours today, two hours tomorrow, and unpack Cloudflare through the filter of, you manage WordPress sites for clients. So what do you need to know, right? And also interestingly, hopefully helpfully, the way that I put this course together is, really, there's so much that we have to know as WordPress agency owners, right? Like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like, who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings, but really, our focus is going to be on, okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of all the things that Cloudflare can do, but really focused in on the practical things that you can do right away to use Cloudflare in your agency.\r\n\r\nUnknown Speaker 7:21 \r\nSo Karen has asked a great question in the chat just now.
This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. So if you are just now coming in once again, the link bundle is in the chat you're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along and I've made it such that you know this is the document you can keep in reference. The table of contents is clickable to jump to, you know the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.\r\n\r\nUnknown Speaker 8:34 \r\nThe idea here is okay, I'm a web agency owner I've heard how Cloudflare is helpful. What do I need to know give me the basics. This is not an exhaustive study of Cloudflare there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. 
Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do and a big overview of what is Cloudflare how does it fit? How do I use it, you know, where does it fit in with solid security and those sorts of things. And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the web foundations workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat force handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past just stick it in the q&a and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? 
We had some really good check-in responses as we were getting ready in the pre-show about what you most want to learn. And so let's just start from the top. A lot of folks were like I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?\r\n\r\nUnknown Speaker 11:44 \r\nAt its heart Cloudflare is a web performance and security company. They have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. Cloudflare security services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare and you can think about it sort of like you know, a water filter like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that based on some of the stuff it just knows automatically that this is a bad bot and it filters it out or based on some of the rules that you can set up. 
It's filtering that traffic through so you get really good pure traffic that actually hits the website.\r\n\r\nUnknown Speaker 13:30 \r\nSo Cloudflare provides free SSL certificates. Also, they use the Google certificate authority as the primary and then Sectigo as a secondary. We'll get to all that when we get to the SSL section. They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN even their free CDN, you can move things from your the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare? Cloudflare is a private company and so this is you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. 
So that in that way, there's a lot of people watching them from high level, you know, big Fortune 500 company websites, so if anything weird is happening, it's likely going to come out but they are a private company. So that is something to take into consideration.\r\n\r\nUnknown Speaker 15:41 \r\nSo a few other interesting Cloudflare statistics, again, more than 15 million websites, 32% of the top million websites. Their global network has 300 data centers all over the globe at more than 120 different countries. So the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into, Cloudflare is doing that for more than 80% of sites that are doing this so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day on average. It's a lot and so simply by virtue of the amount of traffic that they're filtering Cloudflare you know, they, you know, they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns and you get that much data under your belt, and you can immediately see how you know what's happening, what the trends are, and so forth.\r\n\r\nUnknown Speaker 17:18 \r\nAll right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal. 
So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly. They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm under attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.\r\n\r\nUnknown Speaker 18:17 \r\nIt's very easy to implement, actually. You just change your name servers and you're into Cloudflare.\r\n\r\nUnknown Speaker 18:24 \r\nThe setup process is straightforward as you'll see as we actually work on that.\r\n\r\nUnknown Speaker 18:30 \r\nLast of all, they do provide some analytics and insights. The statistics in Cloudflare if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and you know what the information about that traffic is, it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that so that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is, okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny. 
This discussion has come up a number of times in the admin bar just in the last couple of weeks of hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about you know where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can change who gets to make those requests and filter those things out. And so forth. So since all traffic to your website, and everything about that domain name now has to pass through Cloudflare they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi-layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not because there are jobs that are there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. 
So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here. On solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare right so that's wrapping around the whole thing. No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less it makes WordPress have to work less. So it's better to handle all that stuff. Get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone or worse relying on WordPress alone to filter all the traffic. It takes a lot of resources. Now does solid security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. 
If Timothy was here, he tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin, doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite. You know, the malware scanner so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner. processes running in the same environment. malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server so whoever's providing your server, this is where you have a conversation and say, What malware scanning Do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the we're watching the file system and intrusion level at the server. And now we get into WordPress application security. 
Now WordPress security might have some traffic filtering and blocking features, but that's really the third level like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt. If it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic. That have gotten through the other two layers. We pause. Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of WordPressing, right, not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that it's maybe watching for malware or the malware scanner but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, Oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like, of the kinds of plugins that exist for WordPress. 
The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like you know, the function that bounces out and makes sure that the password hasn't been compromised, in that Have I Been Pwned database. We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security also session cookie protection, right having that like the Trusted Devices features of Solid Security that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs, again, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little you know there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. 
Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. 
If I think you're probably going to want to use this feature, it's going to be green. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that's the way we're going to approach this now. I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a quick Cloudflare account. I'm going to log in to my iThemes Cloudflare account that I experiment on. I would always recommend that you set up two-factor authentication on your Cloudflare install, of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. 
Alright, so we're on the overview page, a turn off this ad. Again, you know, they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get is their analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack period, because a bot cannot pass Cloudflare Turnstile, at least yet. So simply toggling that on is going to stop the DDoS attack, it does put a you know that Turnstile pass through managed challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but that this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. 
So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes like you've edited something, it's not showing up then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching with WordPress plugin caching. If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the Pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just Remove from Cloudflare and it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on Cloudflare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records, this is an area that you are going to live in if you start using Cloudflare. 
This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a Postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrars, we're going to get into this when we walked through the bringing in of the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in, it's beautiful. You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNSSEC. If you're not familiar with DNSSEC, this is basically it validates that your domain is correct. Right. 
So if Cloudflare is handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. You're going to want to do that. Multiset, I don't use that. It's pretty complex. CNAME flattening, it does that by default, and then you can get into email security, which we'll get to below. 
So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. 
Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management you may or may not want to use this. It's free and it's decent DMARC reporting it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record if you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full there are four levels so you can turn SSL completely off. Don't do that. You can also do flexible which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self signed certificate at the server. Virtually every server is going to provide a self signed certificate and Cloudflare can use that the encryption tunnel is perfectly it's perfectly secure. 
There is this full level which says okay, I want to install a trusted like one of those, you know, you buy it certificates on the server. You can do that if you want to or Cloudflare will actually provide you an origin certificate for your server I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is and Cloudflare to the browser is giving Google it's one one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it most most of the P SS that are set up by a reputable hosting company like if you have a liquid web VPS it's going to have a self signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google trust certificate. This is the primary one so if I go to WP nathan.com And I look at the certificate details here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for set Teego doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me let me address this. So if you are using CloudFlare, you cannot use Let's Encrypt on your server, because your server isn't it can't validate right or it's the the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full because there's always a self signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that like full string, that sounds great. I want that but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host you'll want to know you'll want to look into that. And that's where I just recommend setting it at full and then you want to have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then you know one of those so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFall is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that cost money. You don't really need it. You don't total TLS this lets you choose like if I toggle this, Oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really mess things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider because it can lock down it'll lock out traffic. It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that minimum TLS version. I'm going to recommend here 1.2 Because it's kind of the it's everybody can use 1.2 But you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have 1.2 layer level of TLS TLS, which is the next level of SSL but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's one by default. I do want to toggle this transparency on what this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realized that was a lot. 
So walking through all the settings is the most tedious part of this, but And my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two let places you're going to live in Cloudflare our DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event has happened on the server where a firewall a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN in this case, it is I have a pass a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got to manage challenge primarily because it was coming from outside the US actually no I've got this setup for to accept UK traffic. So this, this hit Oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule make sure you're not getting legitimate traffic caught or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful gives you a lot of good information. Now we move into WAF which stands for web application firewall. Now, these are your this is a place again, you're gonna spend some time here as you're setting up Cloudflare there are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know trying to go to their PII login or my account or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Googlebot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place we'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security the Page Shield. This is a paid feature basically keeps your content safe. Bots feature okay, this is probably the place where most people make a mistake. Bot fight mode on I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for X legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare super bot fight mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you can sort it you get to see you know a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that's available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. A security levels essentially off meaning that the average traffic the average user is not going to get a manage challenge to say that I'm human I don't want that in the way of average users. 30 minute, Pat challenged passage meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on that just it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access this is actually going away will probably be removed from this menu pretty soon and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it they they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is you know, what is my White House speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at a at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may or may not want to do that. The optimization here not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here this just gives you an overview of what your settings are. image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there do it at the WordPress site like just control your images don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization Brotli basically speeds up an H an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare fonts is a recently in the last six months or so added feature. And it basically pulls all the fonts up into the Cloud Flare cloud. 
So instead of having to go out to Google fonts and download the font Cloudflare fonts, pulls those up into the cloud. So you, you blood, they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google server and as a result, the user's IP addresses exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link in the background, the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket loader. This is another one of those things that people say oh, it's speed. I'm going to turn don't turn this on. Rocket loader has a bad habit of breaking WordPress, jQuery and other Java scripts. Just don't don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this it's a it's a red.it can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto minify yet you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This is a can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud and it moves the really big the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized all it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really you know, if you've got a few sites that you're having performance issues out of five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually you can like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever whenever Lightspeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache most good WordPress optimizing plugins like WP Rocket like Perf Matters like hummingbird have Cloudflare integration and you're going to want to use that because what otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here caching level we kind of leave that alone unless you know what you're doing. browser cache TTL you're gonna want to set this to at least a month. Google requires that those it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's this needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool crawler hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called index now from Bing and it watches changes on your website and let's Bing and let's see which ones it is Bing, duck, duck go Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my Here we go. So crawler hints basically adds index now to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines No, you absolutely want to do this. And it means you cannot use the index now plugin on WordPress, which is kind of cool. 
Always online this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point, used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are they're just like every once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine what you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason this your server goes down Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired. You're not alone. It is now 207. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all workers routes don't have to worry about that at all. Unlikely you'll use this. Rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules origin rule. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's network you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. custom pages paid feature apps, it's being deprecated the scrape shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time I iThemes Training solid Academy member we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nhotlink protection this is something I would toggle on because well in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO, like they want people to find the image in Google Images and then go to the page and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this live stream and this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it, because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, let me check in. How are you? Are you panting for breath? Are you okay? We've just done, this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas we're gonna do that probably I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some the actual recommended rules and things like that, that you're gonna want to implement. Now from that tomorrow. We're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 217 Central time so 17 minutes after and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n32nd Warning we're back in 30 seconds. From now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now. First of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me in my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now with this again, caveat, disclaimer, slash scary warning, scaly emoji grimacing emoji, okay. Is this is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings, recommendations of any kind at all, you need to test these for your specific use case. Cloud flares tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to web hooks, certain SEO tools, uptime, monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get sometimes sites require these granular adjustments and it might take a little bit to dial them in so pick a site. Do that one make sure everything's good before you do. We all put 5080 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings with under without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or you know, ask an office hours question but Is that Is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This this little this liquid web VPS that they're up Nathan exists on. But if I go to ping, this address, notice it doesn't give this server IP address. And why is that Cloudflare is proxying the IP address which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because, you know, in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs, like in this case, I don't even know why we still have this one but FTP dot, and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you, like me, enjoy having the ability to spin up quick staging sites. I, in my case on cPanel, I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here which means, unless otherwise defined by another A record, that any other traffic, you know, whatever dot wpnathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch-all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's, that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars you're going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create, if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL TLS again, encryption method full, I talked about that a lot earlier, so hopefully that doesn't need any more explanation. Under edge certificates, Always Use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3, I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly, that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details, now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the... Yes, right. Oh, okay, good. That's ready. So here's the process, we're rewinding a bit to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need first the Key Tag, and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this, or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there, and digest type, oh, two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically, it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But there's just a button, you push the button, it adds the record and validates, it's done. It's like a one-click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this full encryption mode edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal you know, it lets you create records like this. And or and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bought, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challengers rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks for example, that aren't coming from those those specifically Devine defined countries makes sense. So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that that really helps Karen first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. eally All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% Your friend i It makes the so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge now by the way, I put in whenever I'm doing a rule i Our prefix for our agency for code we write in for other things is be WW brilliant web works but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules. Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's it's the same thing as Cloudflare turnstile. Okay. Cloudflare turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. turnstile equals a manage challenge, manage challenge, just full screen. Whereas turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as manage challenge. Use manage challenge. 
This also the skip this traffic, so some way I can notice that this traffic is good and legitimate, I always want to skip it, I have a rule. That action can do that. And interactive challenge again, I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just looked at this one. So this is, and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule, and that is if you come to the WP, any URL that comes in to wp-login, so even by the way, like if you're logged out and you used to go to wp-admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially, as URL. So if the path coming in being requested from the server contains wp-login, I want to challenge that. If it, like here for WooCommerce, my account is their default login page, right? If you have a membership site where you've customized a login page, put that URL here. So whatever the login page is, I want to challenge that traffic. 
And what that lets me do is, like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know, URI path contains, you know, login or whatever it is, right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd you can just keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority in this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from, put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number, probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here, skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is, think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or thousands of IP addresses. And it would be hard for you, and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so all these ASNs that are listed here are of known services. I've given you, way down here at the very end of the document, what to for... Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own, but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASN so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is sem rush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com Because, if you are if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms stripe add on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour your web hook for Gravity Forms, always includes Gravity Forms stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms web hook or a stripe web hook, if you're using other plugins that have different web hooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But you're that way, you're letting tret legitimate traffic to that web web hook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User Agent is GT metrics or we use better uptime to monitor our site. So user op agent contains better uptime. If you don't use better uptime. Don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you are if you have other payment processors, whatever that web hook is that they give you just find the particular piece that's not going to change. Like the the WooCommerce stripe. web hook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or web hooks. Okay, so why, you know, I can choose web hooks here, but I've also specified some web hooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know web hook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my web hooks with that. So I'm going to specify just to be sure, so this is fine, but I always specifying the actual some contents of that web hook URL. Okay, so does this bit make sense? In that many external SAS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now, if there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next, okay. This is a locked-down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked, period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match, any request from the server should contain wp-config if it's not coming from my site, so block that. There's no legitimate reason that should happen, or there's no reason, like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if somebody is trying to get to wp-content, and it's not coming from my site, I'm gonna block. Now that can impact Google image searches. So make sure, you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes. There's a lot, you'd be surprised how much traffic comes in. Matter of fact, let's just, I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of these images. There's all this garbage traffic and look at this. What the heck would anybody need, you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up some Amazon server to do this hacking, or it's a site that's been compromised. Crazy, and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here, if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of, by the way, a lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL, if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan, so this filters out a lot of form spam traffic, or you're trying to post either things into login fields, or post comments, anything like that, this just blocks all that traffic. I did add this when I was testing this rule, just to make sure that the host name, it's not coming from my site. And it's not trying, WordPress is trying to do a cron. I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one, if it's not a known bot, and it's going to admin-ajax. admin-ajax is again another bit of form spam prevention that filters that out. Here, so we're going to filter out post and let's see, why is this, this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual, I'm posting to the comments PHP file. So most of this is form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP, if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that, you want to show a 404 page with hey, we've redesigned, blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that, oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like text expander or in my case, I use type desk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Type desk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in pipe desk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have cf One CF two CF three it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe: Why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But it's this is this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move, move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10-second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want bot fight mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that's there that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug, regarding the WAF: If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass you the challenge, they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day they'll let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the q&a, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bought fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and Windows arrange and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cache in really it. It's\r\n\r\nit's really more like check out, you know, forms that process payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name, star dot domain name. So this will catch any subdomains also and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also, you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge if it detects any issues. I want that for anything in the WP admin. I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here, disable performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up in a record and to CNAME so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to godaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in Cloudflare matches 100% what is at your current DNS provider. Okay. Melanie, that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrars have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them, it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cPanel server, we're going to come back to that at the end because there's a way to actually export out of cPanel if cPanel is actually running your DNS. All right, but for now we know that these match because we've done a good import and export. Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy, domaincontrol.com. These are GoDaddy, we're not using GoDaddy name servers anymore, so I can delete these. Our name servers are at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way, used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know, this old antiquated registrar doesn't support exporting of DNS, which is just really annoying but Paul is saying Don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But the key here so you don't mess up DNS is at the end of all this, my DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, for example, if there are CNAMEs that come in, like right here, this here's another one we can delete. This is a GoDaddy domain connect that we don't need. We can delete this. Any that are there, other registrars that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME, generally, any CNAME other than the www record we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in, hopefully you can export them and import them otherwise. This is also helpful if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue, if there's email, yeah, yeah, so like all the MX records, all the text validation records, CNAME records, all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare, their import gets about 90%. 
But it will typically, especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see, okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander, CF one. Here's our managed challenge rule. So what I do in my text expander, I have this title here. And so I'll copy, cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode, otherwise, you can copy and paste from your notes. There's our second rule, the title, cut and paste up here. So choose the action skip and check all the boxes. All the boxes just like that, deploy, great. Our rule number three, now this one has the variable in it that fills in my domain, I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tier topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see page rules and we're going to be star dot WP one dot dev slash WP admin, come on, admin star. The settings will be about we spell that correctly. All right, first thing we want to do cache level is bypass then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On you can add these rules or not just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated so you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL edge certificates. I look it's active boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active and it can take time. Okay, so let's talk about what happens if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. You have had to take a few hours in this was you know, this was actually right after remember last year Cloudflare had that data center issue. A lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cached that certificate. If we go, let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is, oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see these two IP addresses, that's Cloudflare's backup IP address, that's what you want. And so it is seeing everywhere in the DNS shows it's running through Cloudflare. So we're good. I'm not sure why it's not showing that, or why it's showing that Let's Encrypt. Let me try it in Safari. Just to see, I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at, oh, because here make sure that you set it to full. Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate. Helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because prior it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab, most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday but first we add the Key Tag and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm and it needs to wait, it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview bool good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions: question is, how hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get the managed challenge as we would expect. Boom. Good. All good logging in. Yep. And log in. There I am. Pretty cool. Sue, ever worked with eNom? Yes, they do not have an export tool. And generally here's what I found. The more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if eNom has a DS drop-down or not. eNom is pretty old school on the back end, as you know. They really need to and that's a good reason to not be with eNom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used, Dotster or web dot actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know, it tends to, what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option, if the registrar doesn't support it, they don't support it. And again, that's DNS records have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um. So first question here is in regard to the WAF rule, the skip good traffic rule. Does we watch your website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. I don't think there's anything in a rule that's going to block that traffic. But so it's a good, if you put a rule in and if they're getting blocked, this is an exercise of looking at the event and find what it's trying to do and then allow that but I don't have any specific whitelist for we watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question that came in as an anonymous attendee. Or do we, and I think what you mean is the webhook. So and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe they might change or something might happen. So it's good to add the ASN. But if you know like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic, that way you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IP to a Cloudflare list and then added the list to the good bots rule. Today I got a report that the score was cut in half. robots.txt is not accessible. Okay, so that, okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So some, like you can have, let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe a traffic that's coming in from a country it's not in your allowed list or whatever. So what I would recommend that you do, this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate and but once you find that, the thing that allows it to skip, then you can use that all the rest of your sites. So this goes back to yesterday when I was saying of, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than, let's see. Yes. So here's their user agent. So maybe what you would do here is say instead of that ginormous block of IP addresses we can just as easily say, in our allow, our skip rule here, or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other, see this. This is why the order matters because the skip rule comes in number two. And if you've identified correctly that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this. Other than, Oh, here's a good way to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are that caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify, Paul. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down. Again, I wish there was an easier way. All right.\r\n\r\nStacey, yeah, you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, et cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good Q&A time at the end, and that'll be it. So we'll take a break five minutes, back at five minutes after two Central Time.\r\n\r\n30-second warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for Q&A and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul: with the rules in effect, is this where you no longer set the reCAPTCHA in Solid Security? So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using Solid Security to protect your comment form or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in Solid Security maybe that's maybe so this you'll want that those in place right. So this managed challenge protects the login page. If you're using Solid Security and Turnstile, reCAPTCHA, or whatever other reCAPTCHAs for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there in Solid Security. Does that make sense Paul? But it is redundant to set a CAPTCHA on a page where they've already had to pass through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These, as you've seen already, web application firewall rules are very flexible and need to be changed for your use case, and may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the Admin Bar. From Troy Glancy. Troy is really good at this sort of thing. And his original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the Admin Bar, watch this post. Just search for Cloudflare in the Admin Bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare, or actually settings, under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those at your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which site it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site. Now basically what this plugin does is bring some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know it has it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into I'm Under Attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances. What I would recommend though is that you add Cloudflare into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using, we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare. Most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, clear the cache. Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not, let me just underscore this, do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, How did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings. Virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed Cache on the admin bar, go to the CDN tab or link and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this? Makes sense? Does Perfmatters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perfmatters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably this primarily affects caching. And I don't Perfmatters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play when it comes to caching, caching those assets in various places. 
So if the changes that Perfmatters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into Cloudflare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do we want to include it can be all domains that are in this Cloudflare account probably don't want to do that. A specific domain Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to a domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level? Generally I'm gonna give them domain administrator access, you can restrict it to just DNS if that's all they need. But in these cases, I want my the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights, continue to summary. Yes, yes, yes. Invite. An email has just been sent to my other email address that would give me access to that. This email address, Nathan at Nathan ingram.com, doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's you're giving them access to domains in this account, that's yours. 
But either way they in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me that works too. Yeah, either way that that works. But the delegation is really simple and smooth. And Cloudflare as you just saw, it's just click click like and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar ah Cloudflare is I think the best place to register domains now. Because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are really at 9.77 for a .com, 4.94 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in right here? You just they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains. And now at Squarespace, move them into Cloudflare it's gonna be cheaper and the UI is really simple. And there's not you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't I think you're right there Stacy. Yeah, and classes saying the same thing. I can't find where it says that here but when I've transferred a domain to Cloudflare they add it you pay for a year but they add a year to whatever the current date is. So it's a it's as good of a deal as you're gonna get on a transfer. Okay, class that's a good yeah. If if you're already at the max prepay level, then yeah, they don't add a year but that's generally not the case. So really easy to use them as a registrar and now so here it by the way, here is one caveat with using Cloudflare as the domain registrar, you cannot or let me say it this way. You must use Cloudflare to manage your DNS if Cloudflare is the registrar, so you can't I don't know why you'd want to but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here we talked about let's this this issue with importing DNS records. I showed you the process of importing from a DNS provider like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may like I did have a number of sites where the DNS was actually managed with cPanel. cPanel 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account. I just hit the Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte loading, loading loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompress this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. It's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel and even as long as that takes to download and whatever that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement, that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it right and so you do that at so many windows. All right. So we're gonna go to account icon account home, Turnstile, account home and scroll down to turns Turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10 just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the this account. And you just go from there. Any questions about that? Cloudflare Turnstile? Super, super helpful. All right. We talked a little bit about this. Cloudflare does give a lot for free. They do place certain limitations like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit the number of domains in any account to 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that are linked to each other as I described. Because the API keys are needed to connect LiteSpeed to flush the cache. So you can again just like I described, use the same delegation process to to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see profile isn't no hang on. I can't see it here. When you log into account that's shared with other accounts. 
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even you know we have like five different Cloudflare accounts now that we're juggling, but you log into one of them. You can search and find the website you're looking for because it's been we have access to it and you just go right to it. It's really simple to connect those accounts together. That was poor explanation, I think But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with I don't know anything about Cloudflare if they want to leave. So at that point, the answer is I'm sorry. That's why you hired me Cloudflare manages your DNS and give their next web provider access to the Cloudflare account and if they don't understand how to use it, I mean, that's on them. Right? I really don't have I mean, Cloudflare is pretty industry standard now and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings and Cloudflare and I'm not talking about firewall rules and all of that, like oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me let me reverse my thinking on this a bit. Paul. 
If if I was going to offboard a client whose site is managed on Cloudflare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings that just had the DNS and move the site to that account and give them access to that because I would I wouldn't want any of our security settings to go forward with them the world whatever's next. So Ben's saying he had to do that on Monday. Yeah.\r\n\r\nYeah, that give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this on yesterday, and I've given the whole process there for that. I'm not going to go back and re get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address and if they're forwarding to a Gmail account, for example, you can set up a send as address so that it can receive email as info at your domain, and it can send email as info at your domain all that can be done free within the Cloudflare email routing settings. Let's see it looks like this. The last thing Yep. The last thing I'll mention, and we've already sort of dealt with this is troubleshooting WAF rules, you may run into things. If legitimate traffic is blocked by a WAF rule, go to that activity log. That's right here. Websites, WP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't you know if he's Oh, Google is blocked? Well, I don't think that's the Google bot. That's actually a Google Cloud Server. So a lot of times this may be a compromised server that's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure. For example, anyway, you look at look at the activity log load entries that pertain to that specific rule by clicking this little number in the analytics here that loads one day, there we go.\r\n\r\nAnd actually, I don't know what this flex potential is, maybe we wanted to allow that so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open q&a. What do you think questions, comments, snide remarks all of them are available at this point. Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client correct or do you factor in a cost for this going forward? How much extra if anything would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be. It's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander it really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that it actually what happens is, it saves me work on you know, in the future because the site's being protected and much better. 
And Tanya Yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul, how about setting this up for existing clients extra service? And the same answer for me on that when we migrated all of our clients over to Cloudflare back last fall. We didn't charge extra for that because it makes things easier for us to have those clients all in Cloudflare more secure less traffic on the server. All of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure. No, no, but you know, we'll raise our rates again here probably in two months. And I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things right. So you don't want to overwhelm them with information. So for the clients that are non technical and they just want to know that we're taking care of their site. I would just mention that we've added a network layer of security that blocks you know, something like I'd worded in such a way that was, you know, a high level a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those that's a that's an interesting little point here. 
Some of the, our clients, the ones particularly that have access to Cloudflare are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of hey, we're in the process of moving to a new server and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why. In some of them we actually had a you know, a quick call with many of those IT folks like yes, great, let's do it. We like Cloudflare you know, we know about it, whatever. And so we just set up the account delegated access, good to go but it really depends on the client and their level of involvement or if they have IT people, etc. Doug: for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the Search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs, what will happen is if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any you know if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way, whatever countries that you have legitimate customers, clients, whatever in that would be coming to that site, allow those but turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic bots that are coming in from all over the world.\r\n\r\nPaul is asking how do anonymizers get affected by geolocations or VPN? 
I mean, it's if I come in, if you, if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they they present as coming from that country, because I mean, they actually are, they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben: when using support like from India for like WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule. Does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joke that in the pre show today that anything that breaks when you add these rules just asked me to borrow in office hours we'll deal with all right, we'll see you back here tomorrow office hours one o'clock central time on Solid Academy where we go further together.

Transcribed by https://otter.ai
Note: this course assumes you have a basic understanding of DNS. You can learn more about DNS in the first hour of the Web Foundations Workshop.

Included in this Course

An overview of Cloudflare and a walkthrough of the major features

How to set up Cloudflare for WordPress client sites

How to set up important WAF rules

A proven process for migrating sites into Cloudflare with no mistakes

Other Cloudflare features like domain registration and email forwarding

Protips for smoothing out your Cloudflare workflows

Unknown Speaker 0:18
All right, let me hear from you in the chat. What are you most excited about learning this week in the Cloudflare course?

Unknown Speaker 0:26
What are you most excited to learn?

Unknown Speaker 0:32
As you answer that I am getting our captions all set.

Unknown Speaker 0:38
Alright, captions should now be working for everybody.

Unknown Speaker 0:43
Fingers crossed

Unknown Speaker 0:47
the whole thing.

Unknown Speaker 0:49
I'll take it.

Unknown Speaker 0:51
I'll take it.

Unknown Speaker 0:53
We'll see what we can do, Debra.
Love it.

Unknown Speaker 0:59
Alright folks, we are about four-ish minutes away.

Unknown Speaker 1:06
Four-ish minutes away from getting started with Cloudflare for agencies. If you're just joining us in Zoom, open up the chat and I'm dropping in once again, the link bundle which has the very large 40-page course handbook that I've put together for you here. Many many, many things here in the handbook.

Unknown Speaker 1:32
Anything you can learn? Yeah, all right.

Unknown Speaker 1:35
Definitely.

Unknown Speaker 1:37
Yes, Stacy. There are so many things and this is not, I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.

Unknown Speaker 1:51
How much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm gonna, I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can, it should give you a really good basis to make decisions on how you want to implement.

