Configuring CloudFlare to work with Jetpack for WordPress

I gave up on WordPress.com because I felt I wasn’t getting value for money. Unless I forked out more money than I’m paying now – and annually upfront no less – there was no Google Analytics access and I disliked having to give up the ‘www’ subdomain. Then there are other technical matters which just couldn’t cut the mustard. So I’ve gone back to using CloudFlare, a CDN (content delivery network) and WAF (web application firewall), which sits in front of my VPS (virtual private server) to protect the server and WordPress application. As an added bonus, I was able to enable DNSSEC too.

However, one of the problems I have had with CloudFlare in the past is making it play nicely with WordPress.com’s Jetpack plugin. This provides additional features which are nice to have, but more importantly, allows me to use the WordPress iOS app to create and edit posts on the fly. Very handy if I have my iPad Pro with me and have the urge to write a blog post.

One of my favourite (relatively) new features of CloudFlare is the Firewall. This allows anybody to create a series of rules which grant or deny access to the underlying application. This is a big step up from the simple whitelisting/blacklisting feature, which was very limiting and, as a simple $20/month Pro subscriber, didn’t allow me to block entire countries (a few of which are almost always entirely responsible for attacks and dodgy bots).

To get the Jetpack plugin to work properly, I had to create a brand new rule to allow a series of IPs from Automattic (who make WordPress) to access the blog.

CloudFlare’s new firewall editor is a big step up from simple whitelisting/blacklisting

The rules page is very simple:

We allow access only from WordPress.com IPs & to two URLs

The /?rest_route= URI was a result of examining the output of the firewall logs. I’ve not seen any other calls from WordPress.com using that URI as yet (but then again, I haven’t used it in anger fully as yet), so it might not be necessary. But certainly WordPress.com will use xmlrpc.php.

It works!

Prior to this, whenever I tried to associate Jetpack with WordPress.com, it would fail authentication, refresh the page, seemingly authenticate and that would be it. Nothing else would work. Applying the above firewall rule has made everything work as it should.
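
A local model of the allow rule described above, useful for checking which requests it would and would not match before relying on it. This is an added example, not the author's actual rule or CloudFlare's own code: the IP ranges are documentation placeholders rather than Automattic's real ranges, and the function names and sample events are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Placeholder ranges (RFC 5737 documentation space), NOT Automattic's real ranges.
# Substitute the list Automattic publishes for Jetpack.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_jetpack_endpoint(uri):
    """True for the two URIs the post's rule covers: /xmlrpc.php and /?rest_route=..."""
    parts = urlsplit(uri)
    if parts.path == "/xmlrpc.php":
        return True
    # Require rest_route as a query *parameter name*, not a substring anywhere.
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path == "/" and "rest_route" in query


def rule_matches(src_ip, uri):
    """Model of the allow rule: source in the allowlist AND URI is a Jetpack endpoint."""
    ip = ipaddress.ip_address(src_ip)
    return is_jetpack_endpoint(uri) and any(ip in net for net in ALLOWED_NETS)


def evaluate(events):
    """Return (src_ip, uri, verdict); 'fallthrough' means other rules decide."""
    return [(ip, uri, "allow" if rule_matches(ip, uri) else "fallthrough")
            for ip, uri in events]


# Constructed sample events in the shape (client IP, request URI).
SAMPLE_EVENTS = [
    ("192.0.2.15", "/xmlrpc.php"),              # allowlisted IP, XML-RPC endpoint
    ("198.51.100.7", "/?rest_route=%2Fexample"),  # allowlisted IP, REST route
    ("203.0.113.50", "/xmlrpc.php"),            # right URI, unknown source
    ("192.0.2.15", "/wp-login.php"),            # allowlisted IP, other URI
    ("192.0.2.15", "/xmlrpc.php.bak"),          # exact path match only
    ("203.0.113.50", "/?s=rest_route"),         # string appears only as a value
]

if __name__ == "__main__":
    for ip, uri, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:<12}{ip:<16}{uri}")
```

Requests marked `fallthrough` are not blocked by this rule on its own; whether they reach WordPress depends on the other firewall rules in place.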