CDN Connector
Multi-CDN integration for WordPress. Connect Cloudflare, Bunny CDN, Fastly, AWS CloudFront, or KeyCDN to sync blocked IPs at the edge, manage cache, restore real visitor IPs, and activate shield mode during attacks.
Overview
The VistoShield CDN Connector bridges your WordPress security stack with your CDN provider. Instead of blocking threats only at the application level, CDN Connector pushes firewall decisions to the network edge — stopping malicious traffic before it reaches your server.
Key capabilities include:
- Support for 5 major CDN providers: Cloudflare, Bunny CDN, Fastly, AWS CloudFront, and KeyCDN
- Automatic sync of blocked IPs from Firewall and Bot Detector to CDN edge rules
- Cache purge management (purge all, purge by URL, auto-purge on security events)
- Real visitor IP restoration with automatic CDN header detection
- Under Attack / Shield Mode activation from WordPress dashboard
- Connection health monitoring and API status checks
Supported CDN Networks
| Provider | Edge Blocking | Cache Purge | Shield Mode | Real IP Header |
|---|---|---|---|---|
| Cloudflare | ✅ | ✅ | ✅ (Under Attack Mode) | CF-Connecting-IP |
| Bunny CDN | ✅ | ✅ | ✅ | X-Forwarded-For |
| Fastly | ✅ | ✅ | ✅ | Fastly-Client-IP |
| AWS CloudFront | ✅ (via WAF) | ✅ (Invalidation) | — | CloudFront-Viewer-Address |
| KeyCDN | ✅ | ✅ | — | X-Forwarded-For |
Installation & Setup
- Upload the
vistoshield-cdnfolder towp-content/plugins/ - Navigate to Plugins → Installed Plugins in your WordPress admin
- Click Activate next to VistoShield CDN Connector
- Go to VistoShield → CDN Connector to connect your CDN provider
Connecting Your CDN
Navigate to VistoShield → CDN Connector → Providers and select your CDN. Each provider requires specific API credentials:
| Provider | Required Credentials |
|---|---|
| Cloudflare | API Token (with Zone permissions) or Global API Key + Email. Zone ID. |
| Bunny CDN | API Key from the Bunny dashboard. Pull Zone ID. |
| Fastly | API Token with purge and ACL permissions. Service ID. |
| AWS CloudFront | IAM Access Key ID and Secret Access Key with CloudFront and WAF permissions. Distribution ID. |
| KeyCDN | API Key from the KeyCDN dashboard. Zone ID. |
After entering your credentials, click Test Connection to verify API access. A green status indicator confirms the connection is active.
Auto-Sync Blocked IPs
When enabled, CDN Connector automatically pushes blocked IPs from your Firewall and Bot Detector to your CDN’s edge firewall rules. This means malicious traffic is stopped at the CDN level before it ever reaches your origin server.
How sync works:
- Real-time sync — When the Firewall or Bot Detector blocks an IP, it is immediately added to the CDN’s block list
- Batch sync — A scheduled task (every 5 minutes by default) ensures any missed IPs are synced
- Expiration — Temporary blocks are automatically removed from the CDN when they expire in VistoShield
- Manual sync — Use the Sync Now button to force an immediate full sync
Cache Management
Manage your CDN cache directly from the WordPress dashboard under VistoShield → CDN Connector → Cache:
| Action | Description |
|---|---|
| Purge All | Clears the entire CDN cache. Use after major site changes or security incidents. |
| Purge URLs | Selectively purge specific URLs or URL patterns from the cache. |
| Auto-Purge on Events | Automatically purge relevant cache when security events occur (e.g., after a malware cleanup or firewall rule change). |
Auto-purge events can be configured under the Events tab. Common triggers include post-incident cleanup, WAF rule updates, and plugin deactivation.
Real IP Restoration
When your site is behind a CDN, WordPress sees the CDN’s IP address instead of the actual visitor IP. CDN Connector automatically detects your CDN provider and restores the real visitor IP from the appropriate header.
- Auto-detection — CDN Connector identifies your CDN provider and selects the correct header automatically
- Manual override — You can specify a custom header if your setup uses a non-standard configuration
- Trusted proxies — Configure trusted proxy IP ranges to prevent header spoofing
- Integration — Restored IPs are used by all other VistoShield plugins (Firewall, Bot Detector, Login Guard, Activity Log)
Under Attack / Shield Mode
Shield Mode is an emergency feature that activates your CDN’s highest protection level directly from the WordPress dashboard. When activated:
- Cloudflare — Enables “Under Attack Mode”, presenting a JavaScript challenge to every visitor
- Bunny CDN / Fastly — Activates enhanced DDoS protection and aggressive bot filtering
- AWS CloudFront — Not available (use AWS Shield separately)
- KeyCDN — Not available
Shield Mode can be activated manually from the CDN Connector dashboard or automatically via Incident Response playbooks. It should be deactivated once the attack subsides to avoid blocking legitimate visitors.
FAQ
Can I use CDN Connector without other VistoShield plugins?
Yes. CDN Connector works independently for cache management and real IP restoration. However, the auto-sync blocked IPs feature requires the Firewall or Bot Detector plugin to be active, since it syncs their block lists to the CDN edge.
Does CDN Connector replace my CDN’s built-in security?
No. CDN Connector enhances your CDN by pushing WordPress-level security decisions to the edge. It works alongside your CDN’s native security features, not instead of them.
How many IPs can be synced to the CDN?
This depends on your CDN provider’s limits. Cloudflare free plans support up to 50,000 IP Access Rules. Bunny CDN and Fastly have similar generous limits. CDN Connector tracks sync counts and warns you when approaching provider limits.
Will purging the CDN cache affect my site performance?
A full cache purge will temporarily increase origin server load as the CDN rebuilds its cache. For routine changes, use the selective URL purge feature to minimize impact. Auto-purge on security events only clears relevant URLs.
Is my CDN API key stored securely?
API credentials are encrypted at rest in the WordPress database using the site’s authentication keys. They are never exposed in the admin interface after initial entry and are never transmitted to any external service other than your CDN provider.