[00:00:20] Nathan Wrigley: Hello there and welcome once again to the WP Builds podcast. You've reached episode number 463 entitled, understanding how CloudFlare boosts WordPress security and performance with Jonathan Jernigan.
My name is Nathan Wrigley, and a few little bits of housekeeping just before we begin.
The first thing to mention is that this episode really should be going out. If all the things align and the cron jobs run and all of that, it should be going out whilst WordCamp Asia is happening. I'll be there, and so if you are also there, it would be lovely to meet up with you. I've probably got a couple of places which are best to reach out to me.
The first one, I suppose, would be the WordPress Slack, I'm on there, but also if you go to X or Twitter as it was, and search for wpbuilds, you can DM me over there. And it would be lovely to hang out with some of you.
There's no doubt going to be a little bit of time here and there, and it would be really nice to meet up with some of the people who listen to this podcast. That would be most appreciated.
Speaking of listening to this podcast, many people do, and if you have a product or service in the WordPress space, perhaps you would like to get your messages into those people's ears. If you want to find out what we can offer, head to wp builds.com/advertise to find out more. Or just drop me an email admin @ wpbuilds.com. Let's see if we can get your product or service discovered in the year 2026. Podcasts are a very effective way of doing just that.
The other thing to say is I am taking a bit of a hiatus, because of my departure for Word Camp Asia and I'm having a couple of weeks off after that. The This Week in WordPress show won't be happening live. We will be back toward the very end of April. I hope you understand. It's very nice to do those episodes, but it's also quite nice to have a little bit of downtime.
Okay. What have we got for you today? Well, today I am chatting with Jonathan Jernigan. He's been on the podcast several times before. He has got a very popular Facebook group. He runs lots of courses. He's been involved heavily in GenerateBlocks and other WordPress products over the years.
And today we're talking about CloudFlare because Jonathan has taken a bit of a deep dive. He wanted to get experienced about what exactly CloudFlare does and how it works, and he's put a course together to explain that. It's not the kind of super deep dive into everything. This course is more for getting a basic understanding of how things work. But if you're like me, you kind of use CloudFlare all of the time, but don't really know what's going on. And so that is exactly why Jonathan has put this course together.
So we have a chat about what CloudFlare is, how it works, and some of the benefits that you can gain utterly for free, in terms of performance, and security, by using CloudFlare. I hope that you enjoy it.
I am joined on the podcast by Jonathan Jernigan. Hello, Jonathan.
[00:03:20] Jonathan Jernigan: Hello? Hello. am I on the leaderboard for, top no recurring appearances? I think I'm at four, maybe.
[00:03:28] Nathan Wrigley: I don't know. I've never thought about that. You okay. you're definitely in, in with a chance, whatever that
[00:03:34] Jonathan Jernigan: maybe top 10.
[00:03:36] Nathan Wrigley: No, I think you might be number fourth. If, this is the fourth appearance, you might be in the, poll position spot. I think Jamie Marlin might have just picked you, I'm not sure.
But, thank you for coming on again. Really appreciate it. Jonathan Jernigan and I, we've met in the real world. He's got a new haircut, but you can't see that, but it looks very nice. It turns out there was a whole conversation he and I had prior to hitting record about getting, haircuts. So it's
[00:04:02] Jonathan Jernigan: It feels wonderful.
[00:04:03] Nathan Wrigley: had a, we've put the world to, We've had about 30 minutes of chatting ai, you know what's happening in the WordPress space and yada But we're here
[00:04:11] Jonathan Jernigan: As I think we have each previous time as well.
[00:04:14] Nathan Wrigley: Yeah, that's right. We've definitely put the world to rights, but we're not here to talk about that. We're gonna talk today about CloudFlare, which is something that I use all the time, but honestly have no idea what I'm doing.
And so Jonathan's gonna put us straight First stop. Jonathan, just tell us a bit about yourself and what you do, and what you have done and what you are doing and all of that.
[00:04:37] Jonathan Jernigan: Absolutely. Yeah. So glad to be back again. And I have been in WordPress now. Almost exactly 12 years to, to the day. I'm one month shy of 12 years in, in this space. So a lot has changed in that time, and especially now. So with, as we're seeing rapid advance advancements in ai, the, landscape is evolving extremely quickly, but there still is a lot that, we can do in terms of client offerings and, for people like us doing podcasts and courses and all that kind of stuff, there's still a lot of, interesting topics to cover at any given day.
I primarily am, I create courses, occasionally create YouTube tutorials, and then I have a membership that's just for people who use WordPress and generate blocks to build client sites. And, that's typically where I'm spending most of my time these days, is inside that, community. So I pulled away from Facebook, which of course is not easy to do by any stretch, but, Everything kind of lives in there. So we have this course and community, and that's where I spend my time on the WordPress side these days.
[00:05:41] Nathan Wrigley: Nice. I'm with you on the Facebook thing, by the way. I, spent quite a lot of time. On, not usefully employed, fiddling around with WordPress and things like that. And then one morning woke up and said no. And and that was basically the end of that. And that was many years ago. And I gained several useful hours a week back from stepping
away
[00:06:03] Jonathan Jernigan: a hundred percent. I was shared a, a browser extension called newsfeed eradicator, and.
