 engineering at Cloudflare. So actually, if you notice, our office is right upstairs. So we hope to see you guys more in future. So together with me is also my colleague, Ziggis. He's hiding behind the pillar. He's our SRE. So here in Singapore, we're actually a quite sizeable team, although I'll say hi to Ziggis. Yeah, so we have a quite sizeable team here. It's now about 40, 50 people. So it's not just sales, but engineers like me and also support and network and system engineers here. And we're quite excited to be here because Cloudflare, first, a show of hands: who has heard about Cloudflare before this? Oh, that's awesome. Which means I can go. I'm going to leave now, right? OK, just kidding. So we're quite excited because we are a Silicon Valley based company. So actually, from the very beginning, we have actually quite good ties with the open source community. And WordPress is one of them. So when new security vulnerabilities are disclosed, we are one of the few in the market to patch them for most of the customers. So that's great.

So I think today my topic is speed up and protect your WordPress sites. So you can do that with Cloudflare. You can also do that with some other similar players in this space. But in this case, since I'm from Cloudflare, I use Cloudflare as just an example. OK, so this is what I'm not going to do. I'm not going to go through the command line and show you all the colorful commands the engineers use. I'm trying to make it visual and show you how to get things done within the reverse proxy solution I'm going to talk about in this presentation.

OK, so in the very first place, why do you need to care about web performance? So I think a lot of people here in this room have probably already heard that in July, Google made mobile page speed part of the search engine ranking. And they have been making it part of their search engine for years, and now they are applying that to mobile as well.
So which means that if your website loads faster, you actually get higher ranking from Google. So obviously that helps a lot with discoverability of your site. The second reason why you need to think about web performance and why you need to care about it is that it also helps with user engagement. So in a now pretty well-known research done by Walmart in 2012, it's quite some time ago, what they found is that with every 100 milliseconds of additional latency, their user engagement, or conversion rate in this case, drops by 1%. So it's quite a significant impact given the volume that Walmart handles on their e-commerce platforms. And of course, the same theory applies to e-commerce websites, but it also applies to social media and even your personal blog. So that's another reason why you need to care about it.

Since just now we talked about performance, another thing I think right now we all need to think about is security. So security is something that is somewhat obscure because people think about cryptography and hackers who find those obscure vulnerabilities and launch nation-state attacks and stuff like that. But actually, the threats are more common nowadays because all the hacking tools have become generally available on the darknet. Or if you are interested enough, you can find it somewhere and you can do it. You can scan the entire internet relatively easily nowadays because there are only so many IP addresses. So what we see nowadays is that even if you run a personal blog site or you are an SME, you run your small shop, you sometimes get defacement. And those defacements or hacking of websites can be driven by different agendas. Sometimes it's just a group of angry people from somewhere in this region or overseas who just want to hack your site to improve their skills, hacking skills, for example.
Or sometimes it can be because they want to hold you to ransom, they want to ask for money from you, they want to get some bitcoins from you, and they just hold your sites to ransom. So of course, with new security vulnerabilities coming out every day, it also gives more room for hackers to exploit your website. So that's hacking and exploits.

The second part of it is encryption or SSL. So if you're in this space, you probably have seen this news from Chrome, the Google Chrome team, from July 2018, which is last month. They are marking all the HTTP-only sites, meaning sites without HTTPS or SSL, as not secure. And if you actually go to my website, my test website, maxwell.cf, and you visit the HTTP version of that, you get a red letter that says that your connection to this site is not secure, and you should not enter any sensitive information, et cetera. So that's definitely going to scare a lot of your visitors away if you only have a site on HTTP, and they're using Chrome. And the reason why Chrome is attracting a lot of attention is because they are typically the pioneer in this industry. So once Chrome starts doing that, a lot of other browsers will start doing that. I know Mozilla, Firefox, is already doing something like that, and we can expect that to happen to other mobile browsers and other browsers pretty soon.