Unknown Speaker 2:24
Paul, you make the website and then we'll talk

Unknown Speaker 2:31
y'all, I promise once you get into this, it's really not that complicated. Seriously. Once you see how it all fits together.

Unknown Speaker 2:42
Yeah, I promise it's really not that complicated.

Unknown Speaker 2:47
All right. So if you're just joining us in Zoom, welcome, welcome. The chat is open. I'm dropping in once again, the link bundle that has the course handbook. The one the Yes.
Yep, of course handbook is there and waiting on you to download, also, of course, the replay link.

Unknown Speaker 3:08
If you want to go back and rewatch today

Unknown Speaker 3:16
my oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.

Unknown Speaker 3:27
Alright, y'all, just about two minutes to go. Hope everybody's doing well, hope your week has gotten started well. Check-in question today. Let me just hear from you what you are most excited to learn about Cloudflare, what you want to know, what parts confuse you other than everything, as some folks have said. If there's a particular area I'd love to hear that

Unknown Speaker 3:52
Oh, Beth. I mean priorities, right.

Unknown Speaker 4:00
Love it.

Unknown Speaker 4:02
Yeah, laptop on the beach. Back. Yeah.

Unknown Speaker 4:07
Actually, Myrtle Beach is gorgeous this time of year. Good for you, Beth.

Unknown Speaker 4:15
Turnstile, WAF, yes.

Unknown Speaker 4:20
There's no dancing in Cloudflare

Unknown Speaker 4:28
that's why you take a tablet to the beach, not your laptop.

Unknown Speaker 4:34
Stacey, that's awesome. That's 100% True. And actually, if you find dancing in Cloudflare just wait because they'll move it to another menu link later or they'll rename it.

Unknown Speaker 4:48
Yeah, so we'll bet Beth will invent for us the Cloudflare dance which we'll call the turnstile. I love it. Yes, that's it.

Unknown Speaker 4:59
Do the turnstile through the turnstile. Alright folks, just about 30 seconds to go. Hope everybody's doing well today. Come on in, find a seat and grab the course handbook. But to drop the link bundle in once again.

Unknown Speaker 5:14
Yes, exactly, Karen

Unknown Speaker 5:19
and what you're talking about there, Karen. There's no easy answer to that. Unfortunately.
A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're you're always going to want to fine tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have it's it's one of those things that will it's a work in progress. Yeah.

Unknown Speaker 5:46
All right, y'all. It's three minutes after, let us get the recording started and we will dive right in.

Unknown Speaker 5:56
Well, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on Solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days, we're going to take two hours today, two hours tomorrow and unpack Cloudflare through the filter of you manage WordPress sites for clients. So what do you need to know, right? And also interestingly, hopefully helpfully, the way that I put this course together is really there's so much that we have to know as WordPress agency owners, right, like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings, but really, our focus is going to be on okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage. So that's where we're headed. And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.

Unknown Speaker 7:21
So I, Karen has asked a great question in the chat just now.
This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just, I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is, I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. So if you are just now coming in, once again, the link bundle is in the chat. You're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along, and I've made it such that, you know, this is the document you can keep in reference. The table of contents is clickable to jump to, you know, the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre show.

Unknown Speaker 8:34
The idea here is okay, I'm a web agency owner, I've heard how Cloudflare is helpful. What do I need to know, give me the basics. This is not an exhaustive study of Cloudflare, there are far too many things Cloudflare can do to fit into four hours of of course content. So what we want to do is through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive, Cloudflare has excellent documentation. It's some of the best that I've seen. And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here: a no fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites.
Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview: we're gonna do a big overview of what is Cloudflare, how does it fit? How do I use it, you know, where does it fit in with Solid Security and those sorts of things. And then we're going to go through a Cloudflare page by page looking at the various pieces of Cloudflare and how they fit together, tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right now, this course, assumes that, this was on the course intro page. So hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite if you need to understand a little bit more about how DNS works. There's a course here we did last year called the Web Foundations Workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let well really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course, it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. If you're a see several folks who've just joined us, let me drop in again, our link bundle in the chat, course handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. So if you want to ask your questions in the chat, you can do that. It may be that I missed some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past, just stick it in the Q&A and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we?
We had some really good check-in responses as we were getting ready in the pre show about what you most want to learn. And so let's just start from the top. A lot of folks were like, I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?

Unknown Speaker 11:44
At its heart Cloudflare is a web performance and security company. They are, they have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. Cloudflare security services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare, is by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare, and you can think about it sort of like, you know, a water filter. Like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got, you know, the fancy water in the door. You know, we're not that usually that fancy kind of people and this is the first fridge we've had like this, but we love it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. Think of it in the same way. It's like a traffic filtration system that, based on some of the stuff it just knows automatically that this is a bad bot and it filters it out, or based on some of the rules that you can set up.
It's filtering that traffic through so you get really good pure traffic that actually hits the website.

Unknown Speaker 13:30
So Cloudflare provides free SSL certificates. Also, they use the Google certificate authority as the primary and then Sectigo as a secondary. We'll get to all that when we get to the SSL section. They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN, even their free CDN, you can move things from your, the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare? Cloudflare is a private company and so this is, you know, like whose basket are you going to put your eggs in? Right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you are, you have the option to upgrade but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare.
So that in that way, there's a lot of people watching them from high level, you know, big Fortune 500 company websites, so if anything weird is happening, it's likely going to come out, but they are a private company. So that is something to take into consideration.

Unknown Speaker 15:41
So a few other interesting Cloudflare statistics, again, more than 15 million websites, 32% of the top million websites. Their global network has 300 data centers all over the globe in more than 120 different countries. So the the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody's, you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into, Cloudflare is doing that for more than 80% of sites that are doing this, so that is super helpful. It's a huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day, on average. It's a lot, and so simply by virtue of the amount of traffic that they're filtering, Cloudflare, you know, they, you know, they they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Raef on here from We Watch Your Website. He's managing over 17 million WordPress sites right now and watching for patterns, and you get that much data under your belt, and you can immediately see how, you know, what's happening, what the trends are, and so forth.

Unknown Speaker 17:18
All right. So why should we use Cloudflare? So the first reason likely and probably the reason that you're here listening is the security benefits. They're just phenomenal.
So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the the requester so that those things are fulfilled more quickly. They offer free SSL as we mentioned, they also do DDoS mitigation. There's this great tool in Cloudflare that says I'm Under Attack, toggle that on and it will effectively stop the impact of a DDoS attack on a website and it works. It's really good. We'll get to that later.

Unknown Speaker 18:17
It's very easy to implement, actually. You just change your name servers and you're into Cloudflare.

Unknown Speaker 18:24
The setup process is straightforward as you'll see as we actually work on that.

Unknown Speaker 18:30
Last of all, they do provide some analytics and insights. The statistics in Cloudflare, if you are a statistics person, you will love love, love the Statistics reports because it'll show you like on your firewall rules, what's hitting it and, you know, what the information about that traffic is, it can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. They're designed to be privacy first, and so they are GDPR compliant, they state that, so that's that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is, okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny.
This discussion has come up a number of times in The Admin Bar just in the last couple of weeks of, hey, there's this cloud, this WordPress security plugin and that one, and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about, you know, where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can, you can change who gets to make those requests and filter those things out, and so forth. So since all traffic to your website, and everything about that domain name, now has to pass through Cloudflare, they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.

Unknown Speaker 21:04
That is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. It is not enough just to have a WordPress security plugin. It's just not, because there are jobs that are, there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level.
So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here on Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare, right, so that's wrapping around the whole thing. No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or, or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall it makes your server have to work less, it makes WordPress have to work less. So it's better to handle all that stuff, get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the websites before a web traffic before it ever gets to the site. Relying on your server alone, or worse, relying on WordPress alone to filter all the traffic, it takes a lot of resources. Now does Solid Security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs.
If Timothy was here, he'd tell you the same thing. We want to filter the the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network, gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning, you don't want a plugin doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install, and a lot of malware gets installed out in the server structure and not within WordPress itself.

Unknown Speaker 24:45
Also, if there's malware in WordPress, and the we're in and the the malware scanner exists at the WordPress level, the malware can overwrite, you know, the malware scanner, so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner processes running in the same environment. Malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server, so whoever's providing your server, this is where you have a conversation and say, what malware scanning do you provide? What intrusion detection services do you provide to keep the server itself safe? Right, so we're filtering out most of the bad traffic at network. We're watching the, we're watching the file system and intrusion level at the server. And now we get into WordPress application security.
Now WordPress security might have some traffic filtering and blocking features, but that's really the third level, like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt, if it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic that have gotten through the other two layers. We pause. Does that make sense to everybody? That this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of word pressing, right, not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my, so like Cloudflare is not going to tell me I have vulnerable themes and plugins. The server is not going to tell me that, it's maybe watching for malware or the malware scanner, but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like the the of the kinds of plugins that exist for WordPress.
The most bloat often happens in security plugins and that's why, you know, if you line up a feature list of the things that Solid Security Pro does, versus some of the other security plugins, like it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.

Unknown Speaker 28:08
So WordPress security should also heavily focus on user security. So we got these great features like, you know, the function that bounces out and makes sure that the password hasn't been compromised, and that Have I Been Pwned database. We're looking at, you know, having 2FA for users and passkeys and et cetera, et cetera. We want the users, user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security. Also session cookie protection, right, having that like the trusted devices features of Solid Security, that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna do, you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs again, too, great use case and job for a WordPress security plugin. Finally, WordPress security plugins can also help you to harden WordPress, by all the little, you know, there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers.
Most of the traffic get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection and let WordPress primarily do the job of just keeping WordPress secure as an application themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. I'm gonna pause, make sense questions about this before we move on to the next bit.\r\n\r\nUnknown Speaker 30:17 \r\nYou if you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. And this is what I settled on this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know you know what? really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. 
If I think you're probably going to want to use this feature, it's going to be green. If it's a maybe depending on the circumstance, it's a yellow, if it's probably you're not going to use this there's red. There's also one other emoji in there. That is a money bag and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that that's, that's the way we're going to approach this now. I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like. I would suggest that if you don't have a Cloudflare account, just go quick create one doesn't matter. Just make a quick Cloudflare account. I'm going to log in to my iThemes Cloudflare account that I experiment on. I would always recommend that you set up two-factor authentication on your Cloudflare install, of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what, what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. We're currently at the home or the account page you get back here by going to account home. That is this page that we're going to live for most of the course here is in the website settings. So you can you know, you'll add a website you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. 
Alright, so we're on the overview page, I'll turn off this ad. Again, you know, they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get is an analytics overview. This is kind of helpful if you just want a quick overview of at the network level, what your traffic looks like. You don't get any like, you know where the traffic came from or search terms. It's not about that. It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site you're getting it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nSo it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack, period, because a bot cannot pass Cloudflare Turnstile, at least yet. So simply toggling that on is going to stop the DDoS attack. It does put a you know that that Turnstile pass through managed challenge between every single visitor so it's not ideal to leave on forever. You'll want to add a WAF rule to filter out whatever's attacking you but that this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is development mode. 
So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes like you you've edited something, it's not showing up then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching with WordPress plugin caching. If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on development mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. 
So analytics, I've given that a yellow this whole area is yellow, you know, it's not super detailed analytics. It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. 
This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. 
So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNS sec. If you're not familiar with DNS sec, this is basically it validates that your domain is correct. Right. 
So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. So this is a beautiful little tool that answers this question. So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. And you can also in Gmail, set up a send as address which is really nice. If you want to provide that level of support for your client. 
Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet you can set up this email routing at really no cost. Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here. If you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management. You may or may not want to use this. It's free and it's decent DMARC reporting it's not the best, certainly not the worst. It's really good for free. And it allows you to when you first set it up to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record if you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels so you can turn SSL completely off. Don't do that. You can also do flexible which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self-signed certificate at the server. Virtually every server is going to provide a self-signed certificate and Cloudflare can use that the encryption tunnel is perfectly it's perfectly secure. 
There is this full level which says okay, I want to install a trusted like one of those, you know, you buy it certificates on the server. You can do that if you want to or Cloudflare will actually provide you an origin certificate for your server I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is and Cloudflare to the browser is giving Google it's one one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, that you don't have to worry about it most most of the P SS that are set up by a reputable hosting company like if you have a liquid web VPS it's going to have a self signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google trust certificate. This is the primary one so if I go to WP nathan.com And I look at the certificate details here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. But if there is then it does have a backup, as this it's a Let's Encrypt certificate here. On the up Nathan it can also be set for set Teego doesn't really matter. 
Very, very rarely.\r\n\r\nUnknown Speaker 47:00 \r\nWill this backup certificate ever be used?\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just make let me let me address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server isn't it can't validate right or it's the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But the but like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full because there's always a self-signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full. It's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that like full strict, that sounds great. I want that but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host you'll want to know you'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? 
And in this case, it's Google first and then you know one of those so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFall is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that cost money. You don't really need it. You don't total TLS this lets you choose like if I toggle this, Oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really mess things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider because it can lock down it'll lock out traffic. It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that minimum TLS version. I'm going to recommend here 1.2 Because it's kind of the it's everybody can use 1.2 But you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. 
You have to have 1.2 layer level of TLS TLS, which is the next level of SSL but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's one by default. I do want to toggle this transparency on what this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. origin server. This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realized that was a lot. 
So walking through all the settings is the most tedious part of this, but And my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two let places you're going to live in Cloudflare our DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event has happened on the server where a firewall a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN in this case, it is I have a pass a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got to manage challenge primarily because it was coming from outside the US actually no I've got this setup for to accept UK traffic. So this, this hit Oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. 
So this is a great place to look after you've implemented a rule, make sure you're not getting legitimate traffic caught or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful, gives you a lot of good information. Now we move into WAF which stands for web application firewall. Now, these are your this is a place again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know trying to go to their WP login or my account or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. 
We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Googlebot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place. We'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents. You have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security, the Page Shield. This is a paid feature basically keeps your content safe. Bots feature okay, this is probably the place where most people make a mistake. Bot fight mode on. I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for X legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy-handed in my opinion. 
Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare Super Bot Fight Mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on Under Attack Mode and you can sort it, you get to see, you know, a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods. That's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off, meaning that the average traffic, the average user, is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30 minute challenge passage, meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this Browser Integrity Check on. That just, it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those.
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access, this is actually going away, will probably be removed from this menu pretty soon, and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it. They change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The Observatory is, you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here, not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here, this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there, do it at the WordPress site, like just control your images, don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an H an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare Fonts is a recently, in the last six months or so, added feature. And it basically pulls all the fonts up into the Cloudflare cloud.
So instead of having to go out to Google Fonts and download the font, Cloudflare Fonts pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google's server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called Early Hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link, in the background the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket Loader. This is another one of those things that people say oh, it's speed. I'm going to turn... Don't turn this on. Rocket Loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't, don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this, it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto Minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this Automatic Platform Optimization for WordPress. This is a can be really good. It's $5 a month per site.
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud and it moves the really big the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized all it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really you know, if you've got a few sites that you're having performance issues out of, five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration, purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually you can like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare.
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket, like Perfmatters, like Hummingbird have Cloudflare integration and you're going to want to use that because what otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here, caching level, we kind of leave that alone unless you know what you're doing. Browser cache TTL, you're gonna want to set this to at least a month. Google requires that those it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's this needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler Hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and lets Bing and, let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my... Here we go. So Crawler Hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool.
Always Online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason this your server goes down Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule like what if I don't want Cloudflare to cache the site at all? Great. What if I have an e-commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache Reserve is a paid feature, which you're not going to use. Now if you're getting tired, you're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all, Workers Routes, don't have to worry about that at all. Unlikely you'll use this. Rules.
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rules. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's network you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages, paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time iThemes Training, Solid Academy member, we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection, this is something I would toggle on because well in certain cases.
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images and to show on their site. This is what that does. It will stop that at the network level, period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO like they want people to find the image in Google Images and then go to the page and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz, so this is super cool, actually, it's way out of scope for this, this live stream in this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, how let me check in. How are you? Are you are you panting for breath? Are you okay? We've just done this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next?
I am going to give you my recommended settings for each of the areas. We're gonna do that probably I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some the actual recommended rules and things like that, that you're gonna want to implement. Now from that tomorrow, we're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 2:17 Central time so 17 minutes after and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30-second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now. First of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now with this again, caveat, disclaimer, slash scary warning, scaly emoji grimacing emoji, okay. Is this is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings, recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay.
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get sometimes sites require these granular adjustments and it might take a little bit to dial them in so pick a site. Do that one, make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or you know, ask an office hours question but is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This this little this Liquid Web VPS that they're up Nathan exists on. But if I go to ping this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address, which basically means it's hiding it.
So this 104 2147 162 IP address is what the world sees when it says where's that up Nathan located, this IP address, but that's not the IP address of the server. This is really good because you unless you know in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs like in this case, I don't even know why we still have this one but FTP dot and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic, proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you like me enjoy having the ability to spin up quick staging sites. I in my case on cPanel, I love the WP Toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place, they're all on the same server, then what you can do is just set up a wildcard record.
The name has an asterisk and it points here which means unless otherwise defined by another A record that any other traffic, you know, whatever dot DDP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know we could, you know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNS and sec. Oh, I haven't. I'm going to disable this earlier. Let's that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the VP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over at the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL TLS again, encryption method full, I talked about that a lot earlier, so that hopefully that doesn't need any more explanation. Under edge certificates, Always Use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier.
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process, rewinding a bit, to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first the Key Tag and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom, algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button, it adds the record and validates, it's done. It's like a one click thing. That's all you have to do.
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this, full encryption mode, edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule, as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal, you know, it lets you create records like this. And or and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense?
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks for example, that aren't coming from those specifically defined countries. Makes sense. So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down, I'm not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions?
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge. Now by the way, I put in whenever I'm doing a rule, our prefix for our agency for code we write and for other things is BWW, Brilliant Web Works, but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack, amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge.
This also the skip this traffic so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge again. It's I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it's has seen what this browser is doing, it knows it's probably legitimate. And so it's you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP any URL that comes in to WP login, so even by the way, like if you're logged out and you used to go to WP admin to log in, it's going to forward you to WP login dot PHP, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially is URL. So if the path coming in being requested from the server contains that WP login, I want to challenge that. If it, like for here for WooCommerce, my account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, that I want to challenge that traffic.
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know, URI path contains, you know, login or whatever it is, right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority and this skip rule, I'll tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from, put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with, we want that to happen. So here's our here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute.
So an AS number probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or thousands of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs, so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want stamps.com? Because if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you are if you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook, having that as a rule is good, but I don't necessarily trust that Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, so block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if the if the, if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block. Now that can impact Google image searches. So you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't I don't want that so I'm blocking all that traffic. Same thing for wp-includes. There's a lot, you'd be surprised how much traffic comes in. Matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of this images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL if the if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out if the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this is this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin-ajax. admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody. So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Typedesk explodes into this pre configured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF one, CF two, CF three, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe Why not say if it's not a known bot instead of listing those out great question, because known bot no means it's any track. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That was That makes sense.\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things. along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move, move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at security WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting Rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want bot fight mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the Search link to my website. They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass the challenge, they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for ManageWP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say ManageWP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly, make sure you test on one site that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti-flood rate limiting rule and making sure we have Bot Fight Mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and windows arranged and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cache, really. It's\r\n\r\nit's really more like checkout, you know, forms that process payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into Workers Routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains and also anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge if it detects any issues. I want that for anything in the WP admin. I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here, Disable Performance. Any performance related optimizations that Cloudflare might do, I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up in a record and to CNAME so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to godaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know this old antiquated registrar doesn't support exporting of DNS, which is just really annoying but Paul is saying don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna The key here so you don't mess up DNS is at the end of all this. My DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, the for example, if there are CNAMEs that come in, like right here, this here's another one we can delete. This is a GoDaddy Domain Connect that we don't need that. We can delete this. Any that are there other registrars that have specific records. We're not using that anymore, so we can delete this and if it's a CNAME generally, any CNAME other than the www record we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in hopefully you can export them and import them otherwise. This is also helpful if you can if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue if there's email Yeah, yeah, so like all the MX records, all the TXT validation records CNAME records that are all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare their import gets about 90%. 
But it will typically especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it misses it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander CF one. Here's our managed challenge rule. So what I do in my text expander I have this title here. And so I'll copy cut that and put it up there and this is going to be a managed challenge. Boom, and deploy the quick that was that was done. We're going to create rule number two. I'm going to use my shortcode otherwise, you can copy and paste from your notes. There's our second rule the title, cut and paste up here. So choose the action skip and check all the boxes. All the all the boxes just like that deploy great our rule number three now this one has the variable in it that fills in my domain I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do though, want to go into tiered cache and turn on our smart tiered topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see page rules and we're going to be star dot WP one dot dev slash WP admin come on admin star. The settings will be about we spell that correctly. All right, first thing we want to do cache level is bypass then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On you can add these rules or not just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh, look, I've got an email from Cloudflare. It's now active Boom. That's awesome. Let's see if our SSL certificate generated so you may have the email that says it's active active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL edge certificates. I look it's active boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active and it can take time. Okay, so let's talk about what happens if it's if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. You have had to take a few hours in this was you know, this was actually right after remember last year Cloudflare had that data center issue. It a lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cache that certificate if we go let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see to these two IP addresses, that's cloud flares, backup IP address, that's what you want. And so it is it is seeing everywhere in the DNS shows. It's running through Cloudflare. So we're good. I'm not sure why it's not showing that let's or white showing that Let's Encrypt. Let me try it in Safari. Just to see I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's what's that's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at Oh, because here make sure that you set it to full Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because prior it was it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab, most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday but first we add the Key Tag and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm and it needs to wait, it's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, Full, good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments?\r\n\r\nThis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions how question is How hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here we'll get a managed challenge as we would expect. Boom. Good. All good logging in. Yep. and log in. There I am. Pretty cool. I Su ever ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. CEU I don't know if Enom has a DS dropdown or not. Enom is pretty old school on the back end, as you know. They really need to and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones I've never used Dotster or web dot actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know in it tends to what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option if the registrar doesn't support it, they don't support it. And again, that's DNS records. have been around for a while and they're an important part of Domain validation. And if your registrar doesn't support it, I mean, I would start looking for new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um So first question here is in regard to the WAF rule, the skip good traffic rule. Does we watch your website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. There's I don't think there's anything in a rule that's going to block that traffic. But so it's a good if you put a rule in and if they're getting blocked. This is an exercise of looking at the event and find what it's trying to do and then allow that but I don't have any specific whitelist for we watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean. I'm not sure who's asking this question that came in as an anonymous attendee. Or do we and I think what you mean is the webhook. So and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So I so let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe there's they might change or something might happen. So it's good to add the ASN. But if you know like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic that way you're, you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IP to a Cloudflare list and then added the list to the good bots rule. Today. I got a report that the score was cut in half. robots.txt is not accessible. Okay, so that okay, so something is still blocking Ahrefs, for you, Karen. And so it could be the country rule. I've had this happen. So some like you can have, let's, let's let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country and maybe a traffic that's coming in from a country it's not in your allowed list or whatever. So what I would recommend that you do this is this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing. That was causing the block to happen and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate and but once you find that, the thing that allows it to skip then you can use that all the rest of your sites. So this is goes back to yesterday when I was saying of, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work. Unfortunately, 364 IP addresses. Holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than let's see. Yes. So here's their user agent. So maybe what you would do here is say instead of that ginormous block of IP addresses we can just as easily say, in our allow our skip rule here or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other see this. This is why the order matters because the skip rule comes in number two. And if you are, if you've identified correctly, that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, this is just kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it and it could be that I've just not stumbled upon the right method. But in lots of practical hands on work I've not found an easier way to do this. Other than, Oh, here's a good way to disallow to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are? That caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify Paul you you. It doesn't tell you what about the traffic triggered the log but looking at the details, you can probably narrow it down again, I wish there was an easier way All right.\r\n\r\nStacey, yeah, you probably you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in solid security maybe that's maybe so this you'll want that those in place right. So this Manage challenge protects the login page if you're using solid security and and turnstile reCAPTCHA, or whatever other recaptures for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there installed security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had the past through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know it has it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into. I'm under attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances where I would recommend though that you add Cloudflare is into whatever WordPress performance plugin that you have chosen. So in our case, we use Lightspeed as an agency because we use Lightspeed server on our server. You might be using we had the discussion earlier about cloud ways breeze, you might be using hummingbird or DEP rocket or whatever. Each of these have a little area for Cloudflare most good WordPress performance plugins have some sort of Cloudflare integration and you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs in Update, clear the cache, okay. Or if you edit a page, we're the cache Cloudflare sitting up here at the network level has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using Lightspeed, so whenever we run plug in updates, Lightspeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not let me just underscore this. Do not use the Cloudflare cache. If you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together. With an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, How did I get to the screen? What screen are we talking about? This is the doc Oh, lightspeed. This is just a screenshot. This is in the document. This is just a screenshot. Of the Lightspeed cache settings. It is under CDN in lightspeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings virtually all the good ones support Cloudflare. Oh, okay. So if your server uses Lightspeed, you go under Lightspeed cache on the admin bar, go to the CDN, tab, or link and you'll see it down toward the bottom. The Lightspeed cache Yep, good. Everybody. Okay with this makes sense? Does Perf Matters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use perf matters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably this primarily affects hashing. And I don't Perf Matters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play. When it comes to Caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do we want to include it can be all domains that are in this Cloudflare account probably don't want to do that. A specific domain Yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to a domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level generally I'm gonna give them domain administrator access, you can restrict it to just DNS if that's all they need. But in these cases, I want my the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant domain administrator rights continue to summary. Yes, yes, yes. Invite an email was just been sent to my other email address that would give me access to that, that this email address. Nathan at Nathan ingram.com doesn't have a Cloudflare account. So I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's you're giving them access to domains in this account, that's yours. 
But either way they in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class since client domains are registered with Cloudflare I had them set up account and delegate access to me that works too. Yeah, either way that that works. But the delegation is really simple and smooth. And Cloudflare as you just saw, it's just click click like and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling. Speaking of domain registrar ah Cloudflare is I think the best place to register domains now. Because they don't make any money on domain registration. They charge you a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home. Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are really at 977 for a .com 494 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in right here? You just they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google domains. And now at Squarespace, move them into Cloudflare it's gonna be cheaper and the UI is really simple. And there's not you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes. 
But I think also they give you an extra year.\r\n\r\nLet's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain like you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't I think you're right there Stacy. Yeah, and classes saying the same thing. I can't find where it says that here but when I've transferred a domain to Cloudflare they add it you pay for a year but they add a year to whatever the current date is. So it's a it's as good of a deal as you're gonna get on a transfer. Okay, class that's a good yeah. If if you're already at the max prepay level, then yeah, they don't add a year but that's generally not the case. So really easy to use them as a registrar and now so here it by the way, here is one caveat with using Cloudflare as the domain registrar, you cannot or let me say it this way. You must use Cloudflare to manage your DNS if Cloudflare is the registrar, so you can't I don't know why you'd want to but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is that's a thing. Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process, okay, so we were here we talked about let's this this issue with importing DNS records. I showed you the process of importing from a DNS provider like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may like I did have a number of sites where the DNS was actually managed with cPanel cPanel. 
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file. Like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just There we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account I just hit the cloud for a rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent recent account backup. I'm just going to download this and it's downloading this tarball which is like a zip file. It's downloading it to my desktop\r\n\r\ncan take a minute. You're going it's rather large. It's a gigabyte loading, loading loading. Let's go and Okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different but this is what you can do and it works. So we're going to unzip or uncompressed this tarball again, takes just a minute to do because there's a lot of stuff in here it's a full cPanel account backup. What's got to expand all the things\r\n\r\nYeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import but you have to download the whole stupid thing to get there. Moving moving, okay, almost almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db. 
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel and even as long as that takes to download and whatever that's still better than hand entering DNS records. Yeah.\r\n\r\nPaul is saying you did not have to rename the dbx file. Great. Well, that may have been a change in Cloudflare because you used to have to rename it to dot txt so great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?\r\n\r\nAll right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement, that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as Turnstile is the same thing as a managed challenge? Only in widget form that can be added to some sort of form like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it right and so you do that at so many windows. All right. So we're gonna go to account icon account home, Turnstile, account home and scroll down to turns Turnstile and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms zero spam, and we're protecting the WordPress login page with a WAF rule. 
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10 just created an account Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses and then what you do is just make them members of each other. So that whatever account you log into has access to all the domains that are in all the accounts and it just makes it really easy to manage. So don't let the account limit necessarily bother you. Because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the this account. And you just go from there. Any questions about that? pod for Turnstile? Super, super helpful. All right. We talked a little bit about this Cloudflare does give a lot for free. They do place certain limitations like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit are the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys so we only put 50 domains in an account. So we have multiple accounts that meant that are linked to each other as I described. Because the API keys are needed for to connect Lightspeed to flush the cache. So you can again just like I described, use the same delegation process to to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account home\r\n\r\nhang on a minute. Let's see profile isn't no hang on. I can't see it here. When you log into account that shared with other accounts. 
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even, you know, we have like five different Cloudflare accounts now that we're juggling, but you log into one of them, you can search and find the website you're looking for because we have access to it, and you just go right to it. It's really simple to connect those accounts together. That was a poor explanation, I think. But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy. Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with "I don't know anything about Cloudflare" if they want to leave. So at that point, the answer is: I'm sorry, that's why you hired me. Cloudflare manages your DNS, and give their next web provider access to the Cloudflare account, and if they don't understand how to use it, I mean, that's on them. Right? I really don't have, I mean, Cloudflare is pretty industry standard now, and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good, Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. The DNS settings in Cloudflare, and I'm not talking about firewall rules and all of that, like, oh, so if a client were going to leave me then I would probably set up. Yeah. Let me, let me reverse my thinking on this a bit, Paul. 
If I was going to offboard a client whose site is managed on Cloudflare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings, that just had the DNS, and move the site to that account and give them access to that, because I wouldn't want any of our security settings to go forward with them, the world, whatever's next. So Ben is saying he had to do that on Monday. Yeah.