[00:06:09] Nathan Wrigley: I know the one. Yeah.
[00:06:10] Jonathan Jernigan: That's wonderful. I highly recommend those.
[00:06:13] Nathan Wrigley: yeah, I know what you mean. Basically, all social media platforms I use as a, kind of an inbox. I use it as a mechanism to communicate with people directly. So you know, for example, on XI use their chat functionality, so it's a bit like WhatsApp or something like that.
And so long as you don't get tempted to click on the whatever the link is in the menu that. Gets you into the feed or something, then it's, you're safe. But the minute you, click that, there's an hour or so gone as you watch the cats doing the things with the hippopotamus and and on it goes.
[00:06:47] Jonathan Jernigan: Or the AI video of the donuts falling
[00:06:49] Nathan Wrigley: that's right. What have we become is year 2026. The internet showed such promise, and it's all about cats and hippopotamuses. Anyway,
[00:06:58] Jonathan Jernigan: we're here today to bring
[00:06:59] Nathan Wrigley: yeah, we're gonna straighten you out. So CloudFlare. Everybody's probably heard of CloudFlare. I think the most often that people hear of CloudFlare is when somehow you go to some third party platform, some SaaS platform, and you realise, oh, it's not working, and you think, oh, I'll contact their support.
And invariably it's a CloudFlare thing. CloudFlare seems to underpin. Actually to an alarming extent, if you were thinking about single points of failure, it would appear that maybe we're stacking things up on the, CloudFlare side, but can you just give our listeners a bit of a clue if, if they've never used CloudFlare or any notion of what it even is?
What, is it? What does it do? What's its promise?
[00:07:40] Jonathan Jernigan: it's funny you asked that because that's exactly how the, course turned from three planned lessons on theory and fundamentals into seven. So that's, the same rabbit hole I went down. It's like. What exactly is it and how does it work? it's, there's a lot to it because you first have to rewind all the way back to even just your domain, not even your website itself, but just the domain and understand that lives somewhere somebody holds that.
And anytime somebody types in, wp builds.com, they have to look up and find out their computer does not them physically, of course. they have to figure out where does that site live? And it's in some physical server somewhere in the world. it's a cloud, that technically is on somebody else's property.
Your website lives there, but how does it find that? then you gotta look at DNS records and then, what's a DNS record? It's a, it's a street address basically for your website, and then it starts to compound into all these things. Suddenly just to get a website live, you have to have a domain registrar, and you have to have DNS and hosting and a records and all this stuff that are managed in 10 different places.
But a product like CloudFlare tries to bring that together. So it's not only is it easier to manage where you, your domain, your DNS not hosting necessarily, but many other pieces are all handled under one dashboard, which. As you alluded to, we are centralising that in a way that is somewhat alarming.
But in, in Cloudflare's case, they try to be, the benevolent dictator, the good guy, and give a bunch of really powerful stuff to, mostly non-technical folk like us. For free. Entirely for free,
[00:09:29] Nathan Wrigley: I think that's the, yeah, I think that's the bit that kind of hooked me into the CloudFlare thing was a lot of people who I know who are monstrously clever said CloudFlare is really clever. There's a lot of really clever stuff going on in the background. You should get on their free tier if if all you do is get on their free tier, then you are, you're doing good work for yourself there.
And I, I now use it as a domain registrar. I don't know, I think that launched like three or four years ago or something like that. But now you can purchase domains and if you purchase the domain over there, which by the way. Is as cheap as I've ever found it. I think they don't make any money on the top of the domains.
They charge you what they are charged by the, the registrar in whichever country you are buying it from. and then if you purchase it from them, then they set up a, a. Bunch of free stuff, just like you could get if you bought a domain elsewhere and then repointed the DNS and what have you. And before we get into what all of that is, I would, I would also, I dunno if you've ever done like TCP IP stack, like all of that kind of stuff.
Get got into all of that. It is insane. The internet works. It shouldn't work at all. It's complete nonsense. It's just fairies that holding. Yeah, it's absolutely not. And we're,
[00:10:50] Jonathan Jernigan: It really is.
[00:10:51] Nathan Wrigley: and I are staring at each other at the moment and there are thousands of packets going across the internet, all being encapsulated and, then D encapsulated, their layers.
Being stripped off thousands of times a second. Each of those packets has no idea which route it's gonna get to Jonathan's computer, but somehow it gets there. We're probably using UDP for this, so it, it doesn't care whether they arrive in any order or not. If it's TCP, then yes it does. It'll number them.
And, this is all happening like millions of times and none of it goes in the same direction. And, my understanding
[00:11:24] Jonathan Jernigan: we're across the continent. We're not in the same country.
[00:11:27] Nathan Wrigley: so some of my face might have gone through South Africa. Some of it might have gone through India. Some of you know my hair might have been going through South America somewhere.
