Using Cloudflare with Your WordPress Website

SolidWP Marketing1h 21min

Nathan Ingram00:02

We are just about three minutes out

Nathan Ingram00:11

glad you're all here again, if you're just joining us in zoom pop up in the chat, say hello, tell us where you're logging in from today and now everybody is jealous of Amelia, enjoying a 77 degree day there in Sri Lanka. Yeah, that sounds nice right now. All right, captioning should be working. We are just about two and a half minutes out. Now if you're just joining us in chat let me give you the link to the webinar guide that you see on your screen. It's got all the things where today Hey, Shannon from Denver class from Little Rock, Stacey from Colorado and it's cold in North Carolina according to Beth. So welcome, everybody. Glad you're here. While we're waiting at let me just pardon me, let me show you a webinar that we just got scheduled literally a couple of hours ago. Chris and I were working on the plugin roundup for next week and we realize there's a whole bunch of AI plugins for WordPress. And so I thought, hey, let's just do an AI webinar. How about it and so I registered for this one. It's a free one coming up one week from today. It's gonna be a lot of fun, some really cool uses of AI with free WordPress plugins and some of the other things. Yes, the title and description of this webinar were for the most part generated by Chet GPT with a little bit of editing from me, but yeah, it's it's gonna be a fun webinar here. That's a week from today. It's a free one. So join us for that. We got some really cool stuff to share with you also, the new WP nathan.com website which has been in the works now for a little bit created mostly by AI actually. So it's pretty cool. So we'll be debuting that one on on that AI webinar date as well as the content Yes, the content created by AI. So welcome, everybody. Glad you're here. We're a minute out from starting let me drop in the links to the guy that you see on your screen there. You can download that as a PDF. Also the replay chat log and all that stuff is at the link. same one you use to register as always, for this event. We're talking about Cloudflare today, just about 30 seconds to go. If you've just joined us in zoom pop up in the chat say hello, tell us where you're logging in from today. Make sure you're chatting with everyone make the little box beside the two in the chat drop that down to everyone rather than just hosts and panelists

Nathan Ingram02:52

just about ready to get started now. Boy do we have a lot to talk about today.

Nathan Ingram03:03

All right, who's ready to learn about Cloudflare Yay. All right, let me get the recording started. It is three minutes after and we will get going. Well good afternoon everybody and welcome to another live AI iThemes Training event. My name is Nathan Ingram. I'm the host here. I iThemes Training and we're talking about Cloudflare today this is a by popular demand training that we're making available to everyone at no cost. Lots of questions about Cloudflare came up last week during our I think security webinar on which Timothy two Jacobs the lead developer providing security feature the newest settings, and I think security that lets you add the Cloudflare turnstile, which is a more advanced take on the reCAPTCHA system, as well as h CAPTCHA both of those additional CAPTCHA protocols are now available. And I think security we had a lot of questions about Cloudflare that came up. And we actually had a an opening today. So I thought, well, we'll just drop in a webinar. And so that's what we're doing today. And this is a webinar based on stuff I've learned about setting up Cloudflare for our agency websites. Which we are in the process of doing. Manu I am not going to talk about quick cloud today at all, it's just gonna be Cloudflare. So I know that comes up a lot. They are completely separate in most cases, they do not relate. So we're just gonna be talking about Cloudflare and we have a lot to cover today. So lots of free features are available in Cloudflare. From for anybody to use, there's also some good paid features as well. We'll be highlighting mostly the free ones. As we're getting started. I want to mention something that I mentioned during the pre show, and that is a webinar for one week from today that I scheduled mere hours ago on the iThemes Training website. I'm going to drop that link in the chat again, if you're watching this on the replay, just go up to upcoming webinars and you'll see it in the list. You may have to go to the hit View next and it'll show up in the full list there. But this is a webinar all about free AI tools and WordPress we realized in preparing for the plugin Roundup, which is next Tuesday, if they were cost Chris How many was it five or six different really cool looking AI plugins for WordPress. It lets you do some cool things. And so we thought hey, this might be a fun opportunity just to you know, show some of the stuff we've been playing around with with AI and some of these new free plugins that are available to bring the power of chat GPT and some other AI tools into WordPress. And yes, that's what that's gonna be about. It's a free one on February the eighth at 1pm. So sign up for that one. It is going to be a lot of fun. So just a couple of bits of housekeeping before we get started here. If you're just joining us, I'm going to drop in the link bundle for today. So you can download the webinar guy that's right here on your screen. If you're watching this on the replay, click the Download handout button that's below the video. We'll also be saving the chat log because sometimes some interesting discussion happens or other links are shared. So that'll be shared on the webinar replay page, as well as the transcript which is being captured by otter right now, which is always cool. And by the way, somebody told me I didn't realize this but you can actually listen to the audio right there on the transcript with the auto replay page. That's pretty cool. Just in itself. So anyway, let's get started. So let's quit. Take a quick poll. One more thing. How many? If you have questions throughout the webinar, please use the q&a, which is right there in the Zoom toolbar. You should be able to just mouse over the screenshare that you're looking at the document and see the q&a button. Go ahead and click that and have that little q&a window open. And you can upvote the questions that you also would like to see answered throughout the webinars. So we'll be taking questions in the order of up votes when we get to a time of q&a in this webinar. All right, so quick poll in the chat. How many of you are currently using Cloudflare? In your work? Give me a yes or no right there in the chat. Lots of folks are Yeah, some are. So let's do this. How about on a scale of one to 10 one being what is Cloudflare and 10 being I am a Cloudflare ninja? How would you rate yourself on your skill for using Cloudflare? Awesome we got a few really high scores there. Curtis a nine. So Kurt, you may be helping me answer some questions today. I'm not sure I've written myself a nine either. But I've learned some things and I've got some processes and that's what we're going to share today. So let's talk a little bit about Cloudflare. And for those of you that aren't really familiar with it, we're gonna do a little bit of introduction, just to make sure everybody understands what we're talking about. Here. So Cloudflare basically, is a web performance and security company. They provide services like a content delivery system, a DDoS protection, that denial of service attacks to protect you from bot attacks. They give free ssl certificates, firewall rules, all in all to protect and enhance the performance of your website. So your website can benefit from a speed increase better security, make it more scalable, as well as analytics and insights and things like that. So our goal here is to really dig into the free features of Cloudflare. Now there's some others and we may mention those, but we're not setting any of that up this is going to be just the free features of Cloudflare that you can start using right away with your website. And if you're managing client sites, especially your client sites, because I'll be talking a lot about that as we go. So let's talk a little bit just about Cloudflare itself. Here's some interesting Cloudflare statistics that I came across earlier. As of 2021 Cloudflare had over 20 million internet properties using its services. That's a lot. So there's a lot of folks using this. There's a lot of traffic going through it and as a result Cloudflare gets a lot of intelligence about attacks and threats and those things and can make those make the fixes and preventing those sorts of attacks available to a lot of people. Cloudflare is global network 200 data centers and more than 90 countries, they're spread out across the globe. In 2020 Cloudflare blocked more than 150 billion threats every month. 150 billion threats a month, and their network have rigid averages and more than 50 100 million requests per second. So this is a lie. Cloudflare is a big deal. And you may remember at one point last year Cloudflare had a little blip and they went down for a little bit and the Internet was affected right the internet at large. Cloudflare is a massive has a massive presence in the global Internet space. And they're really they're they're very transparent company, their privacy focus. They're a company that you know, right now, I could say you probably trust these folks. They're a good company. So how does Cloudflare work? So basically Cloudflare stands between your website and the internet. So without Cloudflare visitors crawlers and bots and attackers, just go straight at your website. And so for a lot of folks, maybe you're using a WordPress security plugin, like I think security. I think security is a great plugin. It would sit right here to protect against your naked website. I would suggest that adding Cloudflare to the mix has another excellent layer of security. And so with Cloudflare what happens is Cloudflare stands between all these folks and your website. So visitors come through by the way with a faster connection because the DNS that Cloudflare uses, oftentimes short circuits the route to get from a visitor to your website. You can also filter crawlers and bots and it's gonna stop attackers in many cases automatically. And then you have another layer of protection with a WordPress based plugin. Like I think security or server level security through your web host. So it's an excellent set. Well it really I think have a first option to help filter traffic and then you can rely on secondary options like host based security, plugin level security, all these things are good and they work together. So does that make sense? Before we go any further, everybody good on Cloudflare? Any questions about what is Cloudflare in general they got that John wants to know who owns Cloudflare Cloudflare owns Cloudflare I believe they are their own company. I could be wrong about that. That's not a question I've researched but I believe they stand alone. Okay, so

