Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What are some other viable options?


1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.

2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on ever visit because of where they live or what browser they choose to use.


They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.

I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.

(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)


Yes, Wordpress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate is a good thing.

However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.

But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.


WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.

Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.

> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: