Cloudflare Sync
How to connect Cloudflare to SiteFort and push firewall rules to the edge. Only relevant if the site's DNS is proxied through Cloudflare.
Is Cloudflare Sync right for your site?
Cloudflare Sync pushes SiteFort firewall rules to Cloudflare so bad traffic is blocked before it reaches your server. This matters most for sites that receive high-volume attacks, brute force waves, or scraping traffic that puts load on the origin server even when blocked at WordPress level.
Skip this page if your site does not use Cloudflare DNS proxying. Cloudflare Sync only affects traffic that actually passes through Cloudflare. If DNS records are not proxied (orange cloud in Cloudflare), traffic goes directly to your server and edge rules have no effect.
What gets pushed to Cloudflare
| Rule type | Pushed to Cloudflare edge? |
|---|---|
| Manual IP block and allow rules | Yes, when supported by your Cloudflare plan |
| Country rules | Yes, subject to plan limits |
| Manual user-agent block rules | Yes |
| Automatic edge blocks during active attacks | Yes, managed separately from manual rules |
| Built-in bot policy (Balanced, Maximum) | No. Bot policy runs at origin level only. |
| Rate limiting | No. Rate limiting runs at origin level only. |
Connect Cloudflare
Go to SiteFort → Settings → Integrations → Cloudflare Connection.
You need two things from Cloudflare: the Zone ID for the website, and an API Token with the correct permissions. The full step-by-step connection process including screenshots is in the Cloudflare Integration Guide in the docs. The key points are below.
API Token permissions required
| Permission | Required |
|---|---|
| Zone - Zone - Read | Yes |
| Account - Filter Lists - Edit | Yes |
| Zone - WAF - Edit | Yes |
| Account - Firewall Access Rules - Edit | Optional, fallback support only |
Use an API Token, not a Global API Key. Scope it to the specific zone. After saving credentials in SiteFort, check the Connection, Account ID, Permission Check, and Detected Plan status cards. All four should show green before enabling Cloudflare Sync.
Common connection issues
| What SiteFort shows | What to check |
|---|---|
| Permission Required | Add the missing token scopes in Cloudflare, then click Re-verify Credentials in SiteFort. |
| Verification Failed | Confirm the Zone ID is correct and the token value was pasted without spaces or extra characters. |
| Plan limit warnings | Reduce the number of synced entries or consolidate IP rules into CIDR ranges where possible. |
| Conflicting targets | A rule already exists in Cloudflare with the opposite action. Remove or update it in Cloudflare, then push again from SiteFort. |
Sync settings
Go to SiteFort → Firewall → Cloudflare Sync.
| Setting | Recommended | Watch out for |
|---|---|---|
| Cloudflare Sync | On, once credentials are verified | Rule changes push automatically when sync is on. Use Push now after making significant firewall changes if you want immediate sync rather than waiting for the next automatic push. |
| Push now | Use after major rule changes | Nothing to watch. Forces an immediate sync of all eligible rules. |
Wildcard IP patterns such as 192.168.1.* are enforced at the origin level and may be skipped during Cloudflare sync. If a specific rule needs edge enforcement, use a CIDR range instead.
Automatic edge blocks
Go to SiteFort → Firewall → Cloudflare Sync → Automatic Edge Blocks for Active Attacks.
When an IP repeatedly triggers firewall blocks, SiteFort can escalate that IP to a temporary Cloudflare edge block automatically. This stops the attacker at the edge during active abuse without requiring a manual rule.
| Setting | Recommended starting point | Watch out for |
|---|---|---|
| Block Threshold | 10 to 20 triggers | Setting this too low can escalate IPs from shared networks like offices, universities, and corporate VPNs where multiple users share one IP and one person's behaviour triggers the rest. |
| Observation Window | 15 to 30 minutes | Shorter windows react faster but increase the risk of escalating legitimate traffic spikes from events, email campaigns, or sales. |
| Edge Block Duration | Start with 30 to 60 minutes | Temporary blocks are appropriate for most abuse. Longer durations should only be used when an IP has been consistently abusive across multiple observation windows. |