Cloudflare

About two months ago I read about Cloudflare on the Interwebs and decided to give it a whirl. This review reflects my experience using a free Cloudflare account for just over one month. Cloudflare is essentially a Content Delivery Network (CDN) with some interesting additional offerings. While the free account doesn’t give you all the benefits of a CDN, its threat protection has proved to be a good, cost-effective way to increase performance on this site.

In this article, I’ll cover my overall experience in creating and configuring a free Cloudflare account, and I’ll detail the metrics that illustrate why I believe that it has increased the performance of davidvielmetter.com.

[background]

I’ve been running this WordPress-powered blog for a number of years now and it has slowly increased in popularity over the years. The content I write falls mostly into the Tips and Tricks category of how-to articles which people tend to find on search engines like Google or Bing. One of the benefits of using WordPress has always been that it allows me to quickly create and publish media-rich content that looks structured and is easily indexed by search engines.

For me, the downside of using WordPress has become the ever-growing number of spammers and attacks. Until signing up with Cloudflare, I had no way to even quantify the amount of malicious visits to my blog. Yes, I’ve been using Google Analytics for years, but even with all its recent benefits and improvements, it is still very difficult to separate HAM from SPAM traffic.

This is precisely where Cloudflare comes in. It works by essentially taking over DNS for your site and allowing/denying web requests with the help of a blacklist of known IP addresses. The concept here is very similar to blocking spam emails via blacklists, only that it is applied to web requests instead. When someone requests davidvielmetter.com, his IP address is crosschecked against Cloudflare’s blacklist before DNS responds with the site’s IP address. If the requestor’s IP is on a known blacklist, he is presented with a Cloudflare page indicating as much and given the opportunity to access the site if he can enter the words in a captcha. If he fails to complete the captcha, the event is logged by Cloudflare and access to the site is blocked.

The Cloudflare control panel neatly shows Google-style analytics that clearly separate legitimate, malicious and search engine traffic. Additionally, users can view blocked site requests, inspect the reason why they were blocked and choose to permanently allow or block requests from the same IP in the future.

[configuration]

Setup isn’t as simple as signing up for a free Cloudflare account, however. After creating your account, you’ll need the ability to modify your site’s nameservers and in essence point them to Cloudflare’s own. If you’re registered at GoDaddy or Network Solutions this is fairly straightforward, but changing name servers with other hosting providers can be trickier. You may need to contact your hosting company to see if changing your name servers is possible before you create a Cloudflare account. These are my new Cloudflare NS records with GoDaddy:

After making the name server change and waiting 24-48 hours for Cloudflare to confirm the change, your account will be active. This is denoted by a green check box in your Cloudflare dashboard for each domain name being protected by Cloudflare. Once the account is active, you’ll be able to view your Cloudflare analytics and start blocking and/or allowing IP addresses.

[analytics and features]

The free Cloudflare account has three major components: Apps, Analytics and Threat control. Apps are third party Cloudflare services you can enable or disable on your account. Some of these services are free and some are not. I haven’t spent too much time analyzing how these services work, but there are some interesting offerings like email obfuscation among others available.

Analytics is the interface that displays statistics about the visits to your website. It will give you a breakdown of the number of legitimate site visits, site visits by search bots and visits blocked. The interface allows you to quickly see both historical (pie chart) and date-specific (line graph) statistics about these three categories of visits to your site. More information can be obtained from each graph by hovering over components; however, drilling for more information on any specific category is not possible.

Threat control is the part of the account that lets you see what visits were blocked and optionally block or allow traffic from specific IP addresses permanently. One nice feature of this interface is that hovering over the logged block requests also shows you why that request was blocked (i.e. visitor failed to pass captcha test). Additionally, a confidence value is assigned to each logged event indicating the “threat level” (whatever that means is unclear) of the event.
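The request flow described in the background section, combined with the permanent allow/block choices in Threat control, can be sketched as a small decision function. This is an added example, not part of the original post and not Cloudflare's code; the class and function names, the sample address ranges (RFC 5737 documentation ranges) and the rule that the site owner's choices take precedence over the blacklist are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample blacklist: documentation-only ranges, not real threat data.
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.64/26")]

@dataclass
class Gate:
    blacklist: list
    allow: set = field(default_factory=set)  # owner's permanent allows
    block: set = field(default_factory=set)  # owner's permanent blocks
    log: list = field(default_factory=list)  # blocked events, each with a reason

    def listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blacklist)

    def decide(self, ip, passed_captcha=None):
        """Return 'allow', 'challenge' or 'block' for one request.
        passed_captcha: None = not attempted yet, True/False = captcha result."""
        ip = str(ipaddress.ip_address(ip))  # normalise; raises on a malformed address
        if ip in self.allow:                # assumption: owner choices win
            return "allow"
        if ip in self.block:
            return self._blocked(ip, "blocked by site owner")
        if not self.listed(ip):
            return "allow"
        if passed_captcha is None:
            return "challenge"              # show the captcha page first
        if passed_captcha:
            return "allow"
        return self._blocked(ip, "visitor failed to pass captcha test")

    def _blocked(self, ip, reason):
        self.log.append({"ip": ip, "reason": reason})
        return "block"

def demo():
    gate = Gate(BLACKLIST)
    results = [
        gate.decide("198.51.100.7"),        # not on the blacklist
        gate.decide("192.0.2.10"),          # listed, captcha not yet attempted
        gate.decide("192.0.2.10", False),   # listed, failed the captcha
        gate.decide("203.0.113.70", True),  # listed, passed the captcha
    ]
    gate.allow.add("192.0.2.10")            # owner permanently allows this IP
    results.append(gate.decide("192.0.2.10"))
    gate.block.add("198.51.100.7")          # owner permanently blocks this IP
    results.append(gate.decide("198.51.100.7"))
    return results, gate.log
```

Only blocked requests are logged, each with its reason, which mirrors what the Threat control view shows when hovering over an event.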

[results]

So after using Cloudflare for a little more than one month, I can say that I’ve noticed several drastic changes on my blog: First, I no longer get any comments telling me how great my blog’s “theme” is or how I’ve changed their life with one of my posts. Even with Akismet turned on, before Cloudflare I was manually spamming about 20-30 of these comments every week. Now the only comments I get are legit ones. A graph of my Akismet stats shows the drastic decrease of comments after the Cloudflare activation starting April 2012:

Next, I’ve noticed a significant decrease in total traffic to my site on Google Analytics. According to Cloudflare nearly 31% of all traffic to my site is from known spammers. I’m hosting with Bluehost, so I don’t have to worry about bandwidth limits, but I figure blocking traffic caused by spammers can’t hurt site performance. This is a couple of months’ stats in Google Analytics illustrating the decrease in overall traffic because spammers have now been blocked:

I’m not saying Cloudflare is going to yield these results for everyone, but for my WordPress blog, it certainly reduced a lot of traffic I was never interested in. Likely the issue with my blog is that it is easily found by spammer bots due to the existence of domainname.com/wp-admin/. I just don’t want to change the structure of my blog and cause unnecessary permalink issues I can’t easily fix.

Finally, site performance. I haven’t seen a drastic reduction in load times and I’m sure part of this has to do with Bluehost’s $6.95/month standard package. It’s difficult to get load times down, especially with a blog that has a lot of binary content and javascripts. My site is pretty well optimized and I am using W3 cache, but I’ve never really seen load times better than 3 seconds on average and that hasn’t changed even after Cloudflare. I have seen a decrease from about 6s on average to something around 4s or even 3.5s but it bounces around that area depending on how much overhead my database tables have. Here is a graph from Google Analytics showing the decrease in page load times between April and June:

So there you have it. Overall, I’m pleased with the performance, offerings and value of Cloudflare. One final thing I wanted to note is that I have received only a single email communication from CloudFlare since signing up. That’s much appreciated too. There’s nothing worse than signing up for a free service and subsequently being bombarded with email newsletters about upgrading to a premium account.

Comments

2 responses to “Cloudflare”

  1. David Vielmetter

    Update – after the switch to Cloudflare, Google has discontinued my sitelinks. I’m unsure as of yet whether this is due to the switch to Cloudflare, but it is something to keep in mind before making the switch.

  2. Fee Ray

    How Dyn does it using our global 24/7 network monitoring platform that monitors HTTP, HTTPs, SMTP or ICMP/Ping, Dyn rapidly detects outages in your servers, datacenters or network providers and seamlessly re-route your traffic to an alternate location that you have pre-configured via rule sets, ensuring that you are always up and running for your users.