Cloudflare and Jetpack for WordPress are designed to work together seamlessly, requiring minimal additional configuration. However, there are specific security features to be aware of that protect your Jetpack installation.
Default Jetpack Protection from Cloudflare
The Cloudflare Web Application Firewall (WAF) includes a managed rule, WP0007, which protects the xmlrpc.php file across all Cloudflare plans. This rule restricts access to the xmlrpc.php?for=jetpack query string to Jetpack's automation IP range, so only Jetpack can use it.
As a result, any access attempt to xmlrpc.php?for=jetpack from non-Jetpack IP addresses will be blocked with an HTTP 403 Forbidden response. This security measure enhances your website's protection and does not interfere with Jetpack's functionality.
Additional WAF-Managed Rules That Can Impact Jetpack
Another WAF rule, WP0002 - Block WordPress XML-RPC, can block Jetpack's servers from managing your settings. This rule is disabled by default, but if enabled, it completely blocks access to the xmlrpc.php file. We recommend enabling this rule only as an emergency measure if your xmlrpc.php endpoint is under attack.
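The following Python script is an added example, not Cloudflare or Jetpack code. It models the WP0007 and WP0002 behaviour described above and audits access-log lines for xmlrpc.php requests that should have been blocked but were not answered with a 403, for example traffic that reached the server without passing through Cloudflare. Assumptions: the log is in combined log format with the visitor's real IP in the first field, and JETPACK_RANGES holds a placeholder documentation range that must be replaced with the range Jetpack publishes.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: placeholder range (RFC 5737 documentation block), not Jetpack's
# real addresses. Substitute the range Jetpack publishes.
JETPACK_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def from_jetpack(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or junk in the IP field: not on the allowlist
    return any(addr in net for net in JETPACK_RANGES)

def expected_action(ip, target, wp0002_enabled=False):
    """Model of the behaviour the page describes for WP0007 and WP0002."""
    url = urlsplit(target)
    if not url.path.endswith("/xmlrpc.php"):
        return "allow"
    if wp0002_enabled:
        return "block"  # WP0002 blocks all access to xmlrpc.php, Jetpack included
    if parse_qs(url.query).get("for") == ["jetpack"] and not from_jetpack(ip):
        return "block"  # WP0007: for=jetpack from a non-Jetpack address gets a 403
    return "allow"

def audit(lines, wp0002_enabled=False):
    """Return requests the rules should block that were not answered with 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        if expected_action(ip, target, wp0002_enabled) == "block" and status != "403":
            findings.append((ip, target, int(status)))
    return findings

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 403 0',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1000',
]
```

Calling audit(SAMPLE_LOG) reports only the non-Jetpack for=jetpack request that returned 200; passing wp0002_enabled=True also reports the Jetpack request, which shows why that rule interferes with Jetpack.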
Further Guidance
If you have questions or need assistance, please reach out to Cloudflare Support.
By understanding these features, you can ensure that Jetpack and Cloudflare work effectively together to enhance your WordPress site's security and performance.