During the last 2 years I had some problems with this blog because of massive comment spam. I tried different ways to handle this unwanted traffic, but in the end I needed to host my website on a stronger VPS to handle all the requests. That is something I don’t want, because I have almost zero income from this web development blog.
Placing my website behind a proxy
Using a cache plugin for a WordPress website is in my opinion a required action, but for this website this was not enough, and I decided to “hide” my online property behind a proxy or firewall. Sure, you can power-charge your web host to the maximum, but I think it’s much better to keep the bad website traffic outside.
Protecting and optimizing a website with CloudFlare
There are several ways to optimize your website; one option is the CDN service provided by CloudFlare. They offer a free plan with basic functionality and premium plans for professional, business and enterprise websites. All CloudFlare plans come with these main features:
- Website protection against online threats
- A CDN that serves your static files from a huge worldwide network
- Website optimizations that make your website load faster
- Web analytics for your website traffic including details about threats and robots
- Plenty of apps which you can use right in your website
Installing CloudFlare for WordPress
The CloudFlare setup was very easy; there was only one thing I needed to do: change the name servers for my website’s domain name. To protect my WordPress application I had decided earlier to restrict access to the wp-admin directory and the wp-login.php file to a small selection of IP addresses. Because my site is now behind the CloudFlare proxy, I need to update my rules inside the .htaccess files.
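# Flag requests whose forwarded client address is exactly my IP
SetEnvIf X-FORWARDED-FOR "^195\.97\.xx\.xx$" allowedip
# Deny everyone first, then allow only the flagged requests
Order deny,allow
Deny from all
Allow from env=allowedip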
These modified rules let the web server recognize my IP address, even though every request now arrives from one of the CloudFlare IP addresses. It’s also possible to create page rules from the CloudFlare interface, but these are limited to 3 rules in the free version.
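The rule above takes the client address from a request header, so it is only as reliable as that header. The following Python model is an added example, not code from the original post: it compares the SetEnvIf match with a stricter check that honours the header only when the connection comes from a trusted proxy. The addresses, the proxy range and the function names are constructed, and it assumes the proxy appends the connecting address as the last X-Forwarded-For entry.

```python
import ipaddress
import re

# Constructed values from documentation ranges, not taken from the page.
ADMIN_IP = ipaddress.ip_address("203.0.113.10")   # stands in for 195.97.xx.xx
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in proxy range

# SetEnvIf searches the header with an unanchored regex; "." matches any character.
PAGE_RULE = re.compile("203.0.113.10")


def page_rule_allows(headers):
    """Model of the page's rule: the header content alone decides."""
    return bool(PAGE_RULE.search(headers.get("X-Forwarded-For", "")))


def strict_allows(peer_ip, headers):
    """Honour the forwarded address only when the TCP peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection to the origin: the header is client-supplied, ignore it.
        return peer == ADMIN_IP
    # Assumption: the proxy appends the address it saw as the last entry.
    last_hop = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop) == ADMIN_IP
    except ValueError:
        return False  # missing or malformed header


# Constructed requests: (TCP peer address, request headers).
REQUESTS = [
    ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"}),   # admin via proxy
    ("198.51.100.7", {"X-Forwarded-For": "192.0.2.55"}),     # other visitor via proxy
    ("192.0.2.55", {"X-Forwarded-For": "203.0.113.10"}),     # reached origin directly
    ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10, 192.0.2.55"}),  # extra entry
    ("198.51.100.7", {"X-Forwarded-For": "203.0.113.100"}),  # longer address, same prefix
]


def compare():
    """Return (page_rule, strict) decisions for each constructed request."""
    return [(page_rule_allows(h), strict_allows(p, h)) for p, h in REQUESTS]


if __name__ == "__main__":
    for (peer, hdrs), (loose, strict) in zip(REQUESTS, compare()):
        print(f"{peer:15} {hdrs['X-Forwarded-For']:28} page={loose} strict={strict}")
```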
CloudFlare also offers a plugin that identifies the user’s IP address inside the WordPress application. This is useful for the comment section. The same plugin also reports (new) spammers to the CloudFlare database.
Apache Log files
Since all visitors use the CloudFlare proxy to access your website, the visitor’s IP address isn’t stored in your Apache log files. To translate the IP addresses in your log files back to the original address, it’s necessary to install the Apache module mod_cloudflare. If this is not possible, you should look for a cPanel server or use one of the hosting providers offering CloudFlare as part of their hosting plan. Check the list of hosting providers on the CloudFlare website.
I customized my CDN + Basic settings a bit:
- The cache level is set to “Simplified”
- To keep my website’s HTML code unmodified I disabled the minify settings for the HTML files.
In the past I used the Bad Behavior plugin to keep most of the bad visitors away from my website. I disabled this plugin because CloudFlare’s blacklist should be strong enough.