In Spain, each matchday of La Liga brings more than just goals: it also involves judicial IP and full range blocks to combat pirated broadcasts. The collateral damage is well known by too many companies: completely legitimate sites see their traffic plummet right at match time, their revenue drops, and their technical reputation is called into question… without broadcasting even a second of football. To address this recurrent and serious issue, developer David Carrero (@carrero) has created CF Football Bypass, a free (GPLv2) plugin for WordPress that automates a simple and secure maneuver over Cloudflare DNS: temporarily disable the proxy on the records you specify while “there’s football”, and reactivate it once the risk window ends.
The idea is straightforward and effective: if Cloudflare ranges are the ones that might fall under a blocking order, leave the range during the game. The plugin does not touch content, URLs, or WAF rules. It only toggles the proxy/DNS Only flag on the A and CNAME records selected by the admin. When the match window ends, it reactivates the proxy and everything returns to normal.
The problem: shared ranges causing innocent blockages
Solutions to block illicit streams often target entire ranges of shared infrastructure: CDNs, distribution networks, anycast IPs. When those ranges affect Cloudflare, any domain passing through those IPs can fail to resolve correctly for a significant percentage of users (depending on the carrier, territory, and propagation). And the analytics graph confirms this: sudden, synchronized drops aligned with match times, resulting in abandoned carts, unsent forms, and deteriorated quality metrics.
CF Football Bypass does not dispute the legal framework nor does it aim to evade rights holders. Its purpose is to protect those who do not broadcast but, nonetheless, suffer from sharing infrastructure with infringing third parties.
The solution: “if there’s a match, DNS Only; if not, Proxied”
The plugin automatically checks “if there’s football now” via the service hayahora.futbol. With this indication:
- Match detected → disable Cloudflare’s proxy (set to DNS Only) only on the records you marked.
- Maintain the bypass for the configured duration (between 60 and 600 minutes; typical value 120).
- Once time is up → reactivate the proxy (Proxied) on those same records and restore normal operation.
Additionally, manual controls (activate/deactivate) are included, in case there’s an overtime, an unscheduled friendly, or you want to test the switch without waiting for the cron job.
Fail-safe design: if for any reason the football status cannot be checked, it does nothing. That is, it fails safe.
Authentication in Cloudflare: best with Minimal Permissions Token
To toggle the proxy flag, the plugin connects to the official Cloudflare API. It supports:
- Global API Key + email (classic method).
- API Token with minimum permissions (recommended).
Permissions needed for the API Token:
- Zone:Read
- DNS:Read
- DNS:Edit
This limits the token’s scope and reduces the risk if it gets leaked. The plugin only uses these credentials to list records and modify the proxied status.
Reliable scheduling: wp_cron or external cron with token
By default, CF Football Bypass uses wp_cron to check the status every X minutes (between 5 and 60; recommended 15). On low-traffic sites—where wp_cron might not trigger reliably—it offers a protected tokenized endpoint to run the task from the server cron:
*/15 * * * * curl -s "https://yourdomain.com/wp-cron.php?cfb_cron=1&token=YOUR_TOKEN_HERE" > /dev/null 2>&1
This endpoint only executes the plugin check. The token is regenerated when you save settings with the field empty.
Fine-tuned control: choose specific records and bypass duration
Not every record needs to switch. From the settings, you can:
- Mark only critical records (e.g.,
@andwww) and leave the rest always proxied (mail, FTP, internal subdomains, static files…) - Adjust the bypass duration (between 60 and 600 minutes).
- Manually activate/deactivate whenever needed.
This granularity reduces impact on cache/CDN: for example, you can switch the front-end for football matches and keep static/media content proxied and served from Cloudflare.
Clear dashboard and auditable logs
The plugin offers a status panel with:
- Real-time football status.
- Last check (date/time).
- Bypass active/inactive.
Includes action logs (internal/external cron, manual actions, user, result), with configurable retention and an optional disable logging. The cfb-actions.log file is stored in the plugin folder. You can also view scheduled events via Tools → Site Health → Info → Scheduled Events (look for cfb_check_football_status).