We've no idea. But the whole thing is just rid. Ridiculous. The people who put together the spec and displayed it to the initial creators of the internet, the Tim Burners Lees of this world, that kind of thing, Vince surf and all that. They must have been, no, this will never work. No,
[00:11:56] Jonathan Jernigan: They must have. They must have not only sounded insane when they presented it, but they also must have wondered, will this actually work for
[00:12:02] Nathan Wrigley: yeah. And it did. And it does, and it now has become almost like a human right. it's, on that level. It's a utility like water. And it's, food and things like that
[00:12:14] Jonathan Jernigan: It has to be. Yeah. So, then from a practical perspective for us, we can take this blindingly, complicated, incredible piece of engineering and harness some of the really, cool characteristics that other people way smarter than us have, created. and we can harness those in a website that is potentially, a tiny mom and pop small business site all the way up to.
The biggest sites in the world are run behind CloudFlare, and for, a variety of different reasons. You may not use it for the same reasons I do and.
[00:12:46] Nathan Wrigley: you've used the phrase there, which belies why I think I started using it. So you said behind CloudFlare, which is a curious confection of words really, but that was my understanding of how it began as an entity. It was like this wall and you would put your website. Behind CloudFlare, you'd set up the DNS in such a way that E, everything that wanted to get to your site and wanted to display your site on their computer, they would have to somehow manage to get through the wall that CloudFlare had built.
And if they managed to get through that wall, which presumably in most cases they could, then they could see your website. But in other cases, if there was a, detection that, oh, hang on, something fishy is going on here, CloudFlare would say, Nope. You're not getting in. Is that kind of how it began?
Was it basically a firewall? Do you know?
[00:13:40] Jonathan Jernigan: Absolutely. Yeah. And what's so cool about it is, I had to come up with a way to try to explain this in, the course. So at the risk of basically spoiling the entire first quarter of the course, I, I came up with this analogy to try to describe. Like what exactly, your website is on the internet and, how CloudFlare incorporates that.
But by using a real world analogy. So what I came up with was, if you think about your website on the internet, it's very similar to your house in the real world where anybody could come to your website at any time, just like anybody could drive to your house at any time if they knew approximately where it was.
So then. When you add on like a security plugin, whatever security plugin you can name, it's effective, but it's not super effective because then by the time somebody's reached your house and they've breached the door, they're already in the security plugin says, Hey, somebody's here, but they're already there.
So what good does that do you? So then what would you do in the real world to keep people away? you could just instal a fence around the whole property, so then people could get there, but they're blocked at the door. But then, how do you let good people through? you might just hire a security guard and that person's gonna verify and double check that those, names are legit and they can pass through.
And anybody else is just, cast aside at the gate. And that's effectively what CloudFlare is doing for your website automatically. And to your point about our very podcast taking place so fast that it, there's no appreciable lag or extra delay on top of that. So CloudFlare is actively filtering out these people before they've ever even reached your, server, your hosting.
So that's what people say when they mean, or that's what people mean when they say, I am behind CloudFlare. Because if somebody's connecting to my site. They're first intercepted by CloudFlare, who effectively ask them what's the nature of your visit? And if it's legit, they're gonna get passed through.
And if not, then they get effectively a screen that just blocks them and they never even reach your, site. It does a million things. It, it, protects you from a security perspective. you can also create incredibly cool firewall rules to get even more specific on who's allowed where and, who's not allowed in certain portions of your site.
and then of course, the other huge thing is that CloudFlare has. Physical presence in over 300 cities around the world. So your website then gets, or portions of your site, I should say, get replicated to all these places. So again, in the course I talk about how, imagine you, you're a, law firm and you know you're based in Chicago or whatever, you might have somebody who's perfectly legitimate that wants to connect to your site from Vienna.
And so they have to go, around the world effectively 5,000 miles. and that connection is not slow, but it's certainly not quick going that far is, very doable, but it could, be faster. When your site is again behind CloudFlare, they replicate large portions of your site to their data centres all over the world.
So that person in Vienna then connects to your site directly in Vienna. They don't even have to make that hop over to Chicago and, if they do, it's for a small portion of the site, like the HTML only, for example, because they've already been served CSS MP three files, fonts. Images, everything like that, from that little data centre directly in their city.
and there's hundreds of them all around the world, all over Europe, South Africa, central and South America, everywhere you can name all over Asia, they're everywhere. So we, then are protected, with that incredible firewall and your site is replicated all around the world. So it's just way faster.
[00:17:33] Nathan Wrigley: in terms of the firewall, when you were describing it there as a house, what immediately came into my mind, I'm really into mediaeval history. I love it. I was thinking more of a car, you know that Moten, Bailey Castle kind of thing, where you've got the big mound in the middle and there's a castle on the top, and the, but beneath the mound is a great big wall.
just like this massive stonewall, and it doesn't matter how hard you try, you're not getting over that wall. You have to go through the gate, and in order to get through the gate, it's gotta be opened. And as you've described with the front door. So that was where my head went. What, I always find curious though, about CloudFlare, and forgive me, CloudFlare, I'm sorry about this, but everything that I've ever used of yours has been free.
I've never paid for any CloudFlare thing, and that, that kind of makes me pause, okay, we know the analogy from Facebook and Google. If you're not paying, then you are in effect, the, product you are, the thing that is, propping the whole business up. How does CloudFlare manage to. To keep this giant cavalcade of free stuff free.
