Is A Cloudflare Pro Plan Worth it?

Last month, I subscribed to Cloudflare Pro to test it out. As you might be aware, I’m a huge fan of Cloudflare as they provide a free service that is unmatched even by many paid providers. I’ve been considering upgrading to Cloudflare Pro for a while just to kick the tyres, but haven’t really found a good use case for it. However, after facing slowdowns on a similar product (StackPath), I decided to try a paid subscription to Cloudflare for the first time on my site WP-Tweaks.com.

These are my impressions about whether or not it’s worth it for the average website owner.

Biggest Benefit – The Web Application Firewall (WAF)

The Cloudflare Pro plan doesn’t improve your caching. It doesn’t increase the retention times of your data, nor does it provide you with access to all of its 200+ datacentres across the globe. Instead, what you get is access to a first-class firewall that acts as a buffer between your site and the big bad world.

Now Cloudflare already keeps your site protected from certain types of DDoS attacks, so you don’t need to worry. But there are a huge number of other threats that are constantly probing your site for weaknesses. Keeping up with these is a big headache and even if you don’t use Cloudflare, you’ll be paying for a similar service one way or another.

My site isn’t huge. Yet I get a scary number of attacks on it every day as shown here:

In the last 24 hours alone, the Cloudflare firewall has blocked 200 attacks on my site and sent a “challenge” CAPTCHA to 21 others. In case you’re wondering what these attacks are, Cloudflare gives you a detailed report as shown below:

These “Managed Rules” are all defined by Cloudflare. You can enable or disable them as a group or individually based on your specific needs. There are separate rule sets for WordPress, Magento, and others. All of them are provided by the Cloudflare Pro plan.

Without the WAF provided by Cloudflare Pro, all of these attacks would have hit my site WP-Tweaks.com, and even though I keep all my plugins and themes updated, you never know which one might unexpectedly succeed. It just needs one to compromise your entire site. I’ve seen some scary looking requests that try and access my wp-config.php file using bugs in plugins, and the WAF gives me peace of mind by blocking all of that outright.

Comparing Cloudflare WAF to Plugin Firewalls

There are many security companies that provide WAF-like services. For example, I have iThemes running on my site to harden WordPress in a variety of ways. However, these use up server resources, whereas something like Cloudflare acts as a buffer between your origin server and hackers. So there’s no additional load on your site.

Some security products like Sucuri also provide a service like Cloudflare, and those are great to use. But every solution is different and has its own disadvantages. For example, if you want full HTML caching as as I outlined here, then Sucuri can only store your HTML pages for 3 hours, and not a couple of days like Cloudflare does. But that’s not a functionality that everyone might need, so this may not apply to you.

Speed Optimizations and Caching Analytics

Cloudflare Pro also comes with some nifty speed optimization features like “Mirage” for images and TCP prioritization to squeeze the maximum speed out of your site. It also allows you to get a detailed look at your cache statistics as shown here:

You can see above, that around 2/3rds of my requests were served by Cloudflare. Not bad!

Is it Worth It?

The WAF alone might be worth it. Of course, $20/m can seem extremely high if you’re paying just a few bucks for hosting! But for those who need the security, it’s absolutely worth it. Ultimately you may find that the actual cost of web hosting is the lowest component of your overall costs. The additional services to speed things up will make up the bulk of your expenses. And if you want a good WAF, there’s no avoiding the need to pay for it :).