6 Ways Cloudflare Protects Your Website

I’ve been building websites since 1996. From static HTML sites, to Flash sites, to mobile-first, to whatever is next, the technology has always moved very fast. A pretty constant theme has been that security tends to catch up later. When I was getting started, even basic file transfers used to expose passwords to anyone listening. Today, that’s unthinkable. Everything gets encrypted.

DNS security followed a similar path. Before Cloudflare, your DNS requests traveled the internet completely unprotected. It was easy for attackers to intercept or redirect site traffic. That is no longer the case. For the past decade, Cloudflare has been our choice for securing your site. Yes, there are other things you can do, like installing a security plugin, but that puts the cart before the horse. Cloudflare is easy to set up, and is the first thing we recommend to clients.

With Cloudflare protecting over 24 million active websites (including Clockwork’s), nearly half of the internet’s top 10,000 sites rely on it. Here are five reasons we continue to suggest it:

What Cloudflare Actually Protects

Cloudflare sits between your website and the internet. When someone visits your site, their request goes through Cloudflare’s network first, where it gets filtered for malicious traffic, optimized for speed, and then passed to your server. Think of it as a smart security guard that also happens to make everything run faster.

In this video, our CEO shares an introduction to Cloudflare – what it does, why it matters, and how it helps businesses protect and optimize their online presence.

1. DDoS Attack Protection

Cloudflare acts like a massive shield in front of your site, soaking up huge waves of malicious traffic before they ever reach your server. When a site is being attacked, the first thing we do is ask them if they are on Cloudflare. The protection service is free, and when a site is getting hammered, Cloudflare will begin to block IP addresses that are trying to attack the server.

The real advantage is how Cloudflare learns from every attack. When they stop a DDoS hitting one website, that same protection automatically applies to all the other sites on their network. In just the first quarter of 2025, they reported blocking over 20 million DDoS attacks. That’s almost as many as they blocked in all of 2024, and a lot of shared intelligence protecting your site.

2. Web Application Firewall (WAF)

Cloudflare’s WAF is built to spot and block the kinds of attacks that sites face most often, things like XML-RPC abuse, SQL injections, and cross-site scripting. It even has WordPress-specific rules that update on their own, so you’re protected against newly discovered plugin and theme vulnerabilities without lifting a finger.

We can also be a little more proactive. For example, on some sites that we build, nobody except admins has any reason to log in. We can set up a rule to block all admin login requests from outside the U.S. That immediately starts making the site more secure. Combined with other WordPress security best practices, this adds another layer of protection.
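Before turning on a geo rule like the one described above, it helps to replay recent traffic against it and see who would have been blocked. The following is an added example, not Clockwork's or Cloudflare's code; the log format (with a country field recorded from Cloudflare's `CF-IPCountry` request header), the sample lines and the function names are assumptions.

```python
import shlex
from collections import Counter

ALLOWED_COUNTRIES = {"US"}  # the policy from the text: admin logins from the U.S. only

# Constructed sample lines. Assumed format: ip country "METHOD path" status
SAMPLE_LOG = """\
203.0.113.10 US "POST /wp-login.php" 200
198.51.100.7 RU "POST /wp-login.php" 200
198.51.100.7 RU "POST /wp-login.php?action=lostpassword" 200
192.0.2.44 DE "GET /wp-admin/" 302
192.0.2.80 FR "GET /blog/hello" 200
192.0.2.80 FR "POST /wp-admin/admin-ajax.php" 200
203.0.113.10 US "GET /wp-admin/index.php" 200
"""

def is_admin_request(path):
    """True for WordPress login/admin paths, ignoring the query string."""
    path = path.split("?", 1)[0]
    if path == "/wp-admin/admin-ajax.php":
        # Front-end plugins call this endpoint for ordinary visitors,
        # so a geo rule that covers it would break the public site.
        return False
    return path == "/wp-login.php" or path.startswith("/wp-admin/")

def would_block(country, path):
    return is_admin_request(path) and country.upper() not in ALLOWED_COUNTRIES

def dry_run(log_text):
    """Return ({(ip, country): hits that would be blocked}, allowed_count)."""
    blocked, allowed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, country, request, _status = shlex.split(line)
        _method, path = request.split(" ", 1)
        if would_block(country, path):
            blocked[(ip, country)] += 1
        else:
            allowed += 1
    return dict(blocked), allowed

if __name__ == "__main__":
    print(dry_run(SAMPLE_LOG))
```

If a real administrator's address shows up in the blocked set, widen the allowed countries before enabling the rule.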

3. Bot & Brute-Force Defense

This is where things get really interesting. Even if you don’t set up those WAF rules, some of Cloudflare’s free features can make your site more secure just by toggling a button. The bot-fighting feature shown here will immediately start blocking not all, but a lot of, the IP addresses that are flagged as “bots.”

But here’s what most people don’t realize: bots aren’t just trying to break into your admin panel. They’re scraping your content, hammering your server with fake traffic, and burning through your bandwidth. When legitimate users can’t access your site because bots are overwhelming it, you’re losing real business. Cloudflare’s bot detection runs continuously, learning patterns and blocking malicious traffic before it reaches your server.

4. SSL/TLS Encryption Made Simple

With Cloudflare, you can get SSL certificates and turn on HTTPS with just a few clicks. You’ll see that little lock icon in your browser’s address bar on most modern sites (and above this article). That’s your site telling visitors their connection is secure. Although we normally use Let’s Encrypt to generate SSL certificates directly on the server, Cloudflare offers this as a backup option when your hosting setup makes other methods complicated.

There’s no reason in 2025 to not have an SSL certificate. Search engines penalize sites without HTTPS, browsers warn users about unsecured sites, and customers expect to see that lock icon when they’re entering any personal information. Cloudflare makes this all much easier.

5. Hidden Server IP

One of the most overlooked benefits of using Cloudflare is that it masks your origin server’s real IP address. I’ve seen people use Cloudflare, but they turn off the “proxying” which turns off this feature. This feature is a must!

Without Cloudflare, anyone can run a simple lookup to find exactly where your site is hosted, which opens the door for direct attacks that completely bypass your firewall and security plugins. By routing all traffic through Cloudflare’s network, your true IP stays private, making it much harder for attackers to target your server with DDoS floods, port scans, or other exploits.

Even if someone tries to hit your site directly, they’ll just end up knocking on Cloudflare’s door, not yours. This layer of obscurity is a powerful first step in keeping your website secure.
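One way to confirm that proxying is actually on for every record in your own zone is to check that each published address falls inside Cloudflare's edge ranges. This is an added example, not code from the original article; the hostnames, addresses and function names are constructed, and the range list is a snapshot that should be refreshed from https://www.cloudflare.com/ips/.

```python
import ipaddress

# Snapshot of Cloudflare's published edge ranges (assumption: refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed zone data: hostname -> addresses public DNS answers with,
# e.g. taken from an export of your own zone.
SAMPLE_RECORDS = {
    "example.com": ["104.16.1.10", "2606:4700::6810:10a"],
    "www.example.com": ["172.64.80.1"],
    "mail.example.com": ["203.0.113.25"],
    "staging.example.com": ["198.51.100.40"],
}
SAMPLE_ORIGIN = ["203.0.113.25"]  # constructed address of the origin server

def is_cloudflare(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)

def audit(records, origin_ips):
    """Classify each hostname as proxied, dns-only, or exposes-origin."""
    origin = {ipaddress.ip_address(o) for o in origin_ips}
    report = {}
    for host, addrs in records.items():
        outside = [ipaddress.ip_address(a) for a in addrs if not is_cloudflare(a)]
        if not outside:
            report[host] = "proxied"
        elif any(ip in origin for ip in outside):
            report[host] = "exposes-origin"  # this record publishes the real server
        else:
            report[host] = "dns-only"        # unproxied, but not the origin itself
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE_RECORDS, SAMPLE_ORIGIN).items():
        print(f"{host:24} {status}")
```

Any record reported as `exposes-origin` undoes the masking for the whole site, even when the main hostname is proxied.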

6. AI-Powered Attacks

Beyond malicious bots and brute-force attacks, there’s also a new category of automated threats that’s more sophisticated than the usual spam bots and password crackers.

AI-powered attacks are evolving fast. Some AI services are now using stealth crawlers that deliberately hide their identity while scraping content, which can impact your site’s performance and content rights. These aren’t typical brute-force bots. They’re smarter and harder to detect. Traditional bots are usually blunt instruments (high volume, obvious patterns), while AI-powered attacks are surgical and adaptive (low profile, human-like behavior, constantly evolving).

The good news is Cloudflare has been working directly with browser developers to stay ahead of these threats. If you’re already using Cloudflare, you’re getting protection from these emerging AI threats automatically as they roll out updates.

What Most People Miss

Just like how security evolved from unencrypted FTP to today’s standards, Cloudflare is now part of our standard setup for every site. It’s free and one of those tools that just makes sense. But making sure the proxy is enabled and WAF rules are properly configured takes some experience with web development and understanding how hosting setups work.

Security isn’t something you set up once and forget about. Between WordPress updates, plugin changes, and new threats popping up, your site needs regular attention. That’s why we include Cloudflare setup and monitoring in our flexible website care plans.

If you’re running a site without Cloudflare, you’re basically still using the equivalent of unencrypted FTP. Need help getting it set up right? We can walk you through it.

About the Author

Aaron Reimann

Aaron is a PHP developer who started and sold an agency called Sideways8.com. He is currently running Clockwork, a website design, development and hosting shop. He has built sites for companies of all shapes and sizes, ranging from small nonprofits to Fortune 100 companies, since beginning his work with WordPress in 2008. An organizer for WordCamp Atlanta and the Atlanta WordPress Meetup, Aaron provides leadership and speaks regularly at events around the world.