I know they've got a business tier, but it always seems like everybody I know is on the free tier. So how does it work?
[00:18:47] Jonathan Jernigan: Yeah. it's a great question and I assume that they must just have such monster mega whale enterprise clients that their, bills are paid by those people. But, but they, have a blog post on their site from many years ago that specifically talks about how valuable the free plan is and that they are committing to it indefinitely.
That it's a commitment they've made to make this free plan extremely useful, and to not change that. And, at any point. So that, very thing gave me pause when I thought about creating this course. I thought, yeah, but it's free now. Will it be in six months tomorrow? Who knows? but that, post gave me some, confidence.
And then I think they, go on in that blog post to talk about the value of free users because with so many more sites, so many more attack vectors exposed, they're able to then. Leverage that data that these free users gave them to then protect not only everybody but their paying, enterprise clients.
And their whole idea is that they can sustain enormous attacks, from, organisations the size of governments, and, they'll be able to withstand, bought attacks and DOS attacks and all those nasty things that happen.
[00:20:05] Nathan Wrigley: I, can't bring the numbers to bear, but every once in a while there is a blog post which comes out of the CloudFlare blog, which kind of illustrates the, numbers, okay, we had this thing last week, here's a kind of breakdown, and I've gotta say, I think they're really good at being. introspective and, then telling you what the heck happened.
they're not like, oh, nothing to see here. It, they're much more, this went horribly wrong and here's what happened, and here's how we fixed it. And I, find that quite refreshing. And that seems to be from the, the, like the boardroom level down it, nobody seems to be immune from that level of honesty.
Certainly that's what I'm picking up. But when you read those articles and you hear the numbers. They're it's almost like you're talking in astronomy terms. the numbers are just unimaginable. It's oh yeah, we had 15 million hits a second on this particular, I'm making numbers up.
I dunno what they were, I can't remember what they were. But it's of that order of magnitude and you think, gosh. That. what, how is that even, how is that even possible? And I presume that what you are saying is that on some level the business customers must be able to pay for the, freeloaders.
Like me?
[00:21:21] Jonathan Jernigan: Yeah, I think, they must, I think they must operate at such a scale that for a company to pay CloudFlare, who knows, again, making up figures a hundred thousand dollars a year, millions of dollars a year to protect them and provide all these firewall services. It's just, a cost of doing business for them.
[00:21:38] Nathan Wrigley: Yeah. Yeah. And, if.
[00:21:40] Jonathan Jernigan: are massive enterprises.
[00:21:41] Nathan Wrigley: 'cause you can imagine, I don't know. if I'm thinking about the likes of Google and Amazon and people like that, they, we know that they've got their own stack. So they're, it's very unlikely that they're using CloudFlare. But other companies, think of giant retail outlet like Walmart or something.
I have no idea what Walmart uses, but maybe they've got their own infrastructure. But That kind of level where being down for three minutes at Christmas is. Probably tens, maybe hundreds of millions of dollars. And so if you can, if if you can calculate what the potential losses are over minutes or hours or days or weeks or whatever it may be, and you can do the calculation figure out, actually cloudflare's not the, it's really good value, It all adds up. It must add up. Otherwise they wouldn't still be here,
[00:22:34] Jonathan Jernigan: Certainly. Yeah. And then I think, because they, offer the same quality of service to the free lobes like
[00:22:42] Nathan Wrigley: Yeah. Yeah.
[00:22:43] Jonathan Jernigan: They like then have that same skill to deploy it at scale to, a million visitors a minute. And I don't know for sure off the top of my head, famous, massive companies that are behind CloudFlare, but.
I would imagine a company's as large as something like Shopify. If they don't use CloudFlare, they probably have some custom contract with them to, do some, portion of mitigation, keep these sites online. so the, cool thing is that these massive companies are funding this, development on this tool that then we can use.
for, just normal small business sites and, get genuine, actual, real benefit out of, and the thing that, really sold it to me was the spam prevention, which now in ai, the age of spam is changing. And, what, the example I talk about all the time is I have a real estate law client whose domain name is just four letters.
And they purchased that domain, which formerly was for a conference in Europe that now no longer exists. But because that conference was around for many, years, there's all kinds of back links all over the internet that still point to that domain name, which of course are entirely irrelevant to their business today.
So they would get hammered with spam just, nothing I've ever seen. You log into WordPress and check gravity forms and there's a thousand spam entries. Like it's just, it was, it made their contact forms useless. just, there was no way around it. It was junk. Even if a good one came through, you couldn't see it in the sea of spam.
So when, we got desperate, I, added you. Turnstile to the form and capcha and stuff like that. And of course it made effectively no difference. And then finally, I, this has now been a little over two years ago, I, put them behind Cloud Flur, as they say. And it was almost like, it was almost like somebody flipped the switch, just suddenly it spam, it wasn't gone entirely, but like 95% of it was gone to the point where maybe, every fifth one, every 10th one was spam.
And it suddenly their, forms were useful again and. That was the moment for me where I was like, okay, this, although has so much more capability than I'm ever gonna use and, genuinely don't even need to consider ever touching, but what it can do with a couple extra clicks is just, it's staggering.
and the other, incredible thing about this is going back to that, guard gate analogy, the fence analogy. There's this term, you'll hear a lot called at the edge.