Nathan Ingram11:36

what are the top Cloudflare features for people like us and by that I mean, either you are a WordPress site owner or more specifically in our audience here on iThemes Training. We especially cater to people who manage WordPress sites for clients. So the top free features for those of us doing client work with WordPress where you have your own website and you're managing it yourself are as follows. And we're gonna dive in more on this later but just as an overview Cloudflare primary thing is DNS. So DNS is with Cloudflare easy to set up and use. Very simple control panel. And the nice thing about Cloudflare DNS is rarely do you have to sit around waiting for these changes to happen. They just happen. They're lightning, fast, fast, reliable resolution of domain names and IP addresses. That's because Cloudflare has fast pipes. It's usually very quick for a user when Cloudflare is running the DNS to connect right through to your website. So it's fast and reliable. They respect user privacy, they do not sell user data to anybody. So they say I mean what you know, we take that with a grain of salt, of course with any company today but you know, Cloudflare is big enough and used by enough folks that are privacy minded that we would we would know likely if that was happening. They can handle high traffic volumes. And they're designed for scalability. So the nice thing about this is let's say you have a site that's on Cloudflare and it hits you know, it gets picked up in some national media story and boom, you've got a ton of traffic. By simply flipping on a few features in Cloudflare some paid features, you can without doing much else, increase the scalability. Of your website almost instantaneously. It's excellent Cloudflare also really can enhance your security, like we talked about briefly before, it's going to automatically block much malicious traffic and they'll protect against DDoS attacks. They just they have they're watching so much traffic that their AI can detect those sorts of attacks and just stop them in the cloud before they ever even get to your website. They have a really strong web application firewall that lets you put in some specific rules. I'll be sharing some of those with you later. They also allow these custom security rules and policies Cloudflare gives you free ssl certificates that work by the way, whether or not you have something like Let's Encrypt on your server, the Cloudflare certificate will take precedence over that it's free. It works great. They employ IP reputation technology to block malicious IP addresses. Rate limiting you know somebody's hammering away they just deal with that automatically. Bot management allows site owners to block bad bots and allow good bots because Cloudflare knows who the bots are. They're managing that much traffic. And they also have this real time threat intelligence. That's their AI that's sort of watching all these things, and making sure protection stays up to date across the board. So really good stuff. Something else that's really cool here that they just added fairly recently is email routing. So if you have for example, a website, it's just like a simple project or whatever, and you really want a an email address at that domain, but you don't want to spin you know, whatever it is to just set up an email address for some little project Cloudflare has this email routing where you can set up an automatic routing at the Cloudflare level. So you know info@mydomain.com forward to this particular Gmail address. And by the way, the Gmail address there's some stuff I'll show you later that will let you send as that email routing address so you can have essentially free email at a very limited level using this free feature in Cloudflare. Cloudflare is also a domain registrar and it's one of the cheapest out there to be honest domain registration with no markup pricing and none of those hidden add ons like some domain companies do. You can manage all your domains within that Cloudflare interface where all your websites are kept. They give you free domain privacy, which is nice. And here's just an example of pricing a.com costs $8.97 wholesale rate, the ICANN which is the you know the organization that manages the registry as an 18 cent tax on each domain name Cloudflare doesn't cost anything. So a.com Every year is $9.15. Currently, you're not going to find it cheaper than that anywhere because there's no markup. So this is a really good feature with Cloudflare so now that we kind of have an understanding of the basics of what, um, you know, what is Cloudflare and you know what it can do, let's get into how we actually use it. So how do we set up our website on Cloudflare? Let me just drop the links and again, if you're if you've joined us late, let me give you the handout link once again. So you have the PDF that's here on the screen. So the one thing I will give you is this caveat right here. Cloudflare is designed for technicians. And so it assumes that you have a little bit of understanding about the technical aspect of the web. If you don't understand DNS, you can really really mess things up. There are some features in Cloudflare. That might sound good to turn on, but it can cause unforeseen consequences if you do so there's you have to have a little bit of knowledge. I'll be pointing out some of those things as we go. But just be very, very careful about turning something on without fully understanding what it does. Okay. So you know, if you need some help, look, you know, find you a professional geek who understands these things and can help you. So, obviously the first thing you're going to need to do is create a Cloudflare account. This is a no brainer, right? So set up a Cloudflare account, use an email address, whatever. Just note that especially if you're managing lots of client sites, here's a a default 50 domains that can be added to every Cloudflare account at the free level. There's multiple levels as you're setting up your account. You can you go through and I don't know goodness. Let's see. I can't really demo this because I don't have an email address to use but as you set up your email address first, you'll see various pricing plans and underneath that you'll see a free level that you can select. At that point you'll open up a free account doesn't cost you a thing at all period. There's you don't have to don't have to put in a credit card or anything. And at that free account level, you can add 50 domains. Now, I've searched on this and I put in a question to Cloudflare support about this and I haven't gotten a response back. There's posts in the Cloudflare community like a threaded message board that indicate that all you have to do is contact support, and they'll increase your number of sites in your account without there being a problem. I have not yet seen an answer to that. But I've seen multiple posts where that's the case. And so I assume that that works. And so I would suggest putting all of your client domains in your Cloudflare agency account. There's not really a a delegate access feature. Plus, you'd have to set up an account for your client so there is a very simple process to migrate a domain to a new Cloudflare account. If for example, you've got to domain your Cloudflare account and the client wants to go somewhere else you can migrate that domain over to the a new Cloudflare account or just change the name servers and pull Cloudflare out of the equation completely. So that's what I would recommend doing. That's what we're going to do. And that seems to work just fine. That makes sense to everybody. So just set up a Cloudflare account, choose an email address, you're good to go. So there is a full setup process of adding your domain. I mean, you literally type in your domain name right and there it is. So let's do some of this. I have ready to go here a the Cloudflare account I have set up for demo for my I themes that up Nathan has already set up here. We're going to add another site just to show how this works. The full processes here but basically you just add a site. We're going to use this dev domain that I have called WP one dot Dev and we're going to add this now what's happening right now oh, here's where it is.

Nathan Ingram19:39

Scroll down below these paid options to the free version, click it and hit Continue. There we go. Now right now what Cloudflare is doing is going out there and looking at trying to find all the DNS records that are associated with WP one dot Dev and there's a bunch of them. So you know here there's a subdomain setup like this. Those of you that were in the Starter Site know pardon me the the optimizing a Starter Site course last year, we had all the subdomain setup for like an Elementor version and the Kadence version and whatever. And they point to all these the IP address of the the VPS that all the stuff is on look at pulled some Google I just fake these end but these are Google MX records to run Google workspace and even pulled in a couple of TXT records which by the way doesn't often work. For some reason it pulled these in that is not usually the case. It pulled in a CNAME This is put for postmark mail delivery service. So it goes in it does its best to pull in as many of the existing DNS records as possible. Now, I will absolutely 100% urge you to do not go past this step until you have validated with your own eyeballs. The fact that all of the DNS records match from wherever DNS is being handled now into what Cloudflare just pulled in, verify one by one that those records are there, because frequently, it Cloudflare will miss these TXT records. And like just like Sue is saying in the chat if you use something like 365 email or Google workspace, they've got all those SPF and the SRV records and all those things. It misses those text type records a lot. Now in this case, you can see it pulled it in that's in my experience, not normal. So it usually gets the see names. Virtually it's all those I don't I don't think I remember a problem with that pulling those in. It generally gets all the A records, but just go through before you go past this step. Go through and one by one. Make sure that those records exist. If you need to add a record it is this simple click Add Record. You choose the record type you know if it's a TXT record, you put in you know, whatever the name of that TXT record is and drop in the content right there and hit save right you just add add add, add add and so you've got all your records matching. Does that make sense? This is the hardest part of moving a domain into Cloudflare just matching up that DNS and honestly, there's not a shortcut way around it. You could import the DNS records. If your current DNS provider gives you a method to export them. But yeah, otherwise validate them eyeball by eyeball. Okay, make sense? Everybody? Good to go on that. So let's assume this is good. We cancel that. And we're going to hit continue like we have gone through and Oh, Sue, what a great yes. Great thing there. I wish I'd put that in the handout. What a good idea to go through. And I'm going to actually change that suggestion just a bit. You could screenshot the original DNS settings. What I would suggest that you do is do a print and print it to a PDF because you can copy from the PDF and I don't know about you don't want to hand enter one of these five, you know, giant character long text records with all these, all this stuff right here. I don't want to try to hand enter that can you imagine? So? Copy and paste and it'll work. You can do that from the PDF. So just file print as a PDF and then you should be able to copy and paste. And Stacy Yes, even with you know what, even the ones that are imported, you want to make sure that they are matching. This is the one place that most frequent errors occur. Okay, so we'll have we have we run that into the ground. Make sure you double check your DNS records. Okay, so from this point, we're gonna, we're gonna assume we've done all that we're good to go everything matches we're gonna hit Continue. And now it says, Okay, this one is managed at GoDaddy, this domain that one, so we're going to remove those existing name servers, we're going to add these two new Cloudflare name servers, and that's going to connect the the domain to Cloudflare. Now I neglected to get my GoDaddy account up here so that I could do this so give me just one seconds to log in and change this. So we're gonna see actually how long it takes for this name server to update. And if it happens, quick, great. If it doesn't happen quickly, then I have another domain we can use to demo it. So let me get up one. Right. Okay, so here it is. Here. We're going to go to Manage DNS. This is all in GoDaddy. We're going to change our host name now. That's now go back to one want to change our name servers right here. So we're going to copy that first one and drop it in. I'm going to copy the second one. Drop it in save. Yes, I can set. Okay, that's done. So let's check our name servers. All right now Cloudflare has a nice little wizard, which you can go through now I'm gonna skip this because I'm actually going to go down every single menu item once you're familiar with the menu items you may find this wizard is just quick and you can just go do it. So I'm going to skip this wizard. And let's see if we if it goes quickly we'll work from WP one if not we'll go to the other domain on the account. Now, okay, it's gonna take a minute so I'm gonna go back then to my it's still pending right there. So I'm just gonna go into WP Nathan. And we'll pretend like this is the one now that we have resolved our name servers. It's all good to go. It's ready to go. Now by the way, you can go ahead and make all these changes pending the name servers. But I want to be able to demonstrate some of this for you on up Nathan, just in case. And so we're going to walk through the settings here. Okay. All right. So let's go through the very first thing I want to do before I go any further is to make sure SSL is set up. So suddenly, if we've got like this name server thing changing. There's the smallest potential that something might get weird if when we're using a server generated SSL certificate, like Let's Encrypt or one of the cPanel Komodo certificates or whatever, or if your web host whatever it is, is using some other free it's usually Let's Encrypt that they're using. But I want to go ahead right now and just go on as soon as we get the name servers changed. I'm going to go here under SSL, and I'm going to turn this set this to full and I want to toggle on this setting. And we should be good to go. So what this does is it tells Cloudflare that we want to use Cloudflare SSL to protect the website. Now if you have Host Based SSL, it's fine. There's not going to be any conflict of the Cloudflare certificate just takes priority because the traffic is passing through Cloudflare first, and so that's the SSL certificate that's used to protect that traffic. It you know, if you turn Cloudflare SSL off your server, SSL is still going to be there. It's not a problem. So yeah, just make sure this is on. That's the very first thing I would do. Just to make sure you get there's no SSL issue while the propagation is happening, and so forth. Does that make sense? All right. So now we can actually start exploring some of these really cool settings within Cloudflare and it's going to start up here at the top with DNS. Now, we do have some basic analytics here that are pretty cool. You know, it's very, very basic, simple traffic stats, but we're going to start up at the top here with our DNS record. So here's all the things and an important earlier to the exact list that we looked at a minute ago. But there's a couple of things that we want to toggle on now. There if the setting didn't need to be changed. I don't think I referenced that here. I'm only talking I'm only mentioning the things that need to be changed from default here in the dock. So here under DNS, you've got your records and this is where you would go if you need to add a record later. Like if you add something like a transactional email service, like postmark, they say hey, you got to add the CNAME and you've got to add this TXT record. You go right here, click Add Record. This is where you would do that under DNS and records but there's a couple of other settings here that I would do. The first is DNS SEC now I clicked this earlier and I started that let me just click Confirm to cancel it. So literally it looks like this. When you see it I think it just says set up and I may not be Yes right here. So click Enable DNS sec. Now what DNS SEC it's basically extra security to prevent a hacker from somehow spoofing your DNS, it can happen. It's advanced, but you know, it's a simple click this on Cloudflare is gonna start doing some stuff in the background and you know, a few hours or tomorrow this will all be set up and working. They give you

