My primary reason for the sites I've used it on is testing.
The site that I'm testing *for* right now has plenty of server capacity, but some slow response times in foreign locales, so it would be the CDN aspect and the bandwidth optimization for front-end speed that would be primarily attractive.
That said, having tested on low-traffic sites that have no real need of the load balancing per se, I do like Cloudflare.
Like I say, it's the easiest DNS management interface I've used and since it's on the proxy itself, the TTL is under five minutes.
The reverse proxy is also really easy to use if you remember it's there - I was troubleshooting a page layout issue and it took me 20 minutes to realize that it wasn't changing because it was serving a cached version. That in itself was a good test - it was basically transparent. But it's easy to flush the cache, flush a file or tell Cloudflare to bypass the reverse proxy and serve your site uncached.
And then there's the firewall, and this gets to the nub of my question. What I like is that comment spam goes way down. I have it set to "low" meaning only to block the absolute worst offenders (overwhelmingly Chinese IPs). But I do wonder if legit visitors are getting caught in that trap. It has happened to me on one occasion that I was presented with a Cloudflare challenge page.
Oh, one other "con" I forgot to mention in my top post is that if you want PCI compliance, you need two certs for every domain - one for the Cloudflare IP for that domain and one for the main server. So managing your SSL certs becomes a bit more complex. If you want basic SSL for admin login areas you need to bump up to a "pro" plan ($20/mo for the first site, $5/site thereafter), though I suppose you could set up a CNAME like secure.example.com that would not be managed by CF. I'm not sure how that would work... should work though.
At that point it's a tough call. Let's say you're running five small sites on an underpowered VPS. Now you're looking at $40/month for Cloudflare. If you put that money toward your VPS...
- at VPSLatch it takes you from 1GB to 4GB of memory
- at Digital Ocean it takes you from 4GB/2 cores to 8GB/4 cores
So I think it works best for
- sites that have modest traffic and can live without SSL
- sites that really need the "Railgun" optimization and all that