[00:25:25] Nathan Wrigley: Yeah.
[00:25:26] Jonathan Jernigan: And that term is exactly what we're talking about, where that bot, that spammer tries to connect to your site. But CloudFlare intercepts it at the edge, which means physically at Cloudflare's server in whatever city around the world you're in, and then it determines should this person be allowed to connect or should it not.
That's before it's ever reached your website and you're hosting. So you're able to serve more traffic on the same tiny little two gigabyte hosting server, simply because the vast majority of the people who make it to the site are legit. They're not bots and spammers. It's not a, it's not perfect of course, but it's way, better.
[00:26:07] Nathan Wrigley: Yeah, that's an interesting point. So we have a lot of listeners who, broad amounts of listeners who some are very experienced and obviously everything you're saying will be. They'll get that. But there's a whole bunch of people who listen who are very inexperienced, brand new to tech, and, I, think we'll unwrap that a little bit.
So the idea here being that your, website, if you like, little simulations of your website, copies of it, have been placed at these computers around cloud flares edge. So one in Vienna, one in Dusseldorf, one in wherever, Sydney,
[00:26:39] Jonathan Jernigan: Miami, Atlanta, whatever.
[00:26:41] Nathan Wrigley: different destinations, and there it is. And an internet request comes in, let's say from, I don't know, evil country.
Let's go with that. evil country. Somebody sends a request and it gets to the, edge computer that's got your site. and your site doesn't even get involved in that. CloudFlare just puts up the guardrails and says, Nope. There's something about you, which is raising our spidey sense.
We're just gonna drop you, you are not penetrating any further in. Now, of course, the, net result of that is that. Your site didn't have to do anything there. There was no plugin which got involved. There was no page which got served up. Your site was just sitting there having a rest on the beach, taking its pina colada through the straw, just enjoying life and all of the nasty things were just washing up against this wall.
Now that sounds like nothing. Let's say that 5,000 of those things weren were getting through because CloudFlare wasn't there. That's 5,000 things Your server's gotta do 5,000 things you possibly have to pay for in a tiny fractional way, but it might all add up, and so that is really profound. Just that one little thing is incredibly profound.
[00:27:58] Jonathan Jernigan: It's, incredible. Yeah. And, It actually, it goes even deeper because there's this thing that I've called that of course is not my, own grand new creation, but basically taking other people's concepts of what else you can do inside of CloudFlare on that free plan and the, way that I pulled off that spa.
Stop that I mentioned with my real client was simply by taking the default firewall rules that CloudFlare sets up for you automatically with no effort required. They're very, good. They, they, block remote access to, for us WordPress folk WP config. So somebody can't remotely access that file.
That's just a CloudFlare thing that they, check and they say, whoa, that's WP config. Nope, nobody can access that. Keep your database safe, keep all your, proprietary information safe. But even more so than that, they constantly are updating it with the latest vulnerabilities. So if something comes out, they, patch it in their firewall, so then it's just not exploitable.
But then we can create our own custom rules on top of that. I call it the plumber rule 'cause I like to imagine, think about in your country a client of yours. If they are a physical service-based business or even a, business that can only service people in your own country, a lawyer, or some kind of specialised trade like that, they, there is no reason, no legitimate reason whatsoever that anybody, except those people inside of that country need to reach that site.
So why should evil country A, B, and C be able to reach that site? That's where the spam and the bots and the, malicious traffic is coming from. So when I, set up like small business clients, I'm simply creating a firewall rule that says, if this person is not connecting from one of these countries, typically Canada, United States, whatever is applicable for that particular client, then, just block them, just drop it entirely.
There's no legitimate reason why they need to be connecting. And if there is, we'll create an exception to the rule. We can, do that. We have that. We have the technology for that. So what that means then is your interior designer, your plumber, your mus, maybe not musician, you get the idea.
Businesses that have literally no ability to service people outside of their own country, just there's no need for that. And CloudFlare handles all of that for you. So it means less spammers, less attackers, but better performance because the website's only serving legitimate traffic. You don't have as much bloat in the database because spam just typically doesn't even make its way into the database.
and, there's, just so much more you can do to, we can get into the weeds of other things that are very
[00:30:52] Nathan Wrigley: into the weeds a little bit. One, one curious thing that I think about the CloudFlare free plan is they're really good at not telling you how great they are. And what I mean by that is all this. Office going on in the backend and they don't really email you to say, you get this sort of summary once in a while, but it's not, really heavy marketing or anything.
It's not okay, we did this, and so you should pay up because what we didn't do is this, there none of that. It all seems to be just. I don't know, altruism is the wrong word. 'cause definitely it's a for-profit entity, but there is, there, there does seem to be some sort of philanthropic side to it.
they're, helping out, the internet to a great extent. And I imagine the vast majority in terms of numbers, not in terms of revenue, but in terms of numbers are on the free. Plan. Yeah. okay, let's get into some of the bits and pieces that are in your course. Some of the sort of more high level stuff, maybe the things that are more of interest to, to people who are just wanting to explore CloudFlare a little bit more than the free version that you switch on and go with the defaults.