Yeah, that, give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this yesterday, and I've given the whole process there for that. I'm not going to go back and re-get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address, and if they're forwarding to a Gmail account, for example, you can set up a "send as" address so that it can receive email as info at your domain, and it can send email as info at your domain. All that can be done free within the Cloudflare email routing settings. Let's see, it looks like this. The last thing, yep. The last thing I'll mention, and we've already sort of dealt with this, is troubleshooting WAF rules. You may run into things. If legitimate traffic is blocked by a WAF rule, go to that activity log. That's right here. Websites, WP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was, maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't, you know, if he's, "Oh, Google is blocked?" Well, I don't think that's the Googlebot. That's actually a Google Cloud server. So a lot of times this may be a compromised server that's trying to get access to things. So just because you see Google doesn't mean it's legit, or you know, Amazon, AWS or whatever. 
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure, for example. Anyway, you look at the activity log, load entries that pertain to that specific rule by clicking this little number in the analytics here, that loads one day, there we go.

And actually, I don't know what this flex potential is, maybe we wanted to allow that, so we could add this into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your rules. All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open Q&A. What do you think? Questions, comments, snide remarks, all of them are available at this point. Questions from Paul, okay. "All of this setup work is built into the cost of a website for a new client, correct? Or do you factor in a cost for this going forward? How much extra, if anything, would you charge for doing this?" Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be, it's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander, it really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that. It actually, what happens is, it saves me work, you know, in the future because the site's being protected much better. 
And Tanya, yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos, and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed. Second question for Paul: "How about setting this up for existing clients? Extra service?" And the same answer for me on that. When we migrated all of our clients over to Cloudflare back last fall, we didn't charge extra for that, because it makes things easier for us to have those clients all in Cloudflare: more secure, less traffic on the server, all of that. Yeah. When there's nothing as you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure? No. No, but you know, we'll raise our rates again here probably in two months, and I'll let them know all these extra things we've done at that point. But in a very, you know, you've got to communicate with clients. Some clients don't care about all the little things, right? So you don't want to overwhelm them with information. So for the clients that are non-technical and they just want to know that we're taking care of their site, I would just mention that we've added a network layer of security that blocks, you know, something like, I'd word it in such a way that was, you know, a high level, a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those, that's an interesting little point here. 
Some of the, our clients, the ones particularly that have access to Cloudflare, are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of: hey, we're in the process of moving to a new server, and in doing this we're also getting all of our DNS uniform, and we want to move everything to Cloudflare. Here's why. In some of them we actually had a, you know, a quick call with many of those IT folks, like: yes, great, let's do it. We like Cloudflare, you know, we know about it, whatever. And so we just set up the account, delegated access, good to go. But it really depends on the client and their level of involvement, or if they have IT people, etc. Doug: "For the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the search link to my website?" Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs. What will happen is, if you're in the UK and you click the search result, you're now going to wpnathan.com with a geo origin of UK, which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any, you know, if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way: whatever countries that you have legitimate customers, clients, whatever in, that would be coming to that site, allow those. But turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic, bots that are coming in from all over the world.

Paul is asking, how do anonymizers get affected by geo locations, or VPN? 
I mean, it's, if I come in, if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they present as coming from that country, because, I mean, they actually are, they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben: "When using support like from India for like WP All Import, they need access?" Yeah, but you can still challenge that traffic. That's the thing: we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So it's a challenge rule, not a block rule. Does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and then Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you. 
We are back tomorrow for office hours. We joked in the pre-show today that anything that breaks when you add these rules, just ask me tomorrow in office hours and we'll deal with it. All right, we'll see you back here tomorrow, office hours, one o'clock Central time, on Solid Academy, where we go further together.

Transcribed by https://otter.ai

You’re a busy web agency owner. You’ve heard about how others are using Cloudflare to protect their websites but you’re not sure where to start. This course from Nathan Ingram explains how to implement free Cloudflare features to substantially increase the security of your websites. It will save you time by giving a no-fluff explanation of the features you should use and the ones you should ignore. Included is a proven checklist for setting up a site in Cloudflare, including suggested WAF rules.

Note: this course assumes you have a basic understanding of DNS. You can learn more about DNS in the first hour of the Web Foundations Workshop.

Included in this Course

An overview of Cloudflare and a walkthrough of the major features
How to set up Cloudflare for WordPress client sites
How to set up important WAF rules
A proven process for migrating sites into Cloudflare with no mistakes
Other Cloudflare features like domain registration and email forwarding
Protips for smoothing out your Cloudflare workflows

Unknown Speaker 0:18
All right, let me hear from you in the chat. 
What are you most excited about learning this week in the Cloudflare course?

Unknown Speaker 0:26
What are you most excited to learn?

Unknown Speaker 0:32
As you answer that I am getting our captions all set.

Unknown Speaker 0:38
Alright, captions should now be working for everybody.

Unknown Speaker 0:43
Fingers crossed

Unknown Speaker 0:47
the whole thing.

Unknown Speaker 0:49
I'll take it.

Unknown Speaker 0:51
I'll take it.

Unknown Speaker 0:53
We'll see what we can do, Debra. Love it.

Unknown Speaker 0:59
Alright folks, we are about four-ish minutes away.

Unknown Speaker 1:06
Four-ish minutes away from getting started with Cloudflare for agencies. If you're just joining us in Zoom, open up the chat, and I'm dropping in once again the link bundle, which has the very large 40-page course handbook that I've put together for you here. Many, many, many things here in the handbook.

Unknown Speaker 1:32
Anything you can learn? Yeah, all right.

Unknown Speaker 1:35
Definitely.

Unknown Speaker 1:37
Yes, Stacy. There are so many things and this is not, I'll talk about this as we get started. There's no way this is going to be an exhaustive Cloudflare overview because there are just too many things.

Unknown Speaker 1:51
How much to just do so it doesn't work that way. Like some of these rules, you really do have to decide, you know, what you want to use and so forth. And actually, well, I'm getting ahead of myself. But yeah, some of this is what you want to do for your settings. But I'm gonna give you my recommended things and why. And then you can, it should give you a really good basis to make decisions on how you want to implement.

Unknown Speaker 2:24
Paul, you make the website and then we'll talk

Unknown Speaker 2:31
y'all, I promise once you get into this, it's really not that complicated. 
Seriously. Once you see how it all fits together.

Unknown Speaker 2:42
Yeah, I promise it's really not that complicated.

Unknown Speaker 2:47
All right. So if you're just joining us in Zoom, welcome, welcome. The chat is open. I'm dropping in once again the link bundle that has the course handbook. The one the, yes. Yep, of course handbook is there and waiting on you to download. Also, of course, the replay link.

Unknown Speaker 3:08
If you want to go back and rewatch today

Unknown Speaker 3:16
my oldest daughter is currently blowing me up on text messages. So I got to hit the mute button on that.

Unknown Speaker 3:27
Alright, y'all, just about two minutes to go. Hope everybody's doing well, hope your week has gotten started well. Check-in question today: let me just hear from you what you are most excited to learn about Cloudflare, what you want to know, what parts confuse you other than everything, as some folks have said. If there's a particular area I'd love to hear that

Unknown Speaker 3:52
Oh, Beth. I mean, priorities, right.

Unknown Speaker 4:00
Love it.

Unknown Speaker 4:02
Yeah, laptop on the beach. Back. Yeah.

Unknown Speaker 4:07
Actually, Myrtle Beach is gorgeous this time of year. Good for you, Beth.

Unknown Speaker 4:15
Turnstile, WAF, yes.

Unknown Speaker 4:20
There's no dancing in Cloudflare

Unknown Speaker 4:28
that's why you take a tablet to the beach, not your laptop.

Unknown Speaker 4:34
Stacey, that's awesome. That's 100% true. And actually, if you find dancing in Cloudflare, just wait, because they'll move it to another menu link later or they'll rename it.

Unknown Speaker 4:48
Yeah, so we'll, Beth will invent for us the Cloudflare dance, which we'll call the Turnstile. I love it. Yes, that's it.

Unknown Speaker 4:59
Do the turnstile through the turnstile. 
Alright folks, just about 30 seconds to go. Hope everybody's doing well today. Come on in, find a seat and grab the course handbook. But to drop the link bundle in once again.

Unknown Speaker 5:14
Yes, exactly, Karen

Unknown Speaker 5:19
and what you're talking about there, Karen. There's no easy answer to that, unfortunately. A lot of the Cloudflare rules that I'm going to give you are pretty good. But you're always going to want to fine-tune these for your setup. And there's always new suggestions and rules that are coming along. So I'm going to give you what I'm using today. And then you'll have, it's one of those things that will, it's a work in progress. Yeah.

Unknown Speaker 5:46
All right, y'all. It's three minutes after, let us get the recording started and we will dive right in.

Unknown Speaker 5:56
Well, good afternoon, everybody. Good morning. Good evening, wherever you happen to be around the world. Welcome to this premium course here on Solid Academy. Glad you're all here with us for Cloudflare for agencies. So over the next couple of days we're going to take two hours today, two hours tomorrow, and unpack Cloudflare through the filter of: you manage WordPress sites for clients. So what do you need to know, right? And also interestingly, hopefully helpfully, the way that I put this course together is, really, there's so much that we have to know as WordPress agency owners, right? Like there's just so many things. And so this is not an exhaustive course on Cloudflare. Like, who's got time for that? So what I'm going to give you is an overview of how things work and where the settings are and the big picture of the settings, but really, our focus is going to be on: okay, what do I need to do to use Cloudflare and leverage all the free stuff in Cloudflare to protect the sites that I manage? So that's where we're headed. 
And hopefully at the end of this course, you'll have a good idea of what all the things that Cloudflare can do. But really focused in on the practical things that you can do right away to use Cloudflare in your agency.

Unknown Speaker 7:21
So Karen has asked a great question in the chat just now. This is very different than the Cloudflare livestream I did a couple of years ago or last year, a year and a half, something like that. So I was just, I just kind of gotten knee deep into Cloudflare at that point. And so a lot of things have changed since then. This is a much more detailed look. This is, I think the first Cloudflare one was like an hour and a half. So just timewise this is a much deeper dive, and I've learned a lot since then, and hopefully can give you some better tools and rules and those sorts of things to use. So if you are just now coming in, once again, the link bundle is in the chat. You're going to want to download this course handbook, it is 40 pages of Cloudflare goodness, and grab that and follow along, and I've made it such that, you know, this is the document you can keep in reference. The table of contents is clickable to jump to, you know, the various areas that you want to get to. So hopefully it's a very usable document. All right, so let's dive into what we're going to be talking about. So I mentioned this a little bit earlier and even more in the pre-show.

Unknown Speaker 8:34
The idea here is: okay, I'm a web agency owner, I've heard how Cloudflare is helpful. What do I need to know? Give me the basics. This is not an exhaustive study of Cloudflare; there are far too many things Cloudflare can do to fit into four hours of course content. So what we want to do is, through the lens of what do I need to know as a WordPress website manager about Cloudflare to use it to the best of my ability. If you want a deeper dive, Cloudflare has excellent documentation. It's some of the best that I've seen. 
And you can click the Cloudflare fundamentals link there and it'll take you through all the things if there are pieces that you want to know. So the goal here: a no-fluff explanation of all the Cloudflare things that you will find the most useful and that you can implement right away in your business of managing WordPress sites. Tomorrow we're going to demonstrate the live setup of a Cloudflare site after we look at some of the basics today. And that's going to include security settings, setting up WAF rules and those sorts of things. So here's the overview we're gonna do, and a big overview of what is Cloudflare, how does it fit, how do I use it, you know, where does it fit in with Solid Security and those sorts of things. And then we're going to go through Cloudflare page by page, looking at the various pieces of Cloudflare and how they fit together. Tomorrow, migrating a site to Cloudflare and then more Cloudflare tools and tips. All right, now, this course assumes, this was on the course intro page, so hopefully you saw this. This assumes that you have a basic understanding of DNS, so I really can't, I'm not going to be able to answer questions about how DNS works in this course. So this is a prerequisite. If you need to understand a little bit more about how DNS works, there's a course here we did last year called the Web Foundations Workshop, in which we did an hour on DNS and what the records are and how all that works, et cetera, et cetera. So please let, well, really I'm just not going to answer questions about DNS in general. If you have those questions, you can grab this prerequisite course, it's out there, you can replay it right away. And we're going to focus in on implementing Cloudflare. Alright, so just a couple of housekeeping notes. I see several folks who've just joined us, let me drop in again our link bundle in the chat, course handbook is there. Since I am presenting today, I'm going to be watching the chat as usual. 
So if you want to ask your questions in the chat, you can do that. It may be that I miss some because I'm presenting. I'll try to catch questions in context. But if I miss one, and it's gone past, just stick it in the Q&A and we'll get to those at the end of each hour as usual. So all right, let's dive in, shall we? We had some really good check-in responses as we were getting ready in the pre-show about what you most want to learn. And so let's just start from the top. A lot of folks were like, I need to know from the cloud to the flare, the whole thing. So what is Cloudflare?

Unknown Speaker 11:44
At its heart Cloudflare is a web performance and security company. They have all sorts of services to secure and protect and accelerate websites. So Cloudflare is sort of like an umbrella. It is a protective barrier between your website and the traffic that comes into your website. And it can shield you from many kinds of online threats just automatically. Cloudflare security services are comprehensive. They offer protection against DDoS attacks, data breaches, other malicious activities. It works by filtering incoming traffic to your website. So at the heart of all of this is: your domain has to have the Cloudflare name servers. So that's how you turn on Cloudflare, by adding the Cloudflare name servers to the domain. So that way, all traffic that goes to the domain has to pass through the filter of Cloudflare, and you can think about it sort of like, you know, a water filter. Like we got this new refrigerator when we redid our kitchen a couple of years ago and it's got, you know, the fancy water in the door. You know, we're not usually that fancy kind of people and this is the first fridge we've had like this, but we love it because there's a water filter in there and it filters out all the impurities and garbage so that we just get really pure water when we put a glass up there. Now Cloudflare sort of works the same way. 
Think of it in the same way. It's like a traffic filtration system that, based on some of the stuff it just knows automatically, that this is a bad bot and it filters it out, or based on some of the rules that you can set up, it's filtering that traffic through so you get really good pure traffic that actually hits the website.

Unknown Speaker 13:30
So Cloudflare provides free SSL certificates. Also, they use the Google certificate authority as the primary and then Sectigo as a secondary. We'll get to all that when we get to the SSL section. They also have a suite of tools designed to optimize website performance, including caching, image optimization, content optimization. Cloudflare also provides a CDN that can move your website assets closer to the requester. They have data centers all around the world. So using their CDN, even their free CDN, you can move things from your, the images and scripts and so forth from your website to the closest point so there's not a lot of jumps between the user and what they're trying to download, which can effectively speed up the website. And the beautiful thing is Cloudflare provides many of its services at no cost with the option to upgrade to more advanced features on a subscription basis. Now a great question in the chat from Dave. So who's monitoring Cloudflare? Cloudflare is a private company, and so this is, you know, like, whose basket are you going to put your eggs in, right? They offer a lot of things for free, but they're making their money. It's a freemium model just like many things that are out there. So you have the option to upgrade, but a lot of the basic features they're providing at no cost and pushing you towards some of the paid features that can be helpful. So that's how they make their money. 
I don't know that there's anybody watching Cloudflare like us, they're not like responsible to any governing authority necessarily because they are a private company, but they're used by an immense number of websites. Matter of fact, 32% of the top 1 million sites on the web are using Cloudflare. So in that way, there's a lot of people watching them from high level, you know, big Fortune 500 company websites, so if anything weird is happening, it's likely going to come out, but they are a private company. So that is something to take into consideration.

Unknown Speaker 15:41
So a few other interesting Cloudflare statistics: again, more than 15 million websites, 32% of the top million websites. Their global network has 300 data centers all over the globe in more than 120 different countries. So the good thing about that is when traffic is requested by somebody, the hop to the Cloudflare data center is generally very short. They've strategically placed those data centers for that reason. So more than 80% of sites whose reverse proxy we know is Cloudflare. Now what does that mean? It means that if somebody, you know, has started to use proxy, which is hiding the actual IP address of the server, which is a good practice as we'll get into, Cloudflare is doing that for more than 80% of sites that are doing this, so that is super helpful. A huge chunk of the internet relies on Cloudflare to do these things. Also Cloudflare blocks, look at this number, 182 billion threats a day on average. It's a lot, and so simply by virtue of the amount of traffic that they're filtering, Cloudflare, you know, they just see patterns emerging, and they can protect sites better. It's like, you know, we have Thomas Rafe on here from We Watch Your Website. 
He's managing over 17 million WordPress sites right now and watching for patterns, and you get that much data under your belt, and you can immediately see how, you know, what's happening, what the trends are, and so forth.

Unknown Speaker 17:18
All right. So why should we use Cloudflare? So the first reason likely, and probably the reason that you're here listening, is the security benefits. They're just phenomenal. So Cloudflare's free services give you really robust security features at the network level. We'll talk about that in a minute. Like DDoS protection, a web application firewall, again, at the network level, which is where you want those sorts of things. They can also help improve performance with CDN caching, again, moving the downloadable assets closer to the requester so that those things are fulfilled more quickly. They offer free SSL as we mentioned. They also do DDoS mitigation. There's this great tool in Cloudflare that says "I'm under attack", toggle that on and it will effectively stop the impact of a DDoS attack on a website, and it works. It's really good. We'll get to that later.

Unknown Speaker 18:17
It's very easy to implement, actually. You just change your name servers and you're into Cloudflare.

Unknown Speaker 18:24
The setup process is straightforward, as you'll see as we actually work on that.