OK, so I have talked enough about the problems. Now let's talk about the solutions. So I'm getting a little bit technical here, because I'm using a technical term for that. There's a solution for this problem called Reverse Proxy. Now let's make it visual. So what do we mean by Reverse Proxy? So without Reverse Proxy, your users here on the left who are visiting a website using a browser will use the internet to visit your website, your WordPress sites here hosted on the server. And the server can be on DigitalOcean, can be on Bluehost, it can be on GCP, it can be on AWS, it can be anywhere.
It can be self-hosted on your Raspberry Pi. But this is kind of scary, because you are basically exposing your web hosting infrastructure to the rest of the internet. And we all know that there are lots of bad guys on the internet. So that's the reason why people come up with this idea of Reverse Proxy. So as the name suggests, as a proxy, what they do is that they are the ones who are exposed to the internet. And they get all the traffic from the internet for you, and they drop that traffic, they block that bad traffic, and pass the clean traffic to you. And another thing they do is that as a Reverse Proxy, I can cache stuff, meaning that you have a huge image file on your web page. A Reverse Proxy can save a copy of that on the Reverse Proxy so that the same requests don't need to go to your origin or your servers. So it's both a performance and security tool for website owners. And obviously, at the beginning, I mentioned, Cloudflare is just one of them. If you are in this space, you probably heard about Nginx or Varnish. They are quite popular open source projects. And they have been deployed at scale for lots of WordPress sites as well. Any questions so far? No? OK.

So just now I talked about the benefits of Reverse Proxy in more technical terms. Now let's drill down to look at what it actually does. So the first thing, just now I mentioned caching. So now let's use Cloudflare as an example. So Cloudflare right now, we have 152 data centers across the world. What it also means is that we can save copies of your assets, meaning your images, your videos, your audio files, or CSS files on one of our locations, or all our locations, depending on where your visitors come from. And putting it into layman's terms, it's like serving the content from your viewers' internet neighborhood. And the technical term for that is called CDN, Content Distribution Network. So we probably will hear that term coming up more and more as I go by.
And to draw an analogy in the physical world. So I like to use this analogy. Let's say I love drinking Wulong tea. I could buy canned tea from my favorite supermarket, but there are only so many FairPrice stores in Singapore. But instead of going to FairPrice, what I can do is I can go to my convenience store in my neighborhood, like 7-Eleven, a good example. I can find it everywhere. And no matter where you go, you'll always find they have Coke, they have my favorite green tea, they have other stuff on their shelves. And I can just go there and grab them. Similarly, for Cloudflare, we do the same thing but on a global scale.

So we just talked about performance, the CDN piece of it. The second thing it does is security. So by security, what we mean is basically to keep the bad guys away. And just like I mentioned, because as reverse proxy, you are kind of like an agent of your website. So it takes all the traffic from the internet and it will do some rule matching, look at IP addresses, look at your HTTP request headers, and identify the bad attackers, people that you actually should be allowed to access the website. And depending on the different solutions, different solutions tend to have different ways to mitigate those bad attackers. For us, one of our options is this browser check. So you probably have seen that on some websites. And what it does is run some JavaScript on the browsers and make sure it's a human being using a valid Chrome instead of part of a botnet. So you will keep the bad guys away.

The second thing is that it also helps you to establish TLS or SSL, HTTP secure connections to your users. So the sensitive information cannot be intercepted by the bad guys who run a rogue Wi-Fi access point in your neighborhood, or whoever who have hijacked your Wi-Fi access point at your home are the way it is.
So security, and of course, at the end of the day, you also want to show the green padlock in the end user's browser to give them confidence that you are taking care of their security.

So actually, before this, I have prepared a demo. It's probably like a five-minute demo. It's going to bring a site to Cloudflare in a really short time. I'm not sure whether any of you guys are interested at all? OK, let's do it. All right, so let me just go to my demo site right here. OK. All right, so actually, right now, I have my test or demo WordPress site. I call it Cheesy. I call it Cecil's Flores. I have one called Robinson's Flores, but I close it. So basically, it's a very standard WordPress site with mostly static content. But if you look at that, you can notice something. The first thing is that it's not secure, meaning that it only serves HTTP. And if I want to visit the website using HTTPS, you get an error. It says your website cannot be reached, because this particular site hasn't been configured with SSL or HTTPS. And another thing, if you notice, is same as other sites. I have a login page, and it basically allows all the attackers on the internet to run scanners on this particular site and try to find vulnerabilities. There are no checks and balances in place. Yeah.