Nathan Ingram29:39

some things to add here. You just follow these instructions to set up your DNS sec. It's a good extra bit of protection to use. The other thing here is email security. You can also right here set up the SPF records demark DK aim to further to further protect your email. Now, you know these are more advanced things. I don't really have time in this one hour webinar to get into the details of all these records. There's full Learning Center articles on all these if you want to get into setting up you know the details of setting up DNS sec, or email security. There's Doc's that explain how to do that. It's gonna get to you need to know what you're doing on both of those, but it can add extra security. All right, that's all you have to do under DNS. Now under email there's the feature that I mentioned earlier, which is this email routing. This is where you can set up that free forwarding address and you can have multiple forwarding addresses here as well. So all we have to do here is we need to set up a route and create an address. So let's say that'd be Nathan I want something that says hello at WP nathan.com And I want to send it to an email address. Nathan at I themes.com I'm gonna save this and an email validation was sent to my account. So let's take a look at that really quickly. It looks like this

Nathan Ingram31:31

here's the email that just came to me. I'll actually just click Verify. And it goes right there verifying I'm verified so I can reload this page. And it's active right there. So now if you send an email to Hello WP nathan.com It automatically forwards to Nathan and I ithemes.com. Now there is a really great article here if you're using something like Gmail or other free email service, where you can set up a send mail as where you could send as Hello at WP Nathan. So in this way you could set up for example, you know a client that doesn't want to invest an email yet, you could set up a free forwarding and then ascend as all using this Cloudflare service to have essentially a domain level email address at no cost and it works really really well. Also in this area, you can set up a catch all address that like anything at WP nathan.com would forward to one of these validated addresses. I don't know why you'd want to do that. But you could. I know it doesn't have to just be Gmail. I just gave that as an example of a free email service that offers a send mail as option. A lot of free email services do that. I just mentioned Gmail because it's popular you're welcome to spam it spam me there. It's going to this is going to be deleted very soon. Okay, all right. That makes sense. It's a really neat little feature. Absolutely free. Totally works. pretty helpful. All right. So let's move into the next area here which is the SSL TLS area which we visited just a moment ago. We already set it for full when we first set the account up to make sure we don't have any SSL errors when we're getting it going. And we turned on this SSL recommender, which just basically it'll evaluate what's all going on with your server and your traffic and you know, it's going to make sure that you are getting the highest level of SSL that all of the things in the process can support. So that's a good thing. Now we're gonna go into the next area under SSL, which is edge certificates. And here it'll say okay, look, we're protecting start up nathan.com With our universal certificate. That's great. That means if we have subdomains or whatever, as long as they're being defined in CloudFlare, like as a CNAME, or whatever, we can protect that with the Cloudflare SSL certificate. So there's a few things I would turn on. So total TLS should usually be turned on. Let's see. You do you have to have advanced ticket manager on which turned on somewhere

