Do not put your site behind Cloudflare if you don't need to
Cloudflare as single point of failure vs overall reliability
- Many argue that putting a small site behind Cloudflare reduces technical single points of failure: global anycast, CDN, WAF, tunnels, etc.
- Others say it simply shifts the SPOF to a single company: its culture, policies and mistakes can take down large chunks of the web at once.
- Several note it’s often easier to tell management “half the internet is down” than to explain a bespoke infrastructure failure; such outages are socially easier to defend.
- Uptime math comes up: rare multi‑hour Cloudflare outages still yield very high annual availability; for most small sites that’s acceptable.
DDoS, bots, and risk for small sites
- One camp: tiny blogs don’t need DDoS protection; if they’re down or attacked, impact is negligible and you can “turn Cloudflare on later.”
- Counter‑camp: DDoS‑as‑a‑service is cheap; even personal blogs and forums have been targeted, leading to hosts null‑routing or terminating accounts and/or surprise bandwidth bills.
- Multiple anecdotes describe constant bot and AI‑scraper load making even low‑traffic PHP/WordPress or forums unsustainable without caching/CDN.
Centralization, privacy, and censorship concerns
- Strong worry about Cloudflare as a de‑facto private intranet and internet gatekeeper: MITM TLS termination, traffic logging, cooperation with governments, and shareholder incentives.
- Concerns about governments or ISPs blocking Cloudflare IP ranges (e.g., sports piracy crackdowns), making many unrelated sites unreachable.
- Users report Cloudflare blocking or harassing “niche” browsers, privacy‑hardened setups, RSS readers and non‑JS clients, effectively denying service to some legitimate users.
Operational convenience and feature set
- Many use Cloudflare primarily for: free/better DNS, automatic TLS, caching, bandwidth offload, tunnels from home networks, bot/AI‑crawler filtering, and easy scaling for traffic spikes (HN/Reddit).
- Some say Cloudflare was the difference between affording to host a media‑heavy site vs not.
- Others point out a downside: if you deeply integrate (tunnels, page rules, CDN assumptions), temporarily removing Cloudflare during outages becomes complex and may expose origin IPs.
Alternatives and mitigations
- Suggestions include: keep registrar, DNS, and hosting separate; use multiple DNS providers and longer TTLs; mirror across hosts; use other CDNs (Bunny, CloudFront+S3), or rely on host‑level DDoS protection.
- Philosophical split: keep things simple and decentralized even if less “hardened” vs embrace Cloudflare as cheap expert infrastructure and accept occasional correlated failures and centralization.