So now let's bring it to Cloudflare. So actually, it's just three steps. There are only three steps. I should put it into my speaker notes. Let me just go here. So just three steps. First, get an account on Cloudflare. Second, change the DNS, meaning the name servers, on your registrar to Cloudflare, so that we can get your traffic. And the third step is to install our WordPress plugin. It's the official plugin from us, so that we can make the entire configuration easier for everyone. So now let's do it now. So here, this is my registrar called Freenom. It's a free registrar, perfect for testing.
And the same steps can be done on any registrar, like GoDaddy, or Namecheap, or Google Domains, whatever you use. And also on the other hand, what I have is that I already have an account on Cloudflare. So this is what I'm going to do. First, I'm going to add the name of my website, syselpholaris.cf. So what's happening in the background is that Cloudflare will do some scanning, try to copy the existing DNS entries to Cloudflare. And this is precisely what our wizard is saying. So I promise you, it's for free, right? So that's the reason why here we have a free plan. It's just free for me, for the other plans, too, because I'm a Cloudflare employee, but don't be confused. Yep, so I'm getting a one free plan. Yep, so we have already got your DNS records. So for those who are tech savvy, you can see we have already copied the A record for DNS. And it looks good. Let's just continue.

So in these steps, here at Cloudflare, we are basically telling the user that you need to change your current DNS or name servers from Freenom to us. And these are the two, a pair of unique name servers assigned to you. So now let me just do some copy and pasting. Copy and paste. Copy and paste. All right, it looks good to me. So now let's save it. OK. So while I'm making the changes, at Cloudflare, you can see that this site is still being activated, meaning that Cloudflare is doing some scanning to make sure that the DNS server change has been made correctly. So we are doing this constantly in the background. This typically takes a couple of minutes and there's no downtime, because what's really happening is that instead of letting the traffic go to your application directly, now we are trying to get the traffic to us. And this process is gradual and there's no downtime again. All right, let's see. So this typically here, we say, is allowed for 24 hours, but actually takes much less than that. Let's just do a quick check. What's my DNS?
OK, let me copy this and see how it's been propagated. OK, yeah, it actually looks good to me, except an ISP in Germany is still caching my old DNS and also Australia. So that might be the reason why it's taking some time. OK, done. The zone is activated. Actually, I just received an email telling me that. So with the particular domain activated, what it means is that Cloudflare now is taking your traffic, we can process our traffic, and we can provide you with SSL certificates very shortly.

So now let's take a look at my Cecile Flores website. Let me just refresh it. Sometimes my browser will cache the DNS record, so what I do is I clear the cache. Now let's refresh the site again. And you can see on this little plugin called Claire, this site is what we call Orange Clouded. So by Orange Clouded, what we mean is that now this particular site is served from Cloudflare instead of some other third party providers. Yeah. So if you look at the IP address here, or for those who are savvy, if you look at the network, if you look at the response headers, you can see that Cloudflare now appears in all your HTTP responses. Yeah. So that's how you can tell a site is on Cloudflare. And if you look at there, you can see for some of the content that the gigantic photos on my home page are now being a hit in our cache, meaning that Cloudflare already has a copy of that, and we're serving that from our cache. So this is for those who are tech savvy.

So now we come to our last step, which is to install the plugin. And trust me, this is actually the easy part. So all you need to do is obviously go to Plugins and add a new plugin called Cloudflare. All right. So this is already activated. Now, OK, let's install it, but not activated. OK. Here we go. OK, so you can see there's a little Cloudflare configuration page in your WordPress dashboard.
So all you need to do is to go back to your account right here at Cloudflare and copy and paste your settings, which is the API keys from there. So this allows us to configure your Cloudflare configuration from your WordPress sites instead of managing two different dashboards. Right. And so I have this. Wait a second. Sorry, folks. Where's my API keys? Sorry. Oh, here it goes. Yeah. Sorry, everyone. I don't have my password here. So OK, let me just get it from somewhere else. OK, let me copy and paste them here. Oh, that's the wrong password. OK, now it's getting embarrassing. But let me see. I can get you something else. Yeah, yeah, yeah, I didn't save it anywhere. You know what I'm going to do? Embarrassing. Yeah, I just get it from a keychain there. All right. OK, this looks good. Yeah, the reason why we have these checks is to make sure that your password cannot be copied from other cross-site scripting bots or scripts. I'm going to sign this. OK. Please. OK, got it. Finally, CYN Cloudflare. Yep. So after so much trouble, I managed to get in.

