This tutorial walks you through every single setting in Cloudflare.
It’s specifically written for WordPress to make your site faster and more secure.
It starts with adding your website, changing nameservers, and setting up basic Cloudflare settings. Then it walks you through the tabs (from Overview to Scrape Shield), followed by additional tips like whitelisting Cloudflare’s IPs in your hosting account, why you don’t need the Cloudflare WordPress plugin, and how to set up multiple CDNs to make your site even faster (more data centers = faster website; I use both Cloudflare’s CDN and StackPath’s CDN).
The free plan comes with their CDN, page rules, and many Cloudflare settings that improve speed/security. Start with the free plan, read this tutorial, then decide if you want to upgrade.
You will eventually come to this dashboard where Cloudflare assigns you 2 nameservers:
Login to your hosting account, find your nameservers, and change them to Cloudflare’s. If you can’t find them, Google “how to change nameservers on SiteGround” (or whoever your host is).
Some hosting companies like SiteGround have an option to activate Cloudflare in their cPanel:
Nice! Just by doing that, your WordPress site is being served through their 154+ data centers (they add new ones frequently) and you have Cloudflare’s default settings in place (which we’ll tweak).
Setup Cloudflare With Your Cache Plugin
WP Rocket, WP Fastest Cache, W3 Total Cache, Swift Performance, and other cache plugins allow you to integrate Cloudflare in their settings. You will usually grab your Global API Key (found in your Cloudflare profile) and enter it into your cache plugin’s Cloudflare settings.
WP Fastest Cache:
W3 Total Cache:
Setting up Cloudflare using your cache plugin is not the same thing as changing nameservers (you still need to do that). But it ensures better compatibility between the two, since some functionalities overlap. If minify and gzip are enabled in one, they should be disabled in the other.
Basic Cloudflare Settings For WordPress
Configure SSL – the Crypto settings have options to order a free Universal SSL, force HTTP to HTTPS, set the SSL encryption level, and protect your SSL website using HSTS.
Create Firewall Rules – protect your WordPress Admin, plugins, and other sensitive areas of your website by creating parameters that stop hackers from accessing them.
Create Page Rules – optimize specific URLs for performance and security (set these up based on your website’s needs). Some examples include: forcing high security in your WordPress admin area, decreasing bandwidth consumption by controlling Cloudflare’s cache refresh rate, and bypassing cache (for WordPress admin, eCommerce pages, staging websites, and dynamic content). You can create up to 3 page rules for free.
Enable Hotlink Protection – prevents people from copying images from your site and pasting them onto theirs, which consumes bandwidth (found in Scrape Shield settings).
Rate Limiting (Paid Feature) – prevents spammy crawlers from hitting your site too much, which consumes bandwidth (a very common problem). Check your hosting account for a tool like AWstats to identify if this is happening to you. Wordfence does rate limiting for free, while Cloudflare charges for it. This is in the Firewall settings.
Multiple CDNs – more data centers = faster website (StackPath, KeyCDN, and other CDNs generate CDN URLs you can copy/paste into your cache plugin, or CDN Enabler).
Below are quick links to some of the most common Cloudflare settings, but Cloudflare’s recommended first steps (and the settings I marked as important in this guide) are what you really should look at.
Security – Cloudflare protects your website with SSL settings, firewall, Access, challenge passages, email obfuscation, and also improves uptimes using other settings in Cloudflare.
Performance – Cloudflare speeds up your WordPress site through caching, minifying files, CDN, Brotli (similar to gzip compression), Railgun, Rocket Loader, hotlink protection, image optimization, accelerated mobile links, Argo (in traffic tab) and everything in the speed tab.
IP Settings – Cloudflare helps collect visitor location data using IP Geolocation (in the Network tab), which can be used to block specific countries, spammy crawlers/bots, and other IP addresses from your website. You should whitelist Cloudflare’s IP addresses in your hosting account.
Why isn’t Cloudflare caching everything? By default, Cloudflare only caches specific static content, not including HTML. If you would like to cache everything, create a page rule, add yourwebsite.com/* as the URL, then set the cache level to everything. Your cache plugin (and another CDN if you’re using one) may also be caching content.
What attacks is Cloudflare blocking? Cloudflare blocks a variety of attacks including content scraping, fraudulent checkouts, and account takeovers. Spammy bots often excessively crawl websites and cause high CPU consumption, and since hosting companies use CPU throttling, the bots may be sucking up your CPU limits which results in a slower website, or even your host shutting down your website temporarily. Cloudflare’s firewall tab and rate limiting (Wordfence does rate limiting for free) helps.
If you want specific services/traffic routed through Cloudflare, add them here. Cloudflare automatically populates the DNS. When an arrow is going through the orange cloud, that service’s traffic is routed through Cloudflare. If it’s going around, it’s bypassing Cloudflare.
I use SiteGround (a Cloudflare partner and who I highly recommend as they were rated the #1 host in 10 Facebook polls taken by multiple WordPress-related Groups), so I manage my DNS in SiteGround’s cPanel. Otherwise you will see a DNS dashboard like the one shown below…
Verification TXT Record For CNAME Setup – add a TXT record to verify your CNAME.
CNAME Flattening – allows a CNAME record to be created for the root domain without violating DNS specifications. This speeds up DNS resolution on CNAMEs by up to 30%.
Manage your SSL and cryptography settings:
SSL – controls when SSL will be used. If using SSL, Full (Strict) is recommended.
Off – SSL will not be used.
Flexible – use if you can’t configure HTTPS on your origin. Visitors reach Cloudflare over HTTPS, but the connection from Cloudflare to your origin is made over plain HTTP, so that hop is unencrypted. Generally you should avoid this as it may also cause redirect loops, but if you must, try using the Cloudflare Flexible SSL plugin.
Full – only use if the certificate does not match your domain or is self-signed. Cloudflare will use HTTPS, but will not validate the certificate.
Full (Strict) – Cloudflare will use HTTPS and verify the certificate on each request. You should only make this change if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates.
Edge Certificates – manage your SSL certificates.
Universal SSL (Shared) – free SSL provided by Cloudflare which you will share with 50 other Cloudflare customers, with a shared common name (e.g. ssl123456.cloudflaressl.com).
Dedicated SSL Certificate – $5/month SSL dedicated only to your domain with your own common name (e.g. onlinemediamasters.com), automatically renewed by Cloudflare.
Dedicated SSL Certificate With Custom Hostnames – $10/month, same thing as previous plan only protects up to 50 more hostnames or wildcards of your choosing.
Upload Custom SSL Certificate – $200/month if you’d like to use your own SSL; comes with DDoS protection, Railgun optimization, and 100% guaranteed uptime.
Custom Hostnames (Enterprise Feature) – if you have a dedicated SSL with custom hostnames, you can enter their CNAMEs here.
Origin Certificates – these are free TLS Certificates (Transport Layer Security) but the Universal SSL should be fine for 99.99% of websites. TLS is an “improved” version of SSL but basically, it does the same thing – makes your site secure and serves your assets from HTTPS. Cloudflare Origin Certificates are only trusted by Cloudflare and should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin Certificate will show an untrusted certificate error.
Always Use HTTPS – redirects all HTTP requests to HTTPS using a 301 redirect.
HTTP Strict Transport Security (HSTS) – ensures HTTP links become HTTPS links. Protects website from downgrade attacks, SSL stripping, and cookie hijacking. Server will make sure browsers only connect using HTTPS, and that users do not bypass critical security warnings.
Authenticated Origin Pulls – verifies requests to your origin server came from Cloudflare using a TLS client certificate, preventing users from bypassing firewalls and other security.
Minimum TLS Version – sets the lowest SSL/TLS version a visitor’s browser may use to connect to your website. The default TLS 1.0 is fine.
Opportunistic Encryption – for websites that haven’t added HTTPS but want the improved speed of HTTP/2, by letting browsers know your site supports an encrypted connection. This adds an additional layer of security, but will not give you the green padlock in your browser. It will slightly improve speed/security for non-HTTPS sites, but moving to HTTPS is the best solution.
Onion Routing – lets users on the Tor network keep their privacy when browsing your site. Tor is a network dedicated to defending against traffic analysis and other network surveillance.
TLS 1.3 – enables the latest version of TLS/SSL and will show the green padlock in browsers.
Automatic HTTPS Rewrites – if your site connects over HTTPS and the lock icon is not present in Google Chrome, or has a yellow warning triangle, your site may still contain links/references to HTTP. This helps fix mixed content by ensuring HTTPS is used for all resources on your site.
Disable Universal SSL – if you have a universal SSL from Cloudflare, this disables it, and users won’t be able to access your site using HTTPS if there are no dedicated or custom certificates.
Set up firewall rules (to protect the WordPress admin + plugins folder), rate limiting (to prevent spam bots from hitting your site too much and consuming CPU), and other features that can improve security and save bandwidth. Create up to 5 free firewall rules. I have 2 I recommend.
Firewall Rules – lets you block, challenge, or allow requests based on: countries, IP addresses, bots, URLs, set custom threat scores, and more. See firewall rule examples here or this tutorial.
Example 1: Protect Insecure Plugins – insecure plugins are a common way hackers breach WordPress sites. Not installing them is safer, but this will block access to your plugins folder.
URL path + contains + /wp-content/plugins
Referer + does not contain + yourwebsite.com
Example 2: Protect The WP Admin – only allows users in your country to access the WP Admin login page. Good if you have team members (in your country) who also need access.
Field: URL path + contains + /wp-admin
Country + does not equal + United States
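The two rules above, modelled in Python so you can sanity-check what they allow and block against sample requests before deploying them (an added example, not code from the article or from Cloudflare). The expression strings use Cloudflare’s firewall-rule field names; yourwebsite.com and the sample requests are placeholders, and the admin-ajax.php exclusion is a refinement not on the page, since the front end of WordPress also calls that file. The Referer header is supplied by the client, so treat Example 1 as a filter for automated scanners rather than a hard boundary, which is why the article also says not to install insecure plugins.

```python
"""Model of the two recommended Cloudflare firewall rules (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SITE_HOST = "yourwebsite.com"   # placeholder hostname from the article
HOME_COUNTRY = "US"             # ISO 3166-1 alpha-2 code for "United States"


@dataclass
class Request:
    path: str      # URL path, e.g. "/wp-admin/"
    referer: str   # Referer header as sent by the client ("" if absent)
    country: str   # country Cloudflare derives from the visitor IP


# (name, Cloudflare expression to paste into the dashboard, Python equivalent)
RULES: List[Tuple[str, str, Callable[[Request], bool]]] = [
    # Example 1: block direct hits on the plugins folder (no Referer from our site).
    ("protect-plugins",
     f'(http.request.uri.path contains "/wp-content/plugins" '
     f'and not http.referer contains "{SITE_HOST}")',
     lambda r: "/wp-content/plugins" in r.path and SITE_HOST not in r.referer),
    # Example 2: only your own country may reach the WP admin.
    # Refinement (assumption): /wp-admin/admin-ajax.php is also used by the
    # public front end, so it is left out of the country check.
    ("protect-wp-admin",
     f'(http.request.uri.path contains "/wp-admin" '
     f'and not http.request.uri.path contains "/wp-admin/admin-ajax.php" '
     f'and ip.geoip.country ne "{HOME_COUNTRY}")',
     lambda r: "/wp-admin" in r.path
     and "/wp-admin/admin-ajax.php" not in r.path
     and r.country != HOME_COUNTRY),
]


def evaluate(req: Request) -> str:
    """Return the name of the first rule that blocks the request, or 'allow'."""
    for name, _expr, matches in RULES:
        if matches(req):
            return name
    return "allow"


def expressions() -> Dict[str, str]:
    """The expression strings as you would enter them in the Firewall tab."""
    return {name: expr for name, expr, _ in RULES}


# Constructed sample traffic (not real logs).
SAMPLES = [
    Request("/wp-content/plugins/contact-form/style.css",
            "https://yourwebsite.com/contact/", "DE"),          # asset loaded by a page
    Request("/wp-content/plugins/contact-form/plugin.php", "", "DE"),  # direct hit
    Request("/wp-admin/", "", "US"),                              # admin, home country
    Request("/wp-admin/", "", "FR"),                              # admin, abroad
    Request("/wp-admin/admin-ajax.php", "https://yourwebsite.com/", "FR"),  # front-end AJAX
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.country} {r.path:45} -> {evaluate(r)}")
```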
Rate Limiting – mainly used to block fake Google crawlers and spammy bots that hit your site too much and consume CPU. Cloudflare offers this as a pay-per-usage service, but Wordfence does it for free in their rate limiting options. Careful – you don’t want to block legitimate users!
Security Level – Cloudflare’s algorithm assigns IP addresses a threat score from 0 to 100.
High – scores greater than 0
Medium – scores greater than 14
Low – scores greater than 24
Essentially off – scores greater than 49
I’m Under Attack! – should only be used when your site is under a DDoS attack. This adds an extra layer of protection by analyzing traffic to confirm legitimate human visitors. Each visitor sees an interstitial page for about 5 seconds while being analyzed.
Challenge Passage – when a visitor has a bad reputation with Cloudflare, they will need to complete a challenge. This is the time a challenge expires, and a new challenge will be issued.
Privacy Pass Support – prevent users with a poor Cloudflare reputation from having to constantly fill out CAPTCHAs.
IP Access Rules – whitelist, block, or challenge specific IP addresses (whitelist yours!).
User Agent Blocking – mainly used if you are under attack from a specific User-Agent.
Unmetered DDoS Mitigation – if you are under a Distributed Denial of Service (DDoS) attack, Cloudflare will attempt to mitigate it no matter the size or duration. As Cloudflare states, other companies bill heavily for this using surge pricing. Cloudflare doesn’t.
Firewall Event Log – shows firewall events that have been triggered.
Web Application Firewall
Web Application Firewall – Pro feature, but one of the best ways to improve security by protecting against SQL injection attacks, cross-site scripting, and cross-site request forgery (read more). This uses Cloudflare’s built-in ruleset and automatic WAF updates based on Cloudflare’s intelligence (as you know, attacks move fast, and before you know it, 40,000 websites have already been affected by the time you hear the news).
Browser Integrity Check – looks for requests with HTTP headers commonly used by spammers, bots, and crawlers, and presents a block page if determined to be a threat.
Controls access to your websites by applying an authorization process you configure when users make requests to your origin server. Members will use social and enterprise identity providers (IdP) as their credentials and can access sensitive materials for a given time of your choice. Pricing is free for the first 5 seats, then $3-5/month for Access Basic or Premium.
Speed up your WordPress site using minification, image optimization (Polish + Mirage), Railgun, Rocket Loader, Brotli (similar to gzip compression), and other performance features.
Polish (Pro Feature) – strips EXIF data and compresses images.
Railgun™ – speeds up dynamic content for visitors who are far away from the origin server.
Enable Accelerated Mobile Links – enable if you’re using a plugin for AMP. This allows users to open external AMP links from your website in AMP format. Learn more.
Brotli – similar to gzip compression, only believed to be even faster.
Mirage (Pro Feature) – reduces image requests, lazy loads images, and improves image load times on mobile devices with slow network connections. Here are more details on Mirage…
Resizes images based on a visitor’s device/connection. A visitor on a poor connection will get a smaller version (lower resolution) until they are back on a higher bandwidth.
Reduces amount of requests – instead of sending multiple requests for all images on the website, Mirage pulls this into one request so visitors can see images immediately.
Lazy loads images (only loads them once users scroll down and actually see the image).
Mobile Redirect – redirects mobile visitors to mobile site (you must have a custom domain).
Prefetching URLs From HTTP Headers (Enterprise Feature) – cached objects are served as 1 request, instead of multiple requests.
Control caching levels and how Cloudflare caches your website.
Purge Cache – clears Cloudflare’s cache.
Caching Level – set how much static content Cloudflare will cache.
No Query String – only delivers cached files when there is no query string.
Ignore Query String – delivers same resource to everyone regardless of query string.
Standard – delivers different resource each time the query string changes.
Browser Cache Expiration – sets time a visitor’s cache will expire after visiting the page (also known as add expires headers in GTmetrix).
Always Online™ – Cloudflare will attempt to show a cached version of your website if your server goes down.
Development Mode – lets you see changes on your website in real time without worrying about seeing a cached version.
Enable Query String Sort – increases cache hit rates by enabling query strings to be sorted before they hit Cloudflare’s cache.
10. Page Rules
Page Rules let you optimize specific URLs for performance and security. I suggest looking over their Page Rules video tutorials especially the ones on optimizing WordPress, speed, security, and maximizing bandwidth savings. You should also familiarize yourself with common terms.
Common Page Rules
Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to origin server for a fresh copy. You can increase this for pages not updated frequently.
Email Obfuscation – prevents spam by hiding your email address to bots, while remaining visible to visitors (only applies if you list your email on your website). Enabling this on the contact page (and other pages showing your email) prevents spam.
Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
Asterisk (*) – used in page rule URLs to match any characters. For example, if I used onlinemediamasters.com/wp-admin* as my URL and set the security level to high (first example below), then all URLs with /wp-admin in them would have high security.
“We recommend that you create a Page Rule to exclude the admin section of your website from Cloudflare’s performance features. Features such as Rocket Loader and Auto Minification may inadvertently break backend functions in your admin section.”
Protect And Optimize WordPress Admin + Login Pages – browser integrity check and high security will protect your WordPress admin area. You should usually not cache it, and disable performance features (which should only be turned on to speed up the front end of your site).
Decrease Bandwidth Of WP Uploads Area – since items in your WordPress uploads file do not change frequently, you don’t have to cache them as much, which will save you bandwidth.
Don’t Cache Dynamic Content – most WordPress sites are static, but if you have dynamic content that changes based on user behavior, add the URL you serve dynamic content from.
Don’t Cache Staging Websites – if you’re testing new designs, plugins, or other changes on your website, you want to see those changes in real-time, and so you should not cache them.
Don’t Cache eCommerce Cart, Checkout, Account Pages – some hosts like WP Engine already bypass caching for eCommerce pages; others do not. In this case you want to bypass cache for your cart, checkout, and account pages, as well as other similar pages. Cloudflare also has their own tutorial on caching dynamic elements and other eCommerce best practices.
Don’t Cache WooCommerce Pages – WooCommerce uses 3 sets of cookies, which you’ll want to bypass cache for:
Stop Bots From Collecting Your Email – enable email obfuscation on pages that show your email address to prevent spam (e.g. your contact page). You can turn the global setting on in your Cloudflare Scrape Shield settings, but this is only needed for pages that show your email.
Make Important Pages Always Online – in case your server goes down or something else happens to your website, and you want to make sure visitors can at least see your most important pages (e.g. privacy and about page), create a page rule to make them Always Online.
Always Use SSL – if you enable Always Use HTTPS in the Crypto settings, you don’t need this.
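A small Page Rule matcher showing why the order of your rules matters, since Cloudflare applies only the first rule whose pattern matches a URL (an added example, not code from the article or from Cloudflare). It assumes the documented behaviour that * matches any run of characters, compares URLs as hostname plus path, and uses the article’s recommended rules with a placeholder hostname; the free plan allows three rules, so pick the ones your site needs.

```python
"""Page Rule ordering model (added example)."""
import re
from typing import List, Optional


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a Page Rule pattern such as 'yourwebsite.com/wp-admin*' into a
    regex; everything except '*' is matched literally."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def first_matching_rule(url: str, rules: List[dict]) -> Optional[dict]:
    """Cloudflare applies only the first rule (top to bottom) that matches."""
    for rule in rules:
        if pattern_to_regex(rule["pattern"]).match(url):
            return rule
    return None


def effective_settings(url: str, rules: List[dict]) -> dict:
    """Settings a request to `url` actually gets under this rule order."""
    rule = first_matching_rule(url, rules)
    return rule["settings"] if rule else {}


# Specific rules first, the catch-all "cache everything" rule last.
GOOD_ORDER = [
    {"pattern": "yourwebsite.com/wp-admin*",           # admin + login pages
     "settings": {"security_level": "high", "cache_level": "bypass",
                  "browser_integrity_check": "on", "disable_performance": True}},
    {"pattern": "yourwebsite.com/wp-content/uploads/*",  # uploads rarely change
     "settings": {"edge_cache_ttl": "1 month"}},        # TTL value is an assumption
    {"pattern": "yourwebsite.com/checkout*",           # dynamic eCommerce page
     "settings": {"cache_level": "bypass"}},
    {"pattern": "yourwebsite.com/*",                    # everything else
     "settings": {"cache_level": "cache_everything"}},
]

# Same rules with the catch-all moved to the top: it now shadows all the others,
# so the admin area and checkout get cached.
BAD_ORDER = [GOOD_ORDER[-1]] + GOOD_ORDER[:-1]

if __name__ == "__main__":
    for url in ("yourwebsite.com/wp-admin/edit.php",
                "yourwebsite.com/wp-content/uploads/2019/photo.jpg",
                "yourwebsite.com/checkout/",
                "yourwebsite.com/blog/some-post/"):
        print(url)
        print("  good order:", effective_settings(url, GOOD_ORDER))
        print("  bad order: ", effective_settings(url, BAD_ORDER))
```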
QUIC (Beta) – Quick UDP Internet Connections; speeds up HTTP traffic and improves security.
IPv6 Compatibility – the most recent version of the Internet Protocol. The internet is running low on IPv4 address space, so IPv6 was developed so billions of devices can interact on a global scale.
WebSockets – mostly used for real-time applications like live chat and gaming. They create open connections between the visitors and origin server, so they can communicate faster.
Pseudo IPv4 – an IPv6 to IPv4 translation service (Cloudflare recommends disabling this since this was designated as experimental and you would not normally see this kind of traffic).
IP Geolocation – locates each user’s country so you can see them in Cloudflare’s analytics.
Maximum Upload Size – if you let visitors upload files to your site, this is the MAX upload size.
Response Buffering (Enterprise Feature) – if users are able to download files from your site, this tells Cloudflare to wait until the entire file is downloaded before sending it to the user.
True-Client-IP Header – allows you to see user’s IP addresses.
Argo (Paid Feature) – uses Cloudflare’s real-time network intelligence to route traffic across the fastest, most reliable paths from the origin to Cloudflare’s data centers. Cloudflare says web assets perform about 30% faster on average, reduces latency by 35%, and connection errors by 27%. Pricing is $5 per website (per month) plus $0.10 for every gigabyte of transfer.
Argo Tunnel – this is available once you activate Argo. It protects your server’s IP address from exposure by routing requests through Cloudflare before they hit the server. Because every request passes through Cloudflare, traffic to the origin is covered by Cloudflare’s WAF, unmetered DDoS mitigation, and Access authentication.
Load Balancing – checks the health of servers and determines if they’re being overused or are geographically far away, then efficiently optimizes their routes. Improves speed + uptimes. Pricing is $5 – $50 per month + 50 cents per 500,000 queries (first 500,000 queries are free).
Stream is a video platform for developers and content teams who build video applications. In the background, Cloudflare will encode, store, and deliver your videos with one API. They will also optimize it for the right devices, format, bitrate, and network connection. Every 1,000 minutes viewed costs $1 per month. Each 1,000 minutes of video stored costs $5 per month.
14. Custom Pages
Custom pages let you upload custom HTML pages that are shown to visitors when your website has errors or challenges. These are all paid features, quite expensive, and mostly used for large websites with lots of traffic that have the budget to customize their user experience.
IP/Country Block – customize the error page shown to visitors when they visit from a blocked IP address or country. To block or challenge IPs in certain countries (mostly used to block spam bots) turn on IP Geolocation in the Network tab and create a firewall rule (or use .htaccess).
WAF Block – customize the error page when users break a firewall rule (in the firewall tab).
500 Class Errors – customize 500 error pages (server error).
1000 Class Errors – customize error 1000 pages (DNS points to a prohibited IP).
Always Online™ Error – customize the error page when your server goes down, and the Always Online feature (found in caching section) doesn’t have a cached version of your page.
Basic Security Challenge – when you set your security level (in the firewall tab), Cloudflare assigns users a threat score of 0-100 based on Cloudflare’s algorithm. Users with a poor reputation will be given a challenge page; this is where you can upload that custom page.
WAF Challenge – customize the challenge page when users trigger a WAF rule (in firewall tab).
Country Challenge – customize the challenge page for specific countries you are blocking.
I’m Under Attack Mode™ Challenge – customize the error page while your site is in I’m Under Attack Mode (in firewall tab).
429 errors – customize the error page when users trigger a rate limiting rule (in firewall tab).
Cloudflare Apps are like WordPress plugins (they add functionality to your website) but I stick with WordPress plugins and made an awesome list of WordPress speed plugins that will probably be more useful than Cloudflare’s Apps. But, I listed the most popular ones below.
Talk.to – live chat app specifically for WordPress sites (they also have a plugin).
Autosave – prevents users from losing information when filling out forms on your website (for example, they accidentally close the tab or get disconnected). It automatically saves the form data locally and restores it. No configuration is needed.
16. Scrape Shield
Email Address Obfuscation – if you list your email address on your website, this prevents bots from crawling it and sending you spam, however you will also lose the ability to “click to send.”
Server-side Excludes – if you have sensitive content that you would like to hide from suspicious visitors (but not real visitors), enable this and wrap the sensitive content with: <!--sse--> … <!--/sse-->
Hotlink Protection – prevents people from copying your images and pasting them on their own website, otherwise you would still be hosting these images (sucking up your bandwidth).
Whitelist Cloudflare IPs
The next sections cover the following (at least do the whitelisting)!
Whitelist Cloudflare/StackPath IPs In Hosting Account – contact your host and ask them to whitelist Cloudflare’s and StackPath’s IPs (since most hosts don’t allow you to do this). Since your traffic is being routed through Cloudflare, your server will see a lot of traffic proxied through Cloudflare, and may trigger it to be blocked. Whitelisting their IPs makes sure your host does not block or limit this. You should also whitelist IPs for other CDNs you are using.
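Once traffic is proxied, your server (and plugins like Wordfence) see Cloudflare’s addresses instead of the visitor’s unless they read the visitor IP from Cloudflare’s CF-Connecting-IP header (or the True-Client-IP header mentioned above). That header should only be trusted when the connection really came from a Cloudflare IP; the same range list you whitelist in your hosting account is what tells you that. The snippet below is an added example (not code from the article or from Cloudflare) using constructed RFC 5737 documentation ranges as stand-ins for the current list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Trust CF-Connecting-IP only from Cloudflare's ranges (added example)."""
import ipaddress
from typing import List, Mapping, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-ins (RFC 5737 / RFC 3849 documentation ranges).
# Replace with the ranges from cloudflare.com/ips-v4 and /ips-v6.
CLOUDFLARE_RANGES: List[IPNetwork] = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8::/32",
)]


def is_cloudflare_peer(peer_ip: str, ranges: List[IPNetwork] = CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer that connected to the origin is a Cloudflare edge."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def client_ip(peer_ip: str, headers: Mapping[str, str],
              ranges: List[IPNetwork] = CLOUDFLARE_RANGES) -> str:
    """Return the address to log, rate-limit and firewall on.

    The visitor IP from CF-Connecting-IP (or True-Client-IP) is used only when
    the connection itself came from Cloudflare; otherwise a client talking to
    the origin directly could put anything it likes in that header, so the
    real peer address is returned instead.
    """
    if not is_cloudflare_peer(peer_ip, ranges):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    forwarded = lowered.get("cf-connecting-ip") or lowered.get("true-client-ip")
    if not forwarded:
        return peer_ip
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        return peer_ip   # malformed header value: fall back to the peer address


def allow_origin_connection(peer_ip: str, ranges: List[IPNetwork] = CLOUDFLARE_RANGES) -> bool:
    """Origin-side allow-list: accept only connections that arrive via Cloudflare,
    so Cloudflare's firewall rules cannot be skipped by connecting to the origin
    directly (the same idea as Authenticated Origin Pulls and Argo Tunnel above)."""
    return is_cloudflare_peer(peer_ip, ranges)


if __name__ == "__main__":
    # Constructed requests: 203.0.113.x plays the visitor, 192.0.2.x the Cloudflare edge.
    print(client_ip("192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}))    # 203.0.113.7
    print(client_ip("203.0.113.7", {"CF-Connecting-IP": "10.0.0.1"}))      # 203.0.113.7 (header ignored)
```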
Cloudflare’s WordPress plugin doesn’t have great reviews (lots of 1 stars) probably because the plugin isn’t well supported, only includes 3 tabs (Home, Speed, Analytics), and doesn’t include all the settings from those tabs that are found in Cloudflare’s actual dashboard. It also includes too many Pro features. I honestly wouldn’t install it, and instead configure your Cloudflare settings directly in their dashboard. There are many more options available there.
For CloudFlare users, YSlow should automatically detect the CDN if it’s set up correctly and you’ve given it enough time for the DNS to propagate (2 days).
If YSlow isn’t detecting your CDN, then you can add your own CDN hostnames so that they aren’t penalized by the CDN recommendation. Visit your User Settings page and then input your CDN hostnames under the “YSlow CDN Hostnames” field. GTmetrix should then recognize your CDNs in your future tests.