Cloudflare is arguably the single most powerful free tool available to WordPress site owners — but most people configure it wrong. Pointing your DNS to Cloudflare and leaving everything on defaults misses 80% of its value. Done correctly, Cloudflare acts as your CDN, security firewall, DDoS protection layer, and performance optimizer simultaneously. Over 20% of all internet traffic passes through Cloudflare’s network, giving it unparalleled threat intelligence. This guide explains exactly how to set up Cloudflare for WordPress the right way, covering every setting that actually matters, and the common mistakes that break sites or reduce performance.

How Cloudflare Works With WordPress
When you add your domain to Cloudflare and enable proxying (the orange cloud icon in DNS settings), Cloudflare becomes a reverse proxy. Visitors connect to Cloudflare’s nearest edge server, not your origin. Cloudflare then forwards legitimate requests to your WordPress server, caches static assets globally, and handles SSL termination at the edge.
This architecture means your server only handles requests that actually need dynamic processing. Static files — CSS, JavaScript, images — are served from Cloudflare’s cache in 300+ locations worldwide, often returning in under 10ms regardless of where your server is physically hosted.
Understanding Cloudflare’s SSL Encryption Modes
SSL mode is the most frequently misconfigured Cloudflare setting, and getting it wrong has serious security implications. The four modes are: Off (no encryption), Flexible (encrypted between visitor and Cloudflare only — your origin gets plain HTTP), Full (encrypted end-to-end, but accepts self-signed origin certificates), and Full (Strict) — encrypted end-to-end with a valid, trusted origin certificate. Always use Full (Strict) for WordPress. Flexible mode creates a false sense of security and can expose login credentials to interception between Cloudflare and your server.
Why Proper Cloudflare Configuration Transforms WordPress Performance and Security

- Global CDN for static assets: Cloudflare caches and serves static WordPress assets (themes, plugin JS/CSS, uploaded images) from the edge closest to each visitor, reducing load time by 40-70% for international audiences.
- Automatic minification: Cloudflare can minify HTML, CSS, and JavaScript on the fly without modifying your WordPress files — though combining this with a dedicated optimization plugin gives the best results.
- Brotli compression: Cloudflare supports Brotli compression (which compresses ~20% better than gzip) for all proxied requests, reducing data transfer costs and improving load times.
- DDoS protection included: All Cloudflare plans include unmetered DDoS protection. Layer 3/4 and Layer 7 attacks are absorbed before reaching your origin server.
- Free SSL certificate: Cloudflare provisions a free SSL certificate for your domain within minutes of DNS propagation, with automatic renewal — no manual certificate management needed.
- Early Hints (103): Cloudflare supports HTTP 103 Early Hints, allowing browsers to preload critical resources before the full HTML response arrives, improving LCP scores.
For complementary security setup, see our WordPress security hardening guides.
Step-by-Step: How to Set Up Cloudflare for WordPress the Right Way
- Create a Cloudflare account and add your domain: Sign up at cloudflare.com, click “Add a Site”, enter your domain, and select your plan (Free is sufficient for most WordPress sites). Cloudflare will scan your existing DNS records automatically.
- Update your nameservers: Replace your registrar’s nameservers with the two Cloudflare nameservers shown in your dashboard. DNS propagation typically completes within 5-30 minutes, though it can take up to 48 hours globally.
- Verify DNS records are proxied: In DNS settings, ensure your A and CNAME records for the domain and www have the orange cloud (proxied) icon. Records with grey clouds bypass Cloudflare entirely.
- Set SSL/TLS to Full (Strict): Go to SSL/TLS → Overview and select “Full (Strict)”. This requires a valid SSL certificate on your origin server (Let’s Encrypt works perfectly). Also enable “Always Use HTTPS” under Edge Certificates.
- Enable HSTS: Under SSL/TLS → Edge Certificates, enable HTTP Strict Transport Security with a max-age of at least 6 months. This tells browsers to always use HTTPS for your domain, preventing SSL stripping attacks.
- Configure Cache settings: Under Caching → Configuration, set Browser Cache TTL to 4 hours or more. Create Cache Rules (formerly Page Rules) to bypass cache for: logged-in users (when the wordpress_logged_in_* cookie is present), the WordPress admin (/wp-admin/*), and WooCommerce cart/checkout pages.
- Enable WordPress WAF managed rules: Under Security → WAF → Managed Rules, enable the “Cloudflare for WordPress” ruleset. This free ruleset blocks known WordPress exploit patterns.
- Configure Bot Fight Mode: Under Security → Bots, enable “Bot Fight Mode” (free) or “Super Bot Fight Mode” (Pro). This challenges or blocks known bad bots including scrapers, credential stuffers, and vulnerability scanners.
- Set Security Level: Under Security → Settings, set Security Level to “Medium” for most sites. This challenges visitors from IPs with a threat score above a threshold without being so aggressive it blocks legitimate users.
- Install the Cloudflare WordPress plugin: Install the official Cloudflare plugin in WordPress (Settings → Cloudflare). Authenticate with your API token, then click “Apply Optimal Settings for WordPress”. This configures cache purging, sets the correct Visitor IP header, and applies performance best practices automatically.
For Cloudflare’s complete WordPress setup documentation, see Cloudflare’s official WordPress guide.
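To confirm that the HSTS and cache-bypass steps took effect, you can audit response headers captured from the live site. The following is an added example, not part of the original guide or Cloudflare's tooling; the sample responses are constructed, and the /cart/ and /checkout/ slugs are assumed WooCommerce defaults.

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # 15,552,000 s: the minimum max-age from the HSTS step
# Paths that must bypass the edge cache. The cart/checkout slugs are WooCommerce
# defaults and an assumption here; match them to your own permalinks.
PRIVATE_PREFIXES = ("/wp-admin/", "/cart/", "/checkout/")
# cf-cache-status values meaning the response was served from the edge cache
# or was eligible to be stored in it.
CACHED = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent or invalid."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', headers.get("strict-transport-security", ""), re.I)
    return int(match.group(1)) if match else None

def must_bypass(path, cookie):
    """True for requests the guide says must never be cached."""
    if path.startswith(PRIVATE_PREFIXES):
        return True
    names = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
    return any(n.startswith("wordpress_logged_in_") for n in names)

def audit(sample):
    """sample: path, request Cookie header, and response headers with lower-cased names."""
    findings, headers = [], sample["headers"]
    age = hsts_max_age(headers)
    if age is None:
        findings.append("hsts-missing")
    elif age < SIX_MONTHS:
        findings.append("hsts-too-short")
    status = headers.get("cf-cache-status", "").upper()
    if must_bypass(sample["path"], sample.get("cookie", "")) and status in CACHED:
        findings.append("private-response-cached")
    return findings

# Constructed samples: what `curl -sI` style captures might look like.
SAMPLES = [
    {"path": "/", "cookie": "", "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains", "cf-cache-status": "HIT"}},
    {"path": "/wp-admin/index.php", "cookie": "wordpress_logged_in_abc123=constructed", "headers": {
        "strict-transport-security": "max-age=15552000", "cf-cache-status": "DYNAMIC"}},
    {"path": "/my-account/", "cookie": "wp-settings-1=x; wordpress_logged_in_abc123=constructed",
     "headers": {"strict-transport-security": "max-age=86400", "cf-cache-status": "HIT"}},
    {"path": "/checkout/", "cookie": "", "headers": {"cf-cache-status": "MISS"}},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["path"], audit(s) or "ok")
```

A "private-response-cached" finding means one visitor's page could be served to another, so fix the Cache Rule and purge the cache before re-testing.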
Common Questions — How to Set Up Cloudflare for WordPress
Will Cloudflare break my WordPress site?
Cloudflare can cause issues if SSL mode is set to Flexible (causing redirect loops), if the cache is not correctly bypassed for logged-in users (causing admin panel issues), or if aggressive firewall rules block legitimate traffic. Following this guide’s configuration avoids all of these common problems. If you do experience issues, use Cloudflare’s “Development Mode” to temporarily bypass caching while you troubleshoot.
How do I fix the “too many redirects” error with WordPress and Cloudflare?
This error is almost always caused by Cloudflare’s SSL mode being set to “Flexible” while WordPress or your server is also redirecting HTTP to HTTPS, creating an infinite loop. Fix it by switching Cloudflare’s SSL mode to “Full” or “Full (Strict)”, or temporarily by setting it to “Off” while you reconfigure. Long-term, always use Full (Strict) with a valid origin certificate.
Does Cloudflare cache WordPress pages for all visitors?
By default, Cloudflare only caches static file types (images, CSS, JS, fonts) — not HTML pages. To cache WordPress HTML, you need to create a Cache Rule with “Cache Everything” and set a TTL, while bypassing cache for cookies indicating logged-in users or cart contents. The Cloudflare APO (Automatic Platform Optimization) add-on ($5/month) handles this automatically and is highly recommended for WordPress.
Should I use Cloudflare’s proxy for my WordPress origin IP (A record)?
Yes — always proxy your A and CNAME records (orange cloud). This hides your origin server’s real IP address, preventing attackers from bypassing Cloudflare’s protections by attacking your server directly. If your origin IP is exposed (e.g., in email MX records or subdomains), consider using a separate IP for non-proxied records.
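The origin-IP exposure described above can be checked against an export of your zone. This is an added example, not code from the original article; the records are constructed and use the type/name/content/proxied fields of Cloudflare's DNS record objects, and the origin address is a documentation-range placeholder.

```python
import ipaddress

def exposed_records(records, origin_ip):
    """Return (name, reason) pairs for DNS-only records that reveal origin_ip.

    Follows MX and CNAME targets one level deep within the same zone.
    """
    origin = ipaddress.ip_address(origin_ip)
    leaking = set()
    for r in records:
        if r["type"] in ("A", "AAAA") and not r.get("proxied", False):
            if ipaddress.ip_address(r["content"]) == origin:
                leaking.add(r["name"].lower().rstrip("."))
    findings = [(name, "address record is DNS-only") for name in sorted(leaking)]
    for r in records:
        if r["type"] in ("MX", "CNAME") and not r.get("proxied", False):
            target = r["content"].lower().rstrip(".")
            if target in leaking:
                findings.append((r["name"].lower(), f'{r["type"]} points to {target}'))
    return findings

# Constructed zone: the site itself is proxied, but mail shares the origin's IP.
ZONE = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "staging.example.com", "content": "198.51.100.7", "proxied": False},
]

if __name__ == "__main__":
    for name, reason in exposed_records(ZONE, "203.0.113.10"):
        print(f"{name}: {reason}")
```

Any finding means the record should move to a separate IP, as the answer above suggests, since a grey-cloud record resolves straight to the server.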
Conclusion
Cloudflare is far more than a DNS provider — when configured correctly for WordPress, it becomes a CDN, security platform, and performance layer that transforms your site’s speed and resilience. Three key takeaways:
- Always set SSL mode to Full (Strict) — never Flexible — to ensure genuine end-to-end encryption without redirect loop risks.
- Configure Cache Rules to bypass caching for logged-in users and the wp-admin area to avoid stale content issues in the WordPress backend.
- Enable the WordPress WAF managed ruleset and Bot Fight Mode on day one — these free protections block thousands of automated attacks daily with zero configuration overhead.
With Cloudflare properly configured, explore our complete WordPress optimization series to squeeze every last millisecond of performance from your stack. Questions about your specific Cloudflare setup? Ask in the comments below.
Last Updated: April 13, 2026








