Contents
- 1 Introduction
- 2 Fundamentals
- 3 Performance Optimization
- 4 Security
- 5 Operation and Maintenance Visibility
- 6 Who is Pro for? Is it worth the upgrade?
- 7 Summary: Unexpected "really good" experience
1 Introduction
I first learned about Cloudflare at the beginning of last year, and it has been almost a year since then. During this year, I used a Free account to enjoy many of Cloudflare's features for free (CDN cache acceleration, WAF, DDoS attack protection, Tunnel, Worker, R2, etc.). To be honest, I have always had mixed feelings: on the one hand, I am very happy to enjoy all this for free, but on the other hand, I feel ashamed to do so (I once felt that I owed Microsoft because I had been using pirated products, so I bought a Surface Pro 4 at my own expense to pay off the debt~). At the same time, I am also very curious about the additional features for Pro subscribers. After all, if Pro users pay annually, $20/month is not expensive, and you can save the money by eating one less big meal every month. The key question is: compared with an ordinary Free account, are the additional features for Pro subscribers worth $20? (I believe most webmasters who use Cloudflare Free accounts have this doubt.)
With these doubts in mind, I searched the Internet for a long time and found almost no articles that examine this question in detail. Typically, someone raises the question in a forum, others answer in a few sentences, and the answers are very subjective:




In fact, even Cloudflare’s own official website states it very succinctly:

So, what is the actual experience of pro users? Can you become an immortal by subscribing to pro, or is it just a waste of money, as mentioned earlier, just a paid icon?
I am not a person who follows the crowd. After all, Comrade Mao Zedong said: practice is the only way to gain true knowledge. So, with these questions in mind, I spent the huge sum of 25 US dollars to subscribe to Pro and started this month's Pro trial journey.
Note: I will summarize from four perspectives: fundamentals, performance optimization, security, and operation and maintenance visibility.
2 Fundamentals
2.1 Connectivity
2.1.1 Changes in Domain Name Resolution Anycast IP
When I used the Free account before, the resolution address of my blog domain name "blog.tangwudi.com" was "104.21.x.1":

As a result, the resolved IP changed after upgrading to pro:

I pay attention to this because I saw someone ask about it before:

However, even though the resolved IP changed after I upgraded to Pro, I still cannot be sure of the changes in the resolved IP for others after they upgraded to Pro, so I cannot draw any conclusions. I can only say that there is a "high probability" that the resolved IP will change after upgrading to Pro. I hope that more friends who have subscribed to Pro can leave a message to tell me about your situation.
Note 1: Around December last year, some domestic broadband users had trouble accessing my blog. PT players should also remember that in December last year, many PT sites behind Cloudflare (Free account) had problems with access to their web pages or tracker servers. In fact, this was because the "104.21.x.1" IPs were blocked by the three major operators in China. Telecom and Unicom had regional access difficulties, and Mobile was the most extreme, being basically inaccessible throughout the country. The situation began to recover slowly after January.
Note 2: According to the current situation, users who get 3 IPs are most likely Pro users, while users who get 7 IPs (104.21.*.1) and two IPs (104.* and 172.*) are most likely Free users.
2.1.2 Connection rate comparison
2.1.2.1 Choose a comparison object using a Free account
So, is there any difference in actual connection speed after upgrading to Pro? I used ITDOG's website speed test to compare my website with two websites using Cloudflare Free accounts (famous PT sites "Someone" and "Someday"), because their resolved IP addresses are the same as when I had a Free account before (in fact, the same resolved IP address does not necessarily mean a Free account, I guess it should be ~).
Someone:

Someday:

2.1.2.2 Domestic access speed test (TTFB)
blog.tangwudi.com:

Someone:

Someday:

Conclusion: The TTFB time for domestic access to the domain name corresponding to the Pro account is at least half of the TTFB time for access to the domain name corresponding to the Free account.
Note: TTFB time and the "speed" of the end-user's experience of visiting the website cannot be generalized, but for the same website, the shorter the TTFB time, the better the access experience.
2.1.2.3 Overseas access speed test (TTFB)
blog.tangwudi.com:

Someone:

Someday:

Conclusion: The TTFB time of visiting the domain name corresponding to the Pro account abroad is completely different from the TTFB time of visiting the domain name corresponding to the Free account (0.0x seconds vs. 0.x seconds or even x seconds), so there is no point in comparison. However, the few tenths of a second of a Free account is not considered slow to people, so it does not have such a big impact on personal sites that generally use Free accounts. The key lies in whether the cache rules are configured reasonably and the optimization of the website itself.
2.1.2.4 Cloudflare Pro vs. Free: Core Difference in Access Speed
From the TTFB results of the "domestic" and "overseas" tests above, there is indeed a significant difference in access speed between Cloudflare Pro and Free accounts, yet Cloudflare has never officially stated that the Pro account is better than the Free account in terms of access speed or routes. So, where does the acceleration effect of the Pro account come from?
In fact, the acceleration brought by Cloudflare's paid plan is not simply achieved by changing the IP address or providing a special line. It depends more on underlying network optimization, higher traffic scheduling priority, and more advanced caching strategies. These optimizations are mainly reflected in:
1. PoP (edge data center) distribution of visitor traffic
Cloudflare has more than 300 PoPs (edge data centers) around the world, but accounts of different levels have different priorities in traffic scheduling:
Free account: low priority, may be detoured
• Free account traffic is easily dispatched to a more distant PoP when the load is high, which increases access latency.
• Some high-performance PoPs may not be open to Free accounts, but are given priority to paid accounts.
• When domestic users visit a Free account site, detours may occur, resulting in an increase in TTFB.
Pro account: Prioritize access to high-performance PoPs, reducing detours
• Pro account traffic is given priority for the nearest PoP during load balancing, reducing delays caused by detours.
• Although Pro accounts still cannot specify a PoP like Enterprise accounts, they are more likely to enter Cloudflare's high-quality nodes, reducing access jitter.
• For foreign users, the PoP selection optimization of Pro accounts is more obvious, which can significantly reduce TTFB.
Real-world impact
• Domestic visits: There is not much difference between Pro and Free accounts, because Cloudflare does not have a PoP in the country, and all traffic needs to go overseas.
• Overseas visits: Pro accounts are usually assigned to closer PoPs, so the TTFB is lower than that of Free accounts and the experience is better.
2. Origin Requests Optimization
After the visitor's request enters Cloudflare, if the cache misses, Cloudflare still needs to go back to the origin to request the data. The return-to-source strategies for different accounts are also different:
Free account: The path back to the source may be long
• Free accounts have a lower cache level, and the hit rate is not as good as that of Pro accounts, so more requests need to be returned to the source.
• The return path may be long, because the return request of a Free account does not necessarily take the optimal path.
• As a result, dynamic content loading (such as API requests, database queries) on Free accounts may be slower than with a Pro account.
Pro account: Optimize the return path and reduce the pressure on the origin site
• Better cache management strategies reduce unnecessary returns to the source and improve site performance.
• The return path is usually better optimized: not as good as an Enterprise account, which can use Argo Smart Routing, but better than a Free account.
• Optional Argo Smart Routing further improves return speed and reduces network jitter.
Real-world impact
• If your site mainly relies on static content (such as blogs or photo sites), the Pro account will have a more efficient cache, reduce back-to-source traffic, and increase access speed.
• If the site is mainly based on dynamic content (such as API, database query), the Pro account's back-to-source optimization may improve stability, but it will not reduce the frequency of back-to-source.
2.1.2.5 Analysis of official publicity strategies
Although Pro accounts bring actual speed improvements in PoP selection and back-to-origin optimization, Cloudflare always emphasizes the "functional improvement" of Pro accounts rather than the simple acceleration effect. Why doesn't Cloudflare directly promote "Pro accounts have faster access speeds" instead of always emphasizing the functional differences? I think it may be based on the following three reasons:
1. Limited by the network environment, different users have different experiences:
• Cloudflare's acceleration depends on multiple factors such as the user's geographic location, ISP operator, and site content type.
• For overseas users, the PoP optimization of Pro accounts can indeed bring faster access speeds.
• For domestic users, since Cloudflare does not have a Chinese PoP, the speed improvement of Pro accounts is not obvious, and Cloudflare does not want to mislead anyone.
2. PoP allocation is dynamically scheduled and cannot guarantee 100% consistency:
• Cloudflare PoP allocation is dynamically adjusted based on real-time load conditions. Even with a Pro account, you cannot be 100% sure that you always go to the nearest PoP.
• This dynamic scheduling method means that Cloudflare cannot give a fixed acceleration commitment and can only differentiate between Pro and Free accounts at a functional level.
3. Cloudflare tends to emphasize security and optimization features:
• Cloudflare's core business is not just CDN acceleration; it is a comprehensive network security and optimization platform.
• The real value of a Pro account is stronger WAF rules, better DDoS protection, and more flexible caching strategies, and Cloudflare also tends to emphasize these features.
2.2 Number of rules
These features are also provided by the Free account, but the number of rules supported there is relatively small. After upgrading to Pro, the corresponding quotas increase considerably. Here are a few commonly used ones:
1. Number of page rules
- Free account: 3
- Pro account: 20
2. Number of WAF custom rules
- Free account: 5
- Pro account: 20
3. Number of rate limiting rules
- Free account: 1
And if the rate limit is exceeded, the client can only be blocked for 10 seconds.
- Pro account: 2
After the rate limit is exceeded, you can block for up to 1 hour and customize the response type.
4. Number of cache rules
- Free account: 10
- Pro account: 25
The above are the ones I often use. I won’t list the other ones that I don’t use often. According to the official statement, the Pro plan has 155-65=90 more rules than the Free plan:

Note: Having one more rate limiting rule is a big help to me. It can be used to protect sensitive WordPress paths, for example by setting a separate rate limit for "/wp-admin/admin-ajax.php". Before, I could only split this part of the traffic off and send it to Changting WAF on the intranet for rate limiting (see article: Home Data Center Series: Cracking the WordPress AJAX Protection Problem: Using Cloudflare Tunnel to "divide" normal website access and attack traffic). Now it can finally be handled in the cloud. The number of other rules actually doesn't matter to me: just use more "or" conditions in the same rule.
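The practical difference between the two block durations listed above (10 seconds on Free, up to 1 hour on Pro) can be made concrete with a small replay. This is an added example, not code from the original article or from Cloudflare: it uses a simplified fixed-window counter, and the threshold (20 requests per 10 seconds), the client addresses and the traffic are constructed assumptions.

```python
from collections import defaultdict

AJAX_PATH = "/wp-admin/admin-ajax.php"  # sensitive path named in the article
FLOODER = "203.0.113.50"                # constructed abusive client (documentation range)
VISITOR = "198.51.100.7"                # constructed ordinary visitor (documentation range)


def build_traffic(duration=600):
    """Constructed sample traffic as (timestamp_seconds, client_ip, path) tuples."""
    traffic = []
    for sec in range(duration):
        # Abusive client: 5 admin-ajax requests every second for 10 minutes.
        traffic.extend((sec, FLOODER, AJAX_PATH) for _ in range(5))
        # Ordinary visitor: one AJAX call per 30 s and one page view per 60 s.
        if sec % 30 == 0:
            traffic.append((sec, VISITOR, AJAX_PATH))
        if sec % 60 == 0:
            traffic.append((sec, VISITOR, "/"))
    return traffic


def replay(requests, limit, period, block_for):
    """Replay requests through one rate limiting rule scoped to AJAX_PATH.

    A client sending more than `limit` matching requests within a
    `period`-second window is blocked for `block_for` seconds.
    Returns (reached_origin, blocked) request counts per client.
    """
    window_start = {}
    window_count = defaultdict(int)
    blocked_until = {}
    passed = defaultdict(int)
    blocked = defaultdict(int)
    for ts, ip, path in sorted(requests):
        if path != AJAX_PATH:               # the rule does not match other paths
            passed[ip] += 1
            continue
        if blocked_until.get(ip, 0) > ts:   # mitigation timeout still running
            blocked[ip] += 1
            continue
        if ip not in window_start or ts - window_start[ip] >= period:
            window_start[ip] = ts           # open a fresh counting window
            window_count[ip] = 0
        window_count[ip] += 1
        if window_count[ip] > limit:        # threshold exceeded: start blocking
            blocked_until[ip] = ts + block_for
            blocked[ip] += 1
            del window_start[ip]            # counting restarts after the block
        else:
            passed[ip] += 1
    return dict(passed), dict(blocked)


def compare_plans(limit=20, period=10):
    """Same rule, same traffic; only the block duration differs per plan."""
    traffic = build_traffic()
    results = {}
    for plan, block_for in (("free", 10), ("pro", 3600)):
        passed, blocked = replay(traffic, limit, period, block_for)
        results[plan] = {
            "flooder_reached_origin": passed.get(FLOODER, 0),
            "flooder_blocked": blocked.get(FLOODER, 0),
            "visitor_reached_origin": passed.get(VISITOR, 0),
            "visitor_blocked": blocked.get(VISITOR, 0),
        }
    return results


if __name__ == "__main__":
    for plan, stats in compare_plans().items():
        print(plan, stats)
```

With a 10-second block the abusive client gets a fresh allowance every time the block expires, so a steady share of its requests keeps reaching the origin; with a 1-hour block only the first window gets through.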
3 Performance Optimization
3.1 Image Optimization
3.1.1 Overview
Image optimization is a very important part of website optimization. This function is not available in the Free account:

Note: Image conversion requires Cloudflare Image (paid) to be used, and the image link needs to be modified (specify width and height), which is not suitable for lazy people like me, so it is not covered in this article.
After activating Pro, both Polish and Mirage can be used:

3.1.2 Polish
Cloudflare's image optimization feature Polish can automatically compress and optimize images on the website to increase page loading speed and reduce bandwidth consumption: it optimizes images through lossless and lossy compression, and supports conversion to WebP format, providing more efficient image presentation. Polish will also intelligently select the most appropriate image format and quality based on the visitor's device and network conditions to further improve the user's browsing experience. After enabling Polish, image loading speed will be significantly accelerated, especially on mobile devices, improving the overall performance and responsiveness of the website.
Compared with the image conversion function, the biggest advantage of Polish is that it is hassle-free: images do not need to be stored on Cloudflare Image, but can be stored directly on your own server or other supported cloud storage (such as Cloudflare R2). Polish will automatically optimize and compress images during image transmission without you having to manually adjust the source files. It should be noted that the Polish optimization function only works for domains proxied by Cloudflare, so you need to make sure that the domain name of the image hosting service where the images are stored is proxied by Cloudflare.
How efficient is Polish optimization? Take an image stored on R2 as an example, the original size is 234kB:

After being optimized by Polish and converted to webp format, the size is only 130kB, which is 104kB less:

The picture was directly converted into webp format and the capacity was reduced by nearly 45%. This optimization is quite powerful. The key is that I didn’t do anything but just turned on a switch~~, so this is an optimization function that is very suitable for lazy people.
Note 1: The Polish function takes effect only when the image has been cached by CDN. The Polish function does not take effect on images that have not been cached.
Note 2: Another meaningful parameter is Cf-Bgj: imgq:100 means that the image quality is not reduced, because I chose the "lossless" mode for Polish.
3.1.3 Mirage
Cloudflare Mirage is an image acceleration tool optimized for mobile devices and low-bandwidth networks. It helps reduce page loading time, especially in slow network environments, by intelligently adjusting the loading method and quality of images. Mirage dynamically provides adaptive image size and quality based on the screen size, resolution, and network conditions of the user's device, thereby effectively reducing bandwidth consumption and improving user experience. It can also delay the loading of images (on-demand loading) to ensure that images are loaded only when users need them, further optimizing website performance. In general, Mirage makes web pages load faster on mobile devices and improves the overall access speed and fluency of the website.
However, the effect of Mirage is not as easy to observe as that of Polish (it requires a low-speed network, and the device and network simulation of Chrome developer tools may not work well), and there is no obvious marker, so I won't bother with it just for a screenshot.
Note: Actually, Polish image optimization also works on mobile devices. It not only compresses and optimizes images, but also intelligently selects the appropriate image format and quality based on the visitor's device and network conditions. For example, Polish can convert images to the lighter WebP format, which is particularly beneficial for loading speed on mobile devices, because WebP files are usually smaller than traditional JPEG or PNG files while maintaining good image quality. However, Polish focuses on optimizing the size and format of images and, unlike Mirage, does not do additional smart processing specifically for mobile devices (such as dynamic image resizing and on-demand loading). Therefore, Polish can still improve the loading speed of mobile images, but if deeper mobile optimization (such as lazy loading and device adaptation) is required, Mirage or other technologies may be more suitable.
3.2 Content Optimization
3.2.1 Overview
Except for APO, all other features of content optimization are available in the Free version, so I will mainly introduce APO. However, I can also mention Rocket Loader because this feature is also very important:


3.2.2 Rocket Loader
Cloudflare's Rocket Loader is a feature that shortens page loading time by delaying the loading of non-critical JavaScript scripts on web pages. It postpones the loading of non-critical scripts and prioritizes loading resources that are critical to page rendering, thereby reducing page blocking time. Through this delayed loading method, Rocket Loader can ensure that page content is presented to users faster, improving overall loading speed and user experience.
Some local WordPress plug-ins actually have similar functions, such as WP Rocket, which can delay the execution of non-critical JS files and optimize and merge JS scripts (CSS can also be optimized and merged).
I have done a special comparison before, and found that the effects of using WP Rocket and Rocket Loader are not much different, so I would naturally like to install one less plugin and use Cloudflare instead. Combined with Zaraz's third-party script cloud loading and management, it can greatly reduce the burden on WordPress. Of course, WP Rocket has other very practical functions, which are related to the APO function introduced in the next section.
3.2.3 APO (Automatic Platform Optimization)
APO was actually already introduced in the seventh part of my previous Cloudflare tutorial series, the article about using Workers to speed up website access (see: Home Data Center Series Cloudflare Tutorial (VII) Introduction to CF Worker Functions and Practical Operation, Verification and Research on Related Technical Principles of Implementing "Beggar Version APO for WordPress" Function to Accelerate Website Access Based on Worker):

Simply put, it only takes two steps:
1. Enable the APO feature in the Cloudflare dashboard:

2. Install a Cloudflare plugin in WordPress and enable it (very simple initialization settings are required):

After completing these two steps, you can enjoy the global CDN optimization based on Worker provided by Cloudflare, which automatically covers HTML, JavaScript, CSS and image resources in WordPress and supports unlimited traffic. Most importantly, after enabling APO, the improvement of website performance is not limited to caching and optimization, but also brings other significant benefits:
First, APO automatically enables smart caching for your WordPress website, without the need to manually configure complex page rules or cache strategies. Traditional optimization methods usually require the use of plugins such as WP Fastest Cache or WP Rocket to handle local caching, JS and CSS optimization, and manually set cache rules in the Cloudflare dashboard, and may even require the configuration of Workers and KV to achieve optimization. In contrast, APO automatically completes these optimization tasks through Cloudflare's automation mechanism, which not only eliminates tedious configuration, but also reduces the possibility of human error, greatly simplifying the optimization process.
Secondly, APO also avoids the complex cache logic that often needs to be adjusted in traditional optimization. In the past, the cache strategy for WordPress was often not sophisticated enough, and it was necessary to manually set cache rules for different resources, or use Workers and KV to achieve more sophisticated control. After enabling APO, Cloudflare will automatically handle all caching and optimization, whether it is images, HTML or JavaScript, it can automatically achieve intelligent caching and optimization, and no manual intervention is required.
Most importantly, APO uses Cloudflare's global CDN network to ensure that website resources can be quickly loaded no matter where the user is, significantly improving the page response speed and user experience. Especially for visitors around the world, APO's optimization effect is particularly outstanding, which can effectively reduce regional delays and improve access speed.
In general, after enabling APO, your WordPress website can not only enjoy more efficient caching strategies and optimizations, avoiding the trouble of manual configuration, but also automatically obtain Cloudflare's powerful global network support and unlimited traffic capabilities (the biggest worry when using Worker-based optimization methods before was encountering DDoS attacks, because the free quota of 100,000 requests/day was really not strong enough~), which greatly simplifies the work of performance optimization and makes the website run more smoothly and efficiently.
Note 1: You can also subscribe to the APO function separately in the Free account (5 US dollars per month), so if you have already subscribed to APO in the Free account, subscribing to the Pro annual membership is equivalent to paying only 15 US dollars more per month. When you think about it, don’t you feel that you have gotten a great deal?
Note 2: APO is a feature designed for WordPress websites. Cloudflare mainly provides this service through deep integration with WordPress (because WordPress has a large share in the world and a very broad user base), so for those who subscribe to Pro but do not use WordPress to build their websites, this feature comes for free and simply goes to waste.
Note 3: APO and the Rocket Loader mentioned in the previous section can take effect at the same time and complement each other to improve website performance. APO optimizes and caches the static resources (HTML, CSS, JavaScript and images) of WordPress websites through Cloudflare's global CDN network, speeding up page loading and reducing the burden on the source server. Rocket Loader mainly optimizes the loading order of JavaScript, and ensures that page content is presented first by delaying the loading of non-critical scripts, reducing rendering blocking. When the two are used together, APO provides site-wide caching and resource optimization, while Rocket Loader focuses on optimizing script loading, which can significantly improve website loading speed and user experience. However, WordPress generally has related optimization options locally, such as the Argon theme I use, which already has the function of lazy loading images:

It is recommended that local optimization options be turned off and Cloudflare be responsible for everything to prevent mutual interference.
3.2.4 Protocol Optimization
I won't say much about this part. The only Pro-only option is "Enhanced HTTP/2 Prioritization"; the others can be used on the Free plan. You can read the descriptions and basically turn all of them on. However, webmasters who care about domestic users should be cautious about turning on the "HTTP/3" option. After all, QUIC traffic on UDP port 443 is too conspicuous (the key is that this traffic has to pass through the wall) and is too easily targeted.

3.2.5 Others
The only Pro-only item in this part is the Automatic Signed Exchanges (SXG) feature:

After the Automatic Signed Exchanges (SXG) feature is enabled, Google no longer acts only as a traditional search engine that forwards access requests to websites; it also acts as a cache server that responds to user requests directly with cached content. This means that Google can ensure the integrity and validity of cached content by securely exchanging signatures with visitors, while significantly speeding up page loading. This not only reduces page loading delays, but also effectively improves the Largest Contentful Paint (LCP) metric in Core Web Vitals, thereby improving user experience and indirectly improving SEO rankings.
The specific effect after enabling it is that there is one more source domain name "blog-tangwudi-com.webpkgcache.com":

Correspondingly, the number of requests from "google.com" will decrease.
4 Security
4.1 WAF
For Pro users, in addition to the increase in the number of WAF custom rules supported, the most critical change is the managed rules.

For Free users, the Cloudflare WAF offers the so-called "free managed rules". The official statement is that they "can provide some basic WAF protection functions, mainly for common attack types, such as SQL injection, cross-site scripting (XSS), etc. for default protection." But in fact, the protection is relatively limited, or even basically equivalent to nothing. Changting Leichi Community Edition (now renamed Personal Edition) intercepts most attacks on the intranet, and the Wordfence plugin then performs a second layer of filtering in WordPress to ensure security. Usually, I manually add custom rules in the Cloudflare WAF to block attacks only after Changting Leichi WAF has intercepted multiple repeated attacks.
From this perspective, the WAF function for Free users can actually be regarded as an almost transparent component. It does not provide much protection by default; its real effect depends entirely on the user's subsequent manual intervention and added rules.
However, after upgrading to Pro users, things are different:

For Pro users, the Cloudflare WAF provides two important managed rule sets: the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Rule Set. These two rule sets play an important role in protecting websites from various network attacks:
1. Cloudflare Managed Ruleset
Overview: The managed ruleset provided by Cloudflare is a set of preconfigured rules for preventing common web attacks, such as SQL injection and cross-site scripting (XSS). With this rule set, Cloudflare automatically updates and optimizes the protection strategy without manual configuration by the user.
Features:
• Automatic Updates: Rules are updated over time to address new security threats.
• Efficient protection: covers common attack methods, such as cross-site request forgery (CSRF), file upload vulnerabilities, etc.
• No manual intervention required: Cloudflare managed rulesets require no additional user configuration and are automatically enabled.
• Regular optimization: Based on global network traffic and security trends, Cloudflare continuously optimizes these rules to improve detection accuracy and reduce false positives.
Applicable scenarios: For users who don't have much time or resources to manage WAF settings, managed rule sets provide a very convenient and effective protection solution.
Currently, there are 34 WordPress-related rules in the managed rule set. As a WordPress user, I feel much safer instantly:

2. Cloudflare OWASP Core Ruleset (CRS)
Overview: The OWASP Core Rule Set is a set of rules developed from the recommendations and best practices of OWASP (Open Web Application Security Project). It covers the most common web security risks identified by OWASP and protects websites from attacks such as SQL injection, XSS, and command injection.
Features:
• Complete attack protection: CRS is designed to protect against the most common and dangerous web security vulnerabilities listed in the OWASP Top 10.
• Defense in Depth: The CRS rule set provides broader protection than the Cloudflare managed rule set, covering more complex attack types such as XML External Entity Injection (XXE) and Remote File Inclusion (RFI).
• Flexibility: OWASP CRS provides flexible configuration options, allowing users to enable or disable specific rules based on their needs, and even customize the rules to suit specific website application scenarios.
• Open source support: CRS is open source, which means that the rules can be modified and extended according to actual needs.
Applicable scenarios: If you need deeper web application security protection, or your website application involves sensitive data, CRS is an ideal choice, especially for users who need to meet certain security compliance requirements (such as PCI-DSS).
With these two rule sets, Cloudflare Pro users can get more powerful and flexible security protection, effectively reducing the risk of potential network attacks. For example, I have enabled two managed rule sets for a while, and the number of packets blocked on my intranet Changting WAF has been greatly reduced compared to before (the community version cannot select the time period, only today's interception~):

Even if there are intercepted packets, it is basically due to frequency restrictions:

As for the Wordfence plug-in on WordPress, the real-time traffic is basically only login events. After observing for another 2 days, it can be uninstalled (the WordPress lightweight project has taken another big step forward~).
Note: For those who are familiar with WAF rules, you can modify the rules in the managed rule set according to your actual needs. For those who are not familiar with it, generally keep the default configuration. This default configuration is also the best practice recommended by Cloudflare and suitable for most users.
By the way, someone previously made a Traditional Chinese mirror of my site:

After a brief study, I found that it was implemented with a reverse proxy. By pretending to be a Google spider in the UserAgent, it got past the free managed WAF rules of the Free account. Before upgrading to Pro, I dealt with it by manually adding a rule to the WAF custom rules: "Block all requests that contain the word Googlebot in the UserAgent but do not belong to Google ASN."
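The custom rule quoted above, replayed over a few log lines as an added example (not the author's rule export and not Cloudflare's code). The log format, the addresses and the non-Google ASNs are constructed; AS15169 as Google's network, and the Cloudflare expression shown in the comment, are the assumptions the check relies on.

```python
import re
from collections import Counter

# Assumption: genuine Googlebot requests originate from Google's AS15169.
GOOGLE_ASN = 15169

# Assumed equivalent in Cloudflare's rule expression language:
#   (http.user_agent contains "Googlebot" and ip.src.asnum ne 15169)

# Hypothetical log format: client_ip asn "METHOD path" "user agent"
LINE_RE = re.compile(r'^(\S+) (\d+) "([A-Z]+) (\S+)" "([^"]*)"$')

# Constructed sample lines (documentation IP ranges and documentation ASNs).
SAMPLE_LOG = """\
192.0.2.10 15169 "GET /robots.txt" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.77 64500 "GET /" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.77 64500 "GET /archives/1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 64501 "GET /" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
203.0.113.90 64502 "GET /feed" "Googlebot-Image/1.0"
this line is truncated and does not parse
"""


def evaluate(user_agent, asn):
    """Rule from the article: the UA claims Googlebot but the source ASN is not Google's."""
    if "Googlebot" in user_agent and asn != GOOGLE_ASN:
        return "block"
    return "allow"


def triage(log_text):
    """Apply the rule to every parsable line and summarise who would be blocked."""
    blocked_by_asn = Counter()
    blocked_ips = set()
    allowed = 0
    unparsed = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            unparsed += 1          # keep count so malformed lines are not silently lost
            continue
        ip, asn, _method, _path, user_agent = match.groups()
        if evaluate(user_agent, int(asn)) == "block":
            blocked_by_asn[int(asn)] += 1
            blocked_ips.add(ip)
        else:
            allowed += 1
    return {
        "blocked_by_asn": dict(blocked_by_asn),
        "blocked_ips": sorted(blocked_ips),
        "allowed": allowed,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Grouping the hits by ASN shows whether the spoofed crawler comes from one hosting network or several before any further rule is written.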
Now, after upgrading to Pro, no rule needs to be added; the managed rules block it directly:

4.2 Automatic procedures
4.2.1 “Automated Program Attack Mode” for Free Users

For Cloudflare Free users, after "Automated Program Attack Mode" is enabled, Cloudflare performs basic identification and interception of automated traffic. For example, Cloudflare can identify some common automated attack behaviors, such as malicious crawlers and brute force cracking, and uses a CAPTCHA or JavaScript Challenge to verify whether the traffic consists of malicious automated requests. In this case, the automated traffic is considered malicious traffic, and the website is protected by challenging or blocking it.
However, Cloudflare allows another type of traffic by default, namely "absolutely automatic" traffic. This type of traffic does not have obvious malicious behavior, but is still initiated by automated programs. For example:
• Web crawlers: They do not necessarily perform malicious actions, but frequently visit websites to collect data.
• Automation scripts: Used to request data at scale, but without brute force or other aggressive behavior.
"Absolutely automatic" traffic is traffic that is generated entirely by scripts or tools, usually without user participation or interaction. This type of traffic is relatively complex to identify. Cloudflare Free accounts can only perform basic screening of it through relatively loose rules, and there is no way to fine-tune how it is handled.
In short, after "Automated Program Attack Mode" is enabled, Cloudflare intercepts obviously malicious automated traffic (such as brute force login attempts and crawling of sensitive data) and confirms the legitimacy of the request through a challenge mechanism. "Absolutely automatic" traffic lacks malicious features and has no high-frequency or malicious request behavior. Free users have no permission to customize the handling of this "absolutely automatic" traffic, so it is allowed by default and no interception or verification is triggered.
4.2.2 "Standard automatic program protection settings" for Pro users
After upgrading to Pro, automatic program protection has more functions:

In the detailed configuration interface of automatic program protection, there is finally an option for "absolutely automatic" traffic processing:

Compared with Free users, Pro users can set how "absolutely automatic" traffic is handled. If they are worried about false positives, they can set it to "hosted inquiry".
Although Pro users have a significant improvement over Free users in handling "Absolutely automatic" traffic, some difficulties remain. This traffic usually has no obvious malicious behavior or attack characteristics, so accurate identification is still hard. In particular, some low-frequency automated traffic that behaves like normal users may be misjudged as normal requests, so identification cannot be 100% accurate. In this case, relying solely on automatic identification is not enough to completely prevent all malicious automated traffic. (In simple terms, the "Absolutely automatic" rules mainly target relatively simple automated programs with obvious behavior patterns, usually low-end crawler scripts or basic automation tools, which typically lack sophisticated anti-detection capabilities and are easily detected by Cloudflare's standard rules.)
However, combining this with the Pro WAF managed rulesets, especially the protection rules for common attack modes (such as SQL injection and cross-site scripting), greatly improves protection against "Absolutely automatic" traffic, improves recognition accuracy and reduces the risk of misjudgment (the interception of malicious reverse proxy traffic from mirror sites is an example). With WAF rules plus automatic program protection enabled, Pro users can deal more effectively with this difficult-to-identify automated traffic and improve overall security protection.
By the way, Cloudflare Business and above users have the more advanced "Bot Management", which analyzes and identifies traffic based on machine learning, behavioral analysis, fingerprint recognition and other technologies. It can identify automated programs (such as crawlers and malicious reverse proxies) more accurately and take corresponding actions (such as challenges and interceptions). Unfortunately, it costs at least $200 a month, which I can't afford even if I cut my losses.
At the same time, WordPress users can take advantage of this. After the "Optimize for WordPress" switch is turned on, Cloudflare makes some specific optimizations for common attacks and malicious automated traffic against WordPress, including but not limited to the following:
- Prevent brute force login: The WordPress login page /wp-login.php and the admin page /wp-admin/ are often targeted, especially by brute force attempts to obtain the administrator password. When this option is enabled, Cloudflare will more aggressively detect this type of automated traffic to the login page and use a CAPTCHA or JavaScript Challenge to intercept such malicious requests.
- Limit access to common entry points: Some common exposed interfaces in WordPress websites (such as /wp-login.php, /wp-admin/, /xmlrpc.php, etc.) are often attacked by malicious crawlers and automated scripts. This option helps Cloudflare optimize the protection of these interfaces and reduce the risk of being attacked by malicious automated traffic.
- Identifying Malicious Traffic Specific to WordPress: To address some unique behaviors of WordPress, after enabling this option, Cloudflare will use rules and algorithms optimized specifically for WordPress to improve identification efficiency and avoid accidentally blocking normal traffic.
- Automatically handle WordPress-specific attack patterns: WordPress often becomes a target of automation scripts and crawlers. This traffic may be not only malicious but also large-scale data scraping. When this option is enabled, Cloudflare will pay special attention to the patterns of this type of traffic and perform targeted optimizations.
In short, WordPress users win again.
4.3 Changes in Pro User Security Strategy Thinking
From the almost non-existent WAF managed rules and crude automatic program attack identification for Free users, to the two major managed rule sets of WAF for Pro users and the "absolutely automatic" traffic identification and unified processing that can get things done, I have to re-examine the security strategy of the entire site.
One thing that bothered me before was what happens if the entire home data center goes down (power outage, network disconnection). The detection script that runs regularly on the Tencent Cloud lightweight server would discover the outage and automatically enable the backup connector of the Cloudflare Tunnel in the home data center, turning the blog's disaster recovery site on the Tencent Cloud server into the primary site to restore service (see the article: Home data center series uses cloudflare tunnel to realize automatic takeover of disaster recovery site when WordPress main site fails). However, security would be greatly compromised, because the intranet WAF that performs secondary filtering is in the home data center.
Now, due to the huge improvement in security for Pro users (in fact, Free users serve as a foil~), even if the disaster recovery site on Tencent Cloud becomes the primary site, security issues do not need to be considered in the short term.
At the same time, I thoroughly sorted out and optimized the originally very complex WAF custom rules (which used to be the main line of defense for my website): I cleaned up a lot of outdated or no longer needed rules, and shifted the focus of security from relying on these cumbersome custom rules to more efficient and automated protection. The custom rules now act only as "Assistant Police", and the real security line is given to hosted challenges for "Absolutely automatic" traffic and the 2 managed rule sets of the WAF. This transformation allows me to respond to various automated traffic attacks more intelligently and accurately through Cloudflare, while reducing excessive manual intervention and rule maintenance, further improving security and management efficiency.
Note: Even if Pro users have enabled the two managed rule sets of the WAF and the "absolutely automatic" traffic identification, they cannot rest easy. After all, it is just one of the many services provided for $20. It is not a big deal, but it is much better than what Free users get. Therefore, the WAF on my intranet is still there (the heterogeneity of security devices is still meaningful). For friends who use WordPress, it is recommended to install the Wordfence plug-in as much as possible (although it may increase the "Total Blocking Time" by dozens of milliseconds).
5. Operation and Maintenance Visibility
Many people may not care about this part, because I believe that most people do not often visit Cloudflare's web dashboard. However, for after-sales engineers who work in the operation and maintenance industry or often need to troubleshoot problems, a backend system that provides detailed monitoring, statistics, log query, and analysis functions matters in cases such as:
1. When the website encounters an attack: identify the attack source, type, and impact range, and formulate corresponding defense measures
2. When the website shows access anomalies: check traffic status, cache hit rate, and error logs right away, so as to quickly locate the problem
3. When website performance needs optimizing: analyze the website's bottlenecks through detailed traffic data, adjust the cache strategy and WAF rules, or optimize content distribution
Compared with the Free version, Pro users have significantly enhanced O&M visibility, which can be summarized in the following three aspects:
1. More detailed analysis data
In HTTP Traffic and Security Analytics, Pro users get more detailed statistics than the Free version, including:
• More indicators (such as request volume, data transfer volume, page views, etc.)
• Advanced filters (filter data by country, IP, data center, edge status code, etc.)
This data is very helpful for analyzing access patterns, optimizing caches, and adjusting security policies, as can be seen from the comparison of the "HTTP Traffic" and "Web Analytics" content in the "Analysis and Logs" section for Pro and Free users below.
HTTP Traffic:
Free version:


Pro version:



Web Analytics:
Free version:

Pro version:

You can see that the Pro version provides much richer information in the "HTTP Traffic" and "Web Analytics" sections.
2. WAF event log & rule matching details
The Free version of the WAF can only display the total number of intercepted requests; the specific interception details cannot be viewed. The Pro version's WAF event log provides complete attack records, including:
• The specific rules triggered (such as OWASP rules, managed rules, IP restrictions, etc.)
• The attack's source IP, country/region, and User-Agent
• Detailed HTTP request information (such as request URL, parameters, request body, etc.)
This is very important for analyzing attack patterns and adjusting defense strategies. Especially when troubleshooting false interceptions, Pro makes it possible to accurately determine which traffic should be released or which rules should be adjusted, as can be seen from the following comparison between Pro and Free users in the "Security"-"Event" interface:
Free version:

Pro version:



Similarly, you can see that the Pro version provides much richer information in the "Security"-"Events" section.
3. DDoS attack detailed report
The Free version only provides basic DDoS protection, while in the Pro version's DDoS monitoring report you can view:
• Specific attack patterns (e.g. SYN Flood, UDP Flood, HTTP Flood)
• Peak attack QPS and the number of intercepted requests
• The attacked destination URL or port
When a DDoS attack occurs, this data can help the webmaster understand the scale of the attack more clearly and adjust Cloudflare rules to optimize defense. This function is also based on "Security-Events", so I won't repeat the screenshots. In the end, though, interest in this part varies from person to person, and not everyone will care about it.
Note: Pro users have another advantage in operation and maintenance. Compared with Free users who can only post in the community forum for help, Pro users can directly submit a work order to open a case:

But I haven't experienced it yet; I'll try it when I get a chance.
6 Who is Pro for? Is it worth the upgrade?
In the preceding sections, I introduced in detail the many improvements of Cloudflare Pro compared to Free. But it needs to be emphasized again that Pro is not suitable for all sites. Its main advantage shows in dynamic sites that need frequent back-to-source requests, especially WordPress sites. To illustrate the value of Pro more intuitively, the following is a summary from the perspectives of static sites and dynamic sites:
Static sites: Free is enough
For completely static websites, such as blogs generated by Hugo, Hexo, and Jekyll, or pure HTML/JS/CSS document sites and corporate websites, Cloudflare Free can already provide adequate protection and optimization. Static sites do not involve databases and backend APIs, so the security risk is relatively low, and the default DDoS protection of the Free version is sufficient to deal with common attacks. In addition, such sites can usually achieve full-site caching, and the access speed is very fast, so the dynamic optimization function of the Pro version is not very meaningful. If the site's images have been manually optimized to WebP or compressed using TinyPNG, the additional improvements to Polish and Mirage in the Pro version are also relatively limited. Therefore, most static site users do not need to upgrade to the Pro version.
Dynamic sites (especially WordPress): Pro version has significant improvements
For dynamic sites such as WordPress blogs, e-commerce, and forums, the value of Cloudflare Pro is very obvious. APO (Automatic Platform Optimization) can reduce the back-to-source requests for dynamic pages, significantly reduce TTFB (time to first byte), and increase loading speed. At the same time, the Pro version provides stronger WAF rules, which can effectively defend against common attacks against WordPress such as SQL injection and brute force. Automatic program protection (Bot Management) can also reduce spam comments and malicious crawlers, and further optimize site operations. In addition, the Pro version provides more detailed logs and security analysis to help webmasters better monitor traffic and optimize performance. Therefore, for long-term dynamic sites, the Pro version is a worthy investment.
Based on the previous analysis, the following table is compiled for reference by friends who are considering subscribing to Pro users:
Site Type | Free Cloudflare | Cloudflare Pro | Is it worth the upgrade? |
---|---|---|---|
Pure static site (full site cache) | Basic protection + high cache hit rate | Limited improvement (unless relying on Polish, Mirage) | Not recommended |
Lightweight dynamic site (small blog) | May be limited by cache, WAF rules | Provide WAF hosting rules to reduce junk traffic | Optional |
WordPress site (with dynamic interactions) | Vulnerable, TTFB may be high | APO + WAF protection + Bot protection, double improvement in performance and security | Recommended |
E-commerce/ Forum/ API site | Poor performance under high concurrency and high security risks | Stronger cache strategy + protection rules | Highly recommended |
Frequently encounter DDoS or malicious traffic | Basic DDoS protection only | WAF managed rules + detailed attack analysis | Recommended |
7 Summary: Unexpected "really good" experience
In fact, I feel like I've been on a pirate ship: I originally just wanted to subscribe to Cloudflare Pro for a month, experience the various improvements of the Pro version, write a summary and leave it at that. I didn't expect that after all this trouble, I actually felt that the Pro version was completely tailor-made for me, and I have even begun to seriously consider subscribing to the annual fee version. Although I have to tighten my belt, it can greatly reduce the time and energy of daily blog operation and maintenance, so this investment is still worth it.
However, I still want to emphasize again: the Pro version does not directly improve the access speed of domestic users. The reason I emphasize this again is that I have seen many people in various forums with this misunderstanding: they think that after upgrading to the Pro version the domestic access speed will improve significantly, then find after upgrading that there is actually no difference, and then say that Pro is useless. Remember one unchangeable fact: Cloudflare does not have its own nodes in the country. Therefore, the direct speed optimization brought by the Pro version can only be reflected in the access of overseas users.
For domestic sites, if you really want to improve access speed, you still have to rely on Cloudflare APO, page optimization, cache strategies and other means, and you may even need to use domestic CDN. If you are willing to register and pay special attention to domestic access speed, then it may be a better solution to directly use domestic CDN. After all, even if it is Cloudflare's Enterprise version, you still need to go through the registration process if you want to use domestic JD Cloud nodes. If you are willing to register, then why go through so much trouble with Cloudflare?
Finally, whether Cloudflare Pro is right for you depends on your needs: if your site's audience is mainly overseas users, or it is a dynamic site (especially WordPress), the various optimizations of the Pro version are definitely worth buying; but if your website visitors are mainly from China, and you have optimized the access speed through other means, then the Free version may be enough.
It seems pretty good, but the price is a bit expensive
Well, it’s a bit expensive, but not very expensive. It depends on whether you need it.
Both free and pro will direct traffic from China to Los Angeles or San Jose, and for a while they could enter pops from Japan and Hong Kong. Of course, this happened a long time ago. The features added by Pro are pretty good, and worth the 25u/mo 😀
Annual users only need 20u/mo~~~. In fact, it is mainly for the APO function of WordPress users. 5 US dollars is worth it. Even if I don’t want other functions, I am very willing to subscribe to APO. I used the worker optimization method to use the beggar version of APO function, with a free request quota of 100,000 per day. As long as I encounter DDoS, I will be out of business. It’s too painful.
If there is a Wordfence plug-in, it should not be moved. I was curious at the time why my main site was not moved, but another site with very low traffic was moved. Later I found out that it was because the Wordfence of the main site was blocked.
I really didn't get it blocked, at least for this mirror site. I was very curious at the time and studied it for a long time, because it was generally ineffective for the reverse proxy traffic of my blog. In fact, the key is whether there is a rule in Wordfence about "blocking traffic whose user agent pretends to be a Google robot but whose IP address does not belong to Google's ASN". I think not every mirror site uses this method. Unfortunately, I have deleted Wordfence, otherwise I could verify this problem.
Screenshots at the time:
From this screenshot, it can be seen that Wordfence does have this policy, but why didn’t my Wordfence intercept it? I am using the default policy of the Free version. This is strange. Are you not using the free version, or the default policy?
Ah, ok, maybe that's the reason. I used a trick to make the free version also update the premium version's rules. Although it shows (advanced protection is disabled), in fact the advanced rules and real-time IP blacklist will be enabled.
I know this method, but later I thought about it and gave up, because I am not used to fighting in my own country, and I always want to keep the enemy out of the country, so I think sooner or later I will delete Wordfence and stop bothering. Besides, that method requires me to do it again every time Wordfence is upgraded, and I am too lazy to bother.