So actually, the Cloudflare plugin for WordPress is pretty simple. It's just simple buttons like this, Optimize Cloudflare for WordPress. Just click. And also, we have this very interesting thing called automatic cache management. So for whoever has used CDNs before, I think cache management is a big part of it. So you want to make sure that whenever you update your image or your style or your theme, you want this change to be propagated to the rest of the internet immediately. So that's the reason why we built this. It will automatically tell Cloudflare to invalidate, to clear the old cache. So it's always the latest content that is served to the internet. Yep. So that's basically about it. So now, if you go back to Cecile Flores, my website, you can see that it has a valid SSL cert, already here, provided by Cloudflare. And all this comes free.
And of course, there are more features to there, more advanced security features. I'm more than happy to talk to you a little bit about it because WordPress can be quite sophisticated, sometimes, especially for enterprises. Any questions? Yeah.

Most of the clients are all security-sensitive people. Yeah. Because your program is in the context between the digital-sensitive page and the sensitive page. That's a very good question. So in this sample, it's a free plan. So we, Cloudflare, provide what we call Universal, which is free SSL certs. Yeah. Yeah. I mean, that Microsoft has, they are all security-sensitive. Yeah. But you also provide the support for the client. That's a very good question. Yeah. I mean, we're interested to be able to use it for my website. Yep. That's a very good question. Now let's look at this diagram, right? So what you are saying is that Cloudflare here, we automatically get a cert for you. But also, on your hosting provider, they also give you a cert, right? So actually, to your users, what they see is Cloudflare certificates. So it will be used to your cert. That's correct. But however, we need the certs provided by your hosting providers to be able to talk to you in SSL. Meaning that we still want you to encrypt this part of the traffic as well, right? We don't want anyone sitting in the middle to intercept your traffic. So that's the reason why you still need a cert here. Yeah. Yeah. That's a very good question. Yeah. Please.

Can you please tell us exactly what you're thinking about? Very good question. Oh, well, you guys have the best questions here. So the answer is yes. And I can show you how you can do that, right? So let me repeat the question first. The gentleman there is asking whether they can use self-signed certs on their servers and yet have some encryption between Cloudflare and your servers, right? The answer is yes. And you can actually do that easily here under the Crypto tab.
So crypto in this case means not cryptocurrency, but SSL, yeah. So right now it defaults to Flexible. Flexible meaning that Cloudflare always talks to your origin over HTTP, unencrypted. But if you want us to support HTTPS with your self-signed certs, you can just use what we call Full mode. So in the Full mode, we only do encryption, but not authentication, right? Meaning that even if it's signed by you or by an invalid CA, we'll still recognize that, yeah. Please. It's not right. Really? Is it on Cloudflare or? Really, okay. Yeah, I'll probably talk to you a little bit later. Yeah. Yeah, please, yeah.

In general, for sites that use this Cloudflare, not using Cloudflare, the improvement is, please. Yeah, yeah, yeah. So that's a very good question, right? So actually that's a type of question you typically run into a lot of times with big enterprise customers: how do you prove that there's a performance improvement, right? So Cloudflare, unlike some providers, we don't provide performance metrics for measurement because we are non-neutral, right? Because we provide that, we always say we are the fastest, right? But however, in the industry, there are quite a number of performance monitoring tools, right? Pingdom is one of them. I use a free one for my personal site called StatusCake. There's an entire ecosystem who does monitoring, performance measurement, et cetera, right? So I think the best way to see is to run it yourself, to do a comparison. Cloudflare versus without Cloudflare or Cloudflare versus Provider B. Then from there, you can see the difference. But generally, as a rule of thumb, if your visitors are far from your servers, meaning that if you have a service here in Singapore and your visitor is regional or global, it's more likely you will need a CDN because that will extend the reach of your site from just Singapore to the rest of the world, right? To be closer to your visitors.
So that's the concept about CDN. It's to be closer.

