Github Pages are otherwise normal git repositories (git push, accept pull requests and github issues).
Cloudflare sits in front of a site, acting as a content delivery network and DDoS firewall. Acting as a reverse proxy, they can even provide https for your site (although it's not end-to-end security at the free level). According to their analytics, I saved 6% in bandwidth due to their caching, and 68 threats over the last week (mostly US and Ukraine). One of the reasons I stripped back the asp to html was the number of probing attacks I used to see in my logs, trying to break in via /admin and non-existent urls. With static code, it's (mostly) bullet-proof. Despite not publishing any https links, 3% of traffic is already SSL.