We are setting up a WAF and proxying our WordPress sites through Cloudflare.
We have then used the Cloudflare plugin to optimize the page - but it would be a great security feature if we could use the app to also lock down the WordPress site to be served by the CF proxy only, not allowing anyone to bypass it.
I am afraid this would cause some privacy issues, as the app cannot do the things needed on the origin host / server.
Furthermore, in terms of SSL, it could cause issues, for example if the origin host / server doesn't support HTTPS or somehow doesn't work over it, or uses a different port that is unsupported / not compatible with the Cloudflare proxy, for a Free user for example.
Nevertheless, looked at another way, for users who are on shared hosting this is really not an option, as they do not have that much "power" or privileges.
Also, if a lockdown could be done, does it mean it should lock down the ports too? And what about sending e-mails and any contact forms?
So in general, from my point of view, not possible so soon.
To be served by the CF proxy only, make sure your domain and www and any other DNS hostname records are set to cloud.
Otherwise, just to think about it: if the plugin for WordPress had that much access and privileges, what could possibly go wrong if the WordPress website gets malware or is compromised by a third party having that access?
In that case, who is to blame? Cloudflare? I doubt it.
Yes, there is a possibility: using Cloudflare Argo Tunnel (or Full Strict SSL + Authenticated Origin Pulls) you could lock down your origin host by closing ports (if not already closed) + Firewall Rules, Managed WAF and other available security options at Cloudflare, if you are interested in it.
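
Before closing ports on the origin as suggested in the reply above, it helps to know whether anything is already reaching the server without passing through the proxy. The following is an added example, not part of the thread and not Cloudflare's own code: it audits origin access-log lines and reports requests whose peer address is outside Cloudflare's ranges. Assumptions: the range list is a hard-coded subset of Cloudflare's published IPv4 ranges, the log lines are constructed, and the first log field is the real TCP peer (no real-IP module such as mod_remoteip or ngx_http_realip has rewritten it).

```python
import ipaddress
import re

# Assumption: subset of Cloudflare's published IPv4 ranges, embedded so the
# example runs offline. Load the current published list in real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample lines in the "combined" access-log layout.
SAMPLE_LOG = """\
162.158.90.12 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "curl/8.0"
104.18.3.44 - - [10/Mar/2024:10:00:09 +0000] "GET /wp-json/ HTTP/1.1" 200 912 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:15 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "python-requests"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def via_cloudflare(peer):
    """True if the peer address falls inside one of the listed ranges."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # not an IP address at all, so not a Cloudflare edge
    return any(addr in net for net in CLOUDFLARE_RANGES)


def find_bypasses(log_text):
    """Return (peer, method, path) for requests that did not come via the proxy."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        peer, method, path = m.groups()
        if not via_cloudflare(peer):
            hits.append((peer, method, path))
    return hits


if __name__ == "__main__":
    for peer, method, path in find_bypasses(SAMPLE_LOG):
        print(f"direct-to-origin request: {peer} {method} {path}")
```

An empty result over a representative log window suggests that restricting ports 80/443 to the proxy's ranges will not cut off legitimate traffic; any hits are clients (or services such as monitoring) that reach the origin IP directly.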