Cloudflare for Better WordPress Website Security and Performance

Things to keep in mind:

    • Every environment (infrastructure, software, etc.) is unique, so there’s no universal approach to configuring a solution.
    • Review and understand all available settings, configuring them to the best of your ability, while not blindly guessing.
    • If a specific setting isn’t mentioned, the defaults are acceptable, or the settings are self-explanatory to any skill level.

Cloudflare is a powerful content delivery network (CDN) and security platform. It helps optimize site speed, enhance security, and reduce operational costs without requiring complex configurations.

Every WordPress website under my management utilizes Cloudflare.

Performance Improvements Provided by Cloudflare

Cloudflare’s edge network, which consists of hundreds of data centers worldwide, caches and delivers content closer to users, dramatically reducing load times — especially for global audiences.

  • Faster Page Loads: Cloudflare can cache both static and dynamic WordPress content (HTML, CSS, JS, etc.) and serve it from the edge, which substantially speeds up sites and improves performance metrics like Time to First Byte (TTFB) and First Contentful Paint (FCP).
  • Image and Code Optimization: Cloudflare offers image compression and metadata stripping, and minification of HTML/CSS/JS reduces file sizes, while Brotli compression and HTTP/3 support further boost efficiency. This is ideal for image-heavy sites and needs no extra plugins.
  • Reduced Server Load: Caching minimizes requests to your origin server and serves content without regenerating pages, leading to lower bandwidth usage and costs.

Security Enhancements

WordPress sites are frequent targets for attacks, and Cloudflare acts as a first line of defense by proxying traffic through its network.

  • DDoS Protection: Absorbs and mitigates distributed denial-of-service attacks, ensuring site availability during traffic spikes.
  • Web Application Firewall (WAF): Blocks common threats like SQL injection, cross-site scripting (XSS), and WordPress-specific exploits, while custom rules can secure login pages to prevent brute-force attempts.
  • SSL/TLS Encryption: Provides free, automatic HTTPS encryption for secure data transmission, boosting trust and SEO compliance.
  • IP Hiding and Traffic Filtering: Masks your server’s real IP from bots and attackers while filtering malicious traffic before it reaches your site.

Cloudflare Initial Setup

For the initial setup, we’ll be covering Cloudflare’s FREE plan, which is often enough for most people, especially those who don’t have the skills, time, desire, or budget to dive deeper into performance optimization.

  1. Sign up for Cloudflare
  2. Accelerate and Protect Your Website or Application > Click ‘Get Started.’
  3. Enter your domain name and click ‘Add Site.’
  4. Choose the FREE plan and click ‘Continue.’

At this point, Cloudflare will automatically detect where you manage your DNS (often where you have registered your domain) and scan all the DNS records. While Cloudflare typically detects all your DNS records, ensure that’s the case.

  1. Add any missing DNS records to Cloudflare.
  2. Click ‘Continue.’
  3. Follow the instructions for changing your Nameservers within a new browser tab.
  4. Back in Cloudflare, click ‘Done, check nameservers.’
  5. Click ‘Finish Later’ to skip the Quick Start Guide.

Let’s continue with the Cloudflare settings while the DNS changes propagate across the web.

DNS propagation can take up to 24 hours but typically completes in minutes, depending on where you previously managed your DNS.

Recommended Settings

I’m using the settings below, but I’m constantly testing for the best optimization, so please check back periodically for the latest recommendations.

SSL/TLS

Edge Certificates

  • Overview > SSL/TLS encryption mode: Set to Full (strict). (Note: Whether you can do this depends on your SSL certificate; Full (strict) requires a valid certificate on your origin server that Cloudflare can verify.)
  • Edge Certificates > Always use HTTPS: Enable
  • Edge Certificates > HTTP Strict Transport Security (HSTS): Enabled/Configured
    • Status: On
    • Max-Age: 12 months (Note: Cloudflare’s dashboard lists a recommendation of 6 months, but after some research, they actually recommend 12 months.)
    • Include subdomains: On
  • Edge Certificates > Minimum TLS Version: 1.3
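As an added example (not part of the original post), the shell script below checks a site’s response headers from the outside against the HSTS settings recommended above (status On, 12-month max-age, include subdomains) and confirms that a handshake capped at TLS 1.2 is refused once Minimum TLS Version is 1.3. It assumes curl is installed; the two header samples are constructed, and only check_site touches the network.

```shell
# Added example (not from the original post): verify the HSTS and TLS settings
# recommended above from the outside. Assumes curl is installed; the header
# samples below are constructed, and only check_site touches the network.

# Print the value of one response header, matched case-insensitively.
# $1 = header name, $2 = raw response headers (CRLF or LF line endings).
header_value() {
  lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr -d '\r' | awk -v name="$lname" '
    index($0, ":") > 0 && tolower(substr($0, 1, index($0, ":") - 1)) == name {
      sub(/^[^:]*: */, ""); print; exit }'
}

# Check Strict-Transport-Security against the post's settings: header present
# (Status: On), max-age of at least 12 months (31536000 seconds), and
# includeSubDomains present. $1 = raw response headers. Returns 0 when all hold.
hsts_check() {
  hsts=$(header_value Strict-Transport-Security "$1")
  [ -n "$hsts" ] || { echo "HSTS header missing"; return 1; }
  lhsts=$(printf '%s' "$hsts" | tr 'A-Z' 'a-z')
  max_age=$(printf '%s' "$lhsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo "max-age missing"; return 1; }
  [ "$max_age" -ge 31536000 ] || { echo "max-age $max_age is below 12 months"; return 1; }
  case "$lhsts" in
    *includesubdomains*) ;;
    *) echo "includeSubDomains missing"; return 1 ;;
  esac
  echo "HSTS OK: $hsts"
}

# Live check of a host (network required). With Minimum TLS Version set to 1.3,
# a handshake capped at TLS 1.2 must be refused at Cloudflare's edge.
check_site() {
  hsts_check "$(curl -sS -o /dev/null -D - "https://$1/")" || return 1
  if curl -sS -o /dev/null --tls-max 1.2 "https://$1/" 2>/dev/null; then
    echo "WARNING: $1 still accepts TLS 1.2"
    return 1
  fi
  echo "TLS 1.2 refused by $1, as expected with Minimum TLS Version 1.3"
}

# Constructed samples: one matching the recommended settings, one with a
# six-month max-age and no includeSubDomains.
GOOD_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
server: cloudflare'

WEAK_HEADERS='HTTP/2 200
strict-transport-security: max-age=15552000
server: cloudflare'
```

Run `check_site yourdomain.example` after the HSTS change has deployed; the script reports the first setting that falls short rather than a bare pass/fail, which makes it easy to see whether the dashboard’s 6-month default was left in place.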

Speed

Optimization

Content Optimization

  • Early Hints: Enable

Protocol Optimization

  • HTTP/3 (with QUIC): Enable
  • 0-RTT Connection Resumption: Enable

Caching

Configuration

  • Caching Level: Standard
  • Browser Cache TTL: Respect Existing Headers
  • Crawler Hints: Enable (Note: This tells search engines to crawl only your changed content, thus reducing the load on your server.)
  • Always Online: Disable (Note: This setting is useless for eCommerce websites and wastes your server resources, since Cloudflare needs to crawl your website for it to work. I’d consider disabling it regardless of your website type.)

Scrape Shield

  • Email Address Obfuscation: Disable
  • Hotlink Protection: Enable

Verify Cloudflare Caching

For the steps below, let’s assume you are using the Chrome browser and you would like to verify the caching of your Home page.

  1. Open Chrome in Incognito mode.
  2. Inspect your website with Chrome DevTools by right-clicking on the page and choosing ‘Inspect.’
  3. Click on the ‘Network’ menu item.
  4. Reload your page a couple of times.
  5. Scroll to the top of the results under ‘Network’ and click on your domain name (e.g., influencewp.com).

If Cloudflare is successfully caching, you should see the following value among the response headers.

  • cf-cache-status: HIT

For more information about the various Cloudflare caching codes (e.g., HIT, MISS, EXPIRED, etc.), view their support article on this topic.
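As an added example (not part of the original post), the shell script below is a curl-based equivalent of the DevTools check above: it pulls cf-cache-status out of the response headers and explains the common values. It assumes curl is installed; the two header samples are constructed, and only probe_cache touches the network.

```shell
# Added example (not from the original post): check cf-cache-status with curl
# instead of DevTools. Assumes curl is installed; the header samples are
# constructed, and only probe_cache touches the network.

# Print one response header, matched case-insensitively ($1 = name, $2 = raw headers).
header_value() {
  lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr -d '\r' | awk -v name="$lname" '
    index($0, ":") > 0 && tolower(substr($0, 1, index($0, ":") - 1)) == name {
      sub(/^[^:]*: */, ""); print; exit }'
}

# Print the cf-cache-status value, or ABSENT when the header is not present,
# which means the response did not pass through Cloudflare's proxy (a DNS-only
# record, or a request sent straight to the origin's IP).
cf_cache_status() {
  status=$(header_value cf-cache-status "$1")
  printf '%s\n' "${status:-ABSENT}"
}

# One-line meaning of the common values, to read alongside Cloudflare's article.
cache_verdict() {
  case "$1" in
    HIT)     echo "served from Cloudflare's edge cache" ;;
    MISS)    echo "not in cache yet, fetched from origin; the next request should be a HIT" ;;
    EXPIRED) echo "cached copy had expired, fetched from origin and stored again" ;;
    DYNAMIC) echo "not cacheable by default (HTML is treated this way unless a cache rule covers it)" ;;
    BYPASS)  echo "origin's Cache-Control or Set-Cookie headers told Cloudflare not to cache it" ;;
    ABSENT)  echo "no cf-cache-status header: the response did not come through Cloudflare" ;;
    *)       echo "see Cloudflare's cache status reference for $1" ;;
  esac
}

# Request a URL twice, like reloading in DevTools, and report both statuses
# (network required). A GET is sent and the headers are dumped to stdout, so the
# result reflects what a browser would get rather than a HEAD request.
probe_cache() {
  for i in 1 2; do
    s=$(cf_cache_status "$(curl -sS -o /dev/null -D - "$1")")
    echo "request $i: cf-cache-status=$s ($(cache_verdict "$s"))"
  done
}

# Constructed samples: a cached edge response and a response straight from origin.
HIT_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
cf-cache-status: HIT
age: 1200
server: cloudflare'

ORIGIN_HEADERS='HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
server: nginx'
```

Run `probe_cache https://yourdomain.example/` and expect the second line to read HIT; a persistent DYNAMIC on the home page means the HTML itself is not being cached, which is the Caching Level and cache-rule configuration rather than a fault in the setup above.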

IP Whitelisting

You may encounter situations where Cloudflare’s security prevents other solutions from communicating with your website, and in those cases, we need to tell Cloudflare to trust those solutions.

  1. Cloudflare Dashboard > Security > WAF > Tools
  2. IP Access Rules > Enter the IP address given to you by the solution’s vendor.
  3. Action > Allow
  4. Zone > If you only have one website in your Cloudflare account, you can leave the default option (‘This Website’); otherwise, you will want to choose ‘All Websites In Account.’
  5. Notes > Enter the solution’s name to recall why you added this.
  6. Click ‘Add.’
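As an added example (not part of the original post), the shell script below does the same thing as the dashboard steps above through Cloudflare’s API v4 IP Access Rules endpoint, validating the vendor’s IPv4 address or range before an Allow rule is created (the API calls that action mode "whitelist"). It assumes curl is installed; the environment variable names CF_API_TOKEN, CF_ZONE_ID and CF_ACCOUNT_ID are hypothetical choices for this example, and only add_ip_allow_rule touches the network.

```shell
# Added example (not from the original post): create an IP Access Rule (Action:
# Allow) through Cloudflare's API v4 after validating the vendor's address.
# Assumes curl; CF_API_TOKEN, CF_ZONE_ID and CF_ACCOUNT_ID are hypothetical
# environment variable names chosen for this example. IPv4 only.

# Returns 0 when $1 is a dotted quad with four octets in the range 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the API "target" for $1: "ip" for a single address, "ip_range" for a
# CIDR block. Cloudflare limits which prefix lengths IP Access Rules accept;
# only the basic 0-32 bound is checked here, the API reports the rest.
ip_rule_target() {
  case "$1" in
    */*)
      bits=${1#*/}
      valid_ipv4 "${1%/*}" || return 1
      case "$bits" in ''|*[!0-9]*) return 1 ;; esac
      [ "$bits" -le 32 ] || return 1
      echo ip_range ;;
    *)
      valid_ipv4 "$1" || return 1
      echo ip ;;
  esac
}

# Print the request body for an Allow rule. $1 = IP or CIDR, $2 = note (the
# "Notes" field from the dashboard; must not contain double quotes, as no JSON
# escaping is done here). Fails when the address is invalid.
ip_rule_json() {
  target=$(ip_rule_target "$1") || return 1
  printf '{"mode":"whitelist","configuration":{"target":"%s","value":"%s"},"notes":"%s"}\n' \
    "$target" "$1" "$2"
}

# Create the rule (network required). $3 = "zone" for 'This Website' or
# "account" for 'All Websites In Account'.
add_ip_allow_rule() {
  body=$(ip_rule_json "$1" "$2") || { echo "invalid IP or range: $1" >&2; return 1; }
  case "$3" in
    account) path="accounts/$CF_ACCOUNT_ID" ;;
    *)       path="zones/$CF_ZONE_ID" ;;
  esac
  curl -sS -X POST "https://api.cloudflare.com/client/v4/$path/firewall/access_rules/rules" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H 'Content-Type: application/json' \
    --data "$body"
}
```

Usage: `add_ip_allow_rule 198.51.100.4 "Uptime monitor" zone` (198.51.100.4 is a documentation address standing in for the vendor’s real one). Validating before calling the API matters because an over-broad or mistyped range silently widens who bypasses the WAF; keep the note field filled in for the same reason the dashboard step asks for it.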

URL Redirects

For performance, it’s best to redirect URLs at the edge rather than using server redirects or plugin-based redirects, which place an extra load on the web server. While Cloudflare allows different redirects, let’s focus on redirecting specific URLs.

Single Redirects

The Single Redirects are typically used when you have five or fewer redirects to configure. While you can configure your redirects using advanced Operators (e.g., REGEX) to target multiple URLs in one rule, it’s more of an advanced approach.

You can always start here and then move to ‘Bulk Redirects’ when the time comes.

  1. Cloudflare Dashboard > Rules > Create Rule > Redirect Rule
  2. Name > Give your rule a name to easily identify it (e.g., Old Shop Page to New Shop Page).
  3. Custom Filter Expression > When incoming requests match > Field > Select any of the available URL options (URL Full, URL, etc.).
  4. Custom Filter Expression > When incoming requests match > Operator > Select any of the available Operator options (Equals, Regex, etc.).
  5. Custom Filter Expression > When incoming requests match > Value > Enter the old URL you’re redirecting from. (Note: Again, we are focusing on URLs here, so that’s the example I’m giving.)
  6. Custom Filter Expression > Then > Type > Static
  7. Custom Filter Expression > Then > URL > Enter the new URL.
  8. Click the ‘Deploy’ button.
  9. Clear your browser cache and test the redirect.
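As an added example (not part of the original post), the shell script below tests a deployed redirect rule with curl rather than a browser, checking both the status code and the Location header against the new URL. It assumes curl is installed; the example.com URLs and the header sample are constructed, and only test_redirect touches the network.

```shell
# Added example (not from the original post): verify a deployed redirect rule
# with curl. Assumes curl is installed; example.com URLs and the header sample
# are constructed, and only test_redirect touches the network.
#
# For reference, Field = URL Full, Operator = Equals, Value =
# https://example.com/old-shop corresponds to this expression in the rule's
# expression editor:
#   (http.request.full_uri eq "https://example.com/old-shop")

# Print one response header, matched case-insensitively ($1 = name, $2 = raw headers).
header_value() {
  lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr -d '\r' | awk -v name="$lname" '
    index($0, ":") > 0 && tolower(substr($0, 1, index($0, ":") - 1)) == name {
      sub(/^[^:]*: */, ""); print; exit }'
}

# Print the status code from the first line of a raw response ("HTTP/2 301" -> 301).
response_status() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Returns 0 when $1 (raw response headers) is a redirect whose Location equals $2.
redirect_check() {
  code=$(response_status "$1")
  location=$(header_value Location "$1")
  case "$code" in
    301|302|307|308) ;;
    *) echo "expected a redirect, got status ${code:-none}"; return 1 ;;
  esac
  [ "$location" = "$2" ] || { echo "Location is '$location', expected '$2'"; return 1; }
  echo "redirect OK: $code -> $location"
}

# Live check (network required): $1 = old URL, $2 = expected new URL. curl does
# not follow redirects unless asked and keeps no cache of its own, so the first
# hop from the edge is what gets checked and step 9's cache clearing is not needed.
test_redirect() {
  redirect_check "$(curl -sS -o /dev/null -D - "$1")" "$2"
}

# Constructed sample of the edge response after the rule has deployed.
REDIRECT_HEADERS='HTTP/2 301
location: https://example.com/shop
server: cloudflare'
```

Usage: `test_redirect https://example.com/old-shop https://example.com/shop`. Checking the Location value, not just the status code, catches the common slip of a trailing slash or http:// scheme in the Then > URL field, which a browser hides by following the extra hop.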

Bulk Redirects

Bulk Redirects are your next stop once you outgrow Single Redirects.

  1. Cloudflare Dashboard > Rules > Settings > Bulk Redirects
  2. Bulk Redirect Lists > Create Bulk Redirect List
  3. Give your list a name and either import your URLs or manually add them.
  4. Bulk Redirect Lists > Create Bulk Redirect Rule
  5. Create your rule and assign the list you created in step #2.

Grant Access to Your Account

This is for times when you need to grant access to team members, website support professionals, etc. In the example below, we’ll grant a website support professional full access to a select domain.

2FA

Although not required, I highly recommend requiring everyone (including you) to use 2FA.

Your Account (2FA)

  1. Cloudflare Authentication
  2. Two-Factor Authentication > Click ‘Set Up.’
  3. Mobile App Authentication > Click ‘Add.’
  4. Follow the provided instructions and click ‘Next.’ (Note: There are many free or low-cost authenticator apps. If you’re looking for a free solution, I recommend Microsoft Authenticator. However, you’ll save yourself the hassle of manually looking up 2FA codes if you go with a solution like the very inexpensive Bitwarden browser extension, which is my preference.)
  5. Follow the remaining prompts.

Invitee Accounts (2FA)

  1. Cloudflare Dashboard
  2. Manage Account > Members
  3. Member 2FA Enforcement > Toggle ON.
  4. Click ‘Confirm.’

Invite

  1. Ensure you’re on the home screen of your Cloudflare Dashboard.
  2. Expand ‘Manage Account.’
  3. Click ‘Members.’
  4. Click ‘Invite.’
  5. Invite Members > Enter their email address.
  6. Click ‘Add.’
  7. Scope > Type > Choose all domains or a specific domain to grant the invitee access to.
  8. Account Scoped Roles > Choose ‘Administrator.’
  9. Click the ‘Continue to Summary’ button.
  10. Click the ‘Invite’ button.
