Xenforo from Sucuri to Clouflare

Hi guys,

In a few days I would like to switch from Sucuri (used since the time of vbulletin) to Clouflare. First of all, do you advise me to switch to Clouflare? Does it integrate well with Xenforo?

Another thing: at the level of CSM and basic settings of Xenforo I don’t have to change anything right? Should I only change the DNS?

On Sucuri I also have an SSL certificate for https. Does Cloudflare also provide an SSL certificate?

Thank you!

@eva2000 is a massive user of Cloudflare and Xenforo. I’m sure he’ll be along soon to say how well they work together and things to look out for.

Here’s one of his forum threads:


A few years back, I switched from Cloudflare to Sucuri only to come back to Cloudflare 2 days after. You are likely to receive biased opinions on this sub; however, from personal experience, Sucuri has only been on a downhill ever since their original owners sold it.

In terms of DDoS Protection, the current sensor/automatic mitigation of Cloudflare will do significantly better than Sucuri. Still, you need some manual labor in both solutions if the attack is somewhat complex.
Cloudflare JS Challenge is also slightly superior; the CAPTCHA challenge is where I’d argue that Sucuri can outperform Cloudflare, primarily due to HCaptcha not being my choice of preference when it comes to fighting smart bots.

If you have custom rules on Sucuri, you might want to port them to Cloudflare.



I made the switch from Sucuri to Cloudflare for my Xenforo forums ~4-5 yrs ago. My Xenforo forums has been through Cloudflare free, pro, business and now enterprise plans in the past 4+ yrs or so :smiley:

You can read the following to get started

Also Xenforo’s image and link proxy Options - XenForo 2 Manual can reveal your server real IP by default unless you configure a separate server forward HTTP proxy and set it in Xenforo config file $config['http']['proxy'] Config.php options - XenForo 2 Manual

HTTP client settings

These settings control the behavior of the internal XenForo HTTP client, which is used to fetch resources from across the internet, such as images and web pages when using the Image and link proxy .

  • $config['http']['sslVerify'] = null ;
  • $config['http']['proxy'] = null ;

The sslVerify setting will force the system the verify the SSL certificate of any sites it visits using the SSL/HTTPS when requesting resources. Setting this value to true can be of benefit in some circumstances, but there are a number of ways that SSL certificate verification can fail, resulting in an inability to fetch the resource requested. If in doubt, leave this setting alone.

If you want the internal XenForo HTTP client to perform its requests through a proxy, enter the proxy server’s address in the proxy setting.

That’s what I do for my Xenforo forums. You can see discussion at XF 1.5 - Untrusted Http Client | Page 3 | XenForo community


Thanks for all the info, guys!


On sucuri I don’t use any cache. I use that of the server. Can I set it like this also on Cloudflare?

The passage on real IPs is interesting! It was what I was looking for!

I would also be interested in protecting the admincp with a password. It’s possible?

Other things that are really important for the correct functioning of everything? Or are the settings all personal?





Two questions about Cloudflare settings.

How can I protect the admin with a password? I enter in “Access”, “Criteria” … and then?

On Sucuri I had the cache set in Site caching (using your site headers). I would like to keep it this way. How should I set it up on Cloudflare?

Thank you again!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.