
Setting Up Cloudflare for WordPress: The Right Configuration

Getting Cloudflare set up correctly for a WordPress site involves more than pointing your nameservers at it. The defaults are not tuned for WordPress, and a handful of wrong choices (the wrong SSL mode, caching that is too aggressive, a security level changed to make a symptom go away) cause most of the redirect-loop, stale-page and blocked-request problems covered in the companion troubleshooting post. Here is the configuration that works.

SSL/TLS Mode

Set this to Full (Strict) in the Cloudflare dashboard under SSL/TLS. This is non-negotiable for WordPress sites with HTTPS enabled, which should be all of them. Flexible terminates TLS at the edge and fetches from your origin over plain HTTP, so the edge-to-origin hop is unencrypted, and a WordPress install that enforces HTTPS keeps redirecting Cloudflare's HTTP requests back to HTTPS, producing a redirect loop. Full encrypts that hop but accepts any certificate on the origin, including self-signed or expired ones, so it does not protect against a man-in-the-middle between Cloudflare and your server. Full (Strict) requires a certificate on the origin that is valid for your hostname, not expired, and issued by a CA Cloudflare trusts (or a Cloudflare Origin CA certificate); your host's Let's Encrypt certificate satisfies this. Check it before flipping the switch: an invalid origin certificate under Full (Strict) turns every visit into Cloudflare's 526 error page.

Also enable Always Use HTTPS under SSL/TLS, then Edge Certificates. This answers plain HTTP requests with a redirect to HTTPS at the Cloudflare edge, so the request never reaches your server and there is nothing for a misconfigured origin redirect to fight with. HSTS lives in the same panel; only turn it on once Full (Strict) and Always Use HTTPS are confirmed working, because browsers remember it for the duration you set and you cannot take it back quickly.

Caching Configuration

In Caching, then Configuration, set Browser Cache TTL to 4 hours as a starting point. This controls how long browsers cache static assets from Cloudflare.

Under Caching, then Cache Rules (or the older Page Rules), create bypass rules for the dynamic WordPress pages below. These pages are rendered per user (admin screens, the logged-in toolbar, cart contents, account details); if the edge caches one of them, the next visitor can be served another user's page. The match type matters too: "contains /cart" is a substring match and will also catch a URL such as /cartography-guide/, so use a "starts with" or exact match where the rule builder offers it:

  • URI path contains /wp-admin — bypass cache
  • URI path contains /wp-login.php — bypass cache
  • Cookie contains wordpress_logged_in — bypass cache (this handles logged-in user sessions)
  • URI path contains /cart — bypass cache (WooCommerce)
  • URI path contains /checkout — bypass cache (WooCommerce)
  • URI path contains /my-account — bypass cache (WooCommerce)

Security Settings

Under Security, then Settings, set Security Level to Medium. High challenges a much larger share of legitimate visitors, and Essentially Off lets almost everything through; neither is the right choice for most WordPress sites. Medium challenges requests from IP addresses with a poor reputation score while leaving ordinary visitors alone.

Enable Bot Fight Mode under Security, then Bots. It challenges known bot traffic before it consumes your server resources and bandwidth, and verified crawlers such as Googlebot are exempt. It does, however, also challenge other automated clients that talk to your site, including payment gateway callbacks and webhooks, and on the free plan it cannot be skipped for individual paths or IPs with a custom rule. If a webhook starts failing after you enable it, look at Security, then Events before blaming the plugin.

Under Security, then WAF (Pro plan and above), deploy the Cloudflare Managed Ruleset; its rules are grouped by tag and include a WordPress set covering known core and plugin vulnerabilities. The WAF blocks exploit attempts at the edge before they reach PHP, but it does not replace updating WordPress and its plugins: anyone who reaches the origin directly bypasses it. After enabling it, watch Security, then Events for a few days for false positives on admin actions such as uploading plugins or saving posts with unusual content.

Speed Settings

Under Speed, then Optimization:

  • Enable Auto Minify for JavaScript, CSS, and HTML if your dashboard still offers it; Cloudflare has deprecated the feature and has been removing it, in which case minify at the origin with your caching plugin instead. It strips whitespace and comments without any further configuration.
  • Enable Brotli compression. More efficient than gzip.
  • Rocket Loader: Leave this OFF for most WordPress sites. Rocket Loader asynchronously loads JavaScript and frequently breaks WordPress functionality that depends on script execution order.

Installing the Cloudflare WordPress Plugin

Install the Cloudflare plugin from the WordPress plugin repository and connect it with an API token, not the Global API Key. The Global API Key is the equivalent of your account password: it grants full access to every zone, DNS record and setting in the account, and the plugin stores the credential on the WordPress side, so a compromised site (a vulnerable plugin, an exposed backup or database dump) would hand an attacker your whole Cloudflare account, DNS included. A token scoped to this one zone with Zone: Read and Cache Purge permissions limits the damage to purging that zone's cache. If you also use the plugin's settings toggles, such as the HTTPS rewrite option below, the token additionally needs Zone Settings: Edit, otherwise those toggles fail with a permissions error. Connecting the plugin enables automatic cache purging when you publish or update content.

Set Automatic HTTPS Rewrites to On in the plugin settings (it is the same toggle as SSL/TLS, then Edge Certificates in the dashboard). It rewrites http:// resource links to https:// in HTML at the edge for hosts Cloudflare knows support HTTPS, which clears most mixed content warnings. Treat it as a safety net rather than the fix: set the WordPress Address and Site Address to https:// and replace hard-coded http:// links in your content and theme, so the site is correct even when Cloudflare is bypassed or paused.
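To make the least-privilege point concrete, here is a small purge client, added as an example and not taken from the article or from the Cloudflare plugin. It authenticates with a Bearer token, verifies the token before using it, and purges by URL in batches of 30 (Cloudflare's per-request limit for purge by URL). It assumes CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID are set in the environment for a token scoped to one zone with Zone: Read and Cache Purge, and the URLs in the usage block are placeholders; nothing in wp-config.php or the database ever needs to hold the Global API Key.

```python
"""Purge Cloudflare's cache for specific URLs using a least-privilege API token.

Added example, not part of the original article or of the Cloudflare plugin.
Assumes CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID are set in the environment
and that the token was created for this one zone with Zone: Read and
Cache Purge only. The URLs in the usage block are placeholders.
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
MAX_URLS_PER_PURGE = 30  # Cloudflare's per-request limit for purge by URL


def batch_urls(urls: list[str]) -> list[list[str]]:
    """Split a URL list into batches the purge endpoint will accept."""
    return [urls[i:i + MAX_URLS_PER_PURGE] for i in range(0, len(urls), MAX_URLS_PER_PURGE)]


def purge_payload(urls: list[str]) -> dict:
    """Purge by URL rather than purge_everything, so publishing one post does not
    empty the whole edge cache and send every visitor to the origin at once."""
    if not urls or len(urls) > MAX_URLS_PER_PURGE:
        raise ValueError(f"purge 1 to {MAX_URLS_PER_PURGE} URLs per request")
    return {"files": urls}


def build_verify_request(token: str) -> urllib.request.Request:
    """GET /user/tokens/verify checks the token is active; it needs no zone permission."""
    return urllib.request.Request(
        f"{API_BASE}/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )


def build_purge_request(token: str, zone_id: str, urls: list[str]) -> urllib.request.Request:
    """POST /zones/{zone_id}/purge_cache. Bearer tokens need no X-Auth-Email header,
    which is an easy way to spot a script that is still using the Global API Key."""
    return urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/purge_cache",
        data=json.dumps(purge_payload(urls)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )


def send(req: urllib.request.Request) -> dict:
    """Send a request and return Cloudflare's JSON envelope, even on HTTP errors."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.load(exc)  # 4xx responses carry {"success": false, "errors": [...]}


if __name__ == "__main__":
    token = os.environ["CLOUDFLARE_API_TOKEN"]
    zone_id = os.environ["CLOUDFLARE_ZONE_ID"]
    verify = send(build_verify_request(token))
    if not verify.get("success"):
        raise SystemExit(f"token rejected: {verify.get('errors')}")
    changed = ["https://example.com/", "https://example.com/blog/"]  # placeholders
    for batch in batch_urls(changed):
        result = send(build_purge_request(token, zone_id, batch))
        print("purged" if result.get("success") else result.get("errors"))
```

If the verify call succeeds but the purge returns an authentication error, the token is active but was not scoped to this zone or lacks Cache Purge; fix the token rather than widening it to the whole account.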

What Not to Configure

Avoid enabling Rocket Loader, as mentioned above. Avoid Page Rules or Cache Rules that cache everything; they cache admin screens and WooCommerce pages and can serve one user's session to another. Avoid setting Security Level to Essentially Off to make a block go away; look up the blocked request under Security, then Events and adjust the rule that fired instead. Avoid Email Address Obfuscation if your site has email addresses in JavaScript strings that need to stay readable, because the rewrite can break that script.

For Cloudflare configurations on complex WordPress sites including multisite, API endpoints, and custom origin rules, a WordPress developer can set up and verify the full configuration.