What, else do you cover?
[00:32:02] Jonathan Jernigan: there's, a bunch of really interesting things. first of all, the course is designed for beginners. So if you don't even know what DNS is or a CNAME record is, I spend a lot of time going through the, those fundamentals because it's so important to really understanding that why. And then another lesson I didn't anticipate at this at the start, but that I spend time on is the idea of what is a name server.
And I don't think that's relevant for our, chat today, but just that like people, are familiar with that term, but what is it? How does it work? That's critical. You have to, understand that.
[00:32:36] Nathan Wrigley: Again.
[00:32:37] Jonathan Jernigan: Yeah, another bewildering piece of technology that just works in the background. so we spend a lot of time on the fundamentals like that and then move into the cool stuff, like I just talked about, the, firewall rules.
That, to me is the, part of the course. That's the reason it even exists. The firewall and the custom rules that you can create on top of that are. Are just out outstandingly good. There's nothing that even comes close. No security. I don't use security plugins on WordPress simply because the firewall rules and CloudFlare are so outstanding and so powerful that there's just simply no reason to.
So I spend a lot of time with these firewall rules, creating what I just described, what I call the plumber rule, and then. for example, have, when you go to a site and you get that popup screen and it says, we're making sure you're a human protected by CloudFlare. That screen, in case listeners aren't familiar, is called a managed challenge.
And it's a, screen that CloudFlare throws up automatically to say, we saw something just a little bit suspicious here. We want another second or two to make sure that everything is fine. And typically that screen just goes away and you don't have to do anything. But with. That firewall, we can, say always manage, challenge somebody when they come to this specific page or this specific subdomain.
So for example, like I typically add that manage challenge rule to the WordPress login page. Not because it's the most secure way to do it, but because. It is more secure than just leaving it open, but less intrusive for non-technical clients who have to deal with two factor. They don't want, they don't wanna do all that.
So, that's another huge thing is being able to protect specific parts of the site, like login pages or like for instance, we had this recurring issue on our PI calendar site where we would get spam checkouts that somehow completed checkout but never paid. And we spent forever trying to figure it out.
We opened tickets with easy digital downloads and, gravity Forms and all these people, nobody had any idea how they were getting through. We had all the settings correct, everything was fine. We just couldn't figure it out. We put up a managed challenge screen on the PI calendar, checkout page, like magic.
It stopped the, those, bogus checkouts just ceased to exist entirely and. We, saw no appreciable change to our conversion rate on PI calendar. It is annoying, we admit, of course, when you click buy now and you're presented with that managed challenge screen, it is extremely annoying of course.
But it was necessary in this
[00:35:26] Nathan Wrigley: That's so interesting. Yeah, that's fascinating. I'm now curious as to how the heck do you get through the checkout without, without actually doing the checkout? Okay. Okay.
[00:35:36] Jonathan Jernigan: Yeah. 'cause not only. Not only did you have to pay, but you also had to create an account. So somewhere it created the account, but then the payment failed or something. It was impossible to figure
[00:35:46] Nathan Wrigley: genius somewhere, stroking their cat, just Yeah, that's right. Biting their little finger.
[00:35:53] Jonathan Jernigan: Yes. Yes.
[00:35:54] Nathan Wrigley: Yeah. okay, so aside from the firewall, when I go in and I honestly, this is me with CloudFlare. This is literally what happens. I buy a new domain, I buy it from CloudFlare. And once I've bought it, I just make sure that I've got the name servers so I can put those in various different places so that I can, put the hosting, make the hosting aware of what's going on.
That's kind of it. That's where my relationship ends. But I know there's so much on the menu in the, on the left there's 50 things that UI just got. Upended. I think it was like a month ago or something. They changed it. Signifi, not significantly, but things got moved around a little bit and it's at that point that you notice more items 'cause you can't suddenly click where it used to be.
And so there's absolutely loads. Are there any, other free bits like, let's deal with the free, are there any other free bits apart from the firewall and the firewall rules? That you think are particularly curious. we don't have to go into how to implement it. Obviously that's in, your course and what have you.
But are there any free bits that are worth mentioning?
[00:37:01] Jonathan Jernigan: Oh, absolutely. the, whole point of my particular course, and there's another gentleman who has a similar CloudFlare course, it's in the WordPress circles that his course is, extremely technical, and we'll show you how to get every last drop out of CloudFlare. But that's actually the exact opposite of the approach that I take in my course and just in effectively everything I do with WordPress, simply because that's I get you to 90% and that final 10% is so difficult and time consuming and diminishing returns that I think that it just simply doesn't make sense to, to spend all that effort. And that also applies inside of CloudFlare, I believe, because like you said in that left hand sidebar, when you log in, I just counted this for the sake of the course, I know there's 18 individual items, and of those 18, sometimes there's six sub menus underneath it.
And. Of those 18, in my opinion, there's only six worth paying attention to. And some of them, you're gonna spend your time in just automatically, like the DNS tab, creating your a records, seeing your name server, stuff like that's just a given. The firewall. They call it security rules.
