This tutorial walks you through every single setting in Cloudflare.
It’s specifically written for WordPress to make your site faster and more secure.
It starts with adding your website, changing nameservers, and setting up basic Cloudflare settings. Then it walks you through the tabs (from Overview to Scrape Shield), followed by additional tips like whitelisting Cloudflare’s IPs in your hosting account, why you don’t need the Cloudflare WordPress plugin, and how to set up multiple CDNs to make your site even faster (more data centers = faster website). I use both Cloudflare’s CDN and StackPath’s CDN.
If you’ve already added your website to Cloudflare and changed nameservers, and want to go straight into the Cloudflare settings, you can jump to the Overview tab.
Add Your Website
Sign up for Cloudflare, then add your website:
Once Cloudflare is done scanning, click next:
The free plan comes with their CDN, page rules, and many Cloudflare settings that improve speed/security. Start with the free plan, read this tutorial, then decide if you want to upgrade.
You will eventually come to this dashboard where Cloudflare assigns you 2 nameservers:
Log in to your hosting account, find your nameservers, and change them to Cloudflare’s. If you can’t find them, Google how to change nameservers on SiteGround (or whoever your host is).
Some hosting companies like SiteGround have an option to activate Cloudflare in their cPanel.
Nice! Just by doing that, your WordPress site is being served from their 154+ data centers (they add new ones frequently) and you have Cloudflare’s default settings set up (which we’ll tweak).
Setup Cloudflare With Your Cache Plugin
WP Rocket, WP Fastest Cache, W3 Total Cache, Swift Performance, and other cache plugins allow you to integrate Cloudflare in their settings. You will usually grab your Global API Key (found in your Cloudflare profile) and enter it into your cache plugin’s Cloudflare settings.
WP Fastest Cache
W3 Total Cache
Setting up Cloudflare using your cache plugin is not the same thing as changing nameservers (you still need to do that). But it ensures better compatibility between the two, since some functionalities overlap. If minify and gzip are enabled in one, they should be disabled in the other.
Basic Cloudflare Settings For WordPress
- Configure SSL – the Crypto settings have options to order a free Universal SSL, force HTTP to HTTPS, set the SSL encryption level, and protect your SSL website using HSTS.
- Create Firewall Rules – protect your WordPress Admin, plugins, and other sensitive areas of your website by creating parameters that stop hackers from accessing them.
- Create Page Rules – optimize specific URLs for performance and security (set these up based on your website’s needs). Some examples include: forcing high security in your WordPress admin area, decreasing bandwidth consumption by controlling Cloudflare’s cache refresh rate, and bypassing cache (for WordPress admin, eCommerce pages, staging websites, and dynamic content). You can create up to 3 page rules for free.
- Enable Hotlink Protection – prevents people from copying images from your site and pasting them onto theirs, which consumes bandwidth (found in Scrape Shield settings).
- Rate Limiting (Paid Feature) – prevents spammy crawlers from hitting your site too much, which consumes bandwidth (a very common problem). Check your hosting account for a tool like AWstats to identify if this is happening to you. Wordfence does rate limiting for free, while Cloudflare charges for it. This is in the Firewall settings.
- Multiple CDNs – more data centers = faster website (StackPath, KeyCDN, and other CDNs generate CDN URLs you can copy/paste into your cache plugin, or CDN Enabler).
Below are quick links to some of the most common Cloudflare settings, but Cloudflare’s recommended first steps (and the important settings I marked in this guide) are what you really should look at.
Security – Cloudflare protects your website with SSL settings, firewall, Access, challenge passages, email obfuscation, and also improves uptimes using other settings in Cloudflare.
Performance – Cloudflare speeds up your WordPress site through caching, minifying files, CDN, Brotli (similar to gzip compression), Railgun, Rocket Loader, hotlink protection, image optimization, accelerated mobile links, Argo (in traffic tab) and everything in the speed tab.
IP Settings – Cloudflare helps collect visitor location data using IP Geolocation (in the Network tab), which can be used to block specific countries, spammy crawlers/bots, and other IP addresses from your website. You should whitelist Cloudflare’s IP addresses in your hosting account.
- Why isn’t Cloudflare caching everything? By default, Cloudflare only caches specific static content, not including HTML. If you would like to cache everything, create a page rule, add yourwebsite.com/* as the URL, then set the cache level to everything. Your cache plugin (and another CDN if you’re using one) may also be caching content.
- What attacks is Cloudflare blocking? Cloudflare blocks a variety of attacks including content scraping, fraudulent checkouts, and account takeovers. Spammy bots often excessively crawl websites and cause high CPU consumption, and since hosting companies use CPU throttling, the bots may be sucking up your CPU limits which results in a slower website, or even your host shutting down your website temporarily. Cloudflare’s firewall tab and rate limiting (Wordfence does rate limiting for free) helps.
If you want specific services/traffic routed through Cloudflare, add them here. Cloudflare automatically populates the DNS. When an arrow is going through the orange cloud, that service’s traffic is routed through Cloudflare. If it’s going around, it’s bypassing Cloudflare.
I use SiteGround (a Cloudflare partner and who I highly recommend as they were rated the #1 host in 10 Facebook polls taken by multiple WordPress-related Groups), so I manage my DNS in SiteGround’s cPanel. Otherwise you will see a DNS dashboard like the one shown below…
Verification TXT Record For CNAME Setup – add a TXT record to verify your CNAME.
CNAME Flattening – allows a CNAME record to be created for the root domain without violating DNS specifications. This speeds up DNS resolution on CNAMEs by up to 30%.
Manage your SSL and cryptography settings:
SSL – controls when SSL will be used. If using SSL, Full (Strict) is recommended.
- Off – SSL will not be used.
- Flexible – use if you can’t configure HTTPS on your origin. Visitors can access your site over HTTPS, but connections are made over HTTP. Generally you should avoid this as it may cause redirect loops, but if you must, try using the Cloudflare Flexible SSL plugin.
- Full – only use if the certificate does not match your domain or is self-signed. Cloudflare will use HTTPS, but will not validate the certificate.
- Full (Strict) – Cloudflare will use HTTPS and verify the certificate on each request. You should only make this change if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates.
Edge Certificates – manage your SSL certificates.
- Universal SSL (Shared) – free SSL provided by Cloudflare which you will share with 50 other Cloudflare customers, with a shared common name (e.g. ssl123456.cloudflaressl.com).
- Dedicated SSL Certificate – /month SSL dedicated only to your domain with common name (eg. onlinemediamasters.com), automatically renewed by Cloudflare.
- Dedicated SSL Certificate With Custom Hostnames – /month, the same as the previous plan but protects up to 50 more hostnames or wildcards of your choosing.
- Upload Custom SSL Certificate – /month if you’d like to use your own SSL and comes with DDOS protection, Railgun optimization, and 100% guaranteed uptimes.
Custom Hostnames (Enterprise Feature) – if you have a dedicated SSL with custom hostnames, you can enter their CNAMEs here.
Origin Certificates – these are free TLS Certificates (Transport Layer Security) but the Universal SSL should be fine for 99.99% of websites. TLS is an improved version of SSL but basically, it does the same thing – makes your site secure and serves your assets from HTTPS. Cloudflare Origin Certificates are only trusted by Cloudflare and should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin Certificate will show an untrusted certificate error.
Always Use HTTPS – redirect all HTTP requests to HTTPS using a 301 redirect.
HTTP Strict Transport Security (HSTS) – ensures HTTP links become HTTPS links. Protects website from downgrade attacks, SSL stripping, and cookie hijacking. Server will make sure browsers only connect using HTTPS, and that users do not bypass critical security warnings.
Authenticated Origin Pulls – verifies requests to your origin server came from Cloudflare using a TLS client certificate, preventing users from bypassing firewalls and other security.
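The two origin-side checks this guide recommends (whitelisting Cloudflare’s IP addresses in your hosting account, and verifying that requests really came through Cloudflare so nobody bypasses the firewall) both come down to the same question: did this connection arrive from a Cloudflare address? The following is an added example, not Cloudflare’s code or the page’s own: a small origin-side check that only serves a request when the TCP peer is inside a Cloudflare range, and only then trusts the CF-Connecting-IP header for the visitor’s real address. The ranges in the block are constructed documentation addresses for illustration; a real deployment loads the current list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Origin-side check: serve only requests that arrived via Cloudflare.

Added example (not Cloudflare's or the page author's code). The IP ranges
below are CONSTRUCTED documentation-only addresses; replace them with the
list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and /ips-v6.
"""
from ipaddress import ip_address, ip_network

# Constructed sample ranges standing in for Cloudflare's published list.
CLOUDFLARE_RANGES = [
    ip_network("203.0.113.0/24"),     # constructed IPv4 range (TEST-NET-3)
    ip_network("2001:db8:cf::/48"),   # constructed IPv6 range (documentation)
]


def is_cloudflare(peer_ip: str) -> bool:
    """True when the connecting address falls inside an allowed Cloudflare range.

    ipaddress returns False for a v4 address tested against a v6 network, so
    mixing both families in one list is safe."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def origin_decision(peer_ip: str, headers: dict) -> tuple:
    """Decide whether the origin should answer this request.

    Returns ("serve", visitor_ip) or ("reject", reason). The CF-Connecting-IP
    header (set by Cloudflare) is only trusted once the peer itself is
    confirmed to be Cloudflare; otherwise anyone hitting the origin directly
    could forge it."""
    if not is_cloudflare(peer_ip):
        return ("reject", "request reached the origin without passing through Cloudflare")
    client = headers.get("CF-Connecting-IP")
    if client is None:
        return ("reject", "no CF-Connecting-IP header")
    try:
        ip_address(client)  # reject garbage before it reaches logs or rate limiters
    except ValueError:
        return ("reject", "malformed CF-Connecting-IP")
    return ("serve", client)


if __name__ == "__main__":
    # Constructed requests: one via Cloudflare, one direct to the origin.
    print(origin_decision("203.0.113.7", {"CF-Connecting-IP": "198.51.100.9"}))
    print(origin_decision("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}))
```

This is the IP-allowlist form of the check; Authenticated Origin Pulls, described above, achieves the same goal with a TLS client certificate instead of an address list, which also holds up if the published ranges change before your allowlist does.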
Minimum TLS Version – sets a minimum SSL/TLS version users can visit your website from. The default TLS 1.0 is fine.
Opportunistic Encryption – for websites that haven’t added HTTPS but want the improved speed of HTTP/2, by letting browsers know your site supports an encrypted connection. This adds an additional layer of security, but will not give you the green padlock in your browser. It will slightly improve speed/security for non-HTTPS sites, but moving to HTTPS is the best solution.
Onion Routing – lets users on the Tor network keep their privacy when browsing your site. Tor is a network dedicated to defending against traffic analysis and other network surveillance.
TLS 1.3 – enables the latest version of TLS/SSL and will show the green padlock in browsers.
Automatic HTTPS Rewrites – if your site connects over HTTPS and the lock icon is not present in Google Chrome, or has a yellow warning triangle, your site may still contain links/references to HTTP. This helps fix mixed content by ensuring HTTPS is used for all resources on your site.
Disable Universal SSL – if you have a universal SSL from Cloudflare, this disables it, and users won’t be able to access your site using HTTPS if there are no dedicated or custom certificates.
Setup firewall rules (to protect WordPress admin + plugins folder), rate limiting (to prevent spam bots from hitting your site too much and consuming CPU), and other features that can improve security and save bandwidth. Create up to 5 free firewall rules. I have 2 I recommend.
Firewall Rules – lets you block, challenge, or allow requests based on: countries, IP addresses, bots, URLs, set custom threat scores, and more. See firewall rule examples here or this tutorial.
Example 1: Protect Insecure Plugins – insecure plugins are a common way hackers breach WordPress sites. Not installing them is safer, but this will block access to your plugins folder.
- URL path + contains + /wp-content/plugins
- Referer + does not contain + yourwebsite.com
Example 2: Protect The WP Admin – only allows users in your country to access the WP Admin login page. Good if you have team members (in your country) who also need access.
- Field: URL path + contains + /wp-admin
- Country + does not equal + United States
- Action: Block
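To make the two rules above concrete, here is an added example (not Cloudflare’s engine and not the page author’s code) that evaluates the same conditions locally against a few constructed requests. The Cloudflare expression shown in each function’s docstring uses Cloudflare’s real field names (http.request.uri.path, http.referer, ip.geoip.country); the Request class, the decide() helper, the sample requests, and the domain yourwebsite.com are assumptions made for illustration.

```python
"""Local simulation of the two firewall rules from the text.

Added example: this reproduces the rule LOGIC so you can see what each one
does and does not catch. It is not Cloudflare's matching engine. Cloudflare
expressions in the docstrings use real field names; everything else here
(Request, decide, samples) is constructed for illustration.
"""
from dataclasses import dataclass

SITE_DOMAIN = "yourwebsite.com"   # placeholder used by the text
HOME_COUNTRY = "US"               # ISO 3166 code for "United States"


@dataclass
class Request:
    path: str      # request path, e.g. /wp-admin/
    referer: str   # Referer header, "" when absent
    country: str   # country Cloudflare derived from the visitor IP


def rule_protect_plugins(req: Request) -> bool:
    """Example 1. Cloudflare expression:
    (http.request.uri.path contains "/wp-content/plugins"
     and not http.referer contains "yourwebsite.com")
    True means the request is blocked."""
    return "/wp-content/plugins" in req.path and SITE_DOMAIN not in req.referer


def rule_protect_admin(req: Request) -> bool:
    """Example 2. Cloudflare expression:
    (http.request.uri.path contains "/wp-admin" and ip.geoip.country ne "US")
    True means the request is blocked."""
    return "/wp-admin" in req.path and req.country != HOME_COUNTRY


RULES = [("protect-plugins", rule_protect_plugins),
         ("protect-admin", rule_protect_admin)]


def decide(req: Request) -> tuple:
    """First matching rule wins, as in an ordered rule list.

    Returns ("block", rule_name) or ("allow", None)."""
    for name, rule in RULES:
        if rule(req):
            return ("block", name)
    return ("allow", None)


# Constructed sample traffic covering the normal cases and the edge cases.
SAMPLES = [
    Request("/wp-content/plugins/x/readme.txt", "", "US"),                    # direct probe
    Request("/wp-content/plugins/x/style.css", "https://yourwebsite.com/p/", "DE"),  # asset from own page
    Request("/wp-admin/", "", "DE"),                                          # admin from abroad
    Request("/wp-admin/", "", "US"),                                          # admin from home country
    Request("/wp-login.php", "", "DE"),                                       # login page, not matched
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.path, r.country, "->", decide(r))
```

Two things the simulation makes visible: the plugins rule passes plugin CSS/JS only because the browser sends a Referer from your own domain, so a Referrer-Policy of no-referrer on your pages would make the rule block your own assets; and the admin rule as written matches /wp-admin but not /wp-login.php, so a country restriction intended for the login page needs that path added to the rule as well.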
Rate Limiting – mainly used to block fake Google crawlers and spammy bots that hit your site too much and consume CPU. Cloudflare offers this as a pay-per-usage service, but Wordfence does it for free in their rate limiting options. Careful – you don’t want to block legitimate users!
Security Level – Cloudflare’s algorithm assigns IP addresses a threat score from 0 to 100.
- High – scores greater than 0
- Medium – scores greater than 14
- Low – scores greater than 24
- Essentially off – scores greater than 49
- I’m Under Attack! – should only be used when your site is under a DDoS attack. This adds an extra layer of protection by analyzing traffic to confirm legitimate human visitors. Each visitor sees an interstitial page for about 5 seconds while being analyzed.
Challenge Passage – when a visitor has a bad reputation with Cloudflare, they will need to complete a challenge. This is the time a challenge expires, and a new challenge will be issued.
Privacy Pass Support – prevent users with a poor Cloudflare reputation from having to constantly fill out CAPTCHAs.
- IP Access Rules – whitelist, block, or challenge specific IP addresses (whitelist yours!).
- User Agent Blocking – mainly used if you are under attack from a specific User-Agent.
- Unmetered DDOS Mitigation – if you are under Distributed Denial of Service (DDoS) attack, Cloudflare will attempt to deny it no matter the size or duration. As Cloudflare stated, other companies bill heavily for this using surge pricing. But Cloudflare doesn’t.
- Firewall Event Log – shows firewall events that have been triggered.
Web Application Firewall
- Web Application Firewall – Pro feature, but one of the best ways to improve security by protecting against SQL injection attacks, cross-site scripting, and cross-site forgery (read more). This uses Cloudflare’s built-in ruleset and automatic WAF updates based on Cloudflare’s intelligence (as you know, attacks move fast and before you know it, 40,000 websites have already been affected by the time you hear the news).
- Browser Integrity Check – looks for requests with HTTP headers commonly used by spammers, bots, and crawlers, and presents a block page if determined to be a threat.
Controls access to your websites by applying an authorization process you configure when users make requests to your origin server. Members will use social and enterprise identity providers (IdP) as their credentials and can access sensitive materials for a given time of your choice. Pricing is free for the first 5 seats, then -5/month for Access Basic or Premium.
Speed up your WordPress site using minification, image optimization (Polish + Mirage), Railgun, Rocket Loader, Brotli (similar to gzip compression), and other performance features.
Polish (Pro Feature) – strips EXIF data and compresses images.
Railgun™ – speeds up dynamic content for visitors who are far away from the origin server.
Enable Accelerated Mobile Links – enable if you’re using a plugin for AMP. This allows users to open external AMP links from your website in AMP format. Learn more.
Brotli – similar to gzip compression, only believed to be even faster.
Mirage (Pro Feature) – reduces image requests, lazy loads images, and improves image load times on mobile devices with slow network connections. Here are more details on Mirage…
- Resizes images based on a visitor’s device/connection. A visitor on a poor connection will get a smaller version (lower resolution) until they are back on a higher bandwidth.
- Reduces the number of requests – instead of sending multiple requests for all images on the website, Mirage pulls this into one request so visitors can see images immediately.
- Lazy loads images (only loads them once users scroll down and actually see the image).
Mobile Redirect – redirects mobile visitors to mobile site (you must have a custom domain).
Prefetching URLs From HTTP Headers (Enterprise Feature) – cached objects are served as 1 request, instead of multiple requests.
Control caching levels and how Cloudflare caches your website.
Purge Cache – clears Cloudflare’s cache.
Caching Level – set how much static content Cloudflare will cache.
- No Query String – only delivers cached files when there is no query string.
- Ignore Query String – delivers same resource to everyone regardless of query string.
- Standard – delivers different resource each time the query string changes.
Browser Cache Expiration – sets time a visitor’s cache will expire after visiting the page (also known as add expires headers in GTmetrix).
Always Online™ – Cloudflare will attempt to show a cached version of your website if your server goes down.
Development Mode – lets you see changes on your website in real time without worrying about seeing a cached version.
Enable Query String Sort – increases cache hit rates by enabling query strings to be sorted before they hit Cloudflare’s cache.
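The three Caching Level options and Query String Sort differ only in how the cache key is built from the request URL. The block below is an added example, not Cloudflare’s implementation or the page’s own code: a small model of the key derivation under each setting, run over a constructed list of WordPress-style asset URLs so you can see which requests end up sharing one cached copy. The option names are taken from the text; the URL splitting uses Python’s standard urllib.

```python
"""Model of Cloudflare's Caching Level options and Query String Sort.

Added example (not Cloudflare's code): cache_key() derives the key a cache
would use for a URL under each setting, and hit_rate() replays a list of
URLs against a cold cache to count hits. Sample URLs are constructed.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

LEVELS = ("no_query_string", "ignore_query_string", "standard")


def cache_key(url: str, level: str = "standard", sort_query: bool = False):
    """Return the (path, query) cache key, or None when the request bypasses cache."""
    parts = urlsplit(url)
    path = parts.path or "/"
    query = parts.query
    if level == "no_query_string":
        # Only requests without a query string are served from cache at all.
        return None if query else (path, "")
    if level == "ignore_query_string":
        # Everyone gets the same resource regardless of query string.
        return (path, "")
    if level == "standard":
        # Each distinct query string is a distinct resource. Query String Sort
        # canonicalises parameter order so ?b=2&a=1 and ?a=1&b=2 share a key.
        if sort_query:
            query = urlencode(sorted(parse_qsl(query, keep_blank_values=True)))
        return (path, query)
    raise ValueError(f"unknown caching level {level!r}; expected one of {LEVELS}")


def hit_rate(urls, level: str, sort_query: bool = False) -> dict:
    """Replay URLs against an empty cache and count hits, misses and bypasses."""
    seen = set()
    stats = {"hits": 0, "misses": 0, "bypass": 0}
    for url in urls:
        key = cache_key(url, level, sort_query)
        if key is None:
            stats["bypass"] += 1
        elif key in seen:
            stats["hits"] += 1
        else:
            seen.add(key)
            stats["misses"] += 1
    return stats


# Constructed sample: the same stylesheet requested with WordPress-style
# ?ver= cache busters and with parameters in two different orders.
SAMPLE_URLS = [
    "https://yourwebsite.com/style.css",
    "https://yourwebsite.com/style.css?ver=5.2",
    "https://yourwebsite.com/style.css?ver=5.2",
    "https://yourwebsite.com/style.css?b=2&a=1",
    "https://yourwebsite.com/style.css?a=1&b=2",
]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, hit_rate(SAMPLE_URLS, level))
    print("standard + sort", hit_rate(SAMPLE_URLS, "standard", sort_query=True))
```

The replay shows the trade-off the text describes: Ignore Query String gives the most hits but serves one copy to everyone, which is wrong for any URL whose content legitimately depends on its parameters, while Standard keeps those distinct and Query String Sort recovers the hits lost only to parameter ordering.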
10. Page Rules
Page Rules let you optimize specific URLs for performance and security. I suggest looking over their Page Rules video tutorials especially the ones on optimizing WordPress, speed, security, and maximizing bandwidth savings. You should also familiarize yourself with common terms.
Common Page Rules
- Always Online
- Browser Integrity Check
- [Browser Cache TTL] – time Cloudflare instructs a visitor’s browser to cache a resource. You can increase this for pages that aren’t update