Unknown Speaker 18:30
Last of all, they do provide some analytics and insights. The statistics in Cloudflare, if you are a statistics person, you will love, love, love the statistics reports, because it'll show you like on your firewall rules, what's hitting it and, you know, what the information about that traffic is. It can help you further refine your rules. It's really neat once you get some data in there to start digging in and seeing how these turkeys are trying to attack your website. It's really quite interesting. Also, Cloudflare's analytics are GDPR compliant. 
They're designed to be privacy first, and so they are GDPR compliant, they state that, so that's not an issue. So a lot of the confusion that comes in when we start talking about Cloudflare is, okay, isn't just installing a WordPress security plugin enough? I've been watching it, it's really funny. This discussion has come up a number of times in the Admin Bar just in the last couple of weeks of, hey, there's this cloud, this WordPress security plugin and that one and really, isn't it good enough just to install a WordPress security plugin and you're protected? And the answer is no. Heck no. Absolutely not. So let's talk about where Cloudflare fits into all this. Is Cloudflare a replacement for Solid Security? Also no. So we need to understand where does Cloudflare fit in the whole matrix of security. So, first of all, Cloudflare becomes active for a site when you change the name servers of a domain name to those that Cloudflare will provide you. So it starts at the name server level, which means Cloudflare at that point becomes responsible for every request that comes into your domain name about, you know, where does the subdomain live? How's the mail routed? What are the DMARC records, the TXT validation records, all those things? Cloudflare is answering all of those requests. And it's doing it from a security perspective. So you can change who gets to make those requests and filter those things out, and so forth. So since all traffic to your website, and everything about that domain name, now has to pass through Cloudflare, they can filter it. So that's how this all works. Cloudflare can then as a result block a significant portion of malicious traffic before it ever reaches your server. That is the key.\r\n\r\nUnknown Speaker 21:04 \r\nThat is the key. So like, here's your browser, it's gotta pass through Cloudflare to get to your server where the website lives. So this is where we start to talk about a multi layered approach to WordPress security. 
It is not enough just to have a WordPress security plugin. It's just not, because there are jobs that need to be done to protect WordPress that are better done at a network level rather than at a WordPress level. So this multi layered approach is something you need to get your mind around. And we've been talking about this now for some time here on Solid Academy. It's not just as simple as installing a plugin. So the best practice for making your site secure is multiple layers of protection. Okay, and each layer has a role that it needs to play and it does that layer best. All right, so let's talk about this. So first, we have network layer level security, which we're going to trust to Cloudflare, right, so that's wrapping around the whole thing. No traffic gets in until it passes through Cloudflare. Then we go to the server level security, which hopefully is handled by your web hosting provider. So there's certain things that are better done at a server level. We'll get to that in a minute. And then we have our WordPress application level or user level security that a really good WordPress security plugin should do. So these are the three layers of security that you should be thinking about when it comes to protecting your WordPress site. So let's unpack those just for a minute. First of all, network security. So Cloudflare is going to mitigate the impact of the distributed denial of service attacks, or DDoS. And they can filter out malicious traffic before it ever gets to your server. So if a lot of that traffic can't even get past that Cloudflare wall, it makes your server have to work less, it makes WordPress have to work less. So it's better to handle all that stuff, get all the primary garbage filter done at the network level before it even hits the server. So Cloudflare gives you this blanket protection by filtering the web traffic before it ever gets to the site. 
Relying on your server alone, or worse, relying on WordPress alone to filter all the traffic, it takes a lot of resources. Now does Solid Security have functions that can help to prevent bad traffic? Yes. But that shouldn't be the primary level at which it occurs. If Timothy was here, he'd tell you the same thing. We want to filter the lion's share of that out at the network level. So if you do that, it's going to save a lot of valuable server resources. So traffic passes through the network, gets to the server. So what role does the server play in this multi layered support? So good web hosting providers implement security measures like server level firewalls, and most importantly in my book is server level file level malware scanning and intrusion detection systems. So I want something at the server level that's actually scanning the files. Now I know that there are some WordPress plugins that provide malware scanning. You don't want a plugin doing malware scanning. First of all, it's going to be incredibly inefficient at doing that and restricted to only the WordPress install, and a lot of malware gets installed out in the server structure and not within WordPress itself.\r\n\r\nUnknown Speaker 24:45 \r\nAlso, if there's malware in WordPress, and the malware scanner exists at the WordPress level, the malware can overwrite, you know, the malware scanner, so the malware can actually rewrite the malware scanner saying hey, this is bad and say no, it's actually good. You can ignore that. So you don't want the malware and the scanner processes running in the same environment. Malware scanning needs to happen at the server level, and intrusion detection systems as well. So that's the role of a good server, so whoever's providing your server, this is where you have a conversation and say, what malware scanning do you provide? What intrusion detection services do you provide to keep the server itself safe? 
Right, so we're filtering out most of the bad traffic at network. We're watching the file system and intrusion level at the server. And now we get into WordPress application security. Now WordPress security might have some traffic filtering and blocking features, but that's really the third level, like WordPress is consuming a lot of server resources just running and serving pages and doing things. I don't want WordPress to also have to be filtering every bit of bad traffic that comes in. And that's what can cause your website to grind to a halt, if it's getting pounded by login page attacks and all this stuff. I don't want WordPress doing that job at all, or at least as little as possible. Maybe just a few little drops of bad traffic that have gotten through the other two layers. We pause. Does that make sense to everybody, this whole approach? Are you getting what I'm saying? Like we want WordPress to do as little work as possible. We want WordPress to do the job of WordPressing, right, not of security. So it's not bad to have those features in the WordPress security plugin. That's why they're included in Solid Security. But that's like my third level of defense. Okay. All right. So your WordPress security should focus on more specific issues. Starting again, this is exactly what Solid Security does, which is why I love it. It is providing vulnerability detection. So I'm scanning my, so like, Cloudflare is not going to tell me I have vulnerable things in plugins. The server is not going to tell me that, it's maybe watching for malware or the malware scanner, but if my themes and plugins aren't infected yet, I don't know that there's a problem. So I want something like Solid Security, which is looking at my installed themes and plugins and saying, oh, this one has a vulnerability. I need to know about that. I need to do virtual patching. 
I need to do automatic updates if a patch is released, right, so it's doing exactly the job that I want a security plugin doing in WordPress and nothing else. Like, of the kinds of plugins that exist for WordPress, the most bloat often happens in security plugins, and that's why, you know, if you line up a feature list of the things that Solid Security Pro does versus some of the other security plugins, like, it doesn't do as much. Right, exactly. That's the point. You don't want it doing some of those things. You want your server and your network doing those jobs because it's gonna make a more efficient WordPress.\r\n\r\nUnknown Speaker 28:08 \r\nSo WordPress security should also heavily focus on user security. So we got these great features like, you know, the function that bounces out and makes sure that the password hasn't been compromised in that Have I Been Pwned database. We're looking at, you know, having 2FA for users and passkeys, et cetera, et cetera. The user level security needs to be done by WordPress. So we want that to be done really well by our WordPress security. Also session cookie protection, right, having that, like the Trusted Devices features of Solid Security, that is the perfect use case for a WordPress security plugin. So I want those features in my WordPress security, nothing else that's gonna, you know, be consuming tons and tons of server resources. Okay, so another role for WordPress security is adding in a CAPTCHA for areas that might be prone to attack, like comment form or the WordPress login page. We're actually going to protect that at the network level though. I'll show you that later. But having those CAPTCHAs, again, is a great use case and job for a WordPress security plugin. 
Finally, WordPress security plugins can also help you to harden WordPress, by all the little, you know, there's all those boxes in Solid Security about don't allow PHP to execute in themes and plugins, you know, turn off the file editor, all those sorts of things. Perfect use case for a WordPress security plugin. So, again, think about this in layers. Most of the traffic, get that filtered out at the network level so our server doesn't ever have to bother with it. Let our server do the job of file level scanning protection and intrusion detection, and let WordPress primarily do the job of just keeping WordPress secure as an application, themes and plugins and users.\r\n\r\nUnknown Speaker 30:02 \r\nAnd now we've got a pretty darn good approach to security. I'm gonna pause right there, because that was a, you know, a big firehose of information. I'm gonna pause. Make sense? Questions about this before we move on to the next bit?\r\n\r\nUnknown Speaker 30:17 \r\nIf you arrange your security approach this way, you're going to have a more efficient server and site and you're going to do a better job all the way around keeping things secure.\r\n\r\nUnknown Speaker 30:31 \r\nMan Polytune m&ms Already Okay.\r\n\r\nUnknown Speaker 30:35 \r\nHope you got a lock then.\r\n\r\nUnknown Speaker 30:38 \r\nYou have any to share with the rest of the class. I'm gonna have to move that around.\r\n\r\nUnknown Speaker 30:41 \r\nAll right. Well, I'm gonna move on then. If you're just joining us, link bundle is in the chat that has the course handbook if you want to download this that you're looking at.\r\n\r\nUnknown Speaker 30:49 \r\nAll right, folks, look, we're already on page eight. Moving around, moving right along here.\r\n\r\nUnknown Speaker 30:55 \r\nAll right, now comes the fun part. Cloudflare page by page. So I thought long and hard about how's the best way to do a quick orientation to all the things that Cloudflare can do. 
And this is what I settled on, this Cloudflare page by page. So one second before we get into that, one thing I want to mention is I've added some color coding here. And you know, I was thinking how can I best present this in a quick way to let you know, you know, what really to focus on and what not to focus on and so forth.\r\n\r\nUnknown Speaker 31:35 \r\nSo it's basically like this. If I think you're probably going to want to use this feature, it's going to be green. If it's a maybe depending on the circumstance, it's a yellow. If it's probably you're not going to use this, there's red. There's also one other emoji in there. That is a money bag, and that's it costs money to add this. Those are usually also red because our goal here is to use as much of the free Cloudflare stuff as possible.\r\n\r\nUnknown Speaker 32:01 \r\nSo yeah, that's the way we're going to approach this now. I'm just looking at timing and where we are in the course of things right now.\r\n\r\nUnknown Speaker 32:11 \r\nOkay.\r\n\r\nUnknown Speaker 32:13 \r\nAll right. This is where it's going to be interesting to see actually how we do this.\r\n\r\nUnknown Speaker 32:24 \r\nOkay, well, let's just, I'm sorry, thinking to myself here and we'll figure out that we may go long in this first hour. So let's look at this Cloudflare page by page. Now if you would like, I would suggest that if you don't have a Cloudflare account, just go quick create one, doesn't matter. Just make a quick Cloudflare account. I'm going to log in to my iThemes Cloudflare account that I experiment on. I would always recommend that you set up two factor authentication on your Cloudflare install, of course. All right, so what we're going to do is primarily focus on the website settings. We're gonna go down page by page, and I'm gonna explain basically what each of them does, just so you have a big picture understanding. Now there's a ton of stuff here. 
We're currently at the home or the account page, you get back here by going to account home. That is this page. Where we're going to live for most of the course here is in the website settings. So you can, you know, you'll add a website, you can click that and these are the settings that pertain to the individual websites themselves. And this is where we're going to live for most of the time in this course. So let's take a quick look. Alright, so we're on the overview page, a turn off this ad. Again, you know, they make their money by upselling things so I'm constantly closing those boxes. Alright, so the first thing we get is an analytics overview. This is kind of helpful if you just want a quick overview of, at the network level, what your traffic looks like. You don't get any like, you know, where the traffic came from or search terms. It's not about that. It's actually about the stats of the traffic coming in.\r\n\r\nUnknown Speaker 34:12 \r\nYou can set that by days, weeks or months. Something else that's really helpful over here is the Under Attack Mode. So let's just say that you've got a problem on a site, it's an e-commerce site and you're getting card testing attacks. Well, I'm just going to toggle that on. And with that one toggle, what's going to happen is every single bit of traffic that comes into the site is going to get a managed challenge from Cloudflare. Now what that looks like is this\r\n\r\nUnknown Speaker 34:45 \r\nso it's going to pass through this challenge. I've got to verify and then move right on. Now that's not ideal, but that will stop a DDoS attack, period, because a bot cannot pass Cloudflare Turnstile, at least yet. So simply toggling that on is going to stop the DDoS attack. It does put, you know, that Turnstile pass through managed challenge between every single visitor, so it's not ideal to leave on forever. 
You'll want to add a WAF rule to filter out whatever's attacking you, but this is a great little setting in case something immediately is happening.\r\n\r\nUnknown Speaker 35:29 \r\nIt essentially off.\r\n\r\nUnknown Speaker 35:33 \r\nOkay, the next thing that's helpful here is Development Mode. So Cloudflare does provide some caching and caching can be absolutely.\r\n\r\nUnknown Speaker 35:43 \r\nYou might use it makes you want to bang your head into the wall sometimes, like, you've edited something, it's not showing up, then you remember, oh yeah, I've got caching turned on. So if you're making changes to your site, you might just want to toggle this on. And that turns off all caching, all optimizations like that, where you're seeing what you see, right. So a lot of times we have to deal with browser caching, with WordPress plugin caching. If you have set up.\r\n\r\nUnknown Speaker 36:11 \r\nIf you have set up Cloudflare for your site, you also have Cloudflare caching, it's on by default. So just don't forget that if you want like why isn't why are these changes? Not all? Yeah, Cloudflare caching, so turn on Development Mode, and that will help you immediately get around that. So very, very helpful. Also, something to draw your attention to here on this overview page is down here at the bottom of the Pause Cloudflare. Right here, this is an incredibly important link that we'll get to in the process of adding a site to Cloudflare. You're going to want to click this every time so that you don't get SSL errors. I'll explain that when we get to the process but again, this is your friend. Also if you want to get rid of the site and delete it completely, you can just remove from Cloudflare and it'll kill your whole account.\r\n\r\nUnknown Speaker 37:01 \r\nAlright, so let's move on down the list. So analytics, I've given that a yellow, this whole area is yellow, you know, it's not super detailed analytics. 
It does give you some basic ideas and kind of cool charts about where your traffic is coming from. So you can you can sort of see this, I mean, it's interesting, but it's not terribly helpful.\r\n\r\nUnknown Speaker 37:23 \r\nYou know, your overall view of security is here that's kind of neat. You know, where are these attacks coming from?\r\n\r\nUnknown Speaker 37:30 \r\nLook at your quick look at your performance. I mean, there's some interesting network level security or logs that are being kept here.\r\n\r\nUnknown Speaker 37:41 \r\nAnd it's there like if you like logs, you're gonna like to click through here. It's there's some interesting stuff but again, it's not essential by any means.\r\n\r\nUnknown Speaker 37:49 \r\nOkay, so I see questions about clients and accounts, that's tomorrow. So that's gonna be in the last bit. 
I'm gonna go all into that and talk about my process for how we manage clients on CloudFlare, and so forth.\r\n\r\nUnknown Speaker 38:01 \r\nAll right. The next thing down here is DNS records this is an area that you are going to live in if you start using Cloudflare. This is where all your DNS records are managed. And listen. There are if you're using, for example, a registrar to manage your domain DNS.\r\n\r\nUnknown Speaker 38:22 \r\nMost registrar DNS panels are pretty awful. They're just pretty awful.\r\n\r\nUnknown Speaker 38:28 \r\nCloudflare is a breath of fresh air when it comes to these things and you got some neat things like here's all my here's all the records. If I make a change or something it gives me the ability to enter 100 character comment to remind myself maybe when this was changed, or why you get a little bit of a note there that you can add on each of these records, like especially, hey, here's a TXT record. What the heck was this for? So I can say oh, that was em. That's a postmark.\r\n\r\nUnknown Speaker 38:59 \r\nValidation. Right. 
So I can leave little notes to myself there to remind myself what these records were for, which is super cool.\r\n\r\nUnknown Speaker 39:08 \r\nReally, really helpful. You can also right here, you can import records from registrar's, we're going to get into this when we walked through the bringing in of the the migration of a site to Cloudflare process tomorrow. You can actually drop in an export from another registrar or DNS management service if they offer that and it just brings them all in it's beautiful. You can also export your DNS records to a flat file here, which can be then imported to another DNS manager if you want to leave Cloudflare or moving it to another Cloudflare account if you want to do that. So it's just a simple flat file. That's a format that most DNS importers can manage.\r\n\r\nUnknown Speaker 39:58 \r\nSo very easy to add records here, you just click Add Record, select the type, enter in your details. Do you want to proxy it or not? I'll give you I'll walk more through this and best practices in just a little bit. 
So moving on down here into settings, you're going to want to make some changes here. I've called it green, especially DNS sec. If you're not familiar with DNS sec, this is basically it validates that your domain is correct. Right. So if Cloudflare is handing handling my DNS, how can I validate that the domain that this registrar has is actually this traffic is passing correctly through the direct DNS servers etc. This is basically some it's a little bit of it's an encryption key that just validates all of that. And long story short, you want to do this, it's a little bit of an extra step. It's usually one little record at the registrar wherever the domain is managed, and it improves your security of your domain and traffic. You're going to want to do that Multiset I don't use that. It's a pretty complex CNAME flattening it does that by default, and then you can get into email security, which we'll get to below. So again, these are pretty basic settings, getting into Cloudflare email.\r\n\r\nUnknown Speaker 41:21 \r\nSo I've got email routing setup currently. 
So this is a beautiful little tool that answers this question. So you've got a client, maybe they're a brand new business getting started out there watching every dollar, they don't want to pay, you know, $10 a month or whatever for a Google workspace address for five of their employees or whatever they all have Gmail addresses, and they just want like an info at their domain that forwards to their team or whatever. Cloudflare will do this for you for free. So email routing, is it's really great. You'd basically just set it up. Here, I've given you the whole process.\r\n\r\nUnknown Speaker 41:59 \r\nYou can set up this you can set up an address here. You just add whatever you want this address to be and where it's going to forward to. And then you validate that email and you're done. And so you can set up these catch you can set up a catch all address or individual addresses. And it'll just forward right to your Gmail account or whatever other free account that you have. 
And you can also, in Gmail, set up a send as address, which is really nice if you want to provide that level of support for your client. Email can come into that Gmail account and they can send as that info at or whatever account with this little process here. So it's really helpful. If a client doesn't want to pay for full email yet, you can set up this email routing at really no cost. Cloudflare just handles that traffic for you.\r\n\r\nUnknown Speaker 42:58 \r\nI've given you that whole process right here, if you're interested.\r\n\r\nUnknown Speaker 43:02 \r\nUnder email here also we have DMARC management. You may or may not want to use this. It's free and it's decent DMARC reporting, it's not the best, certainly not the worst. It's really good for free. And it allows you, when you first set it up, to add the correct DMARC record to your DNS, and then it's set up and ready to go. It adds the very basic D equals none DMARC record. If you have watched those live streams with us recently, it's a very basic level that meets this new Google and Yahoo criteria. So that can all be done from right here. This email security is a more advanced and so paid area.\r\n\r\nUnknown Speaker 43:45 \r\nAll right, moving down to SSL. So again, Cloudflare does provide a free SSL certificate for every site that it's filtering traffic for.\r\n\r\nUnknown Speaker 43:56 \r\nThe first thing you're going to want to look at here is your encryption mode. Now I recommend full. There are four levels, so you can turn SSL completely off. Don't do that. You can also do flexible, which encrypts the traffic between the browser and Cloudflare. But then there's no SSL between Cloudflare and the server. That's for weird scenarios. You don't want to do that. What you want is this one here. This is going to encrypt from the blowout of the browser to Cloudflare with a Google certificate, and then from Cloudflare to your server with a self signed certificate at the server. 
Virtually every server is going to provide a self signed certificate and Cloudflare can use that. The encryption tunnel is perfectly secure. There is this full level which says okay, I want to install a trusted, like one of those, you know, you buy it certificates on the server. You can do that if you want to, or Cloudflare will actually provide you an origin certificate for your server. I don't ever do that. It's not necessary for security. As long as there's self sign on the server, which usually is, and Cloudflare to the browser is giving Google, it's one clean tunnel.\r\n\r\nUnknown Speaker 45:13 \r\nSo if you have SSL at the server, yeah, you don't have to worry about it. Most of the VPSs that are set up by a reputable hosting company, like if you have a Liquid Web VPS, it's going to have a self signed certificate on the server and Cloudflare will use that to create encryption.\r\n\r\nUnknown Speaker 45:32 \r\nOkay, all right. So Paul, great question in the chat. That's tomorrow. We're talking about all the whole process and client stuff tomorrow. All right, so this is an area you're going to want to be familiar with here. Other settings here.\r\n\r\nUnknown Speaker 45:49 \r\nWe're gonna go down to, let's see, Edge certificates. I do keep this on if they're sometimes you'll get an email. This lets you know if there's anything you can do better with SSL.\r\n\r\nUnknown Speaker 46:03 \r\nIt's helpful. All right, so edge certificates. This says okay, there is an active certificate that's been created for this website. And a backup. This is pretty cool. This tells me that this is a Google Trust certificate. This is the primary one, so if I go to WP nathan.com and I look at the certificate details, here it is valid. It is Google Trust Services right there. So that's what it shows to the user is this Google certificate. If something goes wrong, or there's some weirdness with the Google certificate, it's very unlikely that would ever happen. 
But if there is, then it does have a backup, as this, it's a Let's Encrypt certificate here. On the up Nathan it can also be set for Sectigo, doesn't really matter. Very, very rarely\r\n\r\nUnknown Speaker 47:00 \r\nwill this backup certificate ever be used.\r\n\r\nUnknown Speaker 47:03 \r\nOkay, so Stacy, Stacy's mentioning here and let me just address this. So if you are using Cloudflare, you cannot use Let's Encrypt on your server, because your server isn't, it can't validate, right, or it's the server isn't controlling the traffic anymore. It's passing through Cloudflare. So you might have Let's Encrypt turned on at your server. But like, you may be able to have full strict at the beginning because the Let's Encrypt certificate exists. But eventually that Let's Encrypt certificate is not going to be able to renew in many cases because Cloudflare is in the middle. So that's why I recommend full, because there's always a self signed certificate at the server. If you do strict, and something happens to that Let's Encrypt certificate, it's going to create an SSL error. So you don't want that. That's why I'm saying full, it's going to be just as secure as having a Let's Encrypt on the server. And you're not going to get those SSL errors. Does that make sense?\r\n\r\nUnknown Speaker 48:18 \r\nYeah, so Melanie's encountered that, like full strict, that sounds great, I want that, but you don't want that. It's you want to be able to set this and forever. So yeah, and Stacy, it may be dependent on the host, you'll want to look into that. And that's where I just recommend setting it at full and then you won't have any problems.\r\n\r\nUnknown Speaker 48:37 \r\nThere is no limit. Let me say it this way. 
There is no extra security benefit from full or full strict because the self-signed certificate at the server is the same level of encryption as a Let's Encrypt, or you know, your purchased your favorite purchase certificate for whatever. It's generally the same encryption level.\r\n\r\nUnknown Speaker 49:02 \r\nSo it doesn't matter. What's important is what does the user see? And in this case, it's Google first and then you know one of those so does that make sense everybody? Do I need to answer any more questions about that?\r\n\r\nUnknown Speaker 49:15 \r\nFull is easy. It's always going to work unless there's something wrong with your server.\r\n\r\nUnknown Speaker 49:24 \r\nOkay let's keep going. So edge certificates. We talked about these, you're not going to want that, cost money. You don't really need it. You don't. Total TLS, this lets you choose like if I toggle this, oh, I gotta pay. Yeah, it used to let you do this for free. They've changed that. It's another paid feature. This you always want on it's part of the onboarding process that we'll cover tomorrow as we move a site into Cloudflare.\r\n\r\nUnknown Speaker 49:54 \r\nSo, all right, this is a complicated feature that I would not turn on because it's real, real easy to screw things up. And if like, for example, I had a site where I really messed things up on this. Thankfully, it was one of my own, but it took for some traffic almost a month before it straightened out. This is really bad. So it's a way to enforce HTTPS. I'm just going to recommend that you don't use it unless like it can heighten your security. And sometimes, if you have a client that has like a security, like a level of security, they have to reach for their own internal audits or whatever you may have to turn this on. But don't do it if you're planning to make any changes, like migrate the site or change Cloudflare to some other DNS provider because it can lock down it'll lock out traffic. 
It's just it's very powerful, but also could be very damaging in some cases. So if you're in a scenario where this comes up, you'll want to read more into that. Minimum TLS version. I'm going to recommend here 1.2 because it's kind of the it's everybody can use 1.2, but you really might want to consider 1.3. So 1.2 is required for if you're trying to get PCI compliance. You have to have 1.2 layer level of TLS, which is the next level of SSL but really only really, really, really old browsers can't use TLS 1.3. So if you look here, like Internet Explorer can't use.\r\n\r\nUnknown Speaker 51:46 \r\nCan't use TLS 1.3 and Opera Mini like those are the only two browsers. So the chances I mean those are teeny tiny percent. So I'm at the point of where I might just bump everything to 1.3 because it is more secure. It is a little faster.\r\n\r\nUnknown Speaker 52:01 \r\nBut at least 1.2.\r\n\r\nUnknown Speaker 52:06 \r\nAll right, opportunistic encryption, you're going to want to turn that on. I believe that's on by default. You want to enable TLS 1.3, which says, if the browser can support 1.3, use it. That's basically what that's about. I do want to rewrite everything to HTTPS at the network level. That's good. I think that's on by default. I do want to toggle this transparency on. What this does is basically, if something if some other server or authority or whatever, issues an SSL certificate for this domain, I'm gonna get an email about it. Where that's helpful is if somebody has hijacked your domain somewhere along the way, or they've got traffic going somewhere something odd is happening. And a certificate gets issued. And I'm not aware of it. I want to be aware of it. So that's what this does. Pretty nice. Works pretty cool.\r\n\r\nUnknown Speaker 52:56 \r\nSo let's see. Moving on down here, the most of the stuff you're not really going to use. You're not going to use this most likely it's complicated scenarios. Origin server. 
This is where if you want to install a Cloudflare generated certificate on your server to do full strict, you can do that here. I don't recommend that it's not super necessary. And then custom host names you're probably not going to use so that gets us all the way through SSL. That was a lot. Let me pause just for a minute. And any questions about this bit, I realize that was a lot. So walking through all the settings is the most tedious part of this, but my goal here is to kind of set the table and let you know what all is here.\r\n\r\nUnknown Speaker 53:42 \r\nAll right.\r\n\r\nUnknown Speaker 53:44 \r\nLet's move into security. You're gonna live in security a lot. So the main two places you're going to live in Cloudflare are DNS and security. So security is awesome. I love this area, the events page. This is a log of all the things that have hit my firewall rules. So any event has happened on the server where a firewall a WAF rule was hit by something or whatever.\r\n\r\nUnknown Speaker 54:11 \r\nHere's some examples of some skip rules that I've put into place. And I can see what's going on here.\r\n\r\nUnknown Speaker 54:18 \r\nIt gives me a great amount of detail about what was the IP address that came in? What was the ASN in this case, it is I have a pass a skip rule created for WordPress doing cron, so sometimes the query string here can cause weird security things to go on. And so that's one of the skip rules that I put in.\r\n\r\nUnknown Speaker 54:40 \r\nAnd it's logging here just to show you what that looks like. Here's one look here. Here's something that came in earlier.\r\n\r\nUnknown Speaker 54:48 \r\nAnd this was something from the UK. I don't know what that ASN is but it was trying to get to a weird port like what the heck is this one a 53 I don't even know what that is. This was bad traffic and it got a managed challenge primarily because it was coming from outside the US actually no I've got this set up to accept UK traffic. 
So this, this hit, oh no, it hit a challenge right here.\r\n\r\nUnknown Speaker 55:19 \r\nSo it hit a rule that says okay, something's not right here. We're going to challenge this traffic and so it wouldn't have made it through to the site. So this is a great place to look after you've implemented a rule make sure you're not getting legitimate traffic caught or as you are refining your rules later on. Really, really helpful.\r\n\r\nUnknown Speaker 55:40 \r\nHere's something from Netherlands same thing. We'll get into all these ASNs and things later. Like look here. They tried to hit XML-RPC. This is garbage traffic.\r\n\r\nUnknown Speaker 55:49 \r\nIs there a setting in Solid Security that turns off XML-RPC? Yes. But WordPress would have had to wake up and do something when this traffic and server resources would have been expended. We block this traffic at the network level before it even hit the server. So that's why you do these things. So events is super helpful gives you a lot of good information. Now we move into WAF which stands for web application firewall. Now, these are your this is a place again, you're gonna spend some time here as you're setting up Cloudflare. There are five rules available at the free plan. I've suggested four, and so you have room to add your own rule.\r\n\r\nUnknown Speaker 56:28 \r\nSo we'll get into all these rules later. But this is where those are defined and set up. You can actually click the link here and see traffic that just hit that rule. There's a ton of traffic here. Like this first rule here. These are challenges. So you know trying to go to WP login or my account or if the country is not in Canada or the USA, it's going to get a challenge.\r\n\r\nUnknown Speaker 56:53 \r\nAnd I can go back and look at what traffic actually is hitting that rule by clicking on that number. 
So it's pretty nice to be able to look and see what all is going on here with my individual rules.\r\n\r\nUnknown Speaker 57:08 \r\nSo I'll give you the rules a little bit later. Now let's keep going here. So those are our custom rules. We also have rate limiting rules and this is pretty neat.\r\n\r\nUnknown Speaker 57:16 \r\nSo you can actually block traffic that is pounding away at your website. And we'll go into rate limiting rules later in our recommended settings. But like if there's anything that's hitting my site more than like once a second, I want to block that traffic because there's no legitimate traffic that's going to be making multiple requests per second. Unless it's like a Google bot or something like that. And even it usually throttles back how many requests are being made. So this is a really helpful rule to be able to put into place we'll get into that in the rules section.\r\n\r\nUnknown Speaker 57:53 \r\nHere in tools, there is the ability to block IP addresses or ranges even over and above the WAF rules themselves. So you can block user agents you have 10 user agent blocking rules if you want to use those. I typically don't but it's there if you want to use it.\r\n\r\nUnknown Speaker 58:15 \r\nMoving down to security the Page Shield. This is a paid feature basically keeps your content safe. Bots feature okay, this is probably the place where most people make a mistake. Bot fight mode on. I recommend that you leave this off because of a number of things.\r\n\r\nUnknown Speaker 58:33 \r\nBot fight mode. If there's anything that I've had to troubleshoot more, there's nothing I've had to troubleshoot more than bot fight mode creating problems for X legitimate external connections to websites like webhooks, and, you know, syncing up one thing with another or whatever. It's always bot fight mode. And honestly, bot fight mode gets in the way of a lot of legitimate traffic in an effort to prevent bot traffic. 
So it's like you know, this ongoing war of how do we keep bots away versus legitimate traffic. It's too heavy handed in my opinion. Also, it adds JavaScript to every single page load on your website, that bot activity and that can actually add as much as two seconds to a page load speed. So just don't do this. Try to get a lot of that traffic out with web application firewall rules, which we'll cover as we move forward. But don't turn this on. It looks like a good idea. It's not a good idea. Don't turn this on is my recommendation. Unless you know what you're doing. There is also in Cloudflare Super Bot Fight Mode that actually lets you make some granular changes to the bot fight mode. That's great, but it's an enterprise level. It does cost money.\r\n\r\nUnknown Speaker 59:51 \r\nAlright, let's move on to the DDoS section. This is super helpful. Like let's say you're under attack and you toggle on under attack mode and you can sort it you get to see you know a little bit of what this traffic pattern looks like. You can add a rule here that can stop a lot of those floods that's beyond the scope of this course. But it is there and it's pretty helpful.\r\n\r\nUnknown Speaker 1:00:16 \r\nThere's really good documentation for that's available at this link. And finally, there's some settings here that you may or may not find useful, probably not. The default settings are generally what I use, which is just right here. Security level is essentially off meaning that the average traffic the average user is not going to get a managed challenge to say that I'm human. I don't want that in the way of average users. 30 minute challenge passage meaning like if I'm good, I'm good for the next 30 minutes at least. And then you definitely want this browser integrity check on that just it blocks garbage traffic where there's problems with the requests. So those are all the default settings. You probably don't need to ever change those. 
But they're there if you do need to.\r\n\r\nUnknown Speaker 1:00:58 \r\nThis access this is actually going away will probably be removed from this menu pretty soon and let me just mention also if you're watching this on a replay and it's like a year from now, a lot of these menu changes may change. Cloudflare is as bad as Google about renaming and moving things and changing it, they change stuff all the time. They literally last week changed the onboarding process for adding a new account. They're constantly changing things and so, you know, the things that I'm talking about here are likely going to be in other places. But yeah, it may not be in exactly the same spot. Kind of frustrating.\r\n\r\nUnknown Speaker 1:01:37 \r\nHere under speed, these are some moderately useful things. The observatory is you know, what is my Lighthouse speed. So that's kind of cool. I mean, it can show you, you can schedule a test to run at certain intervals. It's kind of cool. I like that.\r\n\r\nUnknown Speaker 1:01:56 \r\nYou may or may not want to do that. The optimization here not a whole lot to do here. Most of the basic settings are correct, just with the defaults.\r\n\r\nUnknown Speaker 1:02:10 \r\nNot a whole lot you're gonna do here this just gives you an overview of what your settings are. Image optimization is now offered by Cloudflare. But if you have a good WordPress image optimizer, which I recommend, do it there do it at the WordPress site like just control your images don't do that off in the cloud. But you can if you want to. It's all here. You are going to want to make some changes here to content optimization. Brotli basically speeds up an H an SSL connection. This is part of the onboarding steps that are recommended. We'll get to that tomorrow. This is super cool. So Cloudflare fonts is a recently in the last six months or so added feature. And it basically pulls all the fonts up into the Cloudflare cloud. 
So instead of having to go out to Google fonts and download the font Cloudflare fonts, pulls those up into the cloud. So they load faster, and you don't have privacy issues, because Cloudflare is going to deliver that font in a privacy first manner. It's not like you're pulling fonts off of Google server and as a result, the user's IP address is exposed and all that. So this is great. Just turn it on. It's gonna be faster. It's pretty good. This is also a super cool feature called early hints. And what this is going to do, you may have a WordPress optimizing plugin that does this as well. And actually this may be part of core WordPress going forward. But like when you mouse over a link in the background, the browser starts to load that page already. This does that at the Cloudflare level, which is pretty cool.\r\n\r\nUnknown Speaker 1:03:47 \r\nRocket loader. This is another one of those things that people say oh, it's speed. I'm going to turn, don't turn this on. Rocket loader has a bad habit of breaking WordPress, jQuery and other JavaScripts. Just don't, don't turn that on. It will create problems. That's a red dot for me. And if you Google other WordPress folks talking about this it's a red dot. It can cause problems.\r\n\r\nUnknown Speaker 1:04:14 \r\nAuto minify, yeah, you want all that on so all your assets are compressed up there at the network level.\r\n\r\nUnknown Speaker 1:04:21 \r\nI mentioned this automatic platform optimization for WordPress. This is a can be really good. It's $5 a month per site. 
Okay, but without having to deal with any of those granular performance settings at the WordPress level with plugins like WP Rocket or Hummingbird or whatever, you can actually push all that up to the cloud and it moves the really big the real benefit here is it moves all of your assets for your website to Cloudflare's edge CDN, so that it's right as close to the user as possible and it's optimized all it really does a good job at optimizing traffic. So take a look at that. It is expensive. You know, when you put 10 sites on there, it's going to be $50 a month, but it really you know, if you've got a few sites that you're having performance issues out of five bucks a month solves that problem, pass it on to the client and you're done.\r\n\r\nUnknown Speaker 1:05:19 \r\nLet's see.\r\n\r\nUnknown Speaker 1:05:21 \r\nEven ongoing here. Let's see caching. All right. Cloudflare caching. So Cloudflare does a good job of caching things the right way. You do get some basic analytics here with an upgrade of a plan. Let's move into configuration. So here is the place where you can purge all the things out of the Cloudflare cache. So if you're having some sort of Cloudflare issue going on, you can come in to caching configuration purge everything. I'm going to mention also later on in the course that a lot of WordPress optimization plugins have a Cloudflare integration, where they will actually you can like for example, I use LiteSpeed as a WordPress optimizer. And you add in your API for Cloudflare. 
And whenever LiteSpeed flushes the cache because a page has been updated or there's WordPress updates, it also flushes the Cloudflare cache. Most good WordPress optimizing plugins like WP Rocket like Perfmatters like Hummingbird have Cloudflare integration and you're going to want to use that because what otherwise what you're going to run into is you got one set of assets that are here on the site that the WordPress performance plugin has flushed, but your Cloudflare cache isn't matching and you get wonky CSS, and you don't want that. So that helps and it solves that problem.\r\n\r\nUnknown Speaker 1:06:44 \r\nLet's see here caching level we kind of leave that alone unless you know what you're doing. Browser cache TTL you're gonna want to set this to at least a month. Google requires that those it's set to 30 days or higher. Otherwise, you get that thing you may have seen in Lighthouse of serve static assets with efficient policy, blah, blah, blah. That's this needs to be at least a month. This is helpful if you have a big website that a lot of people have access to. This is a tool that will scan for child sexual abuse material, which is definitely helpful. These next two are really cool. Crawler hints. Okay, how many of you remember from the Starter Site webinar? We did do every year. We've got that really cool plugin called IndexNow from Bing and it watches changes on your website and lets Bing and, let's see which ones it is, Bing, DuckDuckGo, Yandex and Naver, which I've never heard of before.\r\n\r\nUnknown Speaker 1:07:43 \r\nAnd yep, so what this does, I've just lost my, here we go. So crawler hints basically adds IndexNow to your site at the Cloudflare level. So as soon as Cloudflare sees you add a new page, it lets all the search engines know. You absolutely want to do this. And it means you cannot use the IndexNow plugin on WordPress, which is kind of cool. 
Always online, this is another one you're gonna want to toggle on.\r\n\r\nUnknown Speaker 1:08:09 \r\nWe've probably all at some point, used the Wayback Machine to go back and look historically at websites. And some websites are there a lot and some are there just like every once a month or once every few months or whatever. How do you get the site listed on the Wayback Machine? Well, you toggle this on right here and Cloudflare will make sure that the site is saved into the Wayback Machine and if for some reason this your server goes down Cloudflare will know okay, I'm gonna pull the latest copy out of Wayback Machine to serve and it's not the best thing but it's better than the site being down. So this is pretty cool. Definitely want that on. Here's the actual development mode. We looked at that under the overview settings, but this is where the actual toggle is for turning on development mode. And so that's all the configuration things.\r\n\r\nUnknown Speaker 1:09:02 \r\nAll right, cache rules.\r\n\r\nUnknown Speaker 1:09:05 \r\nWe're going to talk about cache rules later. But this is the spot where you can add a rule like what if I don't want Cloudflare to cache the site at all? Great. What if I have an E commerce site and I don't want to cache the cart or checkout page, I can do all that here. And I'll give you those rules when we get into that section in a little bit. So tiered cache or the cache rules are very helpful, and the tiered cache is helpful. You're going to want to make sure you enable smart tiered technology that just moves the stuff closest to the user. It's good stuff. Cache reserve is a paid feature, which you're not going to use. Now if you're getting tired. You're not alone. It is now 2:07. We've been at this for a little over an hour, but we're coming to the end. There's only a few more things here and then we'll take a break. First of all Workers routes don't have to worry about that at all. unlikely you'll use this rules. 
There's another place for rules. Here's 10 more sets of configuration rules that you can use. Probably not going to use any of those but you certainly can.\r\n\r\nUnknown Speaker 1:10:06 \r\nTransform rules, origin rule. These are all ways to deal with rules and traffic. Probably not going to use those unless you have a unique case. Page rules can be helpful.\r\n\r\nUnknown Speaker 1:10:18 \r\nI'll show you some options on when you might want to use those a little bit later.\r\n\r\nUnknown Speaker 1:10:22 \r\nAnd the default settings are just fine. You never have to really change these. So not a whole lot to do here.\r\n\r\nUnknown Speaker 1:10:29 \r\nAnd the rest of this stuff is pretty much read. So let's network you probably won't have to change anything here. Very unlikely that anything will be needed in this area. All the default settings are fine. Traffic is a paid feature. Custom pages paid feature. Apps, it's being deprecated. The Scrape Shield, okay, let's talk about this.\r\n\r\nUnknown Speaker 1:10:53 \r\nSo there's a couple of things. Remember, if you are a long time iThemes Training, Solid Academy member we used to have a shortcode that would obfuscate an email address. Cloudflare will actually do this at the network level, so you don't have to hide email addresses at all. It will just automatically obfuscate email addresses from bots that would scrape the site. The problem is it adds some JavaScript which again can potentially add some weight to the page and make the page load slower. So there's a way to apply that with the rule that we'll get to in a little bit. I would not toggle this on for the whole site. I would only have it on with a rule for like the contact page or a team page where email addresses actually appear.\r\n\r\nUnknown Speaker 1:11:38 \r\nHotlink protection this is something I would toggle on because well in certain cases. 
So if you want to protect your site, like I don't want my images showing up in Google image search, I don't want anybody linking off the site and pulling my images and to show on their site. This is what that does. It will stop that at the network level. Period. But if you are relying on a lot of SEO people, for example.\r\n\r\nUnknown Speaker 1:12:07 \r\nThey rely on an image optimization strategy for SEO like they want people to find the image in Google Images and then go to the page and it's a legitimate SEO strategy. But this will stop that. So depending on what you want to do, this can be super helpful or completely get in the way of an SEO strategy.\r\n\r\nUnknown Speaker 1:12:26 \r\nAll right.\r\n\r\nUnknown Speaker 1:12:29 \r\nZaraz so this is super cool, actually, it's way out of scope for this, this live stream in this course. But think of it like this. This is like Google Tag Manager, but at the Cloudflare level. So at the network level, I can actually go in and add code to pages. Like it's really powerful, but it's way out of scope for what we're trying to do today. So you know, it's interesting, and if you're super geeky, you want to get into that, have at it because it's a very powerful tool. And last of all Web3, you're probably not ever gonna get into that stuff. All right, so that's all the settings and I'm out of breath.\r\n\r\nUnknown Speaker 1:13:05 \r\nOkay, how let me check in. How are you? Are you are you panting for breath? Are you okay? We've just done this was the fire hose. Okay? Dizzy is legitimate. That's a lot. Okay. And my goal again in that section was simply to give you a lay of the land. There's only a few things in here. If you notice, there's only a few things that you're gonna need to go in and set. Primarily we're going to focus on DNS, SSL, and security. Those are my main areas. Okay. So, what are we doing next? 
I am going to give you my recommended settings for each of the areas we're gonna do that probably I hope we can fit that in before 3pm Central. We're going to take a five minute break, because I need to breathe and then we'll do some recommended settings. So we're actually going to go now right back into these areas that we've looked at and I'm going to show you some the actual recommended rules and things like that, that you're gonna want to implement. Now from that tomorrow. We're actually going to migrate a site into Cloudflare and do all this stuff live. Sound good?\r\n\r\nUnknown Speaker 1:14:17 \r\nOkay, so break for five minutes. It is now about to be 12 minutes after so we'll come back at 2:17 Central time so 17 minutes after and we will be quiet until then.\r\n\r\nUnknown Speaker 1:18:47 \r\n30 second warning, we're back in 30 seconds from now.\r\n\r\nUnknown Speaker 1:19:32 \r\nAll right, part two, let's talk about some recommended settings. Now. First of all, in this section, there's a couple of caveats. We're going to look at the Cloudflare settings that I use. Okay, these are the ones that I've decided work well for me and my clients. And I'm specifically going to talk about what has changed from the default. Okay, so we just looked at everything. We're going to put a filter in place and now only the things that are going to change from the default settings are what I'm going to cover now with this again, caveat, disclaimer, slash scary warning, scaly emoji grimacing emoji, okay. Is this is this bold enough for you?\r\n\r\nUnknown Speaker 1:20:16 \r\nVery important. These are based on my experience with how we are using Cloudflare currently in my agency. So as with settings, recommendations of any kind at all, you need to test these for your specific use case. Cloudflare's tools can block legitimate traffic if they're not used correctly. Okay. 