Of course, that's a big one. the caching tab. This is another case where I believe that the default caching rules are perfectly sufficient for 99% of us. And I don't touch a single thing under the caching simply because it's so good as it is, that I don't think it's worth changing, especially because when you start doing that.
That's when you run into my client sees one thing, I see something else, and our visitor sees something else we can't even predict. caching is just, it can be such a nightmare. so the caching rules, that cache is your site by default for four hours. And that's just, enough. You can crank it as high as you want, but for most of us, we're getting in there and we're making changes, if not every couple days, every few weeks, and
[00:39:03] Nathan Wrigley: just quickly to hijack that a little bit before you carry on. So in the same way that you don't use a security plugin because you feel that the firewall is really great on the CloudFlare side, do you use any kind of caching? Plugin, which talks to CloudFlare. let's say for, I don't know, there might be a setting in the, WP admin to clear the CloudFlare C cache or something like that.
Do you use a caching plugin which leverages CloudFlare or just, anyway, there's the question. Do you use
[00:39:32] Jonathan Jernigan: Fantastic question. Yeah, so the only performance plugin I use inside of WordPress is the one called Perf Matters, and I'm sure you're well familiar with them.
[00:39:40] Nathan Wrigley: Yep.
[00:39:41] Jonathan Jernigan: there's not a, there's not a direct CloudFlare integration per se, but it definitely still is, it still is, applicable and relevant to use perf matters or something similar on your site.
And I find that if you have to clear the cache in one place, you probably also have to clear it on the CloudFlare side. if you're, you, rebuilt a whole page and you wanna make sure everybody sees the newest version, if you're gonna go into WP Rocket or whatever and clear the cache. Like you also gotta, you also gotta do it in CloudFlare too.
[00:40:10] Nathan Wrigley: I think there are a few plugins that there maybe is a dedicated plugin that I've seen in the past, which literally does that, it just buss the CloudFlare cache. It doesn't do much else, but it's quite handy having that. In the WP admin, so you can just click that button and I guess you drop in some API keys or something.
Can't remember how that's done anyway, sorry. Okay.
[00:40:30] Jonathan Jernigan: a lot of, hosts have their own bespoke button. Like Kinta, I know for a fact has a bespoke one in the WP admin dashboard that pops up and lets you clear their cache. Same kind of thing.
[00:40:40] Nathan Wrigley: Okay. Sorry. So I derailed you there, you were talking
[00:40:42] Jonathan Jernigan: yeah, no problem. The another big area that the free version gives you is this product called Access. And it's this, it's a whole other like separate portal that exists.
You click access and it takes you to this whole other page. And what it does is it's effectively like the ability for you to provision access based on sets of rules to your site. So in most cases, I don't use this except when there's like a proprietary login screen that only specific people should access.
Or, if, the site is sensitive enough that we do actually need two factor authentication. Instead of relying on a WordPress plugin, which again, if the attacker gets in, they can simply just disable that plugin. the access product inside of CloudFlare effectively gives you the ability to add two-factor authentication to your site.
So if somebody goes to wp builds.com/wp login, they won't even see that screen load. It never actually even hits your server. Until that two factor action has been completed. So you could have it be, an email to only your email. It could be Nathan at, and, that's it. That's the only place that two factor code goes.
And if they don't succeed, they're just never even shown the login screen.
[00:42:05] Nathan Wrigley: and that's, on the free tier, is it? That's,
[00:42:08] Jonathan Jernigan: it is,
[00:42:08] Nathan Wrigley: did I not know about that? That's so great. I love that. Okay.
[00:42:12] Jonathan Jernigan: that one used to be buried. It was like under security and this other thing, and now they brought it out as like its own kind of standalone
[00:42:18] Nathan Wrigley: Yeah. So you can just specify a page or a route, and you can say, I dunno, do a two FA with an email or something. So respond by clicking a link on an email or, so That's brilliant. Gosh. Sorry.
[00:42:32] Jonathan Jernigan: So it's, it's. incredible. 'cause it's, extremely flexible based on what the needs of you and potentially your client are. Like, for example, if the login page should only be accessible by people with an at WP Builds podcast email, like then it could be Nathan and Tom, and Sarah and Kate.
you don't have to go in and input all of those. As long as that email exists, then it's gonna send that to them and then
[00:42:59] Nathan Wrigley: Okay, so you can set rules within rules. So you set up the rule on the front end of the site if you like, and then you can have domino effect of a different set of rules around, I don't know. If the email address is this, then you're good to go. Okay. Gosh,
[00:43:13] Jonathan Jernigan: Yeah, and, also like it's important to keep in mind that with CloudFlare, all this stuff is stacked in these layers where they all interoperate on, either forward or behind of other rules. Like in most of my clients, when we have that plumber country blocking rule, that one is then followed by managed challenge on the login page.
So only people who are inside of the country who then also try to reach the login
[00:43:40] Nathan Wrigley: Oh yeah. Okay.
[00:43:41] Jonathan Jernigan: Are shown that challenge. And then an additional layer is they can't even reach the login page if they don't have the correct email or, text message verification code or whatever it is. So it's this, whole like suite of things that it, brings together that I find is so
[00:43:58] Nathan Wrigley: Yeah, I like that A any more?
