When we host a new or migrated website, we typically set it up with a Cloudflare account that we manage for you, the customer. This gives us the ability to fine-tune your website’s performance at the network layer and manage its security properly.
But some businesses either have their own Cloudflare account to begin with or simply prefer to have more control over their infrastructure. We believe in customer autonomy and fully support both approaches.
However, in order to be able to do our job properly, we require a certain level of access to your Cloudflare account. This guide provides instructions on how to create a Cloudflare account, secure it, and safely grant us the access we need.
Create a Cloudflare Account
Signing up for a Cloudflare account is easy:
- Go to https://dash.cloudflare.com/sign-up.
- Enter your email.
- Choose a strong password that you’ve never used anywhere else.
- Keep your password safe. We recommend using a password manager (like Bitwarden) to store your email and password.
- Click Create Account.
- On the next page, Cloudflare will ask you to enter the domain of your website. We’ll skip over this step for now, so click the Cloudflare logo to go directly to your Cloudflare dashboard.
- Cloudflare will send an email to verify your email address. This is critical. Do not skip this step. Open your inbox, find the email, and click the big link to verify your email address.
You’ve created your new Cloudflare account. Now it’s time to secure it.
Secure Your Cloudflare Account
You will be granting us, a third party, access to your account. In the future, you might want to grant access to other third parties, like developers, security professionals, or website optimization experts. It’s important to ensure that everybody that connects to your account maintains the proper security protocols.
- After you log in to your account, click the profile icon at the top right of the page and then click My Profile.
- Click Authentication in the menu at the top. If the Two-Factor Authentication block shows that it’s disabled, click the Set up button next to it.
- Locate the Mobile App Authentication block and click Add. (Make sure you click the right button; there are two Add buttons on the page.)
- Follow Cloudflare’s instructions to install an authenticator app and set it up. Note that you can probably use whatever authenticator app you’re used to, including Authy, Google Authenticator, Microsoft Authenticator, or even password managers with TOTP support like Bitwarden. If you don’t want to use a mobile phone, you can click the Can’t scan the QR code? Follow alternative steps link at the bottom to get a code you can manually enter into your authenticator app.
- Enter your password again on the next page.
- Cloudflare will then show you a list of recovery codes. Download them, print them, or copy them to your password manager. If you lose your second factor (e.g., your phone), you can use these codes to recover your account.
- When you finish going through the setup pages, the Two-Factor Authentication block on the Authentication page should show a green Enabled label.
- Now click the Cloudflare icon to go back to the dashboard and then click Members on the menu at the top.
- Turn On the Member 2FA enforcement option. Anyone granted access to your account will be forced to use two-factor authentication to actually access it.
You’ve secured your Cloudflare account and set up a requirement that anyone granted access to it must also behave securely.
Grant Us Access to Your Cloudflare Account
Granting us access is really very easy.
- After you log in to your account, go to the Members area.
- In the Invite members block, type email@example.com.
- Click Invite.
That’s it. You’ve done your part. Once we get the invitation from Cloudflare and accept it, we’ll be able to manage your account.
Your account is safe in our hands:
- We will not have access to your billing.
- We will not be able to add members.
- You can also remove us from the account at any time.
- We use stringent security protocols on our end to prevent unauthorized access. In addition to strong, unique passwords, good password managers, and good security hygiene, we limit access internally: not everybody on the team has access.
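To review who holds access after inviting third parties, you can audit the member list that Cloudflare's API returns for your account. The script below is an added example, not part of the original guide; the field names (`status`, `user.two_factor_authentication_enabled`, `roles[].name`), the role names, and every address except email@example.com are assumptions or constructed sample data.

```python
import json

# Constructed sample shaped like a Cloudflare "list account members" response.
# Field names are assumed from that API; addresses other than the invited
# email@example.com are invented for illustration.
SAMPLE_RESPONSE = json.loads("""
{"success": true, "result": [
  {"status": "accepted",
   "user": {"email": "owner@customer.example", "two_factor_authentication_enabled": true},
   "roles": [{"name": "Super Administrator - All Privileges"}]},
  {"status": "accepted",
   "user": {"email": "email@example.com", "two_factor_authentication_enabled": true},
   "roles": [{"name": "Administrator"}]},
  {"status": "pending",
   "user": {"email": "dev@agency.example", "two_factor_authentication_enabled": false},
   "roles": [{"name": "Administrator"}]},
  {"status": "accepted",
   "user": {"email": "contractor@freelance.example", "two_factor_authentication_enabled": false},
   "roles": [{"name": "Super Administrator - All Privileges"}]}
]}
""")

# Roles that reach billing or member management (assumed names; adjust as needed).
SENSITIVE_ROLES = {"Super Administrator - All Privileges", "Billing"}


def audit_members(response, expected_owner):
    """Return (email, finding) tuples for members that deserve a second look."""
    findings = []
    for member in response.get("result", []):
        user = member.get("user", {})
        email = user.get("email", "<unknown>")
        roles = {role.get("name", "") for role in member.get("roles", [])}
        if member.get("status") != "accepted":
            # An unaccepted invitation is standing access nobody has claimed yet.
            findings.append((email, "invitation still pending"))
        elif not user.get("two_factor_authentication_enabled", False):
            findings.append((email, "two-factor authentication not enabled"))
        if email != expected_owner and roles & SENSITIVE_ROLES:
            findings.append((email, "holds a billing or super-administrator role"))
    return findings


if __name__ == "__main__":
    for email, finding in audit_members(SAMPLE_RESPONSE, "owner@customer.example"):
        print(f"{email}: {finding}")
```

Run it against a saved copy of your own member list, and remove any member or pending invitation you no longer recognise from the Members area.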
What We Do With Your Account
First of all, you need to know that we don’t fiddle around with it and we don’t access it when we don’t need to.
There are quite a few things that we will do:
- We’ll change your domains’ DNS records as necessary. That includes things like setting up A and CNAME records for your websites; MX records for your mailboxes; DKIM, DMARC, and SPF records for your transactional and marketing email; Google verification codes; and so forth. We manage our customers’ DNS at no extra charge.
- We’ll set up proper caching and optimization settings to fine-tune your website’s performance, including the Cloudflare proxy, caching options, network settings, and so forth.
- We’ll configure the security settings suitable for your website, such as the proper SSL settings (certificates, HSTS, etc.).
- We’ll access it in emergency situations to help protect against attacks and speed up recovery if anything goes wrong.