Now in my experience, we've had to adjust certain rules in situations where there's external calls to webhooks, certain SEO tools, uptime, monitoring, all sorts of things can be a little different. So I'm providing some very basic settings that we use on all of our sites. They may not be the right settings for your sites. Okay, that's why it's important to look at those event logs, try it on one site, look at the event logs, make sure nothing's getting blocked, etc. So they get sometimes sites require these granular adjustments and it might take a little bit to dial them in so pick a site. Do that one make sure everything's good before you do. We all put 50, 80, 100 sites into all these settings, because they would then have to be changed individually. That's not fun. All right. So Cloudflare can significantly increase your security but with great power comes great responsibility. So just keep all that in mind. Do not blindly apply these settings without understanding how they're going to impact your website. So again, educational purposes only, you alone are responsible for the actions you take. In other words, don't call me if you break something or you know, ask an office hours question but is that, is that a good enough disclaimer?\r\n\r\nUnknown Speaker 1:21:59 \r\nAll right. Let's take a look at DNS records.\r\n\r\nUnknown Speaker 1:22:04 \r\nSo let's move on into this area first. This is one of the places where I mentioned that you'll probably spend some time so here's a pretty typical DNS record setup that's being used for WP Nathan currently. So the first thing you'll notice here is proxied. Now what proxy means, okay, this is the actual IP address of the server. This this little this Liquid Web VPS that WP Nathan exists on. But if I go to ping, this address, notice it doesn't give this server IP address. And why is that? Cloudflare is proxying the IP address which basically means it's hiding it. 
So this 104 2147 162 IP address is what the world sees when it says where's WP Nathan located, this IP address, but that's not the IP address of the server. This is really good because you unless you know in most cases you're going to want to hide the actual IP address of the server, the real live raw IP address, you're gonna want to hide that from the world. It just puts a layer of security between hackers and your server itself. So that's what proxying does. You can turn this off if you want, but I wouldn't recommend it. So the recommendation is proxy all A records and the CNAME for www.\r\n\r\nUnknown Speaker 1:23:35 \r\nBut other CNAMEs like in this case, I don't even know why we still have this one but FTP dot and like this is the Postmark record. Postmark will not validate this record for the CNAME unless the proxy's turned off. So for a lot of CNAMEs, especially those used for validation, you're going to want to make sure that proxying is off.\r\n\r\nUnknown Speaker 1:23:59 \r\nUnless you know for sure that proxying isn't going to get in the way of that traffic proxying a CNAME can often get in the way of the server that's handling that traffic knowing that the traffic is correct, and it can cause weird things to happen. So proxy the A records, generally do not proxy CNAME records. Now here's another pro tip.\r\n\r\nUnknown Speaker 1:24:21 \r\nIf you like me enjoy having the ability to spin up quick staging sites. I in my case on cPanel I love the WP toolkit. It'll just spin up a quick staging site.\r\n\r\nUnknown Speaker 1:24:32 \r\nYou would normally have to go out and actually create an A record for whatever that subdomain is. But if most or all of the subdomains you're ever going to create for this domain are going to the same place. They're all on the same server. Then what you can do is just set up a wildcard record. 
The name has an asterisk and it points here which means unless otherwise defined by another A record that any other traffic, you know, whatever dot WP nathan.com goes to this server. So it's super helpful. It doesn't prevent you from directing traffic elsewhere. You know we could, you know, we could specifically define a subdomain to go to another IP address. But otherwise, the catch all is pointed to the server and it's really helpful. So add a star record. That's a good thing. All right. We talked about DNSSEC. Let me just show you how this works. Here under DNSSEC. Oh, I haven't. I'm going to disable this earlier. Let's that's going to take a minute. Doggone it. Sorry about that, y'all.\r\n\r\nUnknown Speaker 1:25:43 \r\nOh, I'm gonna have to remove it from here. Well, I can probably just show you how this works. So here, oh, it's WP one dot Dev. Let me go. Let me get one second. Let me get over to the WP Nathan.\r\n\r\nUnknown Speaker 1:26:01 \r\nAnd I'll show you where this DNS record is set up.\r\n\r\nUnknown Speaker 1:26:06 \r\nSo again, this is GoDaddy. You've all probably used GoDaddy, most other registrars are going to be this way as well. Here under DNS, there's a setting for DNS record. And here is the value that Cloudflare gave me. I'm going to delete this\r\n\r\nUnknown Speaker 1:26:23 \r\nlet's see how long it takes to create if it sees it right away. Okay, I'm gonna give that just a minute. We'll come back and I'll show you how to create the record. But it's basically Cloudflare is going to give you the value, you put it in over the registrar and that validates your traffic for DNSSEC to work correctly. We'll come back to that in just a minute.\r\n\r\nUnknown Speaker 1:26:42 \r\nAll right, so SSL TLS again, encryption method full I talked about that a lot earlier, so that hopefully that doesn't need any more explanation. Under edge certificates. Always use HTTPS is on and minimum TLS version 1.3 or 1.2. We talked about that earlier. 
You're probably fine to go 1.3 I've only the really old browsers, right. So all the rest is default settings. And now we get into the WAF rules slightly that we're already past SSL. It's not that hard. Once you see the lay of the land and all the details now we can just focus on the things we need to change. And it's not that terribly complicated. Let's do a quick check for the Yes, right. Oh, okay, good. That's ready. So here's the process, rewinding a bit, to do DNSSEC. I'm going to click Enable.\r\n\r\nUnknown Speaker 1:27:37 \r\nAlright, here's all the stuff. Let's go over to DNS records and I'm going to add one.\r\n\r\nUnknown Speaker 1:27:45 \r\nAll right, so I need the first the Key Tag and it's not necessarily in order. So Key Tag is here.\r\n\r\nUnknown Speaker 1:27:52 \r\nBoom. Algorithm is 13. I don't know what that means. I'm just going to put it there. Digest type is this or I can click to copy.\r\n\r\nUnknown Speaker 1:28:06 \r\nOh, that's this digest. Is there and digest type oh two.\r\n\r\nUnknown Speaker 1:28:13 \r\nRight there, I hit Save.\r\n\r\nUnknown Speaker 1:28:19 \r\nAnd it's gonna think about it for a minute.\r\n\r\nUnknown Speaker 1:28:22 \r\nConfirm.\r\n\r\nUnknown Speaker 1:28:24 \r\nAnd it's got to wait and validate. That's all it is. It's just basically it's like adding any other DNS record. And that will help to further validate that the traffic that's coming to my domain is correct.\r\n\r\nUnknown Speaker 1:28:39 \r\nThere it is. Done. Super simple.\r\n\r\nUnknown Speaker 1:28:44 \r\nclass has a great question.\r\n\r\nUnknown Speaker 1:28:46 \r\nThat this process was for a domain that's registered at an external registrar. For Cloudflare, it knows, like if you've registered your domain at Cloudflare. We'll talk about Cloudflare for domain registrations tomorrow. But if there's just a button, you push the button, it adds the record and validates, it's done. It's like a one-click thing. That's all you have to do. 
Pretty neat.\r\n\r\nUnknown Speaker 1:29:06 \r\nOkay, any other questions about that before we move on?\r\n\r\nUnknown Speaker 1:29:12 \r\nAll right, we went through the rest of this, full encryption mode, edge certificates. Now we're into the fun part which is security. Here are some suggested WAF rules. And um, they're all defined here already, and I'll show you what they look like. So when you get into a WAF rule as you create a rule you have the ability to either do an Expression Builder, which lets you kind of compose with a visual editor like country does not equal you know, it lets you create records like this. And or and you can stack those down. Now notice what's happening here, though. There's an expression preview and so there's this expression that's being created based on the visual here. So let's see if country does not equal United States and I don't know\r\n\r\nUnknown Speaker 1:30:15 \r\nand it's unknown bot, whatever, right? So it continues to build the expression based on what you build up here. Now for these predefined rules. We don't need all like it will take you a while to actually reproduce this rule in the builder, but instead what we can do is this.\r\n\r\nUnknown Speaker 1:30:37 \r\nCopy this expression. I'm going to call this the challenges rule.\r\n\r\nUnknown Speaker 1:30:43 \r\nYou can do edit expression, and just paste in there.\r\n\r\nUnknown Speaker 1:30:49 \r\nAnd what so the action is going to be managed challenge and hit Deploy.\r\n\r\nUnknown Speaker 1:30:59 \r\nAnd look, it actually created the rule in the builder. So I can still modify it here if I want to.\r\n\r\nUnknown Speaker 1:31:06 \r\nBut I don't have to actually create it. I can just paste in the expression. And that's what I would recommend that you do for these basic rules. Does that make sense? 
Does everybody see the process here?\r\n\r\nUnknown Speaker 1:31:20 \r\nI want to pause just for a minute to make sure there any questions?\r\n\r\nUnknown Speaker 1:31:26 \r\nWhat drop down that I choose here? Or action is managed challenge. There's this drop down up here.\r\n\r\nUnknown Speaker 1:31:35 \r\nCan y'all see this drop down on the screen share?\r\n\r\nUnknown Speaker 1:31:40 \r\nOkay, good.\r\n\r\nUnknown Speaker 1:31:42 \r\nSad. Sorry about that. So this is just an example rule. But when you put in your challenge rule, you're gonna whatever country you're in, or whatever, like for example, we have one customer that only does business or they primarily do business in the US, Canada and about seven European countries. And so all those are in this is not in rule, but every other country as a result is going to get a challenge because they're not typically going to get traffic from those countries. And that lets us weed out bot attacks for example, that aren't coming from those specifically defined countries. Makes sense? So add, you're gonna want to add the countries that you're typically going to want legitimate traffic from. Right. So that really helps. Karen, first drop down on not getting the open field. Oh, okay. All right. So let's start over again.\r\n\r\nUnknown Speaker 1:32:42 \r\nLet me delete this rule that I just created. All right. I'm gonna do create rule once again. I'm gonna give this a rule name, call it whatever you want.\r\n\r\nUnknown Speaker 1:32:54 \r\nChallenges, and click right here. Edit expression and paste in there.\r\n\r\nUnknown Speaker 1:33:01 \r\nThen you can save it as a draft if you want or whatever or just click Use Expression Builder and that puts you back into the builder here.\r\n\r\nUnknown Speaker 1:33:08 \r\nSo this edit expression is 100% your friend. It makes this so much easier.\r\n\r\nUnknown Speaker 1:33:16 \r\nAll right, any other questions? 
About the process of adding a rule before I go on?\r\n\r\nUnknown Speaker 1:33:27 \r\nOkay, so these rules I've actually added in here already, and I'm just going to go down one by one and show you how they work. And so the first rule is our challenge now by the way, I put in whenever I'm doing a rule, our prefix for our agency for code we write in for other things is BWW, Brilliant Web Works, but your own little this what this lets me know is it's our rule. Basically that's why that's there. So I'm going to go here to our challenges rule. And you'll notice it's this first one here, you can edit the rule in the expression if you want and put the two letter country code and if there's more you can just stack amend the expression itself or use the expression builder. Either way. Melanie, does order matter for firewall rules? Yes. And I'll show you that in just a minute. But Cloudflare processes these rules in order. And that's going to matter here in just a minute. Great question.\r\n\r\nUnknown Speaker 1:34:26 \r\nSo here's something I want to talk about. So we've talked about managed challenge already. This is the kind of the interstitial screen that we saw that challenges, are you human. It's the same thing as Cloudflare Turnstile. Okay. Cloudflare Turnstile is the Cloudflare managed challenge in a widget that can be applied to just a form or you know, a login or whatever. Okay? So just think about it in those terms. Turnstile equals a managed challenge, managed challenge, just full screen. Whereas Turnstile is a widget that can be added to a form submit or login or that sort of thing. There are a bunch of other actions that can be taken here. Like I don't want to do anything. I just want to log this traffic. I want to block this traffic altogether. This is a JavaScript challenge. This is the pre managed challenge way that Cloudflare used to block or challenge traffic. I don't use that at all anymore. It's not as good as managed challenge. Use managed challenge. 
This also the skip this traffic so some way I can notice that this traffic is good and legitimate. I always want to skip it. I have a rule. That action can do that. And interactive challenge again. It's I don't use that at all, use managed challenge. That's just the best way to do it. Because a lot of times the managed challenge, if it has seen what this browser is doing, it knows it's probably legitimate. And so it's you let Cloudflare manage whether or not this user or bot or whatever is going to be challenged with a checkbox, right. So just use managed challenge instead of interactive or JavaScript challenge, it's just better. Does that make sense?\r\n\r\nUnknown Speaker 1:36:11 \r\nOkay, so let's get into each of these. We just look at this one. So this is and by the way, what I like to do is cluster my rules, usually around what the action is. I only have five rules, right? And so I want to be able to get the most bang for my buck. And so I tend to cluster the rules around what action I want to happen. So I'm going to start with this, this challenge rule. So any kind of traffic that I want to give a challenge to is going to go into this rule. So the first is, and this is probably my favorite rule out of all the Cloudflare rules. It is probably the most helpful rule and that is if you come to the WP any URL that comes in to wp-login, so even by the way, like if you're logged out and you used to go to wp-admin to log in, it's going to forward you to wp-login.php, query string blah blah blah. So if the URI path, this is your URI, same thing, essentially is URL. So if the path coming in being requested from the server contains that wp-login, I want to challenge that if it like for here for a WooCommerce as my account is their default login page, right? If you have a membership site, where you've customized a login page, put that URL here. So whatever the login page is, that I want to challenge that traffic. 
And what that lets me do is like Stacy is saying, it's way better than hiding the login page to try to make it where bots can't find it. That's a terrible strategy that doesn't really work. Or it's even better than using something like Solid Security to put a CAPTCHA on the login page. I don't even do that anymore. Because all of that traffic is being challenged at the network level. Is it bad to use a plugin like Solid Security to protect the login page with even a Cloudflare Turnstile? It's not bad, but I want that traffic filtered out at the network level so that the login page doesn't even have to load, right? So do that at the network level. You don't even have to put a CAPTCHA on your login page at all. Just make sure that all your potential login pages are listed here. So if you've got another URL, you could do like, you know URI path contains, you know, login or whatever it is right?\r\n\r\nUnknown Speaker 1:38:41 \r\nAnd just you can keep stacking those up with AND or OR statements.\r\n\r\nUnknown Speaker 1:38:46 \r\nThat makes sense.\r\n\r\nUnknown Speaker 1:38:49 \r\nSo that's our first rule.\r\n\r\nUnknown Speaker 1:38:52 \r\nSecond rule is a skip rule. Now I put these in order of priority and this skip rule will tell you why.\r\n\r\nUnknown Speaker 1:39:02 \r\nThis is a big rule. There's a lot of stuff here. So I've given you the whole rule to copy here. Now right here, notice, boom, this is the IP address of the server. So whenever you know whenever you go to add this rule, you're gonna want to, for your purposes, wherever you're copying from put your server IP address in here, because any request that comes from my server, I don't want Cloudflare to do anything with we want that to happen. So here's our skip rule.\r\n\r\nUnknown Speaker 1:39:37 \r\nSo if it's a known bot, and it has one of these AS numbers.\r\n\r\nUnknown Speaker 1:39:47 \r\nLet's talk about AS numbers for a minute. 
So an AS number probably best to be seen here in our events. Let me load our events page.\r\n\r\nUnknown Speaker 1:39:59 \r\nAlright, so here's a skip rule.\r\n\r\nUnknown Speaker 1:40:12 \r\nKaren, if you're getting an error, it's probably because you haven't selected the action here skip.\r\n\r\nUnknown Speaker 1:40:21 \r\nYou did.\r\n\r\nUnknown Speaker 1:40:23 \r\nWell, let's just try copying the expression in and trying it ourselves here\r\n\r\nUnknown Speaker 1:40:39 \r\nYeah, it's working.\r\n\r\nUnknown Speaker 1:40:42 \r\nI don't know, check your copy because it does work. That's odd.\r\n\r\nUnknown Speaker 1:40:49 \r\nAnyhow, so ASNs. You can see these right here. So an ASN is think of it this way. It's like a\r\n\r\nUnknown Speaker 1:41:01 \r\nIt's one number that a company like Google can use when Google has hundreds and hundreds or thousands of IP addresses. And it would be hard for you and they may even change IP addresses from time to time.\r\n\r\nUnknown Speaker 1:41:15 \r\nThis ASN is sort of a placeholder for all of those addresses. So you can create firewall rules based on the ASN and know that it's going to affect all these Google IP addresses. And so there's all these ASNs that are listed here are of known services. I've given you a way down here at the very end of the document what to for Sorry, sorry, if I'm making everybody nauseous. So I've given you a table of popular ASNs here. You can also look those up with links like this one, and add your own but these are for the most part some of the most popular ones. And many of these are included in that firewall rule, but this is one that again, you're going to want to tweak this to have the traffic that you want.\r\n\r\nUnknown Speaker 1:42:09 \r\nBut in general, this is going to work.\r\n\r\nUnknown Speaker 1:42:13 \r\nIn general, what I've got here is going to work in most cases, just make sure you update your IP address here. 
Okay, so got this list of\r\n\r\nUnknown Speaker 1:42:25 \r\ngood ASNs so it's a known bot, and it's one of these bots. Okay. It's an there are a lot of Cloudflare bots that are known that I don't want to, you know, have access to the site. Like one of the really bad ones is Semrush. Like they will hit on your site with their bots sometimes. Anyway.\r\n\r\nUnknown Speaker 1:42:50 \r\nSo, yeah.\r\n\r\nUnknown Speaker 1:42:55 \r\nWhy would you want Stamps.com? Because, if you're, for example, with a WooCommerce connector, you're going to want if you don't exclude Stamps.com, the WAF rule will get in the way of WooCommerce talking back and forth to Stamps.com.\r\n\r\nUnknown Speaker 1:43:11 \r\nYep, so this is again, if you're anytime you're this is with much power comes great responsibility. Okay, so you're putting a rule and that's going to block traffic. If traffic is being blocked and something's not connecting. Now you go into the event and say, Oh, here's that traffic now I can you know, you can find that ASN to that external service in your event log and then add it to your list of good ones.\r\n\r\nUnknown Speaker 1:43:39 \r\nOkay, so I've added another few things here that are commonly blocked. So for example, if you're using the Gravity Forms Stripe add-on, okay, then I want to make like this is part of the query string for every that should have\r\n\r\nUnknown Speaker 1:44:02 \r\nyour webhook for Gravity Forms, always includes Gravity Forms Stripe, your webhook for WooCommerce always contains this bit of text. So basically what this is doing is this is a good rule for all sites. So if the traffic is coming to a Gravity Forms webhook or a Stripe webhook, if you're using other plugins that have different webhooks, just add them in here. Like this, or replace Gravity Forms with your plugin, that sort of thing. 
But you're that way, you're letting legitimate traffic to that webhook for the payment processor come through.\r\n\r\nUnknown Speaker 1:44:36 \r\nHere's another one. User agent is GTmetrix or we use Better Uptime to monitor our site. So user agent contains Better Uptime. If you don't use Better Uptime, don't use this part of the rule.\r\n\r\nUnknown Speaker 1:44:49 \r\nHere's our server IP address.\r\n\r\nUnknown Speaker 1:44:53 \r\nRight now in Davis, right? If you have other payment processors, whatever that webhook is that they give you just find the particular piece that's not going to change. Like the WooCommerce Stripe webhook has a whole bunch of characters after this right? But this part is always the same. That way you can create a rule that you don't have to change from site to site.\r\n\r\nUnknown Speaker 1:45:20 \r\nAnd then, you know, here's the IP source address is my server for verified bot category is search engine crawlers or webhooks. Okay, so why, you know, I can choose webhooks here, but I've also specified some webhooks.\r\n\r\nUnknown Speaker 1:45:36 \r\nI know webhook has having that as a rule is good, but I don't necessarily trust that part. Cloudflare is always going to catch all my webhooks with that. So I'm going to specify just to be sure, so this is fine, but I'm always specifying the actual some contents of that webhook URL. Okay, so does this bit make sense? In that many external SaaS calls this you want to, you want to allow those through, okay. Now the action for this is skip.\r\n\r\nUnknown Speaker 1:46:09 \r\nBut make sure that you check and this actually Karen may be where your error is coming from.\r\n\r\nUnknown Speaker 1:46:14 \r\nCheck all the boxes, check all the boxes, otherwise you're not telling it to skip anything.\r\n\r\nUnknown Speaker 1:46:24 \r\nSo we don't if the traffic meets any of this criteria, I always want to skip it. Okay, that was it. Karen Awesome. 
Now, does that make sense everybody?\r\n\r\nUnknown Speaker 1:46:40 \r\nOkay, one thing here and I don't know how to fix it in the handout. This is very important. Notice how there's a line break here.\r\n\r\nUnknown Speaker 1:46:50 \r\nThis, if you copy this, it creates a problem. I just noticed this.\r\n\r\nUnknown Speaker 1:46:57 \r\nLet me go into the expression editor and paste this in.\r\n\r\nUnknown Speaker 1:47:03 \r\nSee how there's a space here.\r\n\r\nUnknown Speaker 1:47:06 \r\nMake sure you delete that space. Otherwise, it's not going to match the exact URL. I'll see if I can update the handbook for that. I'll figure out how to do that. But just for now. If there's a space here, it's not going to match that URL. So make sure it doesn't have a space\r\n\r\nUnknown Speaker 1:47:26 \r\nokay\r\n\r\nUnknown Speaker 1:47:32 \r\nall right. Next okay. This is a locked down WordPress rule. This is pretty refined from lots of different suggestions that I've read and seen and I've tested.\r\n\r\nUnknown Speaker 1:47:45 \r\nAnd it this is pretty darn powerful. So again, this is one of those rules. Okay. If the traffic meets any criteria in this rule, it's going to be blocked period, which means you better be sure that you're not catching the legit traffic here. Okay. But you'll see how this works. So I'll go copying this. And notice there's some instances of the domain name of the site here that you'll want to replace with your domain.\r\n\r\nUnknown Speaker 1:48:15 \r\nBut let's look at what it does.\r\n\r\nUnknown Speaker 1:48:18 \r\nAll right. There's absolutely no reason whatsoever that any site or any match any request from the server should contain wp-config if it's not coming from my site, to block that. There's no legitimate reason that should happen or there's no reason like we don't use XML-RPC at all ever. So we're gonna block any traffic that comes to XML-RPC. 
Period.\r\n\r\nUnknown Speaker 1:48:46 \r\nSame thing for if somebody is trying to get to wp-content, and it's not coming from my site. I'm gonna block. Now that can impact Google image searches. So make sure you may not want this if you want the images on your site showing up in Google image search.\r\n\r\nUnknown Speaker 1:49:05 \r\nBut I don't want that so I'm blocking all that traffic. Same thing for wp-includes, there's a lot you'd be surprised how much traffic comes in matter of fact, let's just I mean, look at this. Look at the traffic that's coming in. From what traffic that tries to come in from.\r\n\r\nUnknown Speaker 1:49:26 \r\nYeah, look at this garbage. Here's traffic that's coming in. I don't even know what this is they're trying to access. This is some image. Here's something that's trying to access a lot of this images. There's all this garbage traffic and look at this. What the heck would anybody need you know, here's some Amazon server that's trying to get to this wp-content, whatever. This is like they're testing for security issues. And we're just blocking all that traffic. Right? And look, there's 192 items in the last 24 hours that have hit this rule. It's crazy.\r\n\r\nUnknown Speaker 1:50:04 \r\nPlease grab this, this this.\r\n\r\nUnknown Speaker 1:50:08 \r\nSo what's happened here is some hacker has spun up in some Amazon server to do this hacking, or it's a site that's been compromised. Crazy and this is WP Nathan, which is a dumb garbage site. Right?\r\n\r\nUnknown Speaker 1:50:29 \r\nAnyway, you see all this stuff, and so this blocks all that garbage traffic. Another thing here if the country's coming in from the Tor network, you're not going to want that, that's going to be bot traffic. A lot of by the way. A lot of form spam comes in this way.\r\n\r\nUnknown Speaker 1:50:45 \r\nIf the URL, if the path contains wp-content and it's a PHP file, I want that out of there. 
We don't use ASP at all in WordPress so filter that out. If the traffic is not a known bot, and it's trying to do anything, post anything on WP Nathan so this filters out a lot of form spam traffic or you're trying to post either things into login fields, or post comments anything like that this just blocked all that traffic. I did add this when I was testing this rule, just to make sure that the host name it's not coming from my site. And it's not in it's not trying WordPress is trying to do a cron I was finding that legitimate WordPress cron jobs were being blocked by this. So that's why I added this extra little bit here.\r\n\r\nUnknown Speaker 1:51:41 \r\nSo here's another one if it's not a known bot, and it's going to admin-ajax, admin-ajax is again another bit of form spam prevention that filters that out. Here it so we're going to filter out post and let's see, why is this this rule is duplicated.\r\n\r\nUnknown Speaker 1:52:01 \r\nLike that out. Sorry about that. And again, there's just an actual I'm posting to the comments PHP file. So most of this is a form spam and comment spam traffic.\r\n\r\nUnknown Speaker 1:52:16 \r\nDave, on the ASP if you have redesigned a site that was based on this?\r\n\r\nUnknown Speaker 1:52:22 \r\nThat's a great question. So if you are taking over a site that previously had ASP, it was built on ASP, then that's probably something you want to take out. Yeah. Otherwise, it's going to block the traffic completely. You don't want that you want to show a 404 page with hey, we've redesigned blah, blah, blah. So that's a good example of don't just apply these rules wholesale, know what you're doing and know that oh, I need to take out that part of the rule, at least for now. That makes sense, everybody? So the action here is block and you're blocking stuff at the net, the network level, they're going to see a Cloudflare block screen. 
It's not ever going to even hit your server.\r\n\r\nUnknown Speaker 1:53:02 \r\nLet me show you a little trick. How many of you are using something like TextExpander or in my case, I use Typedesk to do like little macros that explode into things, right? Like this macro here that I use, and sometimes you'll see this. Like it'll come in as slides. When I do slides. Typedesk explodes into this pre-configured bit of text. So I've set up all these Cloudflare rules actually in Typedesk, and some of them have variables. So watch this if I was going to set this rule up for the first time. This is set up as\r\n\r\nUnknown Speaker 1:53:42 \r\nthe F three boom Okay, so it comes in over here. So here's my thing. Oops.\r\n\r\nUnknown Speaker 1:53:57 \r\nSo it I'm gonna have to show this here. Alright, so you have three this, okay, what is my domain? That would be nathan.com.\r\n\r\nUnknown Speaker 1:54:04 \r\nIt fills out with there's variables. So I've set up my exploder to have the variable for the expression of the website. So now when we go into add rules, I have CF one, CF two, CF three, it just drops all the expression in with a variable for the website, right? So I don't have to go in and change that every single time. So that's just a little time saver. Pretty cool.\r\n\r\nUnknown Speaker 1:54:29 \r\nAll right. Here's our next rule.\r\n\r\nUnknown Speaker 1:54:33 \r\nSo we have our skip rule. We get our block rule. Now. This is one I don't know I added this one, just to have something else to show you.\r\n\r\nUnknown Speaker 1:54:44 \r\nHere we go. So this, this can be heavy handed, but it also might be good. This is an example of how do I filter bot traffic? Right. So you may or may not want to use this rule. I don't know. Look what it does. So if it's not the Google bot or the Bing bot or the bot or the Facebook bot or slurp which is Yahoo I think, or Alexa and it's a known bot. 
So Cloudflare actually has this list of known bots.\r\n\r\nUnknown Speaker 1:55:17 \r\nAnd it's pretty extensive. There's 717 pages of this you can see all the things they do have categories too anyway.\r\n\r\nUnknown Speaker 1:55:31 \r\nSo this is an example of a rule that I probably wouldn't use on every site.\r\n\r\nUnknown Speaker 1:55:36 \r\nBut so if it's a known bot, and it's not one of these, or like a this, the crawler category is AI crawler, then give it a managed challenge or you could say give it block. So if you want to stop AI bots crawling your site, you can do it at the network level if you want. And this is a way to do that. So the bot category, there's a lot of different ones here like you can do. Like I don't want any SEO crawlers. Let's see how about is in.\r\n\r\nUnknown Speaker 1:56:09 \r\nI don't want any SEO crawlers. I don't want any AI crawlers.\r\n\r\nUnknown Speaker 1:56:14 \r\nNow this is not Googlebot for example. This is SEO crawlers like Semrush and things like that. Phoebe, why not say if it's not a known bot instead of listing those out? Great question, because known bot no means it's any traffic. Just that doesn't say it's a bot and I know what it is. Known bots means it's not in this list of predefined known bots, right? It doesn't say it's a bot and it's unknown. Now there are rules like that. If you upgrade to the enterprise level, you get a lot more control over. I think it's a bot. I don't think it's a bot but we don't have that control at the free level. So you have to do it. That makes sense?\r\n\r\nUnknown Speaker 1:57:04 \r\nDave has a question if you're doing this on an existing site, and the client's looking at traffic. Oh, yeah. Okay. So this is the double edged sword. Okay.\r\n\r\nUnknown Speaker 1:57:14 \r\nSo what Dave is asking is essentially, am I gonna see a traffic drop in Google Analytics? If I do this? And the answer is likely yes. And perhaps a significant amount of traffic drop. 
But the conversation I have with a client is this is actually making your analytics reports more valuable because the traffic that's reaching the site are actually people and not garbage bot traffic, and attack traffic and things like that. So you will see a drop in traffic. But this will actually make your analytics reports more valuable. Because I mean, think about this, you know, bot traffic isn't likely going to make a conversion. So if you've got a report set up in Google Analytics for tracking conversions, and only 3% of your traffic is converting, well, what if 90% of your traffic is crap traffic? Well, then your conversions go up significantly. Oh, wow. Actually, this is more successful than we thought. Right.\r\n\r\nUnknown Speaker 1:58:10 \r\nSo does that make sense everybody? Here's an example of a way to filter out some of the stuff I probably would not use this on every site. And you still even after that, we'll have another rule that you can create. And this is for fine tuning, you know, and moving things along.\r\n\r\nUnknown Speaker 1:58:29 \r\nOkay, good grief. It's almost three o'clock and I got a lot more to do. So I'm gonna move on. Any other questions about this before we move ahead.\r\n\r\nUnknown Speaker 1:58:38 \r\nI do want to show you the rate limiting rule here.\r\n\r\nUnknown Speaker 1:58:43 \r\nWe actually may stop here, before tomorrow. So this is a really good rule, I think is super helpful. So in case you weren't watching, we're at Security, WAF. We were just at custom rules, which is the default page. We're now going to the rate limiting rules tab. It's going to delete this and start over.\r\n\r\nUnknown Speaker 1:59:03 \r\nYou see it, we're going to create a rule and in the same way here, this is going to be our anti flood, oops, anti flood rule. 
We're going to edit our expression\r\n\r\nUnknown Speaker 1:59:15 \r\nand we're going to say\r\n\r\nUnknown Speaker 1:59:21 \r\nwhen the rate exceeds 10 requests, at the free level, we only have a 10 second period.\r\n\r\nUnknown Speaker 1:59:29 \r\nSo let's take a look at what we're doing here.\r\n\r\nUnknown Speaker 1:59:34 \r\nWhy not?\r\n\r\nUnknown Speaker 1:59:53 \r\nInteresting, okay, well, oh, see what it's supposed to be. Alright. So, anti flood if it is not a verified bot\r\n\r\nUnknown Speaker 2:00:06 \r\nand\r\n\r\nUnknown Speaker 2:00:09 \r\nthe URI path contains\r\n\r\nUnknown Speaker 2:00:18 \r\nthe PF not calm and\r\n\r\nUnknown Speaker 2:00:23 \r\nverified bot category is not a search engine crawler.\r\n\r\nUnknown Speaker 2:00:30 \r\nOkay, so what we're saying is, it's not a good bot.\r\n\r\nUnknown Speaker 2:00:34 \r\nIt's coming to the site. This is actually redundant, we could probably get rid of that.\r\n\r\nUnknown Speaker 2:00:39 \r\nInteresting.\r\n\r\nUnknown Speaker 2:00:41 \r\nAnd it's not a search engine crawler, and it's hitting my site more than 10 times like one time a second. Then I want to block it. For as long as possible, which is 10 seconds.\r\n\r\nUnknown Speaker 2:00:56 \r\nOh, you're right. It was missing the opening parenthesis. So there's another correction.\r\n\r\nUnknown Speaker 2:01:03 \r\nSo we'll deploy this and this is going to stop a lot of bot attacks. You know, you need a higher level of Cloudflare to fully block the traffic. But this at least throttles it back just a little bit.\r\n\r\nUnknown Speaker 2:01:18 \r\nSo that can be helpful.\r\n\r\nUnknown Speaker 2:01:20 \r\nMoving on down here to our bot setting. Again, we want Bot Fight Mode off. We talked about that already. How much further do I have to go? I got a lot of rules to go. Okay, I'm gonna stop right here. And we'll pick this up tomorrow.\r\n\r\nUnknown Speaker 2:01:35 \r\nAll right, pausing for a moment. 
Questions, comments?\r\n\r\nUnknown Speaker 2:01:41 \r\nAnything unclear in what we've seen today? Because your homework is if you don't have a Cloudflare account, go set it up. And do that tonight. Before tomorrow. Come on in with a little bit of experience under your belt. It's free. And maybe you start applying some of these settings to a site and you can actually go forward I've given you all the tools you need to kind of follow this and add the additional rules that are there. We will talk through this starting at speed tomorrow.\r\n\r\nUnknown Speaker 2:02:10 \r\nPaul, I would not do this on a client site unless you're brave enough to you.\r\n\r\nUnknown Speaker 2:02:16 \r\nDo it on a site that you control, a low value site, just so you can see how it works. I'll everything clients is going to be tomorrow.\r\n\r\nUnknown Speaker 2:02:24 \r\nDoug, regarding the WAF. If I block the UK with a managed challenge, and Google is still indexing my site in the search engine results, what happens to a UK visitor when they click the search link to my website? They're gonna get a managed challenge.\r\n\r\nUnknown Speaker 2:02:40 \r\nYeah, so just to correct so you don't block anything with the managed challenge. It just puts up this.\r\n\r\nUnknown Speaker 2:02:51 \r\nIt's going to say if I go to try to log in here this screen right here.\r\n\r\nUnknown Speaker 2:02:58 \r\nWell, eventually who?\r\n\r\nUnknown Speaker 2:03:05 \r\nThis, this screen right there. That whole process was a managed challenge. I didn't have to click anything because it already knew that my was legitimate. But any traffic that you present a managed challenge. So if the rule is if the traffic's coming from the UK, then give a managed challenge. It's there. It's not blocked, you just have to pass through the gateway, pass through the turnstile to get in. So if a user is outside your set geographic areas in Cloudflare for a challenge, they'll still see their search result. 
They'll click it, they'll pass you the challenge, they'll act they'll access the website. Yeah, it does put a barrier you know they have to pass through. Now you know, if you want to block the traffic altogether, you can do that. Just make the action block instead of managed challenge.\r\n\r\nUnknown Speaker 2:03:56 \r\nI wouldn't do that typically, you know, the goal for filtering traffic is generally I want to get rid of bot traffic that's coming from GeoIP sources that are not generally where my customers are going to come from. So that cuts out a lot of the bot traffic at that geo level. Does that make sense? Everybody?\r\n\r\nUnknown Speaker 2:04:19 \r\nAll right. Any other questions? Before we call it a day?\r\n\r\nUnknown Speaker 2:04:27 \r\nOkay, so everybody, all right.\r\n\r\nUnknown Speaker 2:04:32 \r\nOkay, Karen, can you copy all these settings and rules from one site to another? Wouldn't that be great?\r\n\r\nUnknown Speaker 2:04:40 \r\nThat would be great, wouldn't it? And the answer is no. You can't they have to be set up individually. I know right? It may be one day that will let us do that. I don't even think in the premium version. Paul. I've not seen that.\r\n\r\nUnknown Speaker 2:04:54 \r\nBut here's here's the thing.\r\n\r\nUnknown Speaker 2:04:58 \r\nI really really got deep into Cloudflare last fall, when in the process of migrating to a new server we just decided to put all of our clients under Cloudflare in that process.\r\n\r\nUnknown Speaker 2:05:10 \r\nSo we moved, you know, plus or minus 100 sites through Cloudflare and onto the new server. And once you start doing this, like I can move a site to Cloudflare pretty much in my head now and it takes just five minutes or so it's done. Boom, boom, boom, boom, you kind of get used to what the settings are.\r\n\r\nUnknown Speaker 2:05:30 \r\nIt's not it. It looks like a lot at the first glance. 
But as you're seeing from where we went from all the things, and page by page now down to just the things that need to change. There are far less and at the end of the document by the way at the end of the document to here and resource number two, here is the Cloudflare setup process. And I'll walk you through exactly the things to change. And that's it.\r\n\r\nUnknown Speaker 2:06:06 \r\nIt takes just a few minutes once you get used to how this works.\r\n\r\nUnknown Speaker 2:06:10 \r\nDo I have ASN or IPs for managed WP? No. So this is a good question. Alright. So you will at the beginning before you do your first site what are all the services that I use? Right? And so it's reached out let's just say manage WP I don't know if they have a public list.\r\n\r\nUnknown Speaker 2:06:36 \r\nLet's see right here. So you'll a lot of times find posts like this. What are the IP oh look, here they are.\r\n\r\nUnknown Speaker 2:06:45 \r\nAnd a whole bunch of others. So there's a oh my gosh, Holy mackerel. There's a bunch of them. So, you know, here's a list and and I would verify with the support. So send in a ticket and make sure you have the actual\r\n\r\nUnknown Speaker 2:07:02 \r\nIP set and you can add those to your skip rule that so it always skips that traffic.\r\n\r\nUnknown Speaker 2:07:13 \r\nAnd so my actual skip rule is more thorough than this one because I got a bunch of IPs and things like that.\r\n\r\nUnknown Speaker 2:07:21 \r\nYeah.\r\n\r\nUnknown Speaker 2:07:23 \r\nAnd Dave is correct. You want to go conservative at the beginning for sure. Again, this is with much power comes great responsibility. Implement slowly make make sure you one side tested that you're not blocking legitimate traffic. But once you get these dialed in, you can boop boop boop just apply them to your other sites.\r\n\r\nUnknown Speaker 2:07:46 \r\nYeah, Ahrefs it's eight, like H refs. In particular. 
They don't tend to want to help you because they don't want to block you or give you ways to block their traffic. What I would suggest doing if a traffic is being blocked, then look at your events. Like do a scan so you know kind of about the time when the event would hit. Then you can look at your event log and probably even filter it with your block rule.\r\n\r\nUnknown Speaker 2:08:16 \r\nAnd hit that hit the traffic that fits your block rule and see if Oh, that's coming from this range of IP addresses or this ASN or whatever.\r\n\r\nUnknown Speaker 2:08:28 \r\nAnd go from there.\r\n\r\nUnknown Speaker 2:08:30 \r\nSo sometimes you can back end it and figure out but there's there's no easy way that I found oh, here's the magic list of IP addresses or whatever.\r\n\r\nUnknown Speaker 2:08:40 \r\nIt's just not very easy.\r\n\r\nUnknown Speaker 2:08:43 \r\nYeah.\r\n\r\nUnknown Speaker 2:08:46 \r\nTanya, oh, how do you know if you're blocking legit traffic? Good question. That's not a stupid question. So I would watch you know the first so when you implement the for the first time you know, put it on your own site or something else site where the impact is going to be low, but that you have enough traffic to actually generate some decent results. And just look at the events and see what's happening. That's how for example, on the skip rule here, I realized oh, no, I've got let's see, hang on, hang on. I know it was the block rule.\r\n\r\nUnknown Speaker 2:09:30 \r\nThis one, it you know, I saw this query string coming up a lot in the block rule. And that's a legitimate, I realize, oh, blocking this and I don't need to be blocking this. So I added a rule to get around it right.\r\n\r\nUnknown Speaker 2:09:47 \r\nSo, Stacy, you find out when the clients customers complain is not exactly incorrect. Like it's that's pretty right. It some of it is a little bit of trial by error, but that's the way it is for firewall rules, okay. 
And that's why for example, implement these rules with here. Don't just wholesale drop these rules in thinking what could possibly go wrong because the answer to that question is a lot. But once you get them dialed in for your use case, you have really powerful, really powerful tracking.\r\n\r\nUnknown Speaker 2:10:22 \r\nOr filtering. Yeah. Okay. Anybody else? Before we move? Wrap it up for today?\r\n\r\nUnknown Speaker 2:10:34 \r\nOkay, so homework policy when you migrate a site to Cloudflare do you remove them from the Yep, we're gonna cover that tomorrow. Migration is tomorrow\r\n\r\nUnknown Speaker 2:10:48 \r\nokay, Karen, I have tried to enable copy in the chat. For whatever reason zoom webinars just does not allow that. And I don't know why and we've tried, but give the as soon as the We the chat ends up as a file on the replay page, where you can open it up and grab whatever.\r\n\r\nUnknown Speaker 2:11:09 \r\nYeah, it isn't zoom meetings. This is a zoom webinar, and it's different and I don't know why I've talked to zoom support there. No help. It's yeah, it's a thing and I've not been able to solve it. I'm apparently too dumb to figure that out. Because I've tried zoom settings are horrendous. They're worse than Cloudflare and that's saying a lot Okay, all right. Let's go to Wrap it Up homework for tonight. Add a site, drop it in you know your your site or just spin up a site in try adding some of these settings, we will step through. We'll go through the rest of the recommended settings tomorrow. And then we will put that into practice by actually migrating a site's DNS into Cloudflare tomorrow. That will probably take most of our time and then because we'll do it step by step, and then we'll do we'll wrap up with tips and tricks and whatever questions are left. So that's where we're going. Congratulations, you survived day one. You have endured the firehose of things and it gets really practical from here. All right. 
So I will see you back here tomorrow. One o'clock central time for part two of Cloudflare for agencies here on solid Academy, where we go further together.\r\n\r\nNathan Ingram 0:04 \r\nAll right, everybody. So welcome, welcome. So how about some feedback from yesterday? Did you learn anything? What was your biggest takeaway? Aha. I assume that we're going to do live demo today. So sure, you'll just go into watching the demo without having the basic foundation of knowledge. So sure there's value without watching the replay.\r\n\r\nAll right, let's get these captions connected. There. All right. Oh, goodness. Gotcha. All right. Link bundle is in the chat. Of course handbook if you need to download that. It is updated by the way from yesterday. So make sure you grab the current copy. I probably need to update the link bundle to reflect that\r\n\r\nall right, well, good. That's good news. So really, really glad to hear that. All right. Welcome, everybody as you're coming on in find a seat, get ready to go. Links are in the chat. The course handbook has been updated since yesterday. The fix the two little typos that I had. Those are now fixed and going and a third that I just recognized. All in the WAF rules. So that's all correct. Now. Make sure you read download that course handbook. Just so you have the correct things. All right. We got a lot of the handbook Yes, one handbook for both days. 40 pages of Cloudflare goodness. or 40 pages of Cloudflare. Comma, goodness, exclamation point. That's a lot of Cloudflare. Oh, it's gonna be a long day when I'm entertaining myself already. Okay. So let me hear from you in the chat. What was your biggest takeaway from yesterday if you survived and had lived to tell the tale\r\n\r\nPaul that will be office hours tomorrow, or week or if we have some time at the end. That's funny. Love it. All right, couple of minutes before we get started, welcome, everybody. Glad you're all here. 
Make sure you download the fresh copy of the course handbook that has three corrections in and around the WAF rules. Just a couple typos and that space problem and so forth. Yeah, look, there are everybody that I'm constantly finding new ideas for rules. I'm going to talk about that at the beginning as we get started here, because there's some really interesting chatter in the admin bar about rules and stuff going on right now. On a reference that\r\n\r\nhey, look at that foul, awesome. How about that? It's small. It's the little things right. Alright folks, two minutes to go. If you're just joining us in zoom, open up the chat. Say hi. Let me know what your biggest takeaway from yesterday was. Did you get in there and try to set up a site yesterday. Did you do any of that? Thanks still broke? Yeah, yeah. Little bit of tripod. Doug. You did it. Awesome. Yes, Doug, indeed. Cloudflare SSL? Yeah. Very good.\r\n\r\nYep, good stuff there. All right, about a minute away, y'all. We got a long way to go today. Long way to go. The handout is updated. Yes. So please read download the course handbook it fixes those typos or like there was a space that shouldn't have been at a line break and that sort of thing. All that is fixed in working in this latest version. Phoebe. So we are you did you you would get a challenge at WP admin if you use the rules that I provided that the the challenge rule by default is going to protect the WordPress login page. That's what allows you not to need a CAPTCHA on the login page. So I want all traffic that hits the WP admin to get challenged.\r\n\r\nAlright, just about ready to start everybody. Yeah, Paul, I saw on that note, and I don't know why that would happen. That's really weird. It feels like it feels like that's a browser. Cookie issue. here and what do you mean it looks weird after the challenge\r\n\r\nno formatting Okay, so that's interesting.\r\n\r\nI've never seen that happen. 
Sounds like there's some sort of a an optimization issue like the CSS isn't getting loaded for some reason. Where are you hosting? It could be related to your hosting environment. cloudways GS? Ah could be something in the breeze plugin. I would look and make sure that the breeze are using cloud where cloudways Breeze. Yeah, so see if it has that. The connection to Cloudflare that I mentioned with the caching so that it's empty incorrectly the cache I've never used breeze so I can't speak to that one. Yeah, always. It's awesome. That's it. It's not just reason the optimization plugins are some that frequently cause problems. Okay, let's get started. I got a long way to go today. Well, Happy Wednesday everybody. Welcome back to day two of the Cloudflare for agencies course here on solid Academy. My name is Nathan Ingram, and we went a long way yesterday, as we looked at what in the world is Cloudflare how does it all work? We went page by page through the settings just to give you kind of a lay of the land of you know all the things that are there. And then we started with recommended settings yesterday. So that's what we're going to pick up today. We got all the way down to speed we've worked through the Cloudflare WAF rules, and we've made our way down to speed now, I do want to mention that I have updated the course handbook from yesterday. I'm going to drop that link in the chat once again. This fixes those couple of types of the like the linebreak typo I noticed also there's some quotation marks that got styled like outwards and not straight quotation marks and one of the rules. So those things are fixed, and it's there in the updated link that's there in the chat. If you're watching this on the replay. The link that's downloadable on the course page has will be correct for you so that's all there and ready to go. So here's where we're going today. We are going to pick up with our recommended settings at the speed portion which we see on the screen now. 
Then we're going to set up a site in Cloudflare live and just go through the process using the checklist that is in the resource number two at the end of the course handbook. So we'll be just walking through that checklist. And then we'll the final hour we made that that setup process may actually bleed into the second hour so we'll just kind of see how that works. And take a break at some point in the middle. And then at the very end we'll have the the tips and things that I've learned and basically things that I've messed up along the way and how you could not do that. And how to work with clients and you know, had multiple accounts and all that sort of thing and how's the best way to do that. So that's where we're heading today. As always, if you have questions, if the question is about something we're talking about right now, just drop it in the chat. I'll do my best to see that and talk about it. Otherwise, put it in the Q&A, and we'll deal with those at the end of each hour. All right. Well, let's get started, shall we? So we finished up yesterday with our various rules around security with our custom WAF rules, and then an anti flood rate limiting rule and making sure we have bot fight mode off. So now we're going to get to our speed sections. Let me get Cloudflare open and windows arranged and all of that. All right, so we are now here under speed. And we're gonna go speed and then optimization. So right here under optimization, there's a number of different tabs, and we're going to pick up with content optimization. Now this is an area that they have in the past few months rearranged. So if you haven't looked at Cloudflare in a while, you'll notice this is different and that's because it's different. They move things around and they do this all the time. So let's look at what should be on so we like Brotli this is going to be one of the things it's in the setup guide or the quickstart guide that we'll run through in a minute. 