Nathan Ingram34:25

yeah. Oh, this is not my main domain. So if you put in a billing information, you can turn on this certificate manager. You don't have to the basic the basic certificate is fine. But basically what this total TLS is going to do is it's a better approach to make sure that all the things in your website are appropriately covered by SSL certificates, whether it's, you know, different subdomains or whatnot. You do have to set up a billing, putting your card for that so you can buy the free product to turn on Advanced Certificate manager. Then you can add this. It looks like Deb's cat stepped on the keyboard and entered about 18,000 threes in the chat which is awesome. Okay, so always use HTTPS that needs to be on like I want to always make sure all the traffic is coming at my website and HTTPS. So for some reason, there's a link out there that's just HTTP. It's going to fix that so that it comes in at HTTPS. The next thing we're going to turn on here is this HS T S, the HTTP Strict Transport Security. Essentially what this does is it helps to protect from a kind of attack called a man in the middle attack. And we're just going to click Enable here. You have to read and acknowledge that bad things can happen if you use this and essentially it boils down to this. If at some point in the future, your site stops having an SSL certificate for some reason then nobody is gonna be able to view your site at all because this particular feature stops any traffic from going to your website that's not protected under an SSL certificate. So I understand that and I hit Next. And basically, like I say, in the things here, toggle on all options, and select the six month recommended option for here. We just toggle all of these things on and we are protected from that man in the middle attack. Done. We're going to set leave the default setting here for TLS 1.0. There are others but some older browsers might not support the older versions of TLS. We'll leave it at one that's the default app and the rest of the settings we just turn on these are other. You can get really technical, you can read the help docs basically they prevent you from they prevent various types of attacks, or hacks. from happening to your website. You can make TLS 1.3 available for those browsers that support it. It's going to automatically rewrite your HTTPS for you. And you can turn on this is a you know this is kind of a you probably want to do this. If some if if somehow a certificate gets issued for this domain controller under Cloudflare. By some other certificate authority, you get an email about that. So maybe somebody is trying to spoof for some reason your domain name and they're trying to register a certificate. This would let you know that's going to happen. Monitor you're asking if you can't get to the site. How would you fix it? You just go in here and turn this off in Cloudflare. But if you're using Cloudflare for SSL, you're not gonna have a problem there. They just want you to realize that if for some reason you stop using Cloudflare SSL and your own self generated whatever SSL certificates stops working, nobody's gonna be able to get to your site with this setting enabled. And ultimately, it's a good thing because it's going to keep your site protected from a an attack that could be used. Okay, so that covers basically everything. There's, there are other options here where you can create certificates, you can set up origin. So these are all very advanced things, setting up custom host names. We're not going to deal with any of that today. We're just locking down our client website with the free SSL and TLS features of Cloudflare. Okay, let's move down to the next section. This is a big portion of the Cloudflare settings. And it has to do with security. So this is really where a lot of the questions and interest comes around Cloudflare or some of these web application firewall rules. And what I'll tell you is this is one of those things that if you don't know what you're doing, you can mess some stuff up. And we actually with some of the rules that I'd given in the past, we realized that it was conflicting with some things like Stripe and a gravity form callback. And you need to understand how this works enough in order to troubleshoot those things. I'm going to step you through a little bit of that here, but this is one of those areas where you know proceed at your own risk. Because within with a web application firewall rule, you are telling certain kinds of traffic, how it's going to behave when it tries to get to your site. So you could break for example, uptime monitors or stripe connections or things like that. That need to just have a clear path to the site. But if you put a firewall rule in place, you're preventing it from doing that. So you just have to know what you're doing in this case. So I'm gonna explain as best I can here, but there's no way in a webinar like this I can exhaustively explain all these things, nor probably could I at all, but here we go. So Cloudflare gives you five for at the free level five WAF rules that you can use for each domain. Unfortunately, they have to be applied for each domain. So you have all these settings you have to do individually for every domain. Once you get used to adding in the domain it goes pretty quickly but all these things have to be done per domain. There's not a way to like multiple select everything and check them all, unfortunately, but basically what you do you create a firewall rule you paste these rules in the Edit expression box, and magical things happen. Now, there are some things here that I'll get to in a minute called these a s NS these as numbers. And like these numbers represent certain internet properties like Google Microsoft, I think this one is up. Yeah, Google Bing. And this one is something I will look these up in a minute, but their numbers so rather than having to know the range of IP addresses that a Google bot uses to scan your into index your site, you can use this ASN which says all of Google that identifies itself, this ASN can pass through to the site. So let's get one of these in and I'll show you how to check what these numbers are and what they mean. So what we're gonna do is we're gonna go under security and WAF or the web application firewall, and we're going to create a firewall rule now if this is what we call for you, if for you this is what we call it. iThemes Training a duct tape moment, meaning I need to wrap my head and duct tape so it doesn't explode. Just don't do this. Like you don't have to add these. This is an extra level of protection that, you know, it certainly helps, but there's plenty you know, just adding Cloudflare is going to filter out a lot of malicious traffic as it is. This takes it to the next level. But you need to know what you're doing. Okay, is that fair? Okay, so, the way I've got the setup, this is the name. I'm calling it of the rule, and this is the action the rule is going to accomplish. This is the content of the rule itself. Okay, so we're going to create a new rule. We're going to call this good bots. So these are bots that we want to go through our site to pass through Cloudflare to our site with no problems like my like Google and Bing and things like that. So these are good bots. And we're gonna copy this expression. And I'm gonna go down now, it has an Expression Builder where you can build these out a little wizard and do ands and ors and stack up your own rules. But you can add this whole thing right here by simply clicking Edit expression and pasting that in. And then what is the action allow? So we're going to let any traffic that meets the criteria of this rule through to our site with no problem whatsoever. And I'm going to hit Deploy firewall rule and this one is now working so allow good bots and you'll start to see as this rule is in place, you'll start to see some traffic happening and how many times this rule was accessed. Now Sue's asking if you don't add any rules will Google get through? Yes. Because you're there's nothing you're doing to prevent it. Yeah. But you know, if you for example, instead of having this allow you put block or give it a manage challenge, then the Googlebot won't pass that. So you have to specifically in my in this case, I'm saying specifically, allow the these are the bots that I want to get through to my site. But if you don't have this rule in place, the traffic passes through because there's no rule to prevent it. Does that make sense? You're not doing anything. Okay. So what do these numbers mean? There's a couple of them. Well, this is a great resource site called IP info.io. It gives you a lock, you can type in an IP address here. Oh, look, there's me. Et cetera. Okay. So you can also there's a tool here. So if we want to know what the A at this ASN is, I can go straight to that page. And let's just look up this first. 115169 Let's just change this. If we went to ASL 15169 Who is that? Oh, that's Google. This is the primary Google bot. And that's how we can we can look this up. So I've got a bunch of things here. So what is at 75? Oops, I did something wrong. Microsoft that's being how about 714?

Nathan Ingram44:30

That's apple. So you can look these up and find out what they are. And if you find it, so like for example, I was inadvertently blocking stripe web hooks to a gravity form payment in my client was like, Hey, we're getting these webhook warnings and whatever. You know what's going on? So we went and look this up, and I realized, Oh, the stripe web hook is it's not it's getting a managed challenge. And so it's not passing through the firewall, so I had to go and first I looked up the IP address ranges that stripe used but then I went and found the ASN for stripe and it happens to be 5091 stripe Incorporated, so I added that to my list here. And now it passes through without a problem. So this is the sort of massaging you may have to do. And I would test this on a couple of sites, make sure your rules are good before you deploy those through apps. And let's see Stacy is saying you have to be careful with some services. There's a WooCommerce client has issues with a syncing service. Yeah. So you just have to know what their IP addresses are. In that case, somebody else was talking about uptime robot. Yes. So for example, what you would do is uptime robot IP addresses. And so here's this so there's a whole bunch of IP addresses here. So I would copy this and I would go, all right, I'm gonna edit this rule. And if I want to pass through uptime robot, I would say this, this this or IP address, IP source address is in that range. And you can just start stacking up those IPS like that. And same with the I think sync uptime monitor. Yeah. Just start stacking up. I think you can actually add those one after each right here also. Yeah, you can just start stacking those up. So you just have to know what services you're using. Manu, why doesn't stripe deal with it? Because you're you by adding a firewall rule. You are restricting them. So you have to let them through if you're going to use a firewall rule.

Nathan Ingram47:06

Yes, oh, Kurt. That's great. So in. So what Kurt is saying in the chat, by the way, if you're looking at this on the replay, it's at 1:46pm in the chat. You can also do it by user agent so you could say or user agent equals and then what Kurt provided. Oops, I didn't that copy. There we go. This, right. Is that right? Curt? Like that? So you can add the user agent then you wouldn't have to do the IP address. range. Now the problem with using a user agent is it is easily spoofed double. So a bot could come in and declare that they are take this off, take field user agent off, so it'd be like this, but a bot could say Oh, I am the user agent. You know that Curtis just provided I'm going to drop that into everyone Kurt you were chatting with just me but the user agent is movable, so just be aware of that. So it's more secure to use IP addresses or an AAS number. But user agent will work as well. But for most services, you can find a published list of IP addresses like this. It just gets tedious and make sure you document what all these things like you come back in three months and what the heck are these IP addresses for? Oh, yeah. So keep a note somewhere that reminds yourself what this IP Block was. Okay. So we're so let's just take this off for now. We've got our good bots. We're good to go. And let's go back to our WAF rules. So let's add another one. So this is other bots. So and so by the way, the reason we have to allow certain bots is all other bots that are not specifically mentioned in these two lists that match. So we're allowing bots in this list, but we're gonna give a managed challenge to bots that are not in that list. This is the rule that was blocking stripe from the web hook getting my site because I was not specifically allowing it through. So I had to add it to the allowed list. Like it's a good bot and we're not going to stop it on the second rule. Does that make sense? So the Why would you do this because this is going to cut off a ton of bot traffic from your site. It's going to ultimately speed your site up potentially if your site you know horsepower is being used for all these bot views. And it's going to lower server bandwidth. It's going to give your server more resource it's just good to cut off all this traffic as much as possible. So good bots allow other bots get a manage challenge. So we're going to add the second rule here