[00:44:03] Jonathan Jernigan: I am trying to think off the top of my head. I could pull up my, little
script
[00:44:06] Nathan Wrigley: No, that's fine. Honestly, I think you've wet our appetite. I, I. Like I said, I've just had this cursory relationship with it. I, the clever people that I know all think that it's the best thing, they're all like, I'm on team CloudFlare, this kind of thing. And, and I'm just piggybacking off their knowledge really.
So I've, just made the assumption. Everything is brilliant and works over there. Obviously there's this single point of failure problem, which the entire world knows about when CloudFlare goes down. I do know of a couple of hosting companies in the WordPress space who are now starting to lean into CloudFlare and CloudFlare workers and,
[00:44:47] Jonathan Jernigan: Yeah,
[00:44:48] Nathan Wrigley: pages and things like that on different, on the edge in different ways.
I know that's a new thing as well, which is quite interesting. Yeah.
Yeah.
[00:44:57] Jonathan Jernigan: There's a, way that you can host, websites. WordPress, I don't think at this time, can be done without extra complexity, but you can host basic like static sites on CloudFlare through their workers system, like you said, completely for free.
[00:45:12] Nathan Wrigley: It's nuts, isn't it? Yeah.
[00:45:13] Jonathan Jernigan: it's crazy. Yeah, there's, I'm sure there's some limit to visitors or bandwidth or something, but, but that's really cool.
And another, neat product that also exists. It's technically free, pay as you go. they have a whole, they have a whole, database like backup system that exists called R two. And I taught this course maybe about a year ago on this hosting product called Cloud Panel. Funny enough, cloud flare and cloud
[00:45:43] Nathan Wrigley: Yeah. Yeah.
[00:45:44] Jonathan Jernigan: but cloud panel is effectively like a server control panel that you have full access to and it can back up the whole server, including all the individual sites to.
CloudFlare R two. So then you have this like backup similar to a Google Drive or Backblaze or whatever. That can all just be right there inside of your, CloudFlare account. So there's just, it's, one of those things that it's impossible to convey how many things you could
[00:46:14] Nathan Wrigley: Yeah, that's
[00:46:15] Jonathan Jernigan: Because there's so much in there, but also because you and I don't build things in the same way.
So what I find cool you might not, but there is for sure something in there that, you know you'll be blown away with
as
[00:46:28] Nathan Wrigley: It, genuinely is absolutely fascinating. I guess what we haven't done so far, I will put it in the show notes and I'll mention it in the preamble to this episode. Where do we, where do we get the, first of all, where do we find the course that you are talking about today?
[00:46:44] Jonathan Jernigan: Absolutely. Yeah. Just on my website, it's jonathan jernigan.com and there's a little courses button, and you'll see it as soon as you click on that.
[00:46:51] Nathan Wrigley: So I'm gonna spell your name just in case anybody is listening to this and can't see the text, let's put it that way. So it's Jonathan in the normal way, and then Jernigan, J-E-R-N-I-G-A-N. So Jonathan jernigan.com go there and search for the CloudFlare course. Is there any other place online where you typically hang out?
I know you said you're trying to, inoculate yourself from social media, but perhaps you are, I don't know, maybe you're a LinkedIn or something like that.
[00:47:18] Jonathan Jernigan: as much as I like to talk about, eliminating social media from my life, it's not a, I am not completely cured of the addiction. I still poke around the place I think I spend most of my time in the WordPress sphere is inside the admin bar
Facebook
[00:47:33] Nathan Wrigley: Yeah. Yeah.
[00:47:34] Jonathan Jernigan: And that's just, a place.
It's actually, I wanted to mention too, there was just a thread like a few days ago about somebody who, was having bogus checkouts on their WooCommerce site and. A bunch of people chimed in and they said, here's CloudFlare rules that you can do to stop this. This, I had this exact problem. Here's exactly what you do.
And it was so
cool to see,
[00:47:56] Nathan Wrigley: nice bit of
[00:47:57] Jonathan Jernigan: we've, talked about the admin bar many times, and
too.
[00:48:01] Nathan Wrigley: Kyle Van Doozen, you should go and check it out. The admin bar.com, I think. certainly go Google it and you'll find it. and, yeah. Okay. So that's great. I appreciate you chatting to me today about that. Go and check out CloudFlare, check out Jonathan's website and go and subscribe to his course because it makes sense. Jonathan Jernigan, thanks for chatting to me.
[00:48:20] Jonathan Jernigan: Absolutely wonderful. Thank you.
[00:48:22] Nathan Wrigley: Well, I hope that you enjoyed that. If you did or if you didn't, doesn't matter. Head to episode number 463 at at wpbuilds.com. Search for the episode with Jonathan Jernigan, if you can't remember that number, and leave us a comment there, we would love that.
One last reminder, if you're at WordCamp Asia and you're listening to this during that event, come and find me. I'm on X @wpbuilds. admin @ wpbuilds.com if you want to use email, and I'm also on the WordPress Slack as well. It would be very nice to hang out.
Okay, that's all we've got for you today. I'm gonna fade in a bit of cheesy music and say you stay safe. Have a good week. Bye-bye for now.
