Learn how to allow Cloudflare IP addresses and why allowing Cloudflare is recommended.

Overview

Changing your name servers to Cloudflare routes traffic through Cloudflare for any orange-clouded DNS records in the Cloudflare DNS app. Your origin web server receives traffic from Cloudflare IP addresses due to Cloudflare’s reverse proxy.

To avoid blocking Cloudflare IPs unintentionally, check that:

• Your origin web server iptables are set to trust Cloudflare IPs.

• Bad Behavior or mod_security plugins are up to date.
• Your htaccess file allows Cloudflare IPs.
• Any security plugins, such as WordPress security plugins, allow Cloudflare IPs.

Allow Cloudflare IP addresses

For Cloudflare to send visitor requests to your origin web server, allow Cloudflare IP addresses at your origin web server.  Contact your hosting provider or website administrator for guidance.  

Also, consult documentation for walkthroughs on using .htaccess or iptables to allow IP addresses.  The following examples demonstrate the format of an iptables rule to allow a Cloudflare IP address range.  Replace $ip below with one of the Cloudflare IP address ranges.

For IPv4 address ranges:

iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

For IPv6 address ranges:

ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

You may also consult the following resources for help in allowing Cloudflare IPs for these Wordpress plugins:

• iThemes Security
• Wordfence

Related resources

• Is Cloudflare compatible with Bad Behavior?
• What are Cloudflare’s IPs?