Using cloudflare basics to defend your Magento eCommerce website

Note: This guide will work for normal websites to and wordpress

Often a CDN service like cloudflare is used as a bandaid for a poor performing Magento website. Often when code or website hosting is poor people will try to fix these core problems by using a CDN service like cloudflare. Often this does help, though it is not good practice.

However, today I am discussing what I think it is best at doing. Principally keeping away bots, hackers and malware. While it is true sometimes these issues can manifest as a performance issue first, because often bots etc will drain your Magento website performance for their own gain. If we put that to one side for the purposes of this blog. I will focus on some basic security measures that will allow you to sleep at night while your Magento store shugs away making money.

To put these measures in place you will need:

  • Domain name hosting access so you can change the nameservers
  • Magento Admin access
  • SSL Certificate installed on your hosting (not necessary but I prefer to have ecommerce sites running 100% under https)

    Setup one:

    Go to your Websites main Domain name DNS Make a backup of all the entries and keep it somewhere safe. (Sometimes this is in cpanel or your hosting panel. If you have premium DNS it will be with that provider, which maybe your domain seller, another premium DNS provider)

    Now also take note of your name servers and keep it somewhere safe.

    If you want to double check you have the correct details use these tools; or be cautious this can get messy if you make a mistake. Also make sure you're doing this during your dns support teams working hours.

    Now reduce every dns entry ttl to 300 and save. This will make it quicker to roll back just incase.

    Go to and sign up. Try and use an email separate from the domain just in case unless you have confidence in your skills.

    For the purposes of this tutorial cloudflare's free plan is perfectly acceptable. After you enter your details you will be asked to add a website

    When you do this cloudflare will scan your DNS and then prompt you to check the entries. You can watch a nice video telling you all about cloudflare and its benefits while you wait. Your will then be prompted to check that cloudflare has captured all your DNS entries. Don't assume it did it correctly. Take your backup and cross check it against what is recorded. Add the records or edit to make sure they are the same.

    Step two:

    Your first step of hardening is to allow Cloudflare to mask your server's IP address in your DNS records. You do this by clicking on an grey clouds and making them orange.

    Now click continue. Select the plan you want. Free is fine for this tutorial. Now you will be prompted to change your nameservers to new cloudflare nameservers (Note: you can customise them if you pay a subscription).

    I recommend you do this our of your best trading hours, however cloudflare does state you will experience no downtime. Though please be aware some sites js and css can brake and may require a little finessing to get it running nice.

    Step three

    Change your nameservers at your domain host. Nothing will probably happen for 24-48hrs depending on your provider. Some providers like Godaddy will change very fast others like Crazy Domains seem to take forever to rollover. You can check your nameservers have change on cloudflare or by using an online tool like (NS stands for nameserver)

    Step four

    Configuration of cloudflare

    This is great for protecting against spoofing and man in the middle attacks. It's a little over kill and a bit of a pain in the but to setup, but I still like it. Attempt last after you have everything else dialed in.

  • SSL
    If you have a SSL Certificate on your website go to the crypto menu item and check SSL to Full(Strict). Just note if your site is a little slow or has SSL issues outside of the checkout you may require extra work to do this or may not be able to.

  • Firewall
    If you are running Wordpress or Magento I recommend at least a medium security level. If you don't currently have an issue and never have set your challenge passage to an hour or to suit otherwise set it to 30 minutes.

  • Access rules
    If you not trading overseas set the following countries to Javascript Challenge by default; USA, France, Ukraine, Hong Kong, Germany, Pakistan. They are the most common locations for attacks to originate from. Doing this will cut out 90% of any issues that can happen, such as, bots, DDOS, automated hacking.

  • Speed
    This isn't part of the hardening, but caching your site with Cloudflare will help take the load off your servers if it does come under attack from bots, brute force or DDOS attack. Turn on each section one at a time. Autominify can break Magento css often so as a general rule start with Magento minify off. Then test and measure each option ensuring you are getting a performance gain from it and your css and js doesn't break. Don't just assume ticking all the boxes will improve performance. (Rocket loader can do some weird stuff or be awesome).

  • Caching
    Caching level test and measure as you did with Speed options. Browser caching expiration, as a guide if you make many updates per day set it low. if you barely ever touch the site set it high.

  • Page rules
    This is one of my favourite sections.
    If your site won't break under SSL enter the base url and set it to forward to https
    You can also do this for your checkout page if you can https the main part of the site.

    For security purposes I like to add my admin and user login pages and force them to load under https. Also I set security level to I'm under attack regardless of whether you are. This will cut down bots, ddos, brute force attempts. Also I turn on browser integrity check for newbie users and I like cache on as a buffer, but it is not a must.

  • Scrape Shield
    Turn on email obfuscation and stop those damn bots stealing your email and spamming you nuts. Also turn on server-side excludes. Hotlinking can be great if you don't want your content shared, however it can be a little un-SEO friendly.

    Now you're finished hardening your website with some basic measures which will fight off most of the standard pain in the butt evils of the web. Best of luck!

  • Author image
    Senior Developer at Mebsites on the Gold Coast, Queensland, Australia. Mebsites is an acclaimed Magento and Custom Framework Web Software coding house.
    Gold Coast, Queensland, Australia Website