Nathan Ingram50:14

Edit expression, paste, they get a manage challenge. Now what is a managed challenge? That is Cloudflare turnstile, where Cloudflare is going to look at the traffic and make a decision. It takes a couple of seconds. Okay, this is good. I'm gonna let it pass through or we're gonna give it a CAPTCHA or we're gonna block it altogether. Yeah. So that is it's turnstile managed to challenge is turnstile. So we've got now these two rules set up. Now we're going to do another one. This rule is my favorite of the list, because this is going to stop most virtually all login attacks on your site. So what we're doing here we're saying if the URI path in other words, if the URL that's trying to be reached, contains WP login, give it a managed challenge. So nobody can even get to the WP login without passing through Cloudflare turnstile and we're doing it the Cloudflare level doesn't even require a doesn't even require a plugin on the WordPress site. So let's add this one

Unknown51:33

give it a managed challenge

Nathan Ingram51:42

Wait, I'm missing a open parenthesis there. Sorry about that. I mean, that's when you can even build yourself if we it's a really easy one. Just like this. Now what impact does that have immediately watch this.

Nathan Ingram52:09

This is what managed challenge looks like I'm going to the login page WP nathan.com. It passes through this. That is a managed challenge from Cloudflare. So the bot is not even going to get to the login form. So login based reCAPTCHA like I think Security provides is fantastic at the site. Level. But it still would allow a person to fill it in and potentially submit so they're still loading the login page. The Cloudflare manage challenge happens before the login page even loads. So if you're getting DDoS attacks on that login page, this rule they don't even get to the site. It's really cool. All right. Now here's another one that's geographically based. So for me, most of my clients aren't really doing business outside the United States in very few cases. So we're gonna set up a rule that says if you're outside the United States, then I want to do do a manage challenge. So let's just set this up and I'll show you how easy this rule is to modify. Let's create a firewall rule. And actually, let's just build this one manually, let's just say outside USA and this is going to be country is not if they're not in the United States, or we'll say United States Minor Outlying lions, that islands he did that way, then give them a managed challenge. Boom, done. That's it. So if you have other countries you want maybe I want to do Canada well I could just add it to that list. Really, really easy. Can add Mexico you whatever you want to do, you can really easily add lists to you know, the safe list so if they're not in this list, you just add them very easily. Karen So, great point okay, so like manage WP might have cert or some other service might have servers, they're outside the United States. And even if this is where it just takes trial and error, right to get your rules correct for your situation. You may have allowed the IP range to pass. But here oh, they're outside the USA. So they pass through the first three rules but boom they get blocked by the fourth, which means I've got to say it's not in this or the IP range or whatever is not their IP range. So I have to add that to each one. Does that make sense?

Nathan Ingram54:56

Class you could say maybe, or you could just ban countries you could do that too. But so just realize that it's not like if if they get a thumbs up from one rule they pass through. No, no. They have to pass through all the rules. Think of it like a succession of gates in order you know, a succession of secure doors. In order to enter a building. You have to pass through each checkpoint. So you know, the traffic has to be true all the way through these firewall rules. This is why I'm saying you need to know what you're doing. You're gonna get good security without any of these, but you can get super security using these rules. Alright, so those are the four rules that I would use and you still have one if you need to tweak it. So pretty cool. All right. This was the hardest part and you all survived. Yay. Pat yourself on the back. All right, it is now five minutes until to move fast. There's a little few little notes here. Let's see. Oh, here we go. So adjusting these rules. I talked about this just a little bit. You know, finding the ASN or the IP range. One thing that's that's really, really helpful, too, and this is how I narrow down the issue with stripe. If we go here. Here's a screenshot. So this is a screenshot of the firewall events. So let's see if we have any events showing up yet. Let's go to WAF Okay, oh yeah. Okay, look, we have a, we already got okay, this was me. So there's one time this rule has been hit. So if I go to this, you can actually see a log of any traffic that hits this rule. And by going into it, you get this screen where you get some information. Okay, so this is the that screen where the the stripe rule was happening. So, look right here. This is where I found the stripe track that the stripe ASN right there. It showed up right there. So that's how it ended. I just verified I searched on that website to make sure that was stripe and it was and so I added that as number to the safe list. That's how I did that. So sometimes it's not quite that easy, but in this case it was also it gives you an IP address here but stripe like many services uses a range of IP addresses, like we just saw on that uptime robot screen. So if you can use the ASN that's going to be simpler. But if you can't the IP address range will work. We pause just for a second if that makes sense, everybody

