Cloudflare and Jetpack for WordPress should require no additional configuration to operate together. However we do have some security features designed to protect your Jetpack installation, read on below to learn more.
Default Jetpack Protection from Cloudflare
The xmlrpc.php file is protected on all Cloudflare plans to allow only Jetpack to use the xmlrpc.php?for=jetpack query string, Cloudflare does this by only allowing the IP range of Jetpack’s automation systems. As such any attempt to access xmlrpc.php?for=jetpack from an IP that is not a genuine Jetpack IP will be blocked with a HTTP 403 Forbidden message from Cloudflare. This in itself is nothing to worry about and improves the security of your website and does not affect the functionality of Jetpack whatsoever.
For more information about why this was originally implemented take a look at our blog post on the subject:
Additional WAF settings that can impact Jetpack
There is a specific rule in the Web Application Firewall (WAF) that if enabled will block Jetpack’s servers from administering your settings. The Cloudflare WordPress WAF rule “WP0002 - Block WordPress XML-RPC” rule is disabled by default but when enabled completely disables access to the xmlrpc.php file. As such we only recommend enabling this rule as an emergency measure if your xmlrpc.php endpoint is being attacked. For further guidance on this, please contact our Support team.