This tutorial walks you through every single setting in Cloudflare.
It’s specifically written for WordPress to make your site faster and more secure.
It starts with adding your website, changing nameservers, and setting up basic Cloudflare settings. Then it walks you through the tabs (from Overview to Scrape Shield), followed by additional tips like whitelisting Cloudflare’s IPs in your hosting account, why you don’t need the Cloudflare WordPress plugin, and how to setup multiple CDNs to make your site even faster (more data centers = faster website. I use both Cloudflare’s CDN and StackPath’s CDN.
If you’ve already added your website to Cloudflare and changed nameservers, and want to go straight into the Cloudflare settings, you can jump to the Overview tab.
Sign up for Cloudflare then [add your website] :
Once Cloudflare is done scanning, click next:
The free plan comes with their CDN, page rules, and many Cloudflare settings that improve speed/security. Start with the free plan, read this tutorial, then decide if you want to upgrade.
You will eventually come to this dashboard where Cloudflare assigns you 2 nameservers:
Login to your hosting account, find your nameservers, and change them to Cloudflare’s. If you can’t find them, Google how to change nameservers on SiteGround (or whoever your host is).
Some hosting companies like SiteGround have an option to activate Cloudflare in their cPanel:
Nice! Just by doing that, your WordPress site is being hosted on their 154+ data centers (they add new ones frequently) and you have Cloudflare’s default settings setup (which we’ll tweak).
WP Rocket, WP Fastest Cache, W3 Total Cache,Swift Performance, and other cache plugins allow you to integrate Cloudflare in their settings. You will usually grab your Global API Key (found in your Cloudflare profile) and enter it into your cache plugin’s Cloudflare settings.
![Cloudflare Global API Key]
WP Fastest Cache:
W3 Total Cache:
Setting up Cloudflare using your cache plugin is not the same thing as changing nameservers (you still need to do that). But it ensures better compatibility between the two, since some functionalities overlap. If minify and gzip are enabled in one, they should be disabled in the other.
Quick links of some of the most common Cloudflare settings, but their recommended first steps (and the important settings I marked in this guide) are what you really should look at.
Security – Cloudflare protects your website with SSL settings, firewall, Access, challenge passages, email obfuscation, and also improves uptimes using other settings in Cloudflare.
Performance – Cloudflare speeds up your WordPress site through caching, minifying files, CDN, Brotli (similar to gzip compression), Railgun, Rocket Loader, hotlink protection, image optimization, accelerated mobile links, Argo (in traffic tab) and everything in the speed tab.
IP Settings – Cloudflare helps collect visitor location data using IP Geolocation (in network tab) which can be used block specific countries, spammy crawlers/bots, and other IP addresses from your website. You should Whitelist Cloudflare’s IP addresses in your hosting account.
If you want specific services/traffic routed through Cloudflare, add them here. Cloudflare automatically populates the DNS. When an arrow is going through the orange cloud, that service’s traffic is routed through Cloudflare. If it’s going around, it’s bypassing Cloudflare.
![Cloudflare DNS Settings]
I use SiteGround (a Cloudflare partner and who I highly recommend as they were rated the #1 host in 10 Facebook polls taken by multiple WordPress-related Groups), so I manage my DNS in SiteGround’s cPanel. Otherwise you will see a DNS dashboard like the one shown below…
Verification TXT Record For CNAME Setup – add a TXT record to verify your CNAME.
CNAME Flattening – allows a CNAME record to be created for the root domain without violating DNS specifications. This speeds up DNS resolution on CNAMEs by up to 30%.
Manage your SSL and cryptography settings:
SSL – controls when SSL will be used. If using SSL, full (strict) is recommend.
Edge Certificates – managed your SSL Certificates.
Custom Hostnames (Enterprise Feature) – if you have a dedicated SSL with custom hostnames, you can enter their CNAMEs here.
Origin Certificates – these are free TLS Certificates (Transport Layer Security) but the Universal SSL should be fine for 99.99% of websites. TLS is an improved version of SSL but basically, it does the same thing – makes your site secure and serves your assets from HTTPS. Cloudflare Origin Certificates are only trusted by Cloudflare and should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin Certificate will show an untrusted certificate error.
Always Use HTTPS – redirect all HTTP requests to HTTPs using a 301 redirect.
HTTP Strict Transport Security (HSTS) – ensures HTTP links become HTTPS links. Protects website from downgrade attacks, SSL stripping, and cookie hijacking. Server will make sure browsers only connect using HTTPS, and that users do not bypass critical security warnings.
Authenticated Origin Pulls – verifies requests to your origin server came from Cloudflare using a TLS client certificate, preventing users from bypassing firewalls and other security.