Whenever you add a site to Cloudflare Brotli is good to have on it just makes HTTPS connections quicker. We talked about Cloudflare font so we like those those are on early hints we looked at which preloads pages when you hover over a link that's on rocket loader off because it can break WordPress JavaScript pretty easily. And we're gonna auto minify all three boxes here JavaScript, CSS and HTML. And then we're gonna go back to the top, the tab for protocol optimization. And we're going to turn zero RTT on. Now basically what that does is if a person has already visited your site, it makes reconnecting to the site quicker. It's just it saves a step. In the security in the HTTP protocol process. Good speeds things up. If you want to read more about it, just Google zero RTT. And you can learn more. So not a lot to change here in the optimization section. But we do have some things to look at under caching. So let's take a look at caching and our recommended settings here. So we're going to start out with configuration and look at our browser cache. So I believe I can't remember what the default setting is here but we want this to be 30 days. One month or 30 days is what Google recommends in order to receive to get good marks on their tools. We want to make sure your browser cache is set for one month. We want our crawler hints to be on so this is basically the index now protocol and so Cloudflare will do that for you which is really great. It lets certain search engines that support index now know that changes have been made to your website. So go come crawl it. It basically proactively tell search engines to crawl new content so that's good. And we want always online which pushes the site over to the Internet Archive for us. We want that on as well. So now, there may be some times where you don't want always online on if it's a very large ecommerce site with 1000s of products, rolling that and adding it to the Wayback Machine might be taxing on the server. 
Or if the site is changed all the time. There's every single site I have is always online. But if you have a massive site, it might create some performance issues. So you might want to toggle it off but likely every site you're going to want on here. Alright, let's look at some caching rules. These are very, very helpful. So let's say you have a site in development, or for some reason you have a site and you do not want to use the Cloudflare cache at all. How do we turn the Cloudflare cache off? 100% of the time whether it's in development, or I just don't want it because by default, the Cloudflare cache is on. So we need a rule that's going to say always turn the cache off and afford unfortunately, there's not like a toggle to turn on and off the cache. I don't know why there's just not. So what is a rule that we can create? Well, I've settled on this one that basically says if the incoming request is HTTPS, and that is yes, then bypass the cache. So this is, you know, basically every single request coming in to any site that I manage, is going to come in under HTTPS. And with that rule, this site will not be cached at all period by CloudFlare, because we're going to bypass the cache here and with browser TTL. Now, this is a rule that you only want to implement if you don't want the site cached at all. Does that make sense to everybody? So you know, on our dev server, for example, we don't want Cloudflare caching, like Cloudflare manages the DNS on our dev server because we want the security, but I don't want any Cloudflare caching on any sites. that are under development. So we have this rule that turns off caching completely. Does that make sense to everybody? So this is probably not a rule that you want on a live site. But for dev sites, yes. 100%. So here's one that you probably will want to use. Maybe there are pages on your site that don't ever need to be cached. 
So for example, with an e-commerce site, I never want the cart page cached by Cloudflare, or the checkout page. So here we've got URI path contains cart, URI path contains checkout, you can continue to stack these up if there are other different URLs that you don't want to be cached. So when these things match, then I want to bypass cache for Cloudflare. And at the browser cache, right, so just no caching of these frequently changing dynamic type pages. Don't want those cached. So cache rules are super helpful. I Paul Yes. Membership dashboards, things like this. This though, these are the sorts of things that you'll want to put in a rule like this one. You have a lot of rules here actually. So 10 available caching rules at the free level. So you can really add things Yeah, in anything like LMS site membership site where you don't want to cash in really it. It's\r\n\r\nit's really more like check out, you know, forms that Process Payment, perhaps maybe events like Melanie's mentioning in the chat. It depends. So if you run into an issue where oh my gosh, my events page is not updating why? Oh, it's Cloudflare. Well, we can just turn it off here at the edit with a cache rule. That makes sense to everybody. They're super useful. To debug these caching issues. All right, so we mentioned this yesterday, we're gonna have our tiered cache. We're gonna go here, and just make sure that the tiered cache topology is set for smart and again, what that does is it moves the assets to the Cloudflare data center closest to the person requesting the site so it basically shortens the load time, so it's good you always want to have that on. Alright, let's scroll down to our next section, which is rules. We're not getting into workers routes, that's not a route however you pronounce it. That's not something we're going to look at. But there's a couple of really good page rules that we're going to look at here that I recommend. 
The first is this one, which says our URL is going to be our domain name. star dot domain name. So this will catch any subdomains also, and anything after the WP admin. So basically, I want this rule to impact anything in the WordPress admin area for the main site and then any subdomains that I might have under this Cloudflare account. So I want security level high, which means that if somebody tries to come in it's also you know, it's gonna look at that browser more with more scrutiny and maybe present a challenge. If it detects any issues. I want that for anything in the WP admin I'm also going to completely bypass the Cloudflare cache. I don't want anything in WP admin cached by Cloudflare. I just don't want that. And then I also want this here disabled performance. Any performance related optimizations that Cloudflare might do? I don't want that for my WP admin because that can tend to get in the way of things and break admin functions and cache things that shouldn't be cached. And, you know, you get weirdness in the back end sometimes. So this says anything in the admin, I want to make these changes and it's a really helpful rule. This makes sense to everybody. This is a good one and you do have to fill in your specific domain name here, or it won't work. You can't just say star.wp admin. I tried that. It's got to have the actual site name. Alright, another really helpful rule. I really really liked this one. This is the email obfuscation rule. Again, a lot of folks in the years past we've done WordPress shortcodes, that obfuscate email addresses where they can't be scraped by website scrapers. Cloudflare has this built in at the network level, which I really like. And the neat thing about it is you can apply it only to certain pages with a rule, so we can say, all right, if it's the Contact page, then I want to turn on email obfuscation. Well, why wouldn't I just want this on the whole site? 
The reason is because it loads an extra little piece of JavaScript that can affect load time, so it won't affect it very much. But I mean, why load the JavaScript on a page that doesn't have email addresses, right. So if you have a contact page that has email addresses, turn this on, or maybe it's a team, page or series of pages. Like you have, you know, your domain slash team slash person's name, then you can do something like this I'm pointing at my screen like you can see that this so anything that follows team then this for like a team bio page, you can obfuscate the email addresses their policy, if the site has an email address in the footer. You want this on every page? Yes. And I wouldn't put email addresses in the footer. I would much rather have people fill out a contact form and send email but yes, if it's in the footer, every page where there's an email address, you could load this and if that's the case, then you can actually just turn it on for the site. Yeah, okay. So these two rules make sense. You got your WP admin and you got your email obfuscation. You got a bunch of page rules that you can do some other things with. There's actually sorry only three, three page rules. So we still have one extra one here. And you can do a lot with these Okey dokey. Everybody good so far on this? Because that's it. That was all of the rules are all of the recommended settings. So we didn't get that fully finished yesterday, but we got it done today. And now we get to actually do the thing. Okay. So I want to give you the overview of what this migration process looks like. And then we're going to skip to the end of the document where the actual checklist is, and by the way, if you're just coming in the course handbook is updated from yesterday. And so you're gonna want to redownload that because I fixed a couple of little glitches with the WAF rules. Okay, so here is our process. 
And again, it is a checklist is in resource to you can copy that part out, you know, make it your own, whatever. So, big picture, okay. We're going to add the site to Cloudflare. And then we're going to walk through the Quickstart process. These are the common, most recommended settings to set up. We're going to add the name servers that Cloudflare gives us over in our domain registrar. Then we're going to pause the site on Cloudflare. This is critical if you don't do this, you're going to get SSL issues in almost every case, then we're going to go through. Here's our items for the quickstart guide. We're going to go through all the rules and settings that we need to add. We're going to wait for our SSL to generate and then we're going to resume the site on Cloudflare. That's the big picture. How this is going to work. So let's go down and take a look at our resource scrolling scrolling right here. This is page 38 of our guide. And here's what we're going to do. So I have this domain set up and this is just a Kadence Starter Site that I have inflated on to WP one dot Dev. Now this is a domain that lives at GoDaddy. And so that may be a place where you see a lot of domains that you have, right and so this is just as simple and basic of a domain swap or DNS change as I can show you with a typical common registrar. Okay. So we're not going to walk through this whole process. So what I want to do I want to get back here to home, which I did just by clicking this arrow I'm in WP Nathan. Now I can go back now I'm at my account home, or I can go up here to this little user icon and hit account home. It's at that point where I can add a site. Okay, so we're going to add the site to Cloudflare by entering the domain, selecting the free tier and confirming our plan, but let's add the site right here. And by the way, if you added a site to Cloudflare a few weeks ago, this is now completely different. They have totally changed this adding a site flow as they do. 
I mentioned this yesterday Cloudflare changes things like worse than Google and that's saying a lot so just be aware of that. If you're white if you're following this video six months from now they've probably moved some things around. They're all there you know, and you can probably find them pretty easy but it's it's very likely to change. So we're going to enter in our WP one dot dev domain name here. Continue. We're going to select our plan scroll all the way down to free and click that and confirm and we're confirming and Okay, let's so we're going to start our Quick Scan. Now at this point what's going to happen Cloudflare is going to go out and it's going to attempt to find all or as many of the DNS records as possible for this domain. I'm going to click Start click Scan. Now here's the thing. Don't ever trust Cloudflare scan because it is likely going to miss some things. So it's now picked up in a record and to CNAME so there's definitely more than that. And we're just going to keep moving. So if you can't bypass that scan, I wish you could but you can't. It's going to do its best to find records and plug those in to your DNS settings. But now we've gone through our quick scan and we're going to hit continue and we're going to start the domain activation. So right here, we're going to add the provided name servers to our domain. So here's our two name servers that Cloudflare has given us a copy the first one, I'm going to go over here to godaddy under DNS, and go to name servers. This will be different for every registrar. We're going to change this to my own name servers, and copy and our two different name servers. Oops, two here, save and continue. Okay, now over here, I'm gonna hit continue and continue.\r\n\r\nSo now we come to our overview page immediately right now before you do anything else. 
Pause Cloudflare on the site, because otherwise what can happen is traffic can start flowing to your domain before Cloudflare generates an SSL certificate and you'll get that security warning in browsers by pausing Cloudflare at this point, what that does is stop Cloudflare it doesn't stop it from generating a certificate but it doesn't use the Cloudflare certificate. So we're not using any Cloudflare features right now because the site is paused. Don't forget that step or you're going just it's inevitable that you're going to get you know a security warning. Okay, so pause Cloudflare Now let's go through our quickstart guide. Let's see right here. So we're going to review the settings in our quickstart guide and get started. So we want to keep this on Yes. All these settings are here. Save this. Always use HTTPS Yes. Do we want to enable Brotli? Yes, just basically all the recommended settings we want on and finish. Boom. Okay, so we are good. And now we're going to go down to our DNS. Now Cloudflare has imported some records, right. So we've got this going on here. Um, you know, what I forgot to do is I forgot to open up my email. Let me grab that one second, folks, because we're gonna get an email from Cloudflare at some point very soon, telling us that the site is working. I've got to log into my email, my solid Academy solid email here one second, everybody. I have 8000 Google accounts as perhaps you do. as well. And there it is, okay. All right. So there's my solid email. We'll put that over here and we'll just wait on that. Okay. So now we're at the point of validating our DNS records. So here in GoDaddy, if we look at our DNS, there, there's a lot more than it found. There's not many actually. There's an A record and some other things, you know, nor if this is a site you're already managing. Maybe you have postmark records or some other transactional email or google verification or office 365, all all those verification records, right? 
You're going to want to make sure that what's here in CloudFlare, matches 100%. What is at your current DNS provider? Okay. Many Melani that's a brilliant idea is to screenshot this and add it to a record someplace. So better even than this is the ability to export my DNS. So let's see here. Many registrar's have the option to export DNS records. If they do you absolutely want to do this. If they don't, it sucks because you have to hand enter every one of them it's really awful. But here I can say Export zone file. Even GoDaddy will let you export the DNS. So I want to export this zone file and boom, there it went. It is now right here as a text file that just downloaded to back. It is right here, simple text file. So I can take this and go right here to import and export and just drop it in. And now I have all of my records and they it now matches perfectly. So that is super helpful when you have a ton of records. If you are running your DNS through a cpanel server, we're going to come back to that at the end because there is a there's a way to actually export out of cPanel if cPanel is actually running your your DNS All right, but for now we know that these match because we've done a good Import and Export Now a couple of things we want to look at. Many times your export will contain name server records, these name server records, these pertain to GoDaddy domain control.com. These are GoDaddy, we're not using GoDaddy. name servers anymore, so I can delete these our name servers or at Cloudflare. We don't need these records anymore so we can safely delete those. The other thing is, if you have in the Cloudflare import when it pulls in all those records, if you import record, you know this import file is going to contain some duplicate records. Cloudflare is smart enough not to import duplicates, so it didn't used to be by the way used to import duplicates, you have to go in and delete your duplicates. 
It now is smart enough not to create double records, which is awesome. But in many cases, you're still going to have to add those records one by one because, you know, this old antiquated registrar doesn't support exporting of DNS, which is just really annoying. But Paul is saying, don't forget to turn off some records that need the original. I'm not quite sure what you mean there, Paul. But you're gonna, the key here so you don't mess up DNS is, at the end of all this, my DNS records in Cloudflare need to match my DNS records with whatever the registrar is now. Other than the name servers, the DNS records you can delete just like we just did, but everything else needs to match 100%. Otherwise you might break their email or something like that.\r\n\r\nSo yes, the, for example, if there are CNAMEs that come in, like right here, this, here's another one we can delete. This is a GoDaddy Domain Connect that we don't need. We can delete this. Any that are there, other registrars that have specific records, we're not using that anymore, so we can delete this. And if it's a CNAME, generally, any CNAME other than the www record we want to proc, we do not want to proxy, correct. So this is a really simple DNS setup because there's no email or anything there. Okay, everybody good on this part, moving DNS records in? Hopefully you can export them and import them otherwise. This is also helpful if you can, if DNS is currently managed by another Cloudflare account, then you can export the records out of the current Cloudflare account and import them into your Cloudflare account. Sue, if there's email? Yeah, yeah, so like all the MX records, all the TXT validation records, CNAME records, all the DNS needs to match exactly. Unless it has to do with, you know, like the name servers or like these GoDaddy specific records that we don't need anymore, but all the other records need to match exactly. You'll probably find that Cloudflare, their import gets about 90%. 
But it will typically, especially if it's a complicated DNS setup, it will typically miss TXT records, like the validation records. It usually gets all the CNAMEs and the A records, but it misses, it tends to miss the TXT records. Okay, everybody, good. All right. So at this point, it's usually taken, you know, five minutes or so to get our DNS all lined up. So now we're gonna go check and see where we are with our SSL. So we're going to click on here, and let's just look at our edge certificates to see. Okay, so right here, this is showing us it's in process. So this is live demo. I don't know how this is gonna go, okay. If this breaks, we'll fix it. We'll figure it out. But right here, notice that the SSL has not yet been generated for this domain. So we don't want traffic coming through Cloudflare yet, so let's just move on with our settings and we'll keep watching this edge certificate to see if it's ever finished. So we want to go down to minimum TLS of 1.3. 1.0 is the default for some reason. So we're going to make that 1.3. Now we're going to go down and add our WAF rules. Just following our checklist here. There's my, use your four suggested rules that I've given you or your own variations. So we'll go to Security and WAF. Now again, as I mentioned yesterday, I've got this shortcut set up in my text expander, CF one. Here's our managed challenge rule. So what I do in my text expander, I have this title here. And so I'll copy, cut that and put it up there, and this is going to be a managed challenge. Boom, and deploy. The quick, that was, that was done. We're going to create rule number two. I'm going to use my shortcode; otherwise, you can copy and paste from your notes. There's our second rule. The title, cut and paste up here. So choose the action skip and check all the boxes. All the, all the boxes, just like that. Deploy. Great. Our rule number three, now this one has the variable in it that fills in my domain. I've got that. So these are our block rules. 
Deploy and one more rule\r\n\r\nthese are our crawler blocks. And this gets a block deploy. So you see how quickly it goes. If you have something like text expander or in my case type desk or one of these macro type programs, apps on your on your computer. It just makes these rules go really fast. Otherwise, you can just copy paste, that's fine too. But we've got all those rules added. Does that make sense? Everybody? Got our rules added there. Any questions about that? If so, ask in the chat. If not, I'm going to keep going under security and bots we want to make sure that bot fight mode is off. It should be by default. I always want to make sure of that because that is it can it causes so many headaches. Speed. Oh, you ask a question. Okay, Paul, I explained why I use the web as a prefix. Is there a possibility of some sort of mix up? If we do not have a prefix? No. This is just for convenience, knowing that these are our rules. So we do have some clients that get into Cloudflare and do some things themselves. If you're the only one that's going to be in Cloudflare it doesn't matter but I prefix everything with be WWE, you know functions code all that is just a habit. So this just lets me know these are our rules. Okay, speed. Let's go back to these rules we just covered so speed optimization, content optimization, only the things we need to change here are Cloudflare fonts are on early hints are on check all three boxes on auto minify boom, boom, boom. And we want to go up to protocol optimization and turn zero RTT on. Great. Now let's look at caching. Let's see configuration crawler hints. Okay, browser cache is one month that's the default. That's awesome. Let's see crawler hints are on always online is on. We'll go over to cache rules. Is there anything we want to fix with our cache? Probably not on this one. It's not an ecommerce site. And you know, it's not in development. So there's no cache rules. To set up here for this one. 
We do, though, want to go into Tiered Cache and turn on our smart tiered topology. Okay, now go down to rules and we're going to add our WP admin rule. Let's see, page rules, and we're going to be star dot WP one dot dev slash WP admin, come on, admin star. The settings will be about, we spell that correctly. All right, first thing we want to do, cache level is bypass, then it was performance is disabled and our browser integrity check. Oh, no, it was security. Security level is high. Alright, so there's our WP admin rule. And let's go ahead and add a contact page rule\r\n\r\nand we're going to want email obfuscation on our contact page. On, you can add these rules or not, just depending on your setup like we've talked about. Thanks. We got our page rules added. Now we're waiting for SSL generation. Oh look, I've got an email from Cloudflare. It's now active. Boom. That's awesome. Let's see if our SSL certificate generated. So you may have the email that says it's active, active meaning Cloudflare has detected that its name servers are now being used for the domain. So GoDaddy has gone ahead and updated the name servers and Cloudflare sees that, so they're connected. Now that doesn't necessarily mean the certificate is generated yet. So let's go take a look under SSL, edge certificates. Oh look, it's active. Boom, perfect. Okay. As soon as this is active, that means the certificate is there and we can unpause Cloudflare. So we're watching for an email that Cloudflare is protecting. We're watching at edge certificates for the universal SSL right here to be active, and it can take time. Okay, so let's talk about what happens if it's, if it takes some time. Officially, Cloudflare says this can take 24 hours. I've never ever had it take that long. I have had it take a few hours, and this was, you know, this was actually right after, remember last year Cloudflare had that data center issue. A lot of these things were delayed after that. 
Usually now it's just like what you just saw, it generally just takes a few minutes. And you're good to go. But it can take a few hours. That's nothing to worry about. Now. If you if you get hours and hours and hours and out like the next morning if it's still not working. Then what I would suggest that you do. Let's see I've given a pointer that put those notes troubleshooting down here, okay, so here's how to troubleshoot if you're stuck on pending validation after an hour. So make sure that you delete those NS records. I've found that sometimes when my sometimes when I'm not getting my certificate generated, it's been because I accidentally left those those NS records in the DNS, that old name server, and that can mess around with validating traffic. So make sure that the NS records are deleted like we showed earlier. Also, again, officially it can take 24 hours. If it's still waiting after 24 hours, go down here, here on edge certificates and down at the bottom. Disable doo doo doo doo doo right here. Disable universal SSL, click that button, wait a couple of minutes for things to the dust to settle. Then you re enable it and it starts that validation process again, and I've never had it not work the second time. So that's maybe that's just lucky on my part. But generally that fix is something that stuck. And I've only had that happen like once or twice and all the sites and that was actually a long time ago. So that's a good way of troubleshooting. If you're still having issues then it's time to go to Cloudflare community and ask them questions. But now, we've got our SSL generated so we're good to go there. So we're going to pick up the process when you see the SSL is there under edge. Right here the universal one now we don't have to wait for that saw this question a minute. ago. We don't have to wait for the backup certificate to get set that can take a little bit of time. We have a good SSL, we're good to go. 
So now we're going to resume the site on Cloudflare. So back to overview and scroll down to the bottom of the page again, enable the Cloudflare on the site. It is now enabled. And okay, here's where it was before and notice that this is what I had up before we made this move. So connection secure. And this is a Let's Encrypt certificate which which the server generated. Now if we refresh this page, and we look at that certificate, we should see a Google certificate now. So let's do a hard refresh. And actually, Chrome may have cached that certificate, which is fine. Yeah, Chrome cache that certificate if we go let's go into the browser, and you can see that it's the Google cert and for some reason Firefox is taking all day to start. Here we go. All right.\r\n\r\nAll right. So let's see. Where is oh, I clicked the wrong thing. There we go. Now it's still interesting. All right. So it's still showing the Let's Encrypt certificate. That's interesting. I wonder why that is.\r\n\r\nWe can also check with what's my dns.com. Job. Okay, and we are on Cloudflare. So the world is seeing that it's under Cloudflare. When you see to these two IP addresses, that's cloud flares, backup IP address, that's what you want. And so it is it is seeing everywhere in the DNS shows. It's running through Cloudflare. So we're good. I'm not sure why it's not showing that let's or white showing that Let's Encrypt. Let me try it in Safari. Just to see I wonder if I loaded that site in Firefox and it still has it cached. That's interesting. We know it's working though. That's what's that's the most important thing.\r\n\r\nYeah, no, that's interesting. Let's take a look at Oh, because here make sure that you set it to full Am I following my instructions? Now, I didn't follow my instructions. So we would have checked that right here. If we set this to full then I bet that's going to change our SSL certificate helps to follow your own instructions. Now it's still showing. I'm not sure why that is. 
Well, let me just get back to following my instructions and we'll move on. So we've resumed the site on Cloudflare, right. Now we're going to enable DNSSEC. So you don't want to do this until Cloudflare has traffic for your site. But we're gonna go here under DNS settings, enable DNSSEC. Right here, and again, this is the little bit of code you're going to add to the registrar to validate that Cloudflare does have legitimate control over the DNS. So this is all the stuff that Cloudflare gives you. You don't necessarily need all of it, and every registrar is gonna be a little different. But here in GoDaddy, you just scroll over to DNSSEC. And we can turn this on\r\n\r\nnot when I'm around, hang on, hang on, hang on. GoDaddy. It's under DNS, DNS records. And oh, hang on. My goodness gracious. Let me refresh this page.\r\n\r\nRight here, DNS records is what we want. So I had to refresh the GoDaddy page because prior, it was, it was loaded prior to knowing that GoDaddy had handed off the name servers to Cloudflare. But now we've refreshed this and there is a DNS record tab. Most registrars are going to have this. You click that and we're going to add the DNS record. So first, we demonstrated this yesterday, but first we add the Key Tag, and this is all out of order. But Key Tag is here. The algorithm is 13, the digest type is two. And the digest is this string of characters, and that's all we're going to need. Save. All right, and it may take a minute, but we're going to click Confirm and it needs to wait. It's going to look for this and we'll come back to this in a minute. But it will eventually validate that record with the record at the registrar. Why do you have to add this on GoDaddy? Because GoDaddy is the domain registrar for this domain name. If Cloudflare is your domain registrar, you just click a button and it works. It's really simple. And then at the end, we go through and we verify our encryption method. SSL overview, boom, good to go. All right. 
So we've just added the site to Cloudflare. Wasn't that complicated, was it? I'm gonna pause for a minute. Questions or comments\r\n\r\nthis is when nothing goes wrong. Oh, if they are all this easy, and they usually aren't terribly complicated\r\n\r\nAll right. Other questions. How, question is, how hard is it to move your domain to Cloudflare? I can't really demonstrate that because I don't want to move any domains to Cloudflare right now, but it's really pretty simple. We're going to cover domain registrar things in just a minute in the second hour today. We'll talk more about it then. All right, any other questions before we take a break? That actually took less time than I thought it would. We are now completely set up. If we go to WP admin here, we'll get a managed challenge as we would expect. Boom. Good. All good. Logging in. Yep. And log in. There I am. Pretty cool. Sue, ever worked with Enom? Yes, they do not have an export tool. And generally here's what I found. The more the back end of your domain registrar looks like 2004, the less likely they're going to have a DNS record export. Sue, I don't know if Enom has a DS dropdown or not. Enom is pretty old school on the back end, as you know. They really need to, and that's a good reason to not be with Enom anymore. And maybe to move domain registration to Cloudflare. We're going to talk about domain registration at Cloudflare the next hour. But yeah, Network Solutions is really bad enough. I'm really bad. Yeah, I don't know. So those are some of the ones, I've never used Dotster or web dot, actually Dotster I used like 8000 years ago. I haven't used them recently. I don't know. It tends to, what I've noticed is if the UI in the domain registration looks fairly modern like this, it's more likely they're going to support exporting of records. If it looks awful, like 1995 or whatever, then they probably don't. Yeah. 
What do you do about DNS if there's no option, if the registrar doesn't support it? They don't support it. And again, that's, DNS records have been around for a while and they're an important part of domain validation. And if your registrar doesn't support it, I mean, I would start looking for a new registrar. Yeah. All right. Any other questions before we take a break? Okay, there is a multi part question here.\r\n\r\nOkay, um. So first question here is in regard to the WAF rule, the skip good traffic rule. Does We Watch Your Website have a whitelist of IPs? I can't find them anywhere and Thomas is not getting back. No, I'm not aware of one. But I don't think the rules block them. There's, I don't think there's anything in a rule that's going to block that traffic. But so it's a good, if you put a rule in and if they're getting blocked, this is an exercise of looking at the event and find what it's trying to do and then allow that, but I don't have any specific whitelist for We Watch. Second question is about PayPal. Do we use the ASN for PayPal, as you added at the bottom of the doc? Or do we need to find the API or the web? And I'm guessing what you mean, I'm not sure who's asking this question, that came in as an anonymous attendee. Or do we, and I think what you mean is the webhook. So, and I'll reiterate what I said yesterday about this. Oh, no problem, Karen. So I, so let's see, ASNs are good. Webhook URL is better. Because ASNs, I mean, maybe there's, they might change or something might happen. So it's good to add the ASN. But if you know, like, there's always going to be a pattern in the PayPal webhook for their IPN or whatever. Then try to get the little snippet of that webhook like I showed with the WooCommerce or the Gravity Forms Stripe webhook, get that little snippet and always allow that traffic. That way you're, you're certain that it's not going to get blocked. Does that make sense? 
And number three, I added all the Ahrefs IPs to a Cloudflare list and then added the list to the good bots rule. Today, I got a report that the score was cut in half. robots.txt is not accessible. Okay, so that, okay, so something is still blocking Ahrefs for you, Karen. And so it could be the country rule. I've had this happen. So some, like you can have, let's, let's, let's look at our rules here. So, if we look at our rules, oh, there we go. So we've got block rules, right? Let's just say that for whatever reason, your list of IP addresses, it's not in that or it's not coming in that way. And you're blocking based on country, and maybe a traffic that's coming in from a country, it's not in your allowed list or whatever. So what I would recommend that you do, this is, this goes back to the refining of rules. Look at your block rules like this. We've already gotten some hits on our block rule. Look at your block rule and see if you can find the Ahrefs traffic and see what it was doing that was causing the block to happen, and then use that to inform a skip rule. And unfortunately, there's not an easy way around this. You just have to investigate, but once you find that, the thing that allows it to skip, then you can use that on all the rest of your sites. So this goes back to yesterday when I was saying, you know, get it right for a good typical site, and then you can use that rule for your setup on all the rest of your sites. Does that make sense? I wish I had like a silver bullet answer, but that's just not the way WAF rules work, unfortunately. 364 IP addresses, holy mackerel, yeah. So what I would look for instead of that, find it here. You know, does Ahrefs have a user agent? They likely do. Matter of fact, let's just look. So rather than, let's see. Yes. So here's their user agent. So maybe what you would do here is say, instead of that ginormous block of IP addresses, we can just as easily say, in our allow, our skip rule here, or user agent contains AhrefsBot. 
Like this. And see if that doesn't help. Make sure all of your other, see this, this is why the order matters, because the skip rule comes in number two. And if you are, if you've identified correctly that traffic, it's going to skip all your block rules and everything else that's there. So we can deploy this and now Ahrefs should be able to scan our site. Give that a try and see. Again, this is just, kind of have to experiment and find what works for each of the various things. I really, really wish there was an easier way to do this. I've not found it, and it could be that I've just not stumbled upon the right method. But in lots of practical hands-on work I've not found an easier way to do this. Other than, oh, here's a good way to disallow, to skip the traffic and now it's not a problem anymore. And we know that going forward now. Okay, question from Paul. When looking at security events, can you see what the trigger values are that caused the rule to get triggered? Not really. Like we can see here, there's three block events that have already happened since we set the site up. And so here, we've got this block, and so you kind of have to look at what's going on.\r\n\r\nLet's look at this block rule. Am I allowing Canada?\r\n\r\nOh Doug, you got blocked, sorry about that.\r\n\r\nUnknown Speaker 59:55 \r\nInteresting.\r\n\r\nNathan Ingram 1:00:16 \r\nDoug, when you saw the site, could you see images? Weird?\r\n\r\nI'm not sure. But yeah, this is how you would identify, Paul, you, you. It doesn't tell you what about the traffic triggered the log, but looking at the details, you can probably narrow it down. Again, I wish there was an easier way. All right.\r\n\r\nStacey, yeah, you probably, you got to WP admin without a managed challenge. Probably because, okay, again, if you get to someplace without a managed challenge, then Cloudflare has been watching your browser and it knows you don't need challenging. Like that's, that's okay. It's a managed challenge. 
It's not an every time challenge.\r\n\r\nBut generally, like, here's a raw browser. If I try to go to the WP admin, it's going to give it a managed challenge because it doesn't know this browser.\r\n\r\nBut if I go back there, see there if I go back to this page, it's probably not going to challenge it again. Because I've already passed the challenge. Yeah, it's a managed challenge. So Cloudflare manages whether or not it wants to challenge the traffic based on the fact that it's processing billions and billions and billions of requests every day. Okay, well, let's take a break here. It is straight, just right about to be two o'clock Central. Let's take a five minute break. We'll come back with the final bit here, which is scrolling, scrolling, scrolling, scrolling, all the tips and tricks, cetera, et cetera, right there. Cloudflare tips and tools and tips that starting at page 32. We'll have a good q&a time at the end, and that'll be it. So we'll take a break five minutes back at five minutes. After two Central Time.\r\n\r\n32nd warning folks, we're back in 30 seconds.\r\n\r\nAll right, we're back for the final hour of Cloudflare for agencies got a long way in the last few hours together and everybody's still alive. Seems like that's, that's really good. Okay, so in this last bit of time we have together we'll do plenty of time for q&a and also go through some of the tools and tips that I think are helpful to know about Cloudflare. A question came in during the break from Paul, with the rules and effect is this where you no longer set the reCAPTCHA and solid security. So the answer to that question is yes. Because in our WAF rule, we are we have a managed challenge. That's going to challenge any of our WP login now when I when we talk about no longer set the reCAPTCHA for the login page, okay? If you are using solid security to protect your comment forum or whatever. And by the way, are y'all listening? Can we can I share something just between you and me? 
There may be some ecommerce protections that are coming in solid security maybe that's maybe so this you'll want that those in place right. So this Manage challenge protects the login page if you're using solid security and and turnstile reCAPTCHA, or whatever other recaptures for comments or registration or that sort of thing, then, you know, you either want to put those pages into your rule here or continue to use the CAPTCHA rule. The CAPTCHA is there installed security. Does that make sense Paul? But it's it is redundant. To set a CAPTCHA on a page where they've already had the past through a managed challenge to get there. Does that make sense? Everybody? Nobody's talking in the chat. That's okay. All right. So I'm gonna move on okay. Everybody's gone to sleep. That's okay. All right. So the other thing I'll mention is this and this is a very important note. These as you've seen already web application firewall rules are very flexible and need to be changed for your use case. And may be modified over time, right? The firewall rules that I have in place now work really, really well. But I'm likely going to modify those as I learn new things and you probably will too. So one thing I would watch, for example, there's an ongoing discussion right now in the admin bar. From Troy Glancy Troy is really good at this sort of thing. And he's at his far original Cloudflare rules from a couple of years ago are the ones that kind of got me looking into this to begin with. And he's actually perfected several others and he's going to post at some point soon. So I would recommend if you're in the admin bar, watch this post. Just search for Cloudflare in the admin bar, it'll pop right up and see what his advice is on this right because he may very well and probably will have some ideas for things I haven't seen or thought of yet. So you know, borrow and steal the best firewall rules from others, just with the remembrance that firewall rules can block legitimate traffic. 
So don't just wholesale apply them to everything. Make sure you know what you're doing. Right. So don't consider these rules or settings even as a silver bullet. I've tried to give you some perspective on when and where and how to apply those rules. Does that make sense? Okay, so let's look now at some Cloudflare tools and tips. So we're going to start with the Cloudflare WordPress plugin. So let's go there. And we're just going to add it to this new WP one dot dev site. So we're just going to search for Cloudflare Cloudflare. And it'll be the official Cloudflare plugin right here. Now, disclaimer, I don't use this plugin, but it is it is there and it's free and you might like it. It's particularly helpful if you don't have a performance optimization plugin. So let's go back to Cloudflare and are actually settings under Settings and Cloudflare. Unlike many plugins, what you're going to do, we're going to sign in, we need our email, which is Nathan and ithemes.com and a global token. So you always find those that your account home. And actually it's where is that it's at profile, actually my profile in API tokens. I'm going to create a token for WordPress. I'm gonna rename this to WP one dot dev so I know which side it is. Scroll down, continue to summary, create token and there's my token. And I'm going to paste that over into here. And save. Now Cloudflare is connected to my site now basically what this plugin does is bringing some of the Cloudflare dashboard functions into WordPress. So you know I can automatically apply Cloudflare settings that are best for WordPress if I want. I don't want to do that. So I've already done that over in Cloudflare. But I can go here to settings for example. And I can turn on development mode just right here from within WordPress. It's got some interesting little things. I don't use this because I prefer just to go to the Cloudflare dashboard to manage my settings. But this plugin does exist. 
It's pretty, you know, it has, it has some good use cases and you might just want to play around with it. Like, oh, there's a button right here to get into I'm Under Attack mode, right from the WordPress dashboard. So it's there, it's available, it's free. You connect it with an API key just like I showed you. And you know, it can be helpful in certain circumstances. Where I would recommend, though, that you add Cloudflare is into whatever WordPress performance plugin that you have chosen. So in our case, we use LiteSpeed as an agency because we use LiteSpeed server on our server. You might be using, we had the discussion earlier about Cloudways Breeze, you might be using Hummingbird or WP Rocket or whatever. Each of these have a little area for Cloudflare. Most good WordPress performance plugins have some sort of Cloudflare integration and, you know, like right here, the API token I just created, you'd go through that same process, create the token and drop it in with your email address and the domain and it'll be connected. Now why would you want to do this? The reason is, most of these WordPress performance plugins, you know, they've got caching and, you know, optimization of JavaScript and all that stuff. And they're smart enough to know, okay, when WordPress runs an update, clear the cache, okay. Or if you edit a page, clear the cache. Cloudflare, sitting up here at the network level, has no idea that you've made those changes here on WordPress. So the assets that it has cached up here at the network level might differ from what's at WordPress. And the end result is you go to the site, the CSS looks wonky or things just aren't right. So we need something that's going to connect Cloudflare and our WordPress performance plugin so that in effect, in our case, like we're using LiteSpeed, so whenever we run plugin updates, LiteSpeed clears the local cache, and it clears the Cloudflare cache, so that everything stays in sync and that's what you want. 
So do not, let me just underscore this. Do not use the Cloudflare cache if you have a performance plugin at the WordPress level that isn't connected in some way to Cloudflare. Because what you will see, you'll go to the site one day, and the CSS will be all wonky. And it's because the caches are different and that's what's happened. Does that make sense to everybody? Don't use a WordPress performance plugin and the Cloudflare cache unless you've connected them together with an API key. Otherwise bad things happen.\r\n\r\nAs Sue is asking, how did I get to the screen? What screen are we talking about? This is the doc. Oh, LiteSpeed. This is just a screenshot. This is in the document. This is just a screenshot of the LiteSpeed cache settings. It is under CDN in LiteSpeed. It's in a different spot in every WordPress performance plugin. So just look through your plugin of choice and you'll likely find Cloudflare settings. Virtually all the good ones support Cloudflare. Oh, okay. So if your server uses LiteSpeed, you go under LiteSpeed cache on the admin bar, go to the CDN tab or link and you'll see it down toward the bottom. The LiteSpeed cache. Yep, good. Everybody okay with this, makes sense? Does Perf Matters not connect? I'm shocked at that.\r\n\r\nInteresting, yeah, I don't use Perf Matters. So I can't speak to that. But you'll definitely want to visit with them on that. So it probably, this primarily affects caching. And I don't, Perf Matters doesn't do caching, right. It only does asset optimization. Like, okay, so you may not need Cloudflare connection in that case. So this really, this really comes into play when it comes to caching, caching those assets in various places. 
So if the changes that Perf Matters makes are likely pulled up to Cloudflare anyway, but I would I would still if you're, if in whatever WordPress performance plugin you use, if you don't see Cloudflare settings, reach out to their support and make sure there's not going to be a conflict. That would be my recommendation. Okay, everybody good on that. Does that make sense? Because you will come in one day or you'll get an email from your client. Hey, everything looks weird and wonky and you'll go in there and the CSS is all jacked up. And it's because the cache is wrong. Or worse than that. It'll look fine for you, but it will look wonky for everybody else. And so you know, it's just, it's, it's a Cloudflare cache issue. And what you have to do is go out and let me just show this. This is if you hit that problem, go into your website, go into cache, and configuration and purge everything, and it's probably going to look just fine. Because that's going to cause it to go in and pull assets back up and refresh everything and then connect your performance plugin to Cloudflare and it likely will not happen again. Okay, everybody, good to move on. Everybody has gone to take a nap. Okay. Let's move on and talk about clients and Cloudflare so this is one of the big questions. So if we move our DNS into CloudFlare, can we give clients access? And the answer is yes. And it's beautifully simple. It is so simple. So I delegate access to the Cloudflare DNS to any client who requests it. We have many clients who for various reasons, need to manage their own DNS that didn't used to be the case, when we served a much simpler level of client. They just wanted us to do everything, and many still do. But we also have a lot of clients that manage their own. So we give them access and so here's how you do it. You're gonna go up here to the account icon in the top right, you're gonna go to Account home and scrolling, scrolling, manage account and members. 
So right here, we can invite members to join our account. So let's invite Nathan to join our account. Nathan at boom. A fan at Nathan ingram.com. I can't type. There we go. And what are we going to do? We want to include, it can be all domains that are in this Cloudflare account, probably don't want to do that. A specific domain, yes, I want to give Nathan access to WP one dot Dev. Well, what if I have multiple domains that Nathan needs access to? A domain group? Oh, no, sorry, a specific domain. And I'll just add another one. Or actually we'll do it this, include a specific domain. Okay, Nathan needs access to both of these domains that are in my account. What level? Generally I'm gonna give them Domain Administrator access. You can restrict it to just DNS if that's all they need. But in these cases, I want my, the clients that are going to want Cloudflare access are going to need to have control of everything. Just like I would make sure clients have access to their own domain name. Same thing. I'm going to grant Domain Administrator rights, continue to summary. Yes, yes, yes. Invite. An email was just been sent to my other email address that would give me access to that, that this email address. Nathan at Nathan ingram.com doesn't have a Cloudflare account, so I would go through a flow of setting up a Cloudflare account. And it's just that easy. If you want to get rid of their access, you just hit edit and you revoke access x, let's see. Let's see. How do we do this? It's a delete. Yeah, cancel the invite. Or at this point, we would like, here's this, I can. Here's one where I've given other email address access, and I can remove access from somebody if I want. So pretty helpful. Yes, so Ben, like Dennis saying, this is like a reverse way of giving a client their own account. And it's not their own account. It's, you're giving them access to domains in this account, that's yours.
But either way, they, in the end, they have the access that they need, and it's super easy to do this. What's also helpful is you can enforce 2FA. So by toggling this on, you can force anyone that you add to this account to add 2FA to their account. So I always turn that on. It's not on for this one because this is a test account. Class, since client domains are registered with Cloudflare, I had them set up account and delegate access to me. That works too. Yeah, either way that, that works. But the delegation is really simple and smooth. And Cloudflare, as you just saw, it's just click, click, like, and you're done. And it gives everybody everything that they need. Any questions about this part? Are we good? Rolling, rolling.