Nathan Ingram57:37

Okey doke. dokie a few more things under security. Like we just did this one. There's some paid things like for paid shield. There is a setting here under bot I would toggle this on this is going to look for patterns that known bots use and just cut them off at the past or give them a managed challenge. If it looks like this is a free freebie, right? It looks like can you believe this is free? It's fantastic. It's fantastic. Here under DDoS settings let's see here but fight mode on and then down here under settings, which is the last one. I'm gonna suggest you go for medium as your default level. A 30 minute challenge passage. This is basically how long between challenges should suspect traffic get 30 minutes I think is the default you can tweak that up or down. Depending on how often you want questionable traffic to be challenged. I will turn on your browser integrity check just to see if the headers from the browser indicate any level of threat based on their AI and all the stuff they're figuring out. Privacy pass is pretty cool. This is actually a Chrome and Firefox extension that you can use on your browser that will allow you to pass through some of these captures more easily it works with both H captcha and Cloudflare turnstile. You can turn this on. It will prevent like if the person is using they have to be using this extension. It's only available for Chrome and Firefox. Most people aren't using it. You know, it's a cool little thing that we might see catch on later. I'm gonna turn that on. Alright, let's get into some speed settings. There are some important speed settings you can get at the free level. The most impressive speed features are only available at the paid level. So let's go here under optimization. Let me know if you have a question that's not in regard to exactly what we're talking about here. Use the q&a box please. I'll try to get to those questions after we wrap up. So optimization, let's go speed and optimization. There's some settings here you need to be aware of and sometimes they can break your site like any speed optimizing thing can. So you want to test it and make sure it works. So auto minify so Oh, by the way, a lot of these settings come from this really great article at perf matters. Perf Matters is a top class speed optimization plugin for WordPress. And they went through now this is a little bit old. It doesn't have some of the newer Cloudflare features and the screenshots are using the old Cloudflare UI they changed a few months back, but the information is still good. Most of the suggestions I have here are from that article. So if you want to read more, it's a great article to read put that on your list to read. So here under auto minify they suggest and I agree to turn all these on with the caveat that sometimes minified CSS minified JavaScript can break things. So just test it and make sure everything works once you've identified but probably you'll be okay here. The next thing I would turn on is Brotli. Not broccoli, but broccoli, which is a compression algorithm. That's like if you remember Jesup that was like a server level compression algorithm. Brotli is like the next generation of that. So toggle that on that's a good thing. I can't find any problems when I use that. Early hints. Turn that on because it's sort of prefetches some things that can make the site feel quicker a lot of these Pro features are here rocket loader Perf Matters suggest you turn this off, because the way it deals with JavaScript is it breaks some WordPress things. I wouldn't turn this on either this is just it can cause problems and the I'll mention real quick here. This is probably the first thing you would want to pay for on WordPress if you want to do this. So there's been probably 18 months ago I think Cloudflare introduced this APO for WordPress, automatic platform optimization where it just handles everything for you. You don't need any sort of optimization plugin or anything like that. It costs $5 per month per site. It handles all that up in the cloud, and it works and it really does work very, very well. So if you don't want to fool around if you don't, maybe you only have a few sites, and you don't want to fool around with these, you know, optimization plugins by this five bucks a month. It just works you know, if you're managing 150 sites $5 a month per site gets expensive really fast. Right? So you know, that's that's the thing. There are some other things here you can pay for as well that are probably worth it. Oh down here at the bottom. Don't do any of this mobile stuff unless you're using amp for some reason. Not many people are anymore. Or if you have like a mobile, like a standalone completely separate mobile subdomain probably don't need that. All right, moving down to the next part here, which is caching. Go to configuration, and just use the standard level for caching. Be aware that Cloudflare is caching some stuff up in the cloud. And so if you, you I have found that it doesn't really get in the way of development. But if you have something weird like something is caching and I can't figure it out, it's probably Cloudflare. And you can come in here and dump that. Set your browser cache for for Perth matters suggest 30 days. One month right there. What they say is this gets rid of that expires header expire headers notice you'll see in Google Lighthouse sometimes this will fix that. Turn on the crawler hence. The other items here. Oh yeah, always on so this is kind of cool. I kind of like this. There's an upside and the downside always online means that periodically, like once a month Cloudflare is gonna crawl your site and stick it out there in the Wayback Machine, the Internet Archive. So a lot of you have seen that it's got these old versions of sites and stuff like that. This will automatically put your site in the Wayback Machine. And if for some reason your server goes down, it will start to pull it in from the Wayback Machine, which is kind of nice. So you're always quote unquote, online. Now the downside of this is it's going to crawl your site every month and could you know it's going to increase server bandwidth during that crawl. I still think it's probably worth it. It's kind of cool. When you are developing a site, you can turn on development mode, which means that it's not going to do it's going to bypass all the Cloudflare caching and you'll get direct contact with your site. So that's kind of cool. When you're developing Just don't forget to turn that back off. All right. Something else here that they've just added fairly recently is called Argo to tear or they had a paid Argo in the past. This is a tiered cache that sort of distributes your settings across their global network. I don't see a reason not to turn that on. If you have international traffic, it's just going to route through the Cloudflare data center closest to the traffic and get them up to your website as quickly as possible. Pretty good idea. down into the network settings here. We want to turn on basically all of the things here, turn on HTTP to turn on HTTP three, turn on zero RTT. And we'll leave off these things. I mean, there's some technical stuff to read here. I don't think it helps any of us. So the rest of the stuff will just leave alone. Now there's another little bit down here. We'll skip all this stuff. It's got some I'm gonna go back to the cinematics it's cool. Scrape shield is kind of nice. I'm gonna leave these off but here's what you can do. Cloudflare has this email address obfuscation if you toggle that on? It is going to obfuscate from crawlers and like spam crawlers and or just crawling your website to harvest email addresses. It will obfuscate the email address from those crawlers so they can't harvest the email address. Now the downside to that is usually it's going to run a JavaScript on your page so could increase load time but might block you know, it's a it's a give or take to decide if you want that or not. You know, I probably won't run that a lot. You also have down here the hotlink protection, which you know it will protect your images from being directly accessed from another site like loaded, you know, link to from another site. Again, it's gonna load a JavaScript that could slow things down but it's cool feature nonetheless. So you can make a decision whether you want to turn those things on or off. Totally up to you. Oh, that should have been deleted. So you see some internal notes here. That was really the end of it. This was the question that I asked Cloudflare support that they never answered. So if you want to copy and paste that question you're welcome to and see if they answer you quicker than they answered me. So there it is. That is Cloudflare. Y'all get pretty cool. There's a lot of neat stuff. Oh, let me show you Cloudflare apps before we go to q&a. This is kind of cool. I don't know what to think about this yet. But here's the thing, because Cloudflare your traffic is passing through Cloudflare and they see all of the HTML and everything is passing through there. They can actually go through and insert content in your existing site. So for example

Nathan Ingram01:07:28

here is a welcome bar. Let's just do this welcome bar. Let's click that. Let's preview it on our site. It's free at the basic level something happened oh, Ark. You see what happened here. Cloudflare is getting caught in its own turnstile. So it's pretty funny. Let's Let's disable those firewall rules. Just so I can show you this. We'd have to go figure out why that's happening. That is really funny. Oh, look, look, our name servers validated so it took less than an hour. It's so funny. Let's just toggle off these rules so they don't apply and let's try this again.

Nathan Ingram01:08:35

I think this will fix the problem now. Okay, so let's go on anyway. What this will let you do is pick the point on your page. That you want this hello message to appear, hey, we're gonna be closed on Valentine's Day or whatever. And not even at the WordPress level. You could do this for any site passing through Cloudflare. You pick the point where you want to install it, and Cloudflare adds that message in route to the site isn't that cool? And there's all sorts of other apps like Facebook comments, Twitter feeds, there's all kinds of neat stuff in that apps. I would just you know play around with it. explore it a little bit. It's pretty neat. Okay, so we went a long way, didn't we? It was a fire hose. I get that. Super helpful. If you simply go in and toggle on those basic settings under security, you're gonna be doing a lot better than you were before. But those Whap the WAF rules can really help things as well. Just make sure you know what you're doing and you test things. All right, I have 21 open questions. So we'll I will spend the next five minutes answering as many of these questions as possible. If you would like please pop up in the q&a, scroll through the questions, give them an up vote. I'll take the questions in order of votes. First, Sue is the paid version worth it and why the ballpark cost? So that is a great question. Let's look at our domain. Let's see. Back to our account home. And, oh, there's a couple things here. I want to show you. If you're getting attacked, you can toggle on under attack mode. And that puts the man his challenge in front of all the traffic. That's really helpful. Here's also Where's you can turn on development mode. And here's where you can purge the Cloudflare cache. All of that is just right here at the top level under overview. All right, if I want to change my subscription 25 bucks a month. That's really small that gives you a lot of different things more WAF rules, lossless image compression so you know you can deal with you don't have to have like an image optimizing plug in mobile optimization cache analytics bought my gate my mitigation, super bot fight mode. What that is more rules, better support and so forth. So you know it goes from free to $25 a month per site. Okay, so this can add up quickly. Yeah, this might could have been a multi hour webinar. Okay. So is it worth it? Depends on your site and your situation. That if I use Cloudflare Can I drop wordfence they do different things. I would not ever recommend dropping a WordPress based security plugin. I mean it's it's another it's just another door they'd have to walk through. I would recommend dropping wordfence for I think security. Next question. Stacy. When I set up Cloudflare and captured my DNS, it also captured in a record for my server name at liquidweb. I didn't realize that a record before my server had the proxy status as proxied and it messed up my email. Yeah, so you change it to DNS only correct. Can you show your DNS for your A records? Yes. I'm not sure why that would have happened. But I have had that proxy cause a problem for those sorts of things. And again, you just that's it's an example of in your setup, Stacey, you need to be aware of that. So the next domain you pull in, you just unplug see that record