Minimum TLS Version – sets a minimum SSL/TLS version users can visit your website from. The default TLS 1.0 is fine.
Opportunistic Encryption – for websites that haven’t added HTTPS but want improved speed of HTTP/2 by letting browsers know your site is supports an encrypted connection. This adds an additional layer of security, but will not give you the green padlock in your browser. It will slightly improve speed/security for non-HTTPs sites, but moving to HTTPS is the best solution.
Onion Routing – lets users on the Tor Network keep their privacy when browsing your site. Tor is network dedicated to defending against traffic analysis and other network surveillance.
TLS 1.3 – enables the latest version of TLS/SSL and will show the green padlock in browsers.
Automatic HTTPS Rewrites – if your site connects to HTTPS and the lock icon is not present in Google Chrome, or has a yellow warning triangle, your site may still contain links/references to HTTP. This helps fix mixed content by ensuring HTTPs is used for all resources on your site.
Disable Universal SSL – if you have a universal SSL from Cloudflare, this disables it, and users won’t be able to access your site using HTTPS if there are no dedicated or custom certificates.
Setup firewall rules (to protect WordPress admin + plugins folder), rate limiting (to prevent spam bots from hitting your site too much and consuming CPU), and other features that can improve security and save bandwidth. Create up to 5 free firewall rules. I have 2 I recommend.
![Cloudflare Firewall Settings]
Firewall Rules – lets you block, challenge, or allow requests based on: countries, IP addresses, bots, URLs, set custom threat scores, and more. See firewall rule examples here or this tutorial.
Example 1: Protect Insecure Plugins – insecure plugins are a common way hackers breach WordPress sites. Not installing them is safer, but this will block access to your plugins folder.
![Cloudflare Firewall Insecure WordPress Plugins]
Example 2: Protect The WP Admin – only allows users in your country to access the WP Admin login page. Good if you have team members (in your country) who also need access.
![Cloudflare WP Admin Firewall Rule]
Rate Limiting – mainly used to block fake Google crawlers and spammy bots that hit your site too much and consume CPU. Cloudflare offers this as a pay-per-usage service, but Wordfence does it for free in their rate limiting options. Careful – you don’t want to block legitimate users!
Security Level – Cloudflare’s algorithm assigns IP addresses a threat score from 0 to 100.
Challenge Passage – when a visitor has a bad reputation with Cloudflare, they will need to complete a challenge. This is the time a challenge expires, and a new challenge will be issued.
Privacy Pass Support – prevent users with a poor Cloudflare reputation from having to constantly fill out CAPTCHAs.
![Cloudflare Firewall Event]
Web Application Firewall
Controls access to your websites by applying an authorization process you configure when users make requests to your origin server. Members will use social and enterprise identity providers (IdP) as their credentials and can access sensitive materials for a given time of your choice. Pricing is free for the first 5 seats, then -5/month for Access Basic or Premium.
![Cloudflare Access Settings]
Speed up your WordPress site using minification, image optimization (Polish + Mirage, Railgun, Rocket Loader, Brotli (similar to gzip compression), and other performance features.
![Cloudflare Speed Settings]
Polish (Pro Feature) – strips EXIF data and compresses images.
Railgun™ – speeds up dynamic content for visitors who are far away from the origin server.
![Cloudflare Railgun Test]
Enable Accelerated Mobile Links – enable if you’re using a plugin for AMP. This allows users to open external AMP links from your website in AMP format. Learn more.
Brotli – similar to gzip compression only believe to be even faster.
Mirage (Pro Feature) – reduces image requests, lazy loads images, and improves image load times on mobile devices with slow network connections. Here are more details on Mirage…
Mobile Redirect – redirects mobile visitors to mobile site (you must have a custom domain).
Prefetching URLs From HTTP Headers (Enterprise Feature) – cached objects are served as 1 request, instead of multiple requests.
Control caching levels and how Cloudflare caches your website.
![Cloudflare Caching Settings]
Purge Cache – clears Cloudflare’s cache.
Caching Level – set how much static content Cloudflare will cache.
Browser Cache Expiration – sets time a visitor’s cache will expire after visiting the page (also known as add expires headers in GTmetrix).
Always Online™ – Cloudflare will attempt to show a cached version of your website if your server goes down.
Development Mode – lets you see changes on your website in real time without worrying about seeing a cached version.
Enable Query String Sort – increases cache hit rates by enabling query strings to be sorted before they hit Cloudflare’s cache.
Page Rules let you optimize specific URLs for performance and security. I suggest looking over their Page Rules video tutorials especially the ones on optimizing WordPress, speed, security, and maximizing bandwidth savings. You should also familiarize yourself with common terms.
Common Page Rules