Speaking of domain registrar, ah, Cloudflare is, I think, the best place to register domains now, because they don't make any money on domain registration. They charge you, a .com is $9.77 per year. That is the flat cost of a domain plus the ICANN fees. It's literally, they're selling you domains at cost. So if you want to get to domain management, you go here, manage our account home, Domain Registration. We're right here. And we can manage domains. So you can register a domain name here and do a search. It even has the suggested domain names if you want to brainstorm a little bit about Dr. nathan.net. That's pretty funny. Anyway, but you see how cheap they are, really, at 9.77 for a .com, 4.94 for a .uk. Anyway, you just go through a registration process. Do you want to transfer a domain in? Right here. You just, they have a flow to bring in domains to Cloudflare this way. Yeah, Stacy. So this is a great spot to move clients that were once at Google Domains and now at Squarespace. Move them into Cloudflare, it's gonna be cheaper and the UI is really simple. And there's not, you know, unlike some registrars, which shall remain nameless. Nameless. There's not a bunch of crap on the screen to upsell. Yeah, Paul, you pay a year when transferring? Yes.
But I think also they give you an extra year.

Let's see. Seems like I read that somewhere. Oh, this is an interesting little point. I didn't mention this earlier with DNSSEC. We went and validated the domain. You have to turn that off before you transfer a domain. So just stick that in your back pocket to remember. You cannot transfer a domain, like, you have to unlock the domain and turn off DNSSEC if you've turned it on, if you're going to transfer. Yeah, Stacey, I can't, I think you're right there, Stacy. Yeah, and classes saying the same thing. I can't find where it says that here, but when I've transferred a domain to Cloudflare, they add it, you pay for a year but they add a year to whatever the current date is. So it's a, it's as good of a deal as you're gonna get on a transfer. Okay, class, that's a good, yeah. If, if you're already at the max prepay level, then yeah, they don't add a year, but that's generally not the case. So really easy to use them as a registrar. And now, so here, by the way, here is one caveat with using Cloudflare as the domain registrar: you cannot, or let me say it this way, you must use Cloudflare to manage your DNS if Cloudflare is the registrar. So you can't, I don't know why you'd want to, but you can't manage DNS elsewhere if you're registering the domain at Cloudflare. I've never found that to be a problem. But just note that that is, that's a thing.

