On Thursday, April 8, 2021, Cloudflare sent the following email to their users:
Cloudflare is making infrastructure changes to simplify customer configuration, and reduce the number of IPv4 addresses that could potentially interact with your origin on Cloudflare’s behalf.
If your security model relies on allowing a list of trusted Cloudflare IPs from cloudflare.com/ips (or via API) on your origin, please make the following changes to your allow list by May 7, 2021. This change is safe to make today.
This change delists the 126.96.36.199/14 prefix, which is no longer in use by Cloudflare infrastructure. These addresses will be repurposed for use with our Gateway and WARP (secure web gateway and VPN) products, and may carry traffic from untrusted sources in the future.
Our server platform has built-in tools to keep track of the official Cloudflare IP addresses. These tools make sure that we're identifying visitor traffic correctly in server logs, and allow WordPress and its plugins to see real user IPs, rather than Cloudflare IPs.
Once Cloudflare updates their official list, our automated systems will pick up this change and make the needed server adjustments.
We'll also be monitoring the servers to make sure this happens as expected.
Either way, there's nothing you need to do—we'll take care of this automatically for you!