Regular readers of my blog will remember that a couple of weeks ago I posted about my website security and business or blog continuity efforts after signing up with CloudFlare for website protection and acceleration. While CloudFlare has been good to me so far, I now believe that I have found something even better: Incapsula. This post will present the results of my highly unofficial and probably highly biased comparison of Incapsula and CloudFlare. Incapsula works similarly to CloudFlare, albeit slightly differently, and while it would be grossly exaggerating to. After some testing I have decided to make the switch, and this post is about my experience with Incapsula compared to CloudFlare.
Personal and biased
Mind you, this is not meant to be a full review or side by side comparison of CloudFlare versus Incapsula, but only meant to highlight some of the differences between them and my personal reasons why I would choose one over the other. For a full comparison, take the CloudFlare tour and then take the Incapsula tour, and then make up your mind.
Both offer free and paid plans. CloudFlare only has two options, Free and Pro at $20 per month. Incapsula has Free and Bronze/Silver/Gold at $49/$99/$249 per month. Clearly, Incapsula aims at the business market, while CloudFlare is for the average website owner and blogger. As I see it, free CloudFlare offers performance and paid CloudFlare offers you more security, while free Incapsula offers security and paid Incapsula offers you more performance.
First out: web acceleration. For this I used watchmouse.com to browser-load my home page and this image-heavy post page at 15-minute intervals from a random selection of more than 60 locations worldwide, which ought to guarantee an even spread of the results. I tested for 8 days straight: 3 days with Incapsula, 2 days with server cache only and another 3 days using CloudFlare. Using this much time I was able to take into account the time it takes for the DNS changes to propagate throughout the Internet, since using CloudFlare or Incapsula involves changing the DNS. This post shows how to set up Incapsula in cPanel.
Both Incapsula and CloudFlare appeared to bring down my loading time to approximately the same level. What I noticed when looking at the numbers in more detail is that load time with Incapsula seemed more stable across the board regardless of time or location, whereas CloudFlare fluctuated a lot more, with far better results in the US than elsewhere in the world, but very dependent on the time of day. However, as even closer scrutiny revealed, that could be due to variations in connection speed rather than CloudFlare performance issues.
One thing that stands out from the above graph is that Incapsula seems to take a little while longer to connect, while CloudFlare takes a little while longer to render the full post content. This is confirmed when I look at how my site loads in Pingdom.
While Incapsula loads continuously, taking 1.8 secs, CloudFlare loads some resources superfast in 1.4 secs or so and then slooowly gathers the rest, making it a total of more than 9 secs. Why is that? It’s simple: to keep visitors on your site and prevent them from clicking out, as they explain in the video below. Presumably, visitors will see how most of the site loads fast and then not notice that not everything is there yet. That said, looking at my site, I doubt that anyone is seriously going to notice 1.8 secs over 1.4 secs, despite CloudFlare claiming that for every 0.1 secs delay 2% of your visitors go away. Really?
For the record I also checked my home page and the post page using yottaa.com, loads.in and Firebug, and although the absolute numbers were different, presumably due to differences in connection speed and the different way these monitors work, the trend seemed the same: both CloudFlare and Incapsula delivered the same performance, with Incapsula perhaps a few notches better, but my testing period is simply too short to state this conclusively. I should perhaps add that I am using Quick Cache as a server cache on my backend, so I didn’t expect a significant increase in loading speed in any case.
CloudFlare has a lot of options for speeding up performance. Incapsula seems to have fewer. For example, while CloudFlare includes JS and CSS Minification in their free plan, at Incapsula this starts from the Silver plan at $99/month. In fact, CloudFlare’s settings and options (see below) are very extensive compared to Incapsula, but perhaps it’s too much? One thing CloudFlare has that Incapsula doesn’t is “Always Online”, in practice a more or less full cache of your website, allowing visitors to browse your site should the connection to your server go down for any reason. That may be a selling point, but I experienced way too many false positives, where CloudFlare’s cache would kick in when my site wasn’t offline at all.
While CloudFlare appears to have more performance options, there is one thing that Incapsula does better, and that is caching. CloudFlare only caches static content; Incapsula on the other hand also caches dynamic content, thus improving the distribution of your content.
This is what CloudFlare says, see blog.cloudflare.com/cloudflares-free-cdn-and-you
What kind of static content does CloudFlare cache?
Does CloudFlare cache dynamic content, such as HTML or PHP?
CloudFlare does not currently cache these content types.
And this is what Incapsula says, see incapsula.com/how-it-works/website-performance.
Dynamic content caching
Incapsula caches web site content on its proxies in order to return resources faster to users and reduce page load time, bandwidth and server load. Incapsula does not only cache static content but can also identify content dynamically generated by the application, which can be cached while it remains unchanged.
So, in terms of caching, Incapsula is better than CloudFlare, but it is only available starting with the Silver plan at $99/month. With a free account, both are equal, although there could be behind-the-scenes differences in technology that I don’t know of.
I am not an expert in web security and for a lay person like me it is practically impossible to say which is better and which one is worse, and the description of their security features and options doesn’t exactly tell what they are doing to protect my website. The threat handling panel does not have many options:
- Observe and Report: Incapsula will issue an alert for every threat but will not block it. The alerts are visible in the Site Dashboard and in the Traffic tab under the Site Dashboard.
- Block Request: Incapsula will block any request that poses a threat to your website and issue an alert.
- Block User: Incapsula will block any user that attacked your website. The user will be blocked, starting from the first request that poses a threat.
- Block IP: Incapsula will block any IP that attacked your website. The IP will be blocked for 24 hours, starting from the first request that poses a threat. When an IP is blocked, Incapsula will also block the user to prevent the same user from executing attacks using other IPs.
- Do Nothing: Incapsula will take no action when detecting a threat.
It should be noted that while Incapsula includes a Web Application Firewall (WAF) and protection against SQL injection and Cross Site Scripting in their free plan, CloudFlare does not and only offers it in the Pro version at $20/month, and thus, in my opinion, CloudFlare does not offer any real security in their free plan. Speaking about security, the other day my Incapsula dashboard alerted that it had blocked some illegal request originating from my own IP, apparently during the editing of my blog, and it wasn’t long before I got an email from the support staff at Incapsula:
During our regular system monitoring we have identified a false positive in one of our threat detection engines. This caused an Illegal Resource Access threat alert on a legitimate request. As an immediate resolution we have added an exception for this rule on the following URL on your site: XXXXXX (this is a WordPress password protected page so there should be no risk with this exception). You can see this exception under the site threats settings. Within the next day we will issue a permanent fix for this issue and then the exception can be removed.
Now, that’s a company that truly values the security of their customers, and in my mind, it is one of the best arguments for staying with Incapsula. I mean, they could have just fixed this without telling me.
Both CloudFlare and Incapsula present blocked visitors with an information page, explaining why they have been blocked. CloudFlare takes it further than Incapsula, and allows blocked visitors access if they pass a Captcha challenge, thus proving that they are human. This challenge page can be customized to match your site’s colors, so it almost looks like part of your website. A plus for CloudFlare is that blocked humans have the option to leave a message and ask to be whitelisted and allowed in permanently.
What bugs me, however, are the Google ads displayed on this page, and in the customization settings this ad area is left “reserved for recommended software resources to aid in resolving virus or security issues”…yeah right, judging from the ads in the picture left.
Add to that some sloppy Google translations for the other languages (see comment below), and this does not look like a professional website to me, and I don’t want my blocked visitors to be greeted like this, even if they are only a handful. You can see an example of this challenge page, the ads and the translations here: anti-virus.cloudflare.com/cdn-cgi/anti-virus-challenge
Incapsula, on the other hand, looks neat and professional. Maybe it’s because I’m an engineer and like things squared and orderly presented, but it simply looks better.
Note that the blocked page displays my website icon in the address bar and the browser tab, so clearly this is part of my site. Very nice, indeed. In Incapsula, blocked visitors are just blocked and will have to trust that Incapsula staff will investigate the matter as they say they will do.
I wish Incapsula had an option to leave a message, like CloudFlare has, even if it’s only an e-mail address, which could be forwarded to me, the site owner, or to Incapsula, or both, but even without it this does look like a pro business blockage and very different from CloudFlare: incapsula.com/incapsula-errors
One nice thing about Incapsula is that they send out a weekly digest of how your site is doing, so you don’t have to log in to keep track.
Both Incapsula and CloudFlare have Support forums, and since CloudFlare has been around a bit longer and has a more active community, naturally their forum has more posts and a more extensive range of FAQs. Incapsula’s forum is still a bit in its infancy, but is slowly gaining momentum. Staff usually respond to questions quite promptly both at CloudFlare and at Incapsula.
CloudFlare versus Incapsula
One thing that really shows the difference between the culture of Incapsula and the culture of CloudFlare is these two video interviews with the founders and CEOs of either company.
While Incapsula stays focussed on the topic, explains in detail what they are doing and why, and almost takes you step by step through the whole product, CloudFlare is a lot more chit-chat commercial and not so informative, mostly telling again and again how great and “cool” their service is, and almost scaremongering people into using CloudFlare. I prefer the hard fact technical approach by Incapsula.
First, both CloudFlare and Incapsula are about equal in improving performance, based on the short time I tested it on my blog. Either one would work for me here, and I do like CloudFlare’s “Always Online” cache of my site when my server or connection is down, but I had too many false positives with it. Second, CloudFlare’s options and features seem geared towards performance more than security, while Incapsula appears to be primarily concerned with security. I’m more concerned with security, so I’m going for Incapsula. Third, personally I prefer Incapsula’s easy and straightforward dashboard over CloudFlare, and I’m put off by CloudFlare’s cheap-looking and Google-translated (see comment below) challenge page for blocked visitors. Fourth, in my opinion, CloudFlare is for the masses. Incapsula is for business. I’m business, and I’m going for Incapsula.
Well, this is how I experienced CloudFlare versus Incapsula on my blog, and it may not be the same for other websites. Every website is different and every website owner has different requirements and preferences, as Rakesh Sharma writes in his post about Incapsula. The only way to find out what is best for you is to test it yourself. DiTesco did, and here is his opinion on Incapsula. What works for him or for me may not work for you. For me, Incapsula works.
Update 2011/07/16 – Speed comparison
I’ve now been using Incapsula for two weeks, and I’m impressed with the results. It isn’t any worse than CloudFlare, perhaps even a bit better, when going over my Yottaa records:
Only server cache (11 weeks of data)
Time to title: 477 ms
Time to First Paint: 2110 ms
Time to Display: 3830 ms
Time to Interact: 4630 ms
CloudFlare + cache (6 weeks of data)
Time to title: 438 ms
Time to First Paint: 1450 ms
Time to Display: 1870 ms
Time to Interact: 2820 ms
Incapsula + cache (3 weeks of data)
Time to title: 410 ms
Time to First Paint: 1180 ms
Time to Display: 1540 ms
Time to Interact: 2310 ms
Conclusion: Both CloudFlare and Incapsula improve my site speed considerably, with Incapsula being perhaps an inkling better…when measuring. Visually, from my location, my site did seem a bit “snappier” (as CloudFlare likes to call it) when using CloudFlare, but I also noticed that while the text appears instantly, some images take a little longer to load with CloudFlare than with Incapsula. So, as to Incapsula versus CloudFlare, performance is equal, but is security better in CloudFlare
Update 2011/07/17 – WordPress plugin
Both CloudFlare and Incapsula act as a reverse proxy: all incoming connections to your website first pass through one of their servers, so the address your server sees is no longer the visitor’s originating IP but one from CloudFlare’s or Incapsula’s IP range. If you use filtering plugins on your WordPress blog, e.g. for spam protection or for banning certain users, this may render these plugins useless. Until now, only CloudFlare had a plugin for WordPress that ensured that the originating IP was passed on through the system, which meant that a plugin such as Bad Behavior wouldn’t work with Incapsula. No more, because today Incapsula released their plugin for WordPress. So, if you’re a WordPress user, there’s nothing to stop you from using Incapsula.
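The check that any such IP-restoring layer has to make, as an added sketch that is not code from the CloudFlare or Incapsula plugins: a forwarded client address is only believed when the connection really came from the proxy, otherwise anyone connecting directly could evade or frame a ban by sending the header themselves. The header name, the proxy ranges (RFC 5737 documentation networks) and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed placeholder ranges standing in for the proxy provider's
# published IP ranges (assumption: replace with the real published list).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed header name; use whichever header your proxy provider documents.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def originating_ip(peer_addr, headers):
    """Return the address that ban and spam rules should be applied to."""
    # Connection did not come from the proxy: the header is fully under the
    # sender's control, so ignore it and use the socket peer address.
    if not is_trusted_proxy(ipaddress.ip_address(peer_addr)):
        return peer_addr
    hops = [h.strip() for h in headers.get(CLIENT_IP_HEADER, "").split(",")]
    # Walk the chain right to left: entries appended by our own proxies are
    # skipped, and the first untrusted hop is the real client. Anything a
    # client prepended further left is never reached.
    for hop in reversed([h for h in hops if h]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the peer
        if not is_trusted_proxy(ip):
            return str(ip)
    return peer_addr


def is_banned(peer_addr, headers, banlist):
    """What a filtering plugin should evaluate once it sits behind the proxy."""
    return originating_ip(peer_addr, headers) in banlist
```

Without this step a ban list only ever sees the proxy's addresses, which is the failure described above for plugins such as Bad Behavior.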
- cloudflare.com: CloudFlare
- incapsula.com: Incapsula
- watchmouse.com: Watchmouse
- tools.pingdom.com: Pingdom
- loads.in: Loads In
- yottaa.com: Yottaa
Related (news) links
- blog.imperva.com: Imperva launches Incapsula
- gigaom.com: Incapsula Launches Cloud-Based Web App Firewall
- gigaom.com: 5 companies using web data to fight cybercrime
(Incapsula is mentioned, but not CloudFlare)
- businessinsider.com: Economies of scale and website security
- thewhir.com: Incapsula to launch cloud-based WAF
- enterpriseefficiency.com: Is CloudFlare an Enterprise Answer?
Other Incapsula reviews
- iblogzone.com: Secure And Improve Performance Of Your Online Business With Incapsula
- mamchenkov.net: Incapsula – fast, secure and reasonably priced CDN