Jetpack incompatibility with CloudFlare
Hi,
I have the latest version of Jetpack installed on a site I’m working on. After getting Error code: -32300 for Publicize, then after deactivating and deleting, then reinstalling the plugin and getting HTTP 412 errors, then numerous support requests with my provider, I’ve finally figured out the problem. I’m running CloudFlare and my host is not allowing Jetpack to access xmlrpc.php since it sees CloudFlare’s IPs and only allows Automattic IPs to connect due to the recent security flaw.
I know this isn’t a Jetpack issue per se, but I see in your press release that you’ve asked hosting providers to provide network-wide blocks after the xmlrpc security issue. Any chance of making it so that those who have updated Jetpack can use it with a CDN on MediaTemple? I have a Bluehost site that’s running fine with Jetpack and CloudFlare so there should be some way to configure it to work on other hosts, I would assume? Here’s what MediaTemple has to say:
“It appears that your site is unable to use Jetpack due to the xmlrpc.php file it depends on being inaccessible to anyone but Automattic, the authors of WordPress. From a security standpoint, this is fine since no one else should be talking to Jetpack through this file. The following article will go into further detail:
http://jetpack.me/2014/04/10/jetpack-security-update/
When you enable CloudFlare, specifically the Railgun function, all requests to Apache come from the CloudFlare IP address range. As these IPs are not part of Automattic’s IP range, they are blocked. Unfortunately, we cannot simply whitelist CloudFlare to access Jetpack on your GRID, as the requests could be coming from an attacker or Automattic. Since all we would see on our end is CloudFlare, it reintroduces the security risk we are trying to prevent.
For now, you will not be able to use Jetpack with CloudFlare or Railgun.”
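The address-visibility problem described in the host's reply, as an added illustration that is not part of the original post or of any MediaTemple, Jetpack or CloudFlare code: it compares an allowlist on the connecting peer, a blanket allow of the proxy range, and a check that reads the forwarded client address only when the peer is a trusted proxy. The IP ranges are constructed placeholders (RFC 5737 documentation networks), the function names are hypothetical, and it assumes the proxy sets and overwrites the `CF-Connecting-IP` header on every request it forwards.

```python
import ipaddress

# Constructed placeholder ranges, NOT real Automattic or CloudFlare address space.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]     # stands in for Automattic
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # stands in for CloudFlare

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def peer_only_allow(peer_ip, headers):
    """The rule the host describes: allowlist on the TCP peer address only."""
    return _in_any(ipaddress.ip_address(peer_ip), ALLOWED_CLIENTS)

def blanket_proxy_allow(peer_ip, headers):
    """Also allowing the whole proxy range: anyone behind the proxy gets in."""
    peer = ipaddress.ip_address(peer_ip)
    return _in_any(peer, ALLOWED_CLIENTS) or _in_any(peer, TRUSTED_PROXIES)

def effective_client(peer_ip, headers):
    """Address to evaluate: the header value only if the peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the header is client-controlled, ignore it
    try:
        return ipaddress.ip_address(headers.get("CF-Connecting-IP", "").strip())
    except ValueError:
        return peer  # header missing or malformed: fall back to the proxy address

def proxy_aware_allow(peer_ip, headers):
    """Allowlist applied to the effective client instead of the raw peer."""
    return _in_any(effective_client(peer_ip, headers), ALLOWED_CLIENTS)

# Constructed sample requests: (label, peer address, request headers).
SAMPLES = [
    ("allowed client, direct", "192.0.2.10", {}),
    ("allowed client, via proxy", "198.51.100.7", {"CF-Connecting-IP": "192.0.2.10"}),
    ("other client, via proxy", "198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}),
    ("other client, direct, forged header", "203.0.113.5", {"CF-Connecting-IP": "192.0.2.10"}),
]

if __name__ == "__main__":
    for label, peer, hdrs in SAMPLES:
        print(f"{label:38} peer_only={peer_only_allow(peer, hdrs)!s:5} "
              f"blanket={blanket_proxy_allow(peer, hdrs)!s:5} "
              f"proxy_aware={proxy_aware_allow(peer, hdrs)}")
```

The second sample is the failure reported in this thread; the third shows why allowing the proxy range outright reopens access to everyone behind it.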