Cloudflare for Better WordPress Website Security and Performance

Things to keep in mind:

    • Every environment (infrastructure, software, etc.) is unique, so there’s no universal approach to configuring a solution.
    • Review and understand all available settings, and configure them to the best of your ability rather than guessing blindly.
    • If a specific setting isn’t mentioned, the defaults are acceptable, or the settings are self-explanatory to any skill level.

Cloudflare is a powerful content delivery network (CDN) and security platform. It helps optimize site speed, enhance security, and reduce operational costs without requiring complex configurations. Every WordPress website under my management utilizes Cloudflare.

Key Takeaways

  • Cloudflare improves WordPress speed by caching content on a global edge network, which lowers load times and improves TTFB and FCP.
  • Cloudflare reduces origin server load and bandwidth use by serving cached assets and pages from the edge.
  • Cloudflare improves WordPress security with DDoS protection, a WAF, SSL/TLS, and bot and traffic filtering.
  • Cloudflare’s free plan is enough for many WordPress sites, and setup usually takes minutes, with DNS propagation up to 24 hours.
  • You can confirm Cloudflare caching by checking the cf-cache-status response header in Chrome DevTools (a value of HIT confirms edge caching).

Performance Improvements Provided by Cloudflare

Cloudflare’s edge network, which consists of hundreds of data centers worldwide, caches and delivers content closer to users, dramatically reducing load times—especially for global audiences.

  • Faster Page Loads: Cloudflare can cache both static and dynamic WordPress content (HTML, CSS, JS, etc.) and serve it from the edge, which can speed up sites substantially and improve performance metrics like Time to First Byte (TTFB) and First Contentful Paint (FCP)
  • Image and Code Optimization: Cloudflare offers image compression and metadata stripping, and its minification (for HTML/CSS/JS) reduces file sizes, while Brotli compression and HTTP/3 support further boost efficiency. This is ideal for image-heavy sites, with no extra plugins needed
  • Reduced Server Load: Caching minimizes requests to your origin server by serving dynamic content without regenerating pages, which lowers bandwidth usage and costs

Security Enhancements

WordPress sites are frequent targets for attacks, and Cloudflare acts as a first line of defense by proxying traffic through its network.

  • DDoS Protection: Absorbs and mitigates distributed denial-of-service attacks, ensuring site availability during traffic spikes
  • Web Application Firewall (WAF): Blocks common threats like SQL injection, cross-site scripting (XSS), and WordPress-specific exploits, while custom rules can secure login pages to prevent brute-force attempts
  • SSL/TLS Encryption: Provides free, automatic HTTPS encryption for secure data transmission, boosting trust and SEO compliance.
  • IP Hiding and Traffic Filtering: Masks your server’s real IP from bots and attackers while filtering malicious traffic before it reaches your site

Cloudflare Initial Setup

For the initial setup, we’ll be covering Cloudflare’s free plan, which is often enough for most people, especially those who don’t have the skills, time, desire, or budget to dive deeper into performance optimization.

  1. Sign up for Cloudflare
  2. Accelerate and Protect Your Website or Application > Click Get Started
  3. Enter your domain name and click Add Site
  4. Choose the free plan and click Continue

At this point, Cloudflare will automatically detect where you manage your DNS (often where you have registered your domain) and scan all the DNS records. While Cloudflare typically detects all your DNS records, verify that none are missing.

  1. Add any missing DNS records to Cloudflare
  2. Click Continue
  3. Follow the instructions for changing your Nameservers within a new browser tab
  4. Back in Cloudflare, click Done, Check Nameservers
  5. Click Finish Later to skip the Quick Start Guide

Let’s continue with the Cloudflare settings, allowing the DNS changes to propagate across the web. DNS propagation can take up to 24 hours but typically completes in minutes, depending on where you previously managed your DNS.

Recommended Settings

I’m routinely revisiting the settings to optimize for security and performance, so consider checking back periodically for the latest recommendations. I’ve fine-tuned some of these settings for use with Kinsta hosting, but your infrastructure will likely dictate some variations.

SSL/TLS

Edge Certificates

  • Overview > SSL/TLS encryption mode: Full (strict) (Note: The ability to do this depends on your SSL certificate.)
  • Edge Certificates > Always use HTTPS: Enable
  • Edge Certificates > HTTP Strict Transport Security (HSTS): Enabled/Configured
    • Status: On
    • Max-Age: 6 months
    • Include subdomains: On
  • Edge Certificates > Minimum TLS Version: 1.3

Speed

Optimization

Content Optimization
  • Early Hints: Enable
Protocol Optimization
  • HTTP/3 (with QUIC): Enable
  • 0-RTT Connection Resumption: Enable

Caching

Configuration

  • Caching Level: Standard
  • Browser Cache TTL: Respect Existing Headers
  • Crawler Hints: Enable (Note: This tells search engines only to crawl your changed content, thus reducing the load on your server.)
  • Always Online: Disable (Note: This setting is useless for eCommerce websites and wastes your server resources since Cloudflare needs to crawl your website for this to work. I’d consider disabling it regardless of your website type.)

Scrape Shield

  • Email Address Obfuscation: Disable
  • Hotlink Protection: Enable

Verify Cloudflare Caching

For the steps below, let’s assume you are using the Chrome browser and you would like to verify the caching of your home page.

  1. Open Chrome in Incognito mode
  2. Inspect your website with Chrome DevTools by right-clicking on the page and choosing Inspect
  3. Click on the Network menu item
  4. Reload your page a couple of times
  5. Scroll to the top of the results under Network and click on your domain name (e.g., influencewp.com)

If Cloudflare is successfully caching, you should see the following value.

  • cf-cache-status: HIT

For more information about the various Cloudflare caching codes (e.g., HIT, MISS, EXPIRED, etc.), view their support article on this topic.
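
The header check above, together with the HSTS values recommended under SSL/TLS, can also be scripted. The following is an added example, not part of the original article: it audits a response head such as the one curl -sI prints. The sample responses are constructed, and treating "6 months" as 15552000 seconds is an assumption.

```python
# Added example: audit one response head against the settings on this page.
import re

SIX_MONTHS = 15552000  # assumption: "6 months" taken as 180 days, in seconds

# Short meanings for common non-HIT values of cf-cache-status.
CACHE_STATUS = {
    "MISS": "not in the edge cache yet, fetched from origin",
    "EXPIRED": "cached copy had expired, refetched from origin",
    "DYNAMIC": "not treated as cacheable, always fetched from origin",
    "BYPASS": "origin headers or a rule told Cloudflare not to cache",
}

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict with lower-cased names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    status = h.get("cf-cache-status", "absent").upper()
    if status != "HIT":
        why = CACHE_STATUS.get(status, "not served from the edge cache")
        findings.append(f"cf-cache-status {status}: {why}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < SIX_MONTHS:
        findings.append("HSTS max-age missing or below 6 months")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = """HTTP/2 200
cf-cache-status: HIT
strict-transport-security: max-age=15552000; includeSubDomains
"""
WEAK = """HTTP/2 200
cf-cache-status: DYNAMIC
strict-transport-security: max-age=86400
"""

if __name__ == "__main__":
    print(audit(GOOD), audit(WEAK))
```

A DYNAMIC result on the home page means the HTML itself is not being cached at the edge, even if images and stylesheets on the same page report HIT.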

IP Whitelisting

You may encounter situations where Cloudflare’s security prevents other solutions from communicating with your website, and in those cases, we need to tell Cloudflare to trust those solutions.

  1. Cloudflare Dashboard > Security > WAF > Tools
  2. IP Access Rules > Enter the IP address given to you by the solution’s vendor
  3. Action > Allow
  4. Zone > If you only have one website in your Cloudflare account, you can leave the default option (This Website); otherwise, you will want to choose All Websites In Account
  5. Notes > Enter the name of the solution to help you remember why you added it
  6. Click Add

URL Redirects

For performance, it’s best to redirect URLs at the edge rather than using server redirects or plugin-based redirects, which place an extra load on the web server. While Cloudflare allows different redirects, let’s focus on redirecting specific URLs.

Single Redirects

Single redirects are typically used when you have five or fewer redirects to configure. While you can configure your redirects using advanced operators (e.g., REGEX) to target multiple URLs in one rule, it’s more of an advanced approach.

You can always start here and then move to Bulk Redirects when the time comes.

  1. Cloudflare Dashboard > Rules > Create Rule > Redirect Rule
  2. Name > Give your rule a name to easily identify it (e.g., Old Shop Page to New Shop Page)
  3. Custom Filter Expression > When incoming requests match… > Field > Select any of the available URL options (URL Full, URL, etc.)
  4. Custom Filter Expression > When incoming requests match… > Operator > Select any of the available Operator options (Equals, Regex, etc.)
  5. Custom Filter Expression > When incoming requests match… > Value > Enter the old URL you’re redirecting from (Note: Again, we are focusing on URLs here, so that’s the example I’m giving.)
  6. Custom Filter Expression > Then… > Type > Static
  7. Custom Filter Expression > Then… > URL > Enter the new URL.
  8. Click Deploy
  9. Clear your browser cache and test the redirect

Bulk Redirects

Bulk redirects are your next stop once you outgrow single redirects.

  1. Cloudflare Dashboard > Rules > Settings > Bulk Redirects
  2. Bulk Redirect Lists > Create Bulk Redirect List
  3. Give your list a name and either import your URLs or manually add them
  4. Bulk Redirect Lists > Create Bulk Redirect Rule
  5. Create your rule and assign your list from step #2
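
Before importing a list of URLs, it is worth checking it for entries that would loop, chain, or send visitors off-site. The following is an added example, not part of the original article: it lints a list assumed to have two columns (source URL, target URL), and the sample rows and the example.com host allow-list are constructed placeholders.

```python
# Added example: lint a two-column redirect list (source,target) before import.
import csv
import io
from urllib.parse import urlsplit

def norm(url):
    """Compare URLs without a trailing slash; paths stay case-sensitive."""
    return url.strip().rstrip("/")

def lint_redirects(csv_text, allowed_hosts):
    """Return sorted (line_number, problem) tuples; empty means clean."""
    rows = [(n, norm(r[0]), norm(r[1]))
            for n, r in enumerate(csv.reader(io.StringIO(csv_text)), 1)
            if len(r) >= 2]
    problems, first_seen = [], {}
    for n, src, dst in rows:
        if src in first_seen:
            problems.append((n, f"duplicate source, first on line {first_seen[src]}"))
        first_seen.setdefault(src, n)
        target = urlsplit(dst)
        if target.scheme != "https":
            problems.append((n, "target is not https"))
        if target.hostname not in allowed_hosts:
            problems.append((n, f"target host {target.hostname!r} not in allow-list"))
    hop = {src: dst for _, src, dst in rows}
    for n, src, dst in rows:
        seen, cur = {src}, dst
        while cur in hop and cur not in seen:  # follow the redirects hop by hop
            seen.add(cur)
            cur = hop[cur]
        if cur in seen:
            problems.append((n, "redirect loop"))
        elif dst in hop:
            problems.append((n, "redirect chain: target is itself redirected"))
    return sorted(problems)

# Constructed sample list; example.com and the paths are placeholders.
SAMPLE = """https://example.com/old-shop,https://example.com/shop
https://example.com/shop,https://example.com/store
https://example.com/a,https://example.com/b
https://example.com/b,https://example.com/a
https://example.com/promo,http://example.net/landing
"""

if __name__ == "__main__":
    for line_no, problem in lint_redirects(SAMPLE, {"example.com"}):
        print(f"line {line_no}: {problem}")
```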

Grant Access to Your Account

This is for times when you need to grant access to team members, website support professionals, etc. In the example below, we’ll grant a website support professional full access to a select domain.

2FA

Although not required, I highly recommend requiring everyone (including you) to use 2FA.

Your Account (2FA)
  1. Cloudflare Authentication
  2. Two-Factor Authentication > Click Set Up
  3. Mobile App Authentication > Click Add
  4. Follow the provided instructions and click Next (Note: There are many free or low-cost authenticator apps. If you’re looking for a free solution, I recommend Microsoft Authenticator. However, you’ll save yourself the hassle of manually looking up 2FA codes if you go with a solution like the very inexpensive Bitwarden browser extension, which is my preference.)
  5. Follow the remaining prompts.
Invitee Accounts (2FA)
  1. Cloudflare Dashboard
  2. Manage Account > Members
  3. Member 2FA Enforcement > Toggle ON
  4. Click Confirm

Invite

  1. Ensure you’re on the home screen of your Cloudflare Dashboard
  2. Expand Manage Account
  3. Click Members
  4. Click Invite
  5. Invite Members > Enter their email address
  6. Click Add
  7. Scope > Type > Choose all domains or a specific domain to grant the invitee access
  8. Account Scoped Roles > Choose Administrator
  9. Click Continue to Summary
  10. Click Invite

Frequently Asked Questions About Cloudflare for WordPress Security and Performance

What Does Cloudflare Do for a WordPress Site?

Cloudflare proxies your traffic through its network. It speeds up delivery with edge caching and performance features, and it adds security controls like DDoS protection, a web application firewall (WAF), and SSL/TLS.

Is Cloudflare’s Free Plan Enough for Most WordPress Sites?

For many sites, yes. The article’s setup steps focus on the free plan, since it covers core speed and security features without complex configuration.

How Do We Verify Cloudflare Caching Is Working?

Open Chrome in Incognito mode, inspect the page, go to the Network tab, reload, click the top request for your domain, then check response headers. If you see cf-cache-status: HIT, Cloudflare is caching that request.

What SSL Setting Should We Use in Cloudflare for WordPress?

Use SSL/TLS encryption mode set to Full (strict) when your origin has a valid SSL certificate. Next, enable the Always Use HTTPS option, configure HSTS, and set the minimum TLS version to 1.3.

When Do We Need to Whitelist an IP in Cloudflare?

Whitelist an IP when Cloudflare blocks a trusted service that needs access to your site (for example, a vendor tool that must reach your origin). Add an IP access rule in Cloudflare WAF tools, set the action to Allow, pick the right zone, and add a note for tracking.
