Is there a limit to how many emails I can add?


I recently deployed an access policy to protect access to a path on my business domain.

Is there a limit to the number of unique emails or “emails ending in” that can be added?

I haven’t encountered one or seen it documented. I’m curious what you would be doing that might stress any limits (but genuinely just curious on a personal “what neat things are people doing” — note that I’m not affiliated with Cloudflare).


I have never encountered limit, experimentation might reveal one.

Depending on your Identity Provider (IdP), you might find it easier to use an access group already defined in your IdP. Something like Azure AD has a 50,000 member limit per group, so unlikely to be an issue.



More than happy to share the use-case!

I’m a technical writer and given that virtually everything I do is ghostwriting, for NDA and other reasons, I have to password protect my portfolio.

My previous “solution” was ultra simplistic — to use the Wordpress Password Protected plugin.

This had some pretty obvious deficiencies and never really sat well with me. Prospects could share it around without my control. I couldn’t revoke access without changing the string and preventing others from seeing it etc.

I created an Access Policy for the portfolio URL specifically. Which is here:

I’ve been using Access to password protect the staging version of this WP site for a few weeks now. I was on the phone call with a friend when the idea to use it for the portfolio struck like a flash of lightning — it’s literally the solution I’ve been dreaming of for months —particularly as I can whitelist a domain so that people can share the link around internally but keep it “protected” from external parties!

Now you can probably understand why I enquired about how many emails I can add to the policy at any one time.

I get asked to share my portfolio a few times a week — more if I’m running a sales prospecting campaign. It’ll be a little bit of leg work, but my idea is to add the emails and domains in Cloudflare.

I don’t have a particular need to revoke access or make it time-limited, so the easiest thing would be to just let the list of approved emails and domains accumulate. Although I also wouldn’t be adverse to manually going through the list every few weeks and ticking off who no longer needs access.

BTW, in terms of emails that might accumulate before a “cleanse” was needed. We’re not talking about huge volume. I’d say 100 per year at the most.

Honestly, I’m super excited to have thought of this use case. I’d much rather implement this at the Cloudflare level than rely upon some more sophisticated WP access plugin that might turn out to be buggy and which I have to worry about keeping updated.

Let me know your thoughts / if there’s any way I could implement this more intelligently.

I expected it might be something like that. One question though, would it be a problem if users can peak at content belonging to other users?

WordPress is a bit leaky, there are a couple different URLs which can kick off a search, various feeds, etc, so it wouldn’t be particularly trivial to limit access to one specific article. A blanket “require access for anything” with specific URLs allowed is easier (and maybe you could grant access at the category level, to simplify the implementation), but you’d need to poke holes for the theme’s static resources and more, so while doable this could be a bit complicated to get going.

1 Like

No, that would be fine. The “portfolio” is mostly just a collection of PDFs — plus a few embedded videos (scripts that I wrote). It’s a generic share — when I pull together individualized collections I usually just do it by email (finding a way to do that technically — as in, through a database system — is another project I’m working on by the way!)

Some stuff I’m precluded from sharing altogether — or even disclosing the clients (sounds super exciting but in reality some companies’ legal departments are just ultra cautious about what they will allow ghostwriters to disclose). But for the stuff that I can … the most important thing is that it isn’t public-facing. But I’ve never signed an NDA which allowed sharing the clips in a portfolio but then attached conditions as to whom I could share the clips with. It’s usually just either in, out, or “ask me each time you’re interested.” Perhaps in time I will and will have to figure out the next technical challenge.

Yes, getting a WP installation to remain “invisible” vis a vis the search engines is tricky. My usual approach is to request to block crawlers in robots.txt. I then usually use a plugin like this to disable the default RSS feeds:

But I’ll take a look into what you suggested. Although it wouldn’t be required for this implementation, I’m sure it’s a technically more elegant solution.