Cloudflare is a reverse proxy and CDN that sits between your visitors and your WordPress server. Traffic passes through Cloudflare’s global network before reaching your host, giving you CDN-delivered static assets, DDoS protection, SSL termination, and basic caching on the free plan. This guide covers the complete setup from DNS configuration to WordPress-specific settings.
Step 1: Add Your Site to Cloudflare
Create a Cloudflare account at cloudflare.com. Click “Add a Site” and enter your domain. Cloudflare scans your existing DNS records automatically. Review the detected records carefully – all existing records (A, CNAME, MX, TXT) should be imported. Any missing record will break email, subdomains, or other services after you switch nameservers.
Cloudflare provides two nameservers (e.g., mark.ns.cloudflare.com and diana.ns.cloudflare.com). Log in to your domain registrar (GoDaddy, Namecheap, etc.) and replace the existing nameservers with Cloudflare’s nameservers. DNS propagation takes 1-24 hours. Cloudflare’s dashboard shows “Active” once propagation is complete.
Step 2: Configure SSL/TLS
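Go to SSL/TLS -> Overview. Set the encryption mode to Full (Strict). This requires a valid SSL certificate on your origin server, and Cloudflare validates that certificate on every connection. If your host does not provide SSL, use Full (not strict) temporarily, which encrypts traffic to the origin without validating its certificate – but get a certificate from your host (most provide free Let’s Encrypt certificates) and switch to Full (Strict). Never use Flexible mode on a WordPress site – Cloudflare then connects to your origin over plain HTTP, which creates redirect loops when WordPress forces HTTPS.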
In SSL/TLS -> Edge Certificates, enable “Always Use HTTPS” to redirect all HTTP traffic to HTTPS at the Cloudflare level.
Step 3: Configure Caching
Go to Caching -> Configuration. Set Browser Cache TTL to 1 year for static assets. Cloudflare’s default caches static files (images, CSS, JS) but does not cache WordPress HTML pages on the free plan – dynamic pages pass through to your server each time. For HTML caching on the free plan, you need to create a Page Rule.
Go to Rules -> Page Rules. Create a rule to cache HTML pages:
- URL pattern: yourdomain.com/*
- Setting: Cache Level -> Cache Everything
- Edge Cache TTL -> 2 hours
Important: also create a page rule to bypass cache for the WordPress admin and logged-in users:
- URL: yourdomain.com/wp-admin/* -> Bypass Cache
- URL: yourdomain.com/wp-login.php -> Bypass Cache
Step 4: Install the Cloudflare WordPress Plugin
Install the official Cloudflare plugin from WordPress.org. Connect it with your Cloudflare API token. The plugin provides: automatic cache purging when you publish or update posts (so visitors see fresh content immediately), one-click security setting adjustments, and Web Analytics integration. Without the plugin, you would need to manually purge the Cloudflare cache every time you publish new content.
Step 5: Fix the Visitor IP Problem
When traffic passes through Cloudflare, your server sees Cloudflare’s IP addresses instead of visitor IPs. This breaks IP-based plugins (spam protection, geolocation, analytics). Fix it by restoring the real visitor IP. Install the Cloudflare plugin and enable “Restore Visitor IP” in its settings. Alternatively, add this to your wp-config.php:
// Use the visitor address Cloudflare passes in the CF-Connecting-IP header
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
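The snippet above accepts CF-Connecting-IP from any client, so if the origin can be reached without going through Cloudflare, the sender chooses the address that IP-based plugins see. The following is an added example, not code from the original guide or from Cloudflare: it restores the visitor IP only when the connecting peer is inside Cloudflare's ranges. The function names and the EXAMPLE_CF_RANGES constant are hypothetical, and the range list is an excerpt that must be replaced with the current list from https://www.cloudflare.com/ips/.

```php
<?php
// Added example; not Cloudflare's or WordPress's own code.
// Excerpt of the ranges published at https://www.cloudflare.com/ips/ ;
// load the full, current list before relying on this.
const EXAMPLE_CF_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '104.16.0.0/13', '172.64.0.0/13',
    '162.158.0.0/15', '2400:cb00::/32', '2606:4700::/32',
];

// True if $ip lies inside $cidr. Works for IPv4 and IPv6.
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $fullBytes = intdiv((int) $bits, 8);
    if (strncmp($ipBin, $netBin, $fullBytes) !== 0) {
        return false; // whole-byte part of the prefix differs
    }
    $rem = (int) $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leftover high bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Replace REMOTE_ADDR only when the TCP peer is Cloudflare and the header
// holds a syntactically valid IP; otherwise leave REMOTE_ADDR untouched.
function example_restore_visitor_ip(array &$server): void
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if (filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return;
    }
    foreach (EXAMPLE_CF_RANGES as $cidr) {
        if (example_ip_in_cidr($peer, $cidr)) {
            $server['REMOTE_ADDR'] = $claimed;
            return;
        }
    }
}

example_restore_visitor_ip($_SERVER);
```

When pasting into wp-config.php, drop the opening `<?php` line, since the file already has one.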
Recommended Cloudflare Settings for WordPress
- Speed -> Optimization – enable Auto Minify (HTML, CSS, JS), Brotli compression
- Security -> Settings – Security Level: Medium (adjust if you see false positives blocking legitimate visitors)
- Network – enable HTTP/3, 0-RTT Connection Resumption
- Scrape Shield – enable Email Address Obfuscation to prevent email harvesting bots
Cloudflare Workers and Advanced Rules
Beyond the basic setup, Cloudflare Workers (available on paid plans) let you run JavaScript at the edge for advanced use cases: A/B testing at the CDN level, personalised content based on visitor location, custom request routing, and bot filtering logic more sophisticated than the built-in security rules. For most WordPress sites, the basic free plan with the settings above is sufficient. Workers become relevant when you need custom logic that your origin server would handle slowly due to geographic distance from visitors.
A practical use on the free plan: use Cloudflare’s Transform Rules to add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) at the edge rather than configuring them in WordPress. This adds the headers to every response without touching the server configuration.