Based on the way these questions are answered, you know, state in and outside is without SSL, because we need to Cloudflare to show that it's secure. I still advise the world that we should have SSL. Yes, yes. As a best practice, I mean as a security principle, we want SSL to be end-to-end, meaning that from your user's browser to Cloudflare and from Cloudflare to your servers or your hosting providers. We want this to be end-to-end because, you know, the weakest link is usually the link that gets, you know, exploited, right? So that's definitely recommended from us. Yeah. Yeah, please. Oh, it's basically unencrypted traffic from Cloudflare to your server. Yeah, meaning that HTTP only to your origin, to your servers. Yeah.

Yeah, that's another very good question. Yeah, so by default, Cloudflare has a set of cacheable file extensions. You can find this article just by Googling that, Cloudflare file extensions. So all the bots will cache all the commonly seen static or cacheable file contents. For example, you know, JPEG, JS, where is CSS? CSS is here. Yeah, so these are typically the things we see don't typically change and we cache them by default. Yeah, but one thing to notice is that we don't cache HTML by default. Yeah, we don't cache HTML. So sometimes as a WordPress owner, you want to cache your entire web page. You need to use something special called Cache Everything. It's a feature, I think it's a feature available to Pro plan or something like that. It's definitely available here. Yeah. Sorry? Custom assets. Custom assets? Yeah, totally. That's something that can be done with Cache Everything. Yeah, we can... If you notice, MP4 is not here, but with Cache Everything you can cache MP4. Yeah, yeah. Stream, like... You have a new stream offering, right? Yeah, yeah, yeah, yeah. Very good point. Thanks for having me there.
So I think today's session is primarily based on use cases, mostly focusing on the free plan. But if you have specific use cases, I strongly recommend you to, of course, try our service first before drawing conclusions. And secondly is to look at the different plans we have, because a lot of things we do like WAF and stream, like video delivery you mentioned just now, are not part of the standard package. But the free package is probably the best we can get in this market right now. Yeah, yeah. Thank you for bringing that up. Yep. All right. So any more questions? Yep. Yeah, please.

Oh, I think your question is what mechanism we have to prevent your domain being hijacked by someone else? Is that the question? Or how do we prevent people from... I think it's very easy to use for the other risks. But if there are any risks to use in front of there, to use for by one of the sites... Are there any risks? Are there any risks? Yes. By what? Are there any risks? I really couldn't think of any. Like risking night security or something else? I had a... As far as I understand the... There are many, many... Okay. Okay. Yeah, so I think your question is about with... Cloudflare right now, we have 10 million domains on us, a lot of them are free. I think your question is how do you prevent user A, are there any risks because we have so many, too many users? Is that kind of a question? Yeah. Sorry, I don't speak understatedly. Yeah, yeah, yeah. So, yeah, so I think one thing... But I rather take it in a positive light because with 10 million domains, we actually get lots of attacks going on or traffic at any given moment. Or actually Ziggis has a dashboard that has all the ongoing DDoS attacks. It's all thousands, tens of thousands, or lots of requests per second, right? So with that information, actually what we did is that we captured that information and assigned a threshold to every IP address we see on network, right?
And we used that to protect your website because we know which IP address is malicious and we challenge those IP addresses when they come. Right? So instead of a threat, I think it's more like benefits and like something that's unique for Cloudflare because of our scale. Yeah. Sorry for being too specific for Cloudflare, but I can't speak for other vendors in this case. Yeah.

Cool. If there's no more questions, we have the space till 9. Yeah, that's it. So if you just want to chill out and mingle and network for a bit, then we're all good. So thanks to Cloudflare. Thank you. Thanks for having us and thanks to the pizza and drinks, Valentine's or anything else. Yeah.