Nathan Ingram01:12:11

I don't have any mail setup here so it probably wouldn't have done anything. I have seen though in the past. The postmark CNAME used to require it not being proxied. Now it doesn't care. So apparently, postmark has made a change. They're like you can you just turn the proxy off to DNS only and that way what that does is it exposes it's like there's no protection there. There's it's not passing through the Cloudflare proxy.

Nathan Ingram01:12:42

Alvin, if origin server is using Let's Encrypt, which auto renew, is there a way to let SSL auto renew without having to manually turn off proxy every three months and leave as DNS only?

Nathan Ingram01:13:01

That is a great question. And I don't know the answer. I do not know the answer to that question. Now then I would require I'd suggest that you talk to your server support and see what they suggest. I don't think Chris, have we run into any problems with Let's Encrypt, not renewing. I've got a bunch of domains behind Cloudflare. Alvin and I don't I don't think we've had a single issue with Let's Encrypt, not renewing. So if you're having that problem and talk to your server support, I'm on a liquid web dedicated server. We haven't run into that issue. Elizabeth, can you have two SSLs? Yes. One for like AVID is saying one from your host and one from Cloudflare. The first one that it passes through is the one that's gonna guard the traffic. So for example here, if we went to WP nathan.com There's a Let's Encrypt server level certificate. But there's a Cloudflare certificate as well. And you can see that here. Then in DNS sec, where do you add the seven records of domain registrar? You do that? I know because Cloudflare is handling your DNS. You put that on your Cloudflare record because then it's there your your registrar DNS is handled wherever the name servers are pointing. So it's Cloudflare. Sherry, what are the triangle Warning Centers in the left column and what do they mean? Where are we talking about sharing

Unknown01:14:44

the first main screen here or this screen

Nathan Ingram01:14:59

had slayers records view DNS records

Nathan Ingram01:15:11

what exclamation points Oh Sherry. had to leave. I'm not sure what exclamation points I don't know. They disappeared. And it's all fine. Yeah, could be there pending. I don't know. I would I don't know what to look at to answer that question. I'm sorry. All right, Karen. Where was the last adding a message on route so that is under Apps down here at the bottom? I would use these things with caution. I just think it's cool. Like, you know, it's just neat stuff. Like you can add Google Tag Manager this way, basically, because all of the code is passing through Cloudflare. They can drop stuff into it. They give you the ability to drop stuff into it. Pretty cool. There's lots of stuff here. Just fun to look through, right? I'm not recommending any of these things is just something fun to look through. Okay, last question. I'll wrap up curl are the site and secret keys and Cloudflare turnstyle. The same entry values when creating a form and enabling google recaptcha? Yes. No, wait, Carl. Are you still here? Are you still here, Carl? Where are you talking about? Are you talking about and I think security

Nathan Ingram01:16:45

in Kadence. Okay, so you should use the site. Okay. If you're going to use Cloudflare turnstyle on your site. And let's say that you have a number of different plugins doing it like Kadence form can use Cloudflare turnstyle right. Also, I think security can use K turn Cloudflare turnstile, use the same API key in every plugin on that site that's using Cloudflare turnstile. Does that make sense? Okay, Karen, yes. And Karen. I'm glad you mentioned that because that was in my notes to add to this webinar, and I neglected to do that and that is the free Cloudflare plugin. Which is cool. And I think actually I even have it. Let me log into WP Nathan. Can I still have it active on the site? Give me a minute. I do want to share I do want to show this

Unknown01:17:54

password was

Nathan Ingram01:18:04

okay, it's not there. We'll just add it really quickly. Plugins don't work unless they've been installed and activated. Not sure if y'all realize that or not. That's pro tip for the day. So the Cloudflare plugin. The thing about the Cloudflare plugin is that it can conflict with certain optimizer plugins. Like for example, we use Lightspeed and they bump heads. There'll be a little warning like we try to activate the Cloudflare plugin Lightspeed says wait a minute, we can conflict with you. So just be aware of that. Let me activate it here. It was installed just not activated. And settings are here under Cloudflare.

Nathan Ingram01:18:50

So basically, we can connect our account to Cloudflare. Here, let me just do that really quickly, just so you can see what that's like. I mean, we're already way over. So. Alright, here's what I did. I think I can just show this. It's not gonna roll the API key later. So I click that it let me just start again. Alright, I click that and open up this. I'm going to choose what side it is I think, let's see.

Nathan Ingram01:19:27

Nathan Ingram01:19:40

So many passwords I'm gonna paste this in API key token. All right, and we're connected. So the nice thing about this plugin is you can view some things here you can purge the cache you can drop into development mode, here and that immediately over here on Cloudflare. shows that I'm in development mode. I can turn it off. And it's just talking back and forth with the API. Kind of cool. You can also turn this on which is automatically purge Cloudflare cache when an update is made, that's very helpful. If you're using an optimizer plugin like Lightspeed or some of the others. They have a Cloudflare API connection as well and they're purge the cache also purchased the Cloudflare cache. Yep. Okay. Let's 20 minutes after and I'm tired. Okay, how do we do y'all good stuff. A lot. A lot of fun here okay. If you are looking for all the links, they are there in the chat. The replay will be up in about an hour or so along with all of the things and yeah, this was fun, fun stuff. Office hours is tomorrow. If you have further questions, you remember dropping in office hours, ask those questions. Do not forget, like we mentioned earlier that here actually, let's hang on a second here on the training site. We just scheduled for one week from today. scroll down scroll down, scroll down right there free AI tools for WordPress. This is going to be a super fun webinar. All about AI stuff in WordPress. So that's coming up next Wednesday at one o'clock. All right, y'all. Thanks for hanging out with me for the last hour and 21 minutes. Excruciating ly long webinar. You hung in there for it. Very good. I will see you back here tomorrow for office hours here on iThemes Training where we go further together.

00:0000:00