WordPress powers about 60% of all websites on the internet, which is a staggering figure by any standard. Most of these WordPress instances lack many basic security features that can mean the difference between your website being hacked and… well, not hacked.
In this article, we’re going to run through the process of setting up a free reverse proxy to help protect your website. There are many advantages to this, including:
- Easy SSL/TLS implementation
- Web application firewall (WAF)
- DDoS protection
- Added privacy
- Faster load times
For this example, the reverse proxy service we’ll be using is CloudFlare. There are many other providers that do the same thing, but I’ve been using CloudFlare forever and they have a generous free plan, which we’ll be taking full advantage of!
We’ll use CloudFlare to protect my personal website, https://hakluke.com. This website is currently running WordPress on a cheap VPS. If somebody decided to perform a DDoS attack, they’d be successful!
How does CloudFlare work?
CloudFlare acts as a proxy between your website visitors and your web server.
The user never interacts with the web server directly, so we can use CloudFlare to filter traffic and protect the web server.
Adding the site to CloudFlare
The first thing we need to do is sign up for a CloudFlare account, but I’ll leave that as an exercise for the reader.
Once you’ve logged into the CloudFlare dashboard, click “Add site” up near the top right, then enter your domain name and click the blue button.
The next page will display the available CloudFlare plans – the layout is a bit cheeky. You will need to scroll past the paid plans to see the free one.
Choose the free plan (down the bottom), and continue. The next step will import your existing DNS records to CloudFlare.
Once it has finished, you’ll be prompted to switch your nameservers to CloudFlare. To do this, you’ll need to log in wherever you registered your domain name and update the nameservers to the ones that CloudFlare provides you.
It might take up to 24 hours for the changes to propagate across the internet, but most often it all happens within a couple of hours. Sit tight! CloudFlare will periodically check, and send you an email when it’s all finished.
Okay, so now you’re using CloudFlare, what have you actually gained? Here are a few things!
You can easily enable the CloudFlare WAF to protect your website from many types of attacks, including vulnerabilities in WordPress and common OWASP Top 10 style vulnerabilities.
Free, easy SSL
The internet is now at a point where all websites should have signed SSL certificates. Setting them up yourself can be a bit of a hassle – but CloudFlare will add SSL to your website by default, without any additional effort on your part.
CloudFlare will serve your page over HTTP/2, which is roughly twice as fast as HTTP/1.1. It allows your site to load page elements in parallel, and it compresses page elements for faster transfers.
CloudFlare caches and optimizes images to reduce load times. In a typical web page, 60% of the data transfer is images, so optimizing these images can offer pretty significant reductions in load times!
CloudFlare offers easy-to-set-up rate limiting rules for your website, which will prevent anyone from making excessive requests to it. Excessive requests are often a sign of nefarious activities such as:
- Brute-forcing login attempts to gain access to your WordPress instance
- Scraping data from your website
- Causing mayhem by submitting excessive contact form attempts, or something similar
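To make the rate limiting idea concrete, here is an added example (not part of the original article, and not CloudFlare's implementation): a sliding-window counter run over constructed access-log lines, flagging clients that POST to the WordPress login page more often than a threshold. The function names, the limit of 5 requests per 60 seconds and the sample IP addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Start of a combined-format access log line: client IP, timestamp, method, path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def rate_limit_hits(lines, path="/wp-login.php", limit=5,
                    window=timedelta(seconds=60)):
    """Return {ip: time the limit was first exceeded} for POSTs to `path`.

    Assumes each client's lines appear in chronological order.
    """
    recent = defaultdict(deque)  # ip -> request times inside the window
    exceeded = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines
        ip, ts, method, url = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        when = datetime.strptime(ts, TS_FMT)
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:  # drop requests older than the window
            times.popleft()
        if len(times) > limit:
            exceeded.setdefault(ip, when)
    return exceeded

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def entry(ip, offset, method, url):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512'
    # Fast login attempts, a slow legitimate user, and ordinary page views.
    lines = [entry("203.0.113.10", 2 * i, "POST", "/wp-login.php") for i in range(8)]
    lines += [entry("198.51.100.7", 30 * i, "POST", "/wp-login.php") for i in range(6)]
    lines += [entry("192.0.2.44", i, "GET", "/blog/") for i in range(20)]
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for ip, when in rate_limit_hits(sample_log()).items():
        print(f"{ip} exceeded the login limit at {when.isoformat()}")
```

Only the client sending a login POST every two seconds crosses the threshold; the visitor who retries every 30 seconds and the one browsing pages are left alone.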
CloudFlare, and other reverse proxy services, tend to have a lot of features, far more than I can cover here! The best way to discover what’s available is just to browse through the web interface and read the descriptions.
Don’t want to use CloudFlare? There are loads of alternatives to choose from! Here are a few popular ones:
- Amazon CloudFront
- Azure CDN
Adding a reverse proxy solution in front of your website is a great way to quickly (and cheaply) improve the general security posture of your website. Hopefully this article has provided the information you need to implement one today!