Global Edge Security (GES)


GES Features

Global Edge Security (GES) is WP Engine’s Enterprise-grade performance and security add-on for Startup, Growth, Scale and all Custom plans. With this add-on you will receive several features powered by Cloudflare: a managed Web Application Firewall (WAF), advanced DDoS mitigation, the Cloudflare CDN, and automatic SSL installation.

Managed Web Application Firewall (WAF)

Our Enterprise-grade Web Application Firewall blocks the most common vectors for website attacks:

  • Cross-Site Scripting (XSS) – These attacks happen when an attacker injects malicious script into a legitimate (but vulnerable) application, typically through input that the application echoes back into its HTML or JavaScript without proper encoding. The vulnerable application or website is used as the “vehicle” to execute the script in the end user’s browser, where it runs with that user’s session and privileges.
  • SQL Injection – SQL injection attacks happen when an attacker submits input containing SQL metacharacters (quotes, comment sequences and the like) to a vulnerable web form or request parameter so that the input is interpreted as part of a database query. These attacks affect database-driven sites, which includes WordPress.
  • Cross-Site Request Forgery (CSRF) – A CSRF attack tricks a logged-in user’s browser into sending a request the user did not intend, for example by embedding it in a form or image on a site the attacker controls. Because the browser automatically attaches the website’s session cookie to that request, the website treats it as an authorized action by the legitimate user. In this case the session cookie is the “vehicle” the attacker uses to act as that user, without ever having to steal it.

Cloudflare’s edge servers also apply the OWASP ModSecurity Core Rule Set at the edge, which filters the common request patterns behind the OWASP Top 10 vulnerability categories at all times. A WAF blocks attack traffic before it reaches the site; it does not remove the underlying vulnerability, so WordPress core, themes and plugins still need to be kept patched. And, the automated Browser Integrity Check will evaluate request headers to determine whether a request is coming from a real web browser or not.

In addition to the rules for the attack classes outlined above, our WAF powered by Cloudflare takes advantage of a proprietary set of security rules that Cloudflare has built up over years of identifying and mitigating attacks across its network.

Advanced DDoS Mitigation

DDoS stands for Distributed Denial of Service and is a term used to describe attacks on the Network, Transport, and Application layers of the Open Systems Interconnection (OSI) model.

The Network Layer (layer 3) determines the route packets take across the internet (using the IP and ICMP protocols), and the Transport Layer (layer 4) is responsible for transmitting and reassembling packets of data between two endpoints (using the TCP and UDP protocols). Attacks at these layers, such as SYN floods, were more common in past years and aim to exhaust bandwidth or connection capacity so that your site becomes inaccessible. This traffic is automatically and silently dropped at the Cloudflare edge network before it ever reaches your WP Engine server.

Application Layer (layer 7) attacks have become more prevalent in recent years and target protocols such as HTTP, SMTP, SSH, or FTP. This is the layer at which the application or website itself operates, so these attacks target a specific application or website rather than the network underneath it. Most often Application Layer attacks come from botnets, large networks of malware-infected machines, directed to send expensive or extremely numerous requests to a website in order to exhaust its resources, while looking enough like real visitors to slip past simple filtering. Cloudflare’s edge servers use heuristic detection to determine whether a request for your website is legitimate, and block attacks at this layer automatically. This means only legitimate traffic makes it back to the WP Engine origin server where your content is hosted.

Origin IP Protection is another way Cloudflare prevents and mitigates DDoS attacks. Because traffic is routed through Cloudflare’s network, the IP address of your WP Engine server is hidden: a Cloudflare IP address is what users (and attackers) see when they look up your website. This prevents bad actors from sending traffic directly to your origin server at WP Engine, where your web content is hosted. Instead, Cloudflare mitigates the attack in its edge network before those bad requests ever make it to WP Engine. Note that this protection only holds as long as nothing else reveals the origin address, so any DNS record that still points a hostname straight at the WP Engine server rather than at GES should be removed or moved behind GES as well. And, unlike other DDoS protection solutions, Cloudflare provides unmetered DDoS protection, meaning they don’t cap attack size or charge overages.

Cloudflare CDN

In addition to the security measures offered by the Global Edge Security product, Cloudflare CDN adds performance and caching benefits. WP Engine’s finely tuned caching rules will also apply at the Cloudflare Edge network. This means pages can be served to users around the world faster, sending fewer requests to the WP Engine origin server.

NOTE: WP Engine’s opt-in CDN differs from Cloudflare’s CDN, which is enabled automatically. We recommend disabling WP Engine’s CDN offering when utilizing Cloudflare at any level, including GES. Learn more here.

Automatic SSL Installation

WP Engine’s Global Edge Security offering will automatically install the SSL certificates added in the WP Engine User Portal on the Cloudflare edge servers. In this way the connection between the end user’s web browser and Cloudflare is encrypted, as is the connection between Cloudflare and WP Engine.

This integration means end users will see the SSL certificate installed through WP Engine when visiting your website, rather than a shared or dedicated Cloudflare SSL certificate. The SSL integration between the Global Edge Security product and WP Engine is automatic, and ensures your website is encrypted end to end.

Limitations

When using the Global Edge Security product from WP Engine, your CDN, WAF, and DDoS configuration rules are automatically configured. While there is no configuration needed on your end, WP Engine cannot add special customizations to these rules for individual sites or accounts–the rulesets and configurations are fine-tuned with performance and Defense-in-Depth in mind for the protection of your websites. If your websites require a high level of customization for Cloudflare settings, or specifically need access to the Cloudflare network in China, you may want to speak to your Account Manager about other Cloudflare options instead.


Configure GES

Before GES can be enabled, it must be purchased for your account. Visit the My Account page in the User Portal to purchase the add-on for an account.

We recommend using Cloudflare for DNS and configuring using the CNAME flattening method. This will ensure you can fully utilize Cloudflare’s load balancer.

NOTE: Before proceeding, ensure you have added your domain to the User Portal.

Enable GES

Before configuring any DNS changes, you will want to confirm that GES is enabled for the desired environment within the WP Engine system. This ensures the GES CNAME you will be pointing to is both properly generated and active.

  1. Log in to the User Portal
  2. Click Tools
  3. Select Global Edge Security
  4. Locate your environment name
  5. Confirm the environment name is listed in the Provisioned section
  6. If it is listed in the Unprovisioned section, click Enable to provision and generate the GES CNAME

NOTE: GES cannot be enabled for transferable environments.

Locate DNS Values

There are two areas (both within the User Portal) to locate the GES CNAME that will be used to point DNS later. The GES CNAME is a random string which will be different for each environment and will always end in wpeproxy.com

EX: 1a2b3c4d5e6f7g8h9i.wpeproxy.com

This is different from your WP Engine CNAME, which uses a name assigned by you and will always end in wpengine.com

EX: myenvironment.wpengine.com

  1. Log in to the User Portal
  2. Click Tools
  3. Select Global Edge Security
  4. Locate your environment name
  5. Copy the contents of the GES CNAME column next to your environment name
  6. If you do not see a GES CNAME value for the desired environment, click Enable next to the environment name to generate one

Your GES CNAME address is also available from a secondary location, should you need it.

  1. Log in to the User Portal
  2. Click Sites
  3. Select the environment name you want to setup GES for
  4. Click Domains
  5. If GES was enabled in the previous step, the GES CNAME will be listed here with your randomized string value


Point DNS

Part of the security offered by GES is that it does not rely on a single IP address, which could be targeted directly or change over time. Configuring DNS using CNAME flattening also ensures you can properly utilize Cloudflare’s load balancing configuration.

  1. Follow this guide for steps to configure a CNAME record (using CNAME flattening) at your DNS host
  2. Instead of using the default WP Engine CNAME (EX: myenvironment.wpengine.com), however, you will use the GES CNAME (EX: somerandomstring.wpeproxy.com)
  3. If you already have CNAME flattening configured, simply replace the current WP Engine CNAME value at your DNS host with the GES CNAME
  4. That’s it! DNS will take a few minutes to propagate and change over
    • NOTE: There may be a few minutes of service disruption while any DNS changes resolve

Here’s an example of how GES CNAME records might look when properly configured in Cloudflare, using the placeholder names from above (both the root domain and www point at the same GES CNAME):

Type    Name               Content
CNAME   fakewebsite.com    somerandomstring.wpeproxy.com
CNAME   www                somerandomstring.wpeproxy.com

NOTE: Due to the third-party nature of DNS, please be aware that the WP Engine Support team is limited and can only provide guidance. Our team members cannot log into your DNS host on your behalf to set DNS records.

Pointing from Cloudflare to GES

Pointing from your own personal or business Cloudflare account to WP Engine’s Cloudflare-based GES proxy may seem counterintuitive. However, Cloudflare recognizes any wpeproxy.com CNAME you enter and treats it as a proxy target automatically. That proxy CNAME is handled differently than a normal CNAME pointed at some other CNAME within Cloudflare.

This has not been shown to cause any performance degradation, because Cloudflare does not treat it as a second traditional DNS “hop”. Proprietary settings are in place to make sure there is no redirect loop and to optimize traffic flow.

GES IP Addresses

In the rare case that CNAME flattening is not an option, GES also supports pointing A records at the following IP addresses. Be aware that these addresses may be subject to change, so CNAME flattening will always be preferred.

141.193.213.20
141.193.213.21

If you choose to point DNS using the A record method, use both A records for each hostname. A single A record will function, but using both ensures you can still take full advantage of the Cloudflare load balancer configuration. For example:

Type   Name              Content
A      fakewebsite.com   141.193.213.20
A      fakewebsite.com   141.193.213.21
A      www               141.193.213.20
A      www               141.193.213.21


Verify GES Configuration

  1. Log in to the User Portal
  2. Click Sites
  3. Select the environment name you’ve set up GES for
  4. Click Domains
  5. Click the 3-dot menu icon to the right of your domain
  6. Click Check Status
    • Within an hour our system will query your DNS records to confirm whether GES was properly configured
    • When GES is properly configured, our system will show all green status lights

Our system will only validate that GES is pointed correctly if each individual record is configured to the wpeproxy.com CNAME address. If the status is not green:

  • Verify you’ve configured your nameservers properly for the DNS host you want to use
  • Verify you’ve configured two records (one for www and one for non-www)
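The two checks above, plus the Origin IP Protection caveat from earlier, can be run from the DNS host’s side rather than waiting for the hourly status query. The following is an added example, not WP Engine’s or Cloudflare’s code: it assumes the DNS host is Cloudflare (as recommended above), reads the zone’s records through the Cloudflare v4 API dns_records listing (type, name, content), confirms the apex and www point at a wpeproxy.com CNAME or the GES IPs, and flags any other hostname still CNAMEd straight at a wpengine.com name, which leaves the origin reachable without GES. The sample record list and the domain fakewebsite.com are constructed.

```python
"""Audit a Cloudflare-hosted zone to confirm GES is pointed correctly.

Added example (not WP Engine's or Cloudflare's code). Assumes the DNS host is
Cloudflare and uses the shape of the Cloudflare v4 API's dns_records listing.
With no arguments it audits the constructed SAMPLE_RECORDS; with a domain and
CF_API_TOKEN / CF_ZONE_ID set it audits the live zone.
"""
import json
import os
import sys
import urllib.request

GES_SUFFIX = ".wpeproxy.com"                      # every GES CNAME ends in this
GES_IPS = {"141.193.213.20", "141.193.213.21"}    # A-record fallback from the page; may change
ORIGIN_SUFFIX = ".wpengine.com"                   # the plain (non-GES) WP Engine CNAME

# Constructed sample of what the API returns (only the fields used here).
SAMPLE_RECORDS = [
    {"type": "CNAME", "name": "fakewebsite.com", "content": "1a2b3c4d5e6f7g8h9i.wpeproxy.com"},
    {"type": "A", "name": "www.fakewebsite.com", "content": "141.193.213.20"},
    {"type": "CNAME", "name": "staging.fakewebsite.com", "content": "myenvironment.wpengine.com"},
    {"type": "MX", "name": "fakewebsite.com", "content": "mail.fakewebsite.com"},
]


def fetch_records(zone_id, api_token):
    """List all DNS records in a zone via the Cloudflare v4 API (live use only)."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?per_page=500"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["result"]


def is_ges_target(rtype, content):
    """True if the record points at GES: a wpeproxy.com CNAME or one of the GES IPs."""
    return (rtype == "CNAME" and content.endswith(GES_SUFFIX)) or (rtype == "A" and content in GES_IPS)


def audit(records, domain):
    """Check the apex and www records; return (ok, problems, warnings).

    problems: apex/www missing, or pointing somewhere other than GES.
    warnings: other hostnames still CNAMEd straight at *.wpengine.com; those
              bypass GES and expose the origin, undoing Origin IP Protection.
    """
    domain = domain.lower()
    wanted = {domain, f"www.{domain}"}
    ok, problems, warnings, seen = [], [], [], set()
    for rec in records:
        rtype, name = rec["type"], rec["name"].lower()
        content = rec["content"].rstrip(".").lower()
        if rtype not in ("A", "AAAA", "CNAME"):
            continue                                  # MX, TXT, etc. are irrelevant here
        if name in wanted:
            seen.add(name)
            if is_ges_target(rtype, content):
                ok.append(f"{name} {rtype} -> {content}")
            else:
                problems.append(f"{name} {rtype} -> {content}: not the GES CNAME or GES IPs")
        elif rtype == "CNAME" and content.endswith(ORIGIN_SUFFIX):
            warnings.append(f"{name} CNAME -> {content}: bypasses GES, origin reachable directly")
    for name in sorted(wanted - seen):
        problems.append(f"{name}: no A/AAAA/CNAME record found")
    return ok, problems, warnings


if __name__ == "__main__":
    # usage: python ges_dns_audit.py            (audits SAMPLE_RECORDS)
    #        python ges_dns_audit.py fakewebsite.com   (live, needs CF_ZONE_ID and CF_API_TOKEN)
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        recs = fetch_records(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"])
    else:
        domain, recs = "fakewebsite.com", SAMPLE_RECORDS
    ok, problems, warnings = audit(recs, domain)
    for line in ok:
        print("OK      ", line)
    for line in warnings:
        print("WARNING ", line)
    for line in problems:
        print("PROBLEM ", line)
    sys.exit(1 if problems else 0)
```

A non-zero exit only for problems on the apex and www keeps the script usable as a CI gate after DNS changes; the warnings are informational because a separate environment (staging, for instance) may legitimately not be on GES, but each one is a hostname an attacker can use to reach an origin directly.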

Learn more about Domain Statuses here.


GES Cache

By default, GES has static asset cache expiration set to 365 days. If the cache expiration needs to be modified, reach out to WP Engine Support. To purge the GES cache for a domain yourself:

  1. Log in to the User Portal
  2. Click Sites
  3. Select the environment name you’ve set up GES for
  4. Click Domains
  5. Click the menu to the right of your domain
  6. Click Clear GES cache


GES Errors

If you are using WP Engine’s Global Edge Security add-on you may see new errors. Read on to learn how to interpret the error pages, and troubleshooting steps to resolve errors.

Unknown Error

This section will help you if you encounter the following error:

Web server is returning an unknown error
There is an unknown connection error between Cloudflare and the origin web server. As a result, the page cannot be displayed.
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 520
Cloudflare Location: DFW

This error appears when there is a connection error between Cloudflare and the WP Engine origin server. While this error can mean several things, some common causes include:

  • The connection was reset
  • Response headers were too large (generally indicates a deeper problem with the website)
  • Invalid or empty response from the WP Engine origin server
  • No response headers were sent
  • Presence of multiple “Content-Length” headers

The 520 Unknown Error is typically caused by something at the application layer, indicating a website-level issue rather than a server-level issue. Try visiting the site while using a hosts-file override to point your domain directly at the WP Engine IP address shown in your User Portal; the origin may then return a different, more specific error that points at the cause. For more help, contact WP Engine support via 24/7 Live Chat in your User Portal.
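The scripted equivalent of the hosts-file trick is to open a TLS connection to the origin IP while sending the real domain as the Host header and TLS SNI; the raw response can then be checked for the 520 causes listed above. The following is an added example, not WP Engine’s or Cloudflare’s code: the origin IP and domain are command-line arguments, the 16 KB header ceiling is an assumption, and the sample responses are constructed rather than captured from any site.

```python
"""Probe the WP Engine origin directly and check its raw HTTP response for
the conditions Cloudflare reports as a 520.

Added example, not WP Engine's or Cloudflare's code. fetch_raw() needs network
access; analyze() is pure and runs on the constructed samples below.
"""
import socket
import ssl
import sys

MAX_HEADER_BYTES = 16384   # assumption: a generous ceiling for the whole header block


def fetch_raw(host, origin_ip, path="/", port=443, timeout=10):
    """Send one GET to origin_ip as if it were `host` (Host header + SNI); return raw bytes."""
    ctx = ssl.create_default_context()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"User-Agent: ges-origin-probe\r\nConnection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def analyze(raw, max_header_bytes=MAX_HEADER_BYTES):
    """Return the list of 520-style findings in a raw response (empty list = looks sane)."""
    findings = []
    if not raw:
        findings.append("empty response from origin")
        return findings
    text = raw.replace(b"\r\n", b"\n")            # tolerate bare-LF servers
    head, sep, _body = text.partition(b"\n\n")
    if not sep:
        findings.append("no end of headers found (truncated or malformed response)")
    lines = head.split(b"\n")
    if not lines[0].startswith(b"HTTP/"):
        findings.append(f"invalid status line: {lines[0][:60]!r}")
    headers = [line for line in lines[1:] if line]
    if not headers:
        findings.append("no response headers were sent")
    if len(head) > max_header_bytes:
        findings.append(f"response headers too large ({len(head)} bytes)")
    content_lengths = [h for h in headers if h.lower().startswith(b"content-length:")]
    if len(content_lengths) > 1:
        findings.append(f"multiple Content-Length headers ({len(content_lengths)})")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_DUP_CL = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Length: 3\r\n\r\nok"
SAMPLE_NO_HEADERS = b"HTTP/1.1 200 OK\r\n\r\nok"
SAMPLE_HUGE = b"HTTP/1.1 200 OK\r\nSet-Cookie: " + b"x" * 20000 + b"\r\n\r\n"

if __name__ == "__main__":
    # usage: python origin_probe.py fakewebsite.com 203.0.113.10 [/path]
    host, origin_ip = sys.argv[1], sys.argv[2]
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    raw = fetch_raw(host, origin_ip, path)
    print(raw.split(b"\n", 1)[0].decode(errors="replace"))   # the status line
    for finding in analyze(raw) or ["no 520-style problems found"]:
        print(" -", finding)
```

Because the request bypasses the edge, whatever status or error the origin returns here is the one Cloudflare was hiding behind the 520; a connection reset or an empty response at this step usually means a fatal PHP error or a plugin aborting the request before any headers are written.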

Web Server is Down

This section will help you if you encounter the following error:

Web server is down
The web server is not returning a connection. As a result, the web page is not displaying.
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 521
Cloudflare Location: DFW

This error occurs when Cloudflare received a “connection refused” response from the WP Engine origin server, or when the web server is down or restarting. If the web server is down or restarting, simply try the web page again in a few minutes.

In the case of a “connection refused” issue, this usually happens because a Cloudflare IP address has been rate-limited or blocked on the WP Engine server or on the website directly through a security/firewall plugin. WP Engine itself allows connections from Cloudflare IP addresses, so the issue is most likely a security plugin or firewall on the site. Such plugins see the Cloudflare edge address as the connecting client, so rate-limiting by source IP ends up blocking the edge, and with it every visitor behind it, rather than the abusive user. Check your security settings for your website, or contact WP Engine Support via 24/7 Live Chat in your User Portal for more help.

Connection Timed Out

This section will help you if you encounter the following error:

Connection timed out
The initial connection between Cloudflare's network and the origin web server timed out. As a result, the web page can not be displayed.
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 522
Cloudflare Location: DFW

This error indicates the request timed out when trying to establish an initial connection to the WP Engine origin server. There are several conditions which could cause this error to appear:

  • Your WP Engine server is overloaded with traffic, and could not respond to the connection request
  • Cloudflare requests have been blocked by your website via a security plugin or firewall
  • The website has disabled HTTP Keep-Alive
  • Faulty network routing

If the first or last scenario is true, try again in a few minutes to see if your request is successful, as the high traffic or routing issue may be temporary. If you continue to see this error, contact WP Engine Support via 24/7 Live Chat in your User Portal for more help troubleshooting this issue.

If the second or third scenario applies, check the security settings of your firewall or security plugin and ensure it is not blocking Cloudflare IP addresses, and that Keep-Alive has not been disabled, since Cloudflare relies on it to make connections to your WP Engine server.
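For the 521 and 522 cases above, the check a practitioner wants is whether the plugin’s blocklist or rate limiter has caught a Cloudflare edge address, and the fix is to have it act on the visitor address that Cloudflare passes in the CF-Connecting-IP header instead. The following is an added example, not WP Engine’s or Cloudflare’s code: the IP ranges are a snapshot that must be refreshed from Cloudflare’s published lists before use, the blocklist export is constructed, and the client_ip() logic is the general pattern rather than any particular plugin’s implementation.

```python
"""Find Cloudflare edge addresses in a site's block/rate-limit list, and resolve
the real visitor IP the way a plugin behind GES should.

Added example, not WP Engine's or Cloudflare's code. The range list is a
snapshot (assumption: refresh it from https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6 before relying on it, since it changes).
"""
import ipaddress

CLOUDFLARE_RANGES_SNAPSHOT = """
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
"""

# Constructed sample of a security plugin's blocklist export: "ip<TAB>reason".
SAMPLE_BLOCKLIST = """\
203.0.113.5\tbrute force against wp-login.php
172.68.10.4\trate limit exceeded (500 requests/minute)
198.51.100.9\tmanual block
"""


def load_ranges(text):
    """Parse one CIDR per line into ip_network objects; blank and # lines are ignored."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def is_cloudflare(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_blocked_edge_ips(blocklist_text, ranges):
    """Return [(ip, reason)] for blocklist entries that are Cloudflare edge IPs.

    Each such entry surfaces to visitors as a 521 (refused) or 522 (timeout),
    because the edge, not the abusive user, is what got blocked."""
    hits = []
    for line in blocklist_text.splitlines():
        if not line.strip():
            continue
        ip, _, reason = line.partition("\t")
        if is_cloudflare(ip.strip(), ranges):
            hits.append((ip.strip(), reason.strip()))
    return hits


def client_ip(remote_addr, headers, ranges):
    """The address a plugin should block or rate-limit on.

    Trust CF-Connecting-IP only when the TCP peer really is a Cloudflare edge;
    otherwise anyone connecting directly could spoof the header to frame
    another visitor or to dodge a block."""
    if is_cloudflare(remote_addr, ranges):
        forwarded = headers.get("CF-Connecting-IP", "")
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass   # missing or garbage header value: fall back to the peer address
    return remote_addr


if __name__ == "__main__":
    ranges = load_ranges(CLOUDFLARE_RANGES_SNAPSHOT)
    for ip, reason in find_blocked_edge_ips(SAMPLE_BLOCKLIST, ranges):
        print(f"Cloudflare edge IP {ip} is blocked: {reason!r} -> unblock and rate-limit on CF-Connecting-IP")
```

Any hit from find_blocked_edge_ips() should simply be removed; the rate that triggered it was the aggregate of all visitors arriving through that edge node. The header-trust rule in client_ip() matters because a site that unconditionally honours CF-Connecting-IP lets a direct connection to the origin (which Origin IP Protection is meant to prevent, but which a leaked address makes possible) carry any source IP it likes.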

Origin is Unreachable

This section will help you if you encounter the following error:

Origin is unreachable
The origin web server is not reachable.
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 523
Cloudflare Location: DFW

This error is very rare, and typically indicates that a network route to your WP Engine origin server is unavailable. This can happen if your WP Engine server IP address has been null-routed, which is an extremely rare scenario. If you encounter this error, first check your DNS settings to ensure you are pointed at the correct CNAME for your Global Edge Security add-on. If all looks correct, please contact WP Engine Support for more help via 24/7 Live Chat in your User Portal.

A Timeout Occurred

This section will help you if you encounter the following error:

A timeout occurred
The origin web server timed out responding to the request.
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 524
Cloudflare Location: DFW

WP Engine enforces a 60-second timeout for long-running page requests. On top of this, Cloudflare enforces a 100-second timeout of a similar nature: if a connection was established but no response was sent for over 100 seconds, this error will occur. Most often this error occurs because of long-running requests (cron jobs or imports), or because of very long database operations. We recommend batching your imports or long-running cron jobs into smaller requests so that each one finishes well within the tighter 60-second limit. If you need more help identifying the source of this issue, please contact WP Engine Support via 24/7 Live Chat in your User Portal.
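The batching recommended above, as an added example that is not WP Engine’s code: a time-boxed loop that processes as many items as fit inside a budget derived from the 60-second limit and hands back a cursor for the next request. The 15-second safety margin is an assumption and the work items are constructed; in WordPress the cursor would be persisted (for example in an option) between cron ticks or AJAX calls, and the loop body would be whatever one row of the import does.

```python
"""Time-box a long-running job so each request finishes well inside the
60-second WP Engine limit (the tighter of the two timeouts on the page).

Added example, not WP Engine's code. SAFETY_MARGIN_S is an assumption; the
FakeClock makes the demonstration deterministic and instant.
"""
import time

WPE_REQUEST_TIMEOUT_S = 60      # WP Engine's per-request limit (from the page)
CLOUDFLARE_TIMEOUT_S = 100      # Cloudflare's limit; never the binding one here
SAFETY_MARGIN_S = 15            # assumption: headroom for the slowest single item
BUDGET_S = WPE_REQUEST_TIMEOUT_S - SAFETY_MARGIN_S


def run_batch(items, cursor, work, budget_s=BUDGET_S, clock=time.monotonic):
    """Process items[cursor:] until the budget is spent.

    Returns (next_cursor, done). The caller stores next_cursor and issues a
    fresh request for the remainder instead of letting one request run on.
    The budget is checked before each item, so the margin must cover the
    longest single item; a 50 s item started at 44 s still overruns."""
    deadline = clock() + budget_s
    while cursor < len(items) and clock() < deadline:
        work(items[cursor])
        cursor += 1
    return cursor, cursor >= len(items)


def run_all(items, work, budget_s=BUDGET_S, clock=time.monotonic):
    """Drive run_batch to completion, as a scheduler would across requests;
    returns how many requests it took."""
    cursor, done, requests = 0, False, 0
    while not done:
        cursor, done = run_batch(items, cursor, work, budget_s, clock)
        requests += 1
    return requests


class FakeClock:
    """Deterministic clock: the work function advances it explicitly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    rows = list(range(12))                      # constructed: 12 import rows

    def import_row(row):                        # pretend each row takes 10 s
        clock.now += 10

    print("requests needed:", run_all(rows, import_row, budget_s=45, clock=clock))
```

With a 45-second budget and 10-second rows, each request handles five rows and the 12-row import completes in three requests, none of which gets near either timeout; the same loop with the real clock is what a cron handler would run once per invocation.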

SSL Handshake Failed

This section will help you if you encounter the following error:

SSL handshake failed
Cloudflare is unable to establish an SSL connection to the origin server
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 525
Cloudflare Location: DFW

WP Engine’s Cloudflare configuration uses Cloudflare’s “Full” SSL mode, meaning Cloudflare connects to the WP Engine origin server over an encrypted connection. This error occurs if no SSL certificate exists on the WP Engine origin server for the domain, or if it was removed. To resolve this error, simply add a free Let’s Encrypt SSL certificate for your domain in the WP Engine User Portal. If you need more help troubleshooting this error, contact WP Engine Support via 24/7 Live Chat in your User Portal.

Invalid SSL Certificate

This section will help you if you encounter the following error:

Invalid SSL certificate
The origin web server does not have a valid SSL certificate
Ray ID: 1234567890-DFW
Your IP Address: 123.45.67.890
Error reference number: 526
Cloudflare Location: DFW

This error indicates the SSL certificate on the WP Engine server is not valid. If you encounter this error, check the SSL certificate showing in your User Portal for your website. Make sure the certificate is not expired, has not been revoked, and is not self-signed. To resolve this error you can add a free Let’s Encrypt SSL certificate from the WP Engine User Portal for your domain. If you need more help troubleshooting this error, contact WP Engine Support via 24/7 Live Chat in your User Portal.


NEXT STEP: Troubleshooting issues with GES
