I’m planning to enable APO on a subdomain. According to the documentation, this will require using a Global API key to authenticate in the plugin (and plugin-less APO is evidently going away). I have reasonable concerns about the security of WordPress (more specifically – its various plugins), and the website is operated by a somewhat independent entity. Therefore I’d like not to save the Global key in WordPress unless absolutely necessary. Would I be able to replace this after setup is complete with a regular per-zone API token? Any other hints on how to make this setup more secure?

That might be old documentation. As I recall, APO works with Tokens:

I didn’t even think APO would work without a plugin. Do you have a link that explains this? Another user looks to have APO enabled on a subdomain (under a domain with the plugin) and it’s active.

Thank you for your reply. The documentation doesn’t seem too old – it was updated 6 days ago and specifically states “You can only use a Global key for the subdomain”. And I won’t sleep well knowing that the webmaster of this website is in control of all our DNS zones.

As for plugin-less APO, see here – Intend to deprecate: running APO without Cloudflare for WordPress plugin

Oh…darn. I’m not sure what the reasoning is for that.

One option would be to try using WP Cloudflare Super Page Cache. It says it works with a token.

That was quite a while ago. I wonder if they’ve made any progress on that. I wonder how it purges cache without having the plugin.

@emeliyanov I tested it now, API token for WordPress works just fine to set up APO on a subdomain. We will update the documentation for that.