Oh, there's something I meant to cover in the last hour and I'm going to do that now. I'm going to scroll back up here in the Cloudflare setup process. Okay, so we were here, we talked about, let's, this, this issue with importing DNS records. I showed you the process of importing from a DNS provider, like we exported the DNS from GoDaddy, import it into Cloudflare. There is something here that I want to show you because it's not immediately apparent. And this is super helpful. So you may, like I did, have a number of sites where the DNS was actually managed with cPanel. cPanel
DNS is great, really easy to use. But there's not a clear way in the cPanel UI to export a domain file, like we just imported from GoDaddy. I don't know why that is. It's been requested for years, but cPanel has never done it. But there is a way to do it and it will save you time from hand entering all those records. Let me show you how it works. So I'm going to jump over to the WP Nathan's cPanel and just, there we go. And what you're going to do, and this is again, this is weird, and I wish they would do this differently, but this is what they do. So we're going to grab a recent cPanel backup, and we're going to go here to backup and just download our most recent full account. I just hit the Cloudflare rule. I wonder what that's all about. There we go. That was really weird. Okay, so if we have time, we'll go and look at the rule and see what hit that. So here's a recent, recent account backup. I'm just going to download this and it's downloading this tarball, which is like a zip file. It's downloading it to my desktop.

Can take a minute. You're going, it's rather large. It's a gigabyte. Loading, loading, loading. Let's go and, okay, so here is our backup file. All right. Now this is so weird and I wish they would do something different, but this is what you can do and it works. So we're going to unzip or uncompress this tarball. Again, takes just a minute to do because there's a lot of stuff in here, it's a full cPanel account backup. What's got to expand all the things.

Yeah, this is a really old backup, but it'll still work for illustrative purposes. Slowly, very, very slowly. There is a file in here that you can use to import, but you have to download the whole stupid thing to get there. Moving, moving, okay, almost, almost. Come on. Come on. There we go. Okay, so once we open up our folder here, we're gonna go to the DNS zones folder. So right here is this uncompressed. There's our DNS zone and look, there's WP nathan.com.db.
We're going to rename this to dot txt. So it's just a text file. And yes, I want to use this, and now this file can just be imported right into Cloudflare. Just like that. It's a backwards process, but it will allow you to import from cPanel, and even as long as that takes to download and whatever, that's still better than hand entering DNS records. Yeah.

Paul is saying you did not have to rename the .db file. Great. Well, that may have been a change in Cloudflare, because you used to have to rename it to dot txt. So great if you can import that. I haven't tested this recently. So yeah, if you can enter the .db file then you don't have to rename it. That's great. Good. Good, good news. So that will save you time if you're coming out of cPanel and into Cloudflare. Any questions about that before we move on?

All right, let's talk a little about Turnstile. So Cloudflare Turnstile is a CAPTCHA replacement that many of you are aware of. It's been integrated into Solid Security for some time now, and again, think of it as, Turnstile is the same thing as a managed challenge, only in widget form that can be added to some sort of form, like a login form or a comment form or a checkout form or whatever. So it is the same thing as a managed challenge. It's just a widget instead. So now you do have to create Turnstile API keys to use it, right, and so you do that at, so many windows. All right. So we're gonna go to account icon, Account Home, Turnstile. Account Home and scroll down to turns, Turnstile, and here's our keys. Now, here's the catch. Cloudflare lets you have 10 Turnstile keys per account. So, a couple of things. First, you might not need more than 10 Turnstile keysets. So for me, I don't need more with all the sites that we manage, because in most sites comments are turned off so we don't need comment protection. We're not using it to protect forms because we use Gravity Forms Zero Spam, and we're protecting the WordPress login page with a WAF rule.
So I'm not really using Turnstile API keys at all except for WooCommerce sites, which we protect with the Simple Cloudflare Turnstile plugin. And for those we do need Turnstile keys. Now if you need more than 10, just create another Cloudflare account. So the beautiful thing here is you can create multiple Cloudflare accounts with different email addresses, and then what you do is just make them members of each other, so that whatever account you log into has access to all the domains that are in all the accounts, and it just makes it really easy to manage. So don't let the account limit necessarily bother you, because you can just simply create more accounts and link them together as members of each other. Does that make sense, everybody? So you create Turnstile keys right here just like you would a reCAPTCHA key. The domain does have to be in the, this account. And you just go from there. Any questions about that? pod for Turnstile? Super, super helpful.

All right. We talked a little bit about this. Cloudflare does give a lot for free. They do place certain limitations, like 10 Turnstile key pairs per account, 50 API keys per account. So we actually limit, the number of domains in any account is 50. Even though you can have unlimited domains in a Cloudflare account, you can only have 50 API keys, so we only put 50 domains in an account. So we have multiple accounts that meant that are linked to each other as I described. Because the API keys are needed for, to connect LiteSpeed to flush the cache. So you can, again, just like I described, use the same delegation process to, to connect those accounts to each other. And it's really easy. So when you log in to any of your accounts, and this is what's really neat, when you go to Account Home

hang on a minute. Let's see, profile isn't, no, hang on. I can't see it here. When you log into an account that's shared with other accounts.
You can actually see all the websites you have access to and find the website very easily that way. I can't demonstrate that on the screen right now. But even, you know, we have like five different Cloudflare accounts now that we're juggling, but you log into one of them, you can search and find the website you're looking for because it's been, we have access to it, and you just go right to it. It's really simple to connect those accounts together. That was a poor explanation, I think. But does that make sense? Any questions about that? Linking Cloudflare accounts makes things super easy.

Okay. Paul has a good question in the chat. So let's say you have a client in Cloudflare and you give them account access, and they come back in with "I don't know anything about Cloudflare," if they want to leave. So at that point, the answer is, I'm sorry. That's why you hired me. Cloudflare manages your DNS, and give their next web provider access to the Cloudflare account, and if they don't understand how to use it, I mean, that's on them. Right? I really don't have, I mean, Cloudflare is pretty industry standard now, and if you don't understand how to use it as a web professional, then you probably need to learn. I don't want that to sound arrogant. I just think that's the way it is. Yeah. If they leave then they leave. Yeah. Is that fair? That's good. Stacey. Yeah, give them a DNS export. Good. Yes, send them to this webinar. I mean, honestly, if you're a web, a web professional, even if you didn't know anything about anything we were doing here, you can log into Cloudflare and see what to do with DNS. It's really simple. If the DNS settings in Cloudflare, and I'm not talking about firewall rules and all of that, like, oh, so if a client were going to leave me then I would probably set up. Yeah, fit. Let me, let me reverse my thinking on this a bit. Paul.
If, if I was going to offboard a client whose site is managed on Cloudflare, I would probably set up a new Cloudflare account without any of our firewall or any of the security settings, that just had the DNS, and move the site to that account and give them access to that, because I would, I wouldn't want any of our security settings to go forward with them, the world, whatever's next. So Ben's saying he had to do that on Monday. Yeah.

Yeah, that, give them a naked Cloudflare account that just has the DNS in it. All right. Something else that's really neat is Cloudflare email routing. We talked a little bit about this yesterday, and I've given the whole process there for that. I'm not going to go back and re, get into that. Pretty, pretty thorough, but basically Cloudflare lets you set up email addresses without an email server that forward to another address, and if they're forwarding to a Gmail account, for example, you can set up a send-as address so that it can receive email as info at your domain, and it can send email as info at your domain. All that can be done free within the Cloudflare email routing settings. Let's see, it looks like this.

The last thing, yep. The last thing I'll mention, and we've already sort of dealt with this, is troubleshooting WAF rules. You may run into things. If legitimate traffic is blocked by a WAF rule, go to that activity log. That's right here. Websites AP Nathan. Wow. Yeah, go to your block rule and see what traffic has come in that's been blocked. Oh, this was, maybe this was good traffic. So we need to figure out a way there. How do we let this come through? Now, by the way, don't, you know, if he's, oh, Google is blocked? Well, I don't think that's the Googlebot. That's actually a Google Cloud server. So a lot of times this may be a compromised server that's trying to get access to things. So just because you see Google doesn't mean it's legit, or, you know, Amazon, AWS or whatever.
Sometimes those are legitimate, or they are, they are compromised sites that are hosted on Google's infrastructure, for example. Anyway, you look at, look at the activity log, load entries that pertain to that specific rule by clicking this little number in the analytics here that loads one day, there we go.

And actually, I don't know what this flex potential is, maybe we wanted to allow that, so we could add this as into our skip rule or whatever. But the log entries here are what you're going to look at to further refine your, your rules.

All right. So that brings us to the end of the course. That's it. We've gone a long way in the last few days. We got our site live on Cloudflare. We've got recommended settings and all of these things. Now we've got some time for open Q&A. What do you think? Questions, comments, snide remarks, all of them are available at this point.

Questions from Paul, okay. All of this setup work is built into the cost of a website for a new client, correct, or do you factor in a cost for this going forward? How much extra, if anything, would you charge for doing this? Great question. So I would actually wrote this is a management service. So this is part of security that we provide for the client. And it's part of onboarding a site into our website management process. So I don't charge extra for this. And honestly, it took a little while to go through all of this. But once you start to do this over and over again, you'll migrate a site into Cloudflare in like five minutes, like it'll be, it's pretty quick once you get used to it, and especially if you set up little shortcuts like I did with my TextExpander. It really doesn't take long once you get all your rules dialed in and how you like things. It doesn't take long to do. And so I don't charge extra for that. It actually, what happens is, it saves me work on, you know, in the future, because the site's being protected and much better.
And Tanya, yes, I just dropped in the link in the chat for the updated course handbook. There were three different edits I made around web application firewall rules that were like little typos, and some of the quotes were squiggly quotes instead of straight quotes, that sort of thing. That's all fixed.

Second question for Paul, how about setting this up for existing clients, extra service? And the same answer for me on that. When we migrated all of our clients over to Cloudflare back last fall, we didn't charge extra for that, because it makes things easier for us to have those clients all in Cloudflare. More secure, less traffic on the server, all of that. Yeah. When there's nothing, as, you could certainly charge more for it. I chose not to because it's part of the management service. Do I notify clients? The ones that I thought would be interested? Yes. The ones that just want to know their site is secure? No, no, but you know, we'll raise our rates again here probably in two months, and I'll let them know all these extra things we've done at that point. But in a very, you know, you got to communicate with clients. Some clients don't care about all the little things, right? So you don't want to overwhelm them with information. So for the clients that are non-technical and they just want to know that we're taking care of their site, I would just mention that we've added a network layer of security that blocks, you know, something like, I'd word it in such a way that was, you know, a high level, a level of security that blocks a lot of bad traffic before it ever hits the site. Just to show them, you know, we're constantly improving their security, and that's what they're paying us for. Others, you know, they have a technical person, the ones that have access to Cloudflare. And by the way, some of those, that's a, that's an interesting little point here.
Some of the, our clients, the ones particularly that have access to Cloudflare, are clients that have an internal IT department or things like that. And so there was a bit of a process. So we had a canned email that went out of, "Hey, we're in the process of moving to a new server, and in doing this we're also getting all of our DNS uniform. And we want to move everything to Cloudflare. Here's why." In some of them we actually had a, you know, a quick call with many of those IT folks, like, "Yes, great, let's do it. We like Cloudflare, you know, we know about it," whatever. And so we just set up the account, delegated access, good to go. But it really depends on the client and their level of involvement, or if they have IT people, etc.

Doug, for the web application firewall, if I use the block action for country equals UK, and Google is still indexing my website in the SERP, what happens to a UK visitor when they click the search link to my website? Yeah. So the blocking traffic from a different country shouldn't impact your SERP and where your site shows up in the SERPs. What will happen is, if you're in the UK and you click the search result, you're now going to WP nathan.com with a geo origin of UK, which triggers that firewall rule to present a managed challenge. So we're not challenging Google. We're challenging traffic with an origin and a location where we're saying it needs to be challenged. So that's why you want to modify those rules such that any, you know, if you have legitimate clients that typically come from other countries, you know, whatever, let me say it this way: whatever countries that you have legitimate customers, clients, whatever in, that would be coming to that site, allow those. But turning off or only allowing traffic from those known good countries can filter out a lot of garbage traffic, bots that are coming in from all over the world.

Paul is asking, how do anonymizers get affected by geolocations or VPN?
I mean, it's, if I come in, if you, if I turn on my VPN right now, and I say I'm in Belgium, and I try to visit a site where the WAF rule only allows US and Canada, I'm gonna get a managed challenge because the geolocation is coming in as a different country. Yeah. So anonymizers impact WAF rules, because they, they present as coming from that country, because, I mean, they actually are, they're routing traffic through a server in another country. So that's just how that works. Generally, though, the bot garbage traffic isn't proxying, they're not standing there. They're coming from other parts of the world and it's noticeable.

Ben, when using support like from India for like WP All Import, they need access? Yeah, but you can still challenge that traffic. That's the thing is, we're not blocking traffic from those countries. We're putting a managed challenge in place, meaning people, you know, if it's a support technician coming in from a country that hasn't been specifically allowed, they're just gonna get a managed challenge. And they can log in with the, you know, it's not blocking the traffic. And so I wouldn't change my WAF rules if support is coming in from a different country. They'll just pass through the managed challenge and then do what they need to do. So you're, it's a challenge rule, not a block rule. Does that make sense?

The managed challenge will stop bot traffic because bots don't really have a way to validate a managed challenge yet. But who knows, right? The bots will get better and then Cloudflare will get better and then the bots will get better and the Cloudflare will get better. That's just the way it goes. Right. All right. Anybody else before we wrap this one up? Okay, who's ready to add Cloudflare to some client sites? Do you have everything you need? Are you equipped to, to add a client site to Cloudflare? Any final questions before we wrap up? Awesome. All right. Well, hopefully this was helpful to you.
We are back tomorrow for office hours. We joked in the pre-show today that anything that breaks when you add these rules, just ask me tomorrow in office hours, we'll deal with. All right, we'll see you back here tomorrow, office hours, one o'clock Central time on Solid Academy, where we go further together.

Transcribed by https://otter.ai

Cloudflare for Agencies

You’re a busy web agency owner. You’ve heard about how others are using Cloudflare to protect their websites, but you’re not sure where to start. This course from Nathan Ingram explains how to implement free Cloudflare features to substantially increase the security of your websites. It will save you time by giving a no-fluff explanation of the features you should use and the ones you should ignore. Included is a proven checklist for setting up a site in Cloudflare, including suggested WAF rules.

Note: this course assumes you have a basic understanding of DNS. You can learn more about DNS in the first hour of the Web Foundations Workshop.

Included in this Course

  • An overview of Cloudflare and a walkthrough of the major features
  • How to set up Cloudflare for WordPress client sites
  • How to set up important WAF rules
  • A proven process for migrating sites into Cloudflare with no mistakes
  • Other Cloudflare features like domain registration and email forwarding
  • Protips for smoothing out your Cloudflare workflows