Security note: if you deactivate the plugin, it automatically re-enables the proxy on all managed records, so that no half-measures are left behind.
Installation in 10 minutes (step-by-step)
- Download the plugin from GitHub.
- Upload and activate in
wp-content/plugins/cf-football-bypass/. - Go to Settings → CF Football Bypass.
- Select the authentication method (preferably API Token).
- Paste Token and Zone ID from Cloudflare.
- Set check interval (e.g., 15 minutes) and duration (e.g., 120 minutes).
- Click “Test connection and update DNS list”.
- Mark the A/CNAME records to manage.
- Save.
From this point, automation is active.
Typical use cases
1) E-commerce and media with predictable peaks
If your traffic peaks coincide with matches, the bypass reduces 5xx/522 errors, response time spikes, and complaints. You can toggle only @ and www and keep static content proxied in Cloudflare.
2) Ecosystems with many subdomains
Each subdomain can have different policies: app.company.com always proxied, blog.company.com toggled, api.company.com unchanged. Avoid breaking integrations.
3) Sites with low traffic at night or weekends
Configure the external cron with token to ensure timely checks even if there are no visits.
Scope and limitations (what it does and what it doesn’t)
- Yes, it does: toggle proxied/DNS Only on marked records via Cloudflare API.
- No, it doesn’t: delete records, edit content, change WAF settings, or manipulate cache pages.
- Important: if your origin IPs (server) are blocked, this is an other issue; this plugin avoids falling into Cloudflare range blockades, but cannot “unblock” a listed origin.
Requirements and version
- WordPress: from 5.0 (tested up to 6.8).
- PHP: 7.4 or higher (extensions curl and json).
- Outgoing HTTP/HTTPS connectivity for hayahora.futbol and Cloudflare API.
- Cron: wp_cron or external cron with token.
- Stable version: 1.0.1 (adds API Token, improves logs, help sidebar, and manual controls with double verification). Version 1.0.0 introduced monitoring and management via Global API Key.
License: GPLv2 (or later). Open source on GitHub (repository name: dcarrero/cf-football-bypass). Author: David Carrero.
Why this “minimal change” approach works
- No impact on SEO or links: you don’t change URLs, maps, or structure; only alter the pathway for traffic during the match.
- Full reversibility: the usual state resumes only when the window ends.
- Visibility and traceability: dashboard and logs to explain to the business what happened and when.
- Reduced error surface: a single flag (proxied) on specific records, without touching other layers.
Quick guide to best practices
- Start small: toggle
@andwww; evaluate metrics; adjust. - Use minimal permissions token: avoid Global API Key unless no alternative.
- Reliable cron: if your wp_cron is irregular, set up an external cron every 15 min.
- Monitor: note match times, check logs, and record timings.
- Document: keep track of affected records and agreed durations.
Frequently asked questions
Can serving in DNS Only affect cache or performance?
It may change traffic path (from CDN to origin), so temporary latency or bandwidth differences are normal. With record-level control, you can keep static/media assets proxied and only toggle the front-end.
What exact permissions does the Cloudflare API token need?
Zone:Read, DNS:Read, and DNS:Edit. Nothing more. With these, the plugin can list records and change the proxied flag. Avoid broad permissions.
What if the match goes into overtime?
Set a generous duration (e.g., 120 minutes). If it extends, you can manually extend the bypass or reactivate it with a click if needed.
Can it be used on multiple zones (domains) simultaneously?
The plugin works per zone. For multiple domains, replicate the setup on each WordPress site or create a procedure per project.
What happens if I uninstall or deactivate the plugin during a bypass?
It includes a safety feature: when deactivated, it automatically restores the proxied state in all managed records, avoiding incomplete states.
Conclusion
CF Football Bypass offers a simple technical solution to a predictable risk: when range-based blocks impact Cloudflare during matches, it temporarily switches to DNS Only and then restores to normal. It does so with minimal intrusion, traceability, and reversibility. For those seeing traffic drop during matches without being part of the problem, it’s a safety net that might mean the difference between lost afternoons and stable operations.