How to Install and Configure Cloudflare on Your WordPress Website

How to Install and Configure Cloudflare on Your WordPress Website

Adding Cloudflare to your WordPress website is one of the highest-leverage improvements you can make in terms of security, speed, and reliability — and the core service is free. Cloudflare sits between your visitors and your server, acting as a reverse proxy and Content Delivery Network (CDN) that filters malicious traffic, caches your static assets globally, and handles HTTPS termination at the edge. Once properly configured, most WordPress sites see a measurable improvement in load times and a significant reduction in server-level attacks.

However, Cloudflare is not a "set it and forget it" tool. The default settings that come with a new Cloudflare account are conservative and leave many of the best features disabled. This guide covers not just how to install the WordPress plugin, but also the most important settings you need to configure in the Cloudflare dashboard after connecting your site.

What is Cloudflare?

Cloudflare is a global network service that operates over 300 data centres in more than 100 countries. When you add a website to Cloudflare and point your domain's nameservers to Cloudflare's nameservers, all traffic to your domain passes through Cloudflare's network before reaching your origin server. This architecture gives Cloudflare the ability to inspect, filter, cache, and accelerate every request your site receives.

The WordPress plugin (available here) integrates your WordPress admin with your Cloudflare account, enabling features like automatic cache purging when you publish or update posts, and correct visitor IP logging so your server sees the real visitor IP instead of Cloudflare's IP. You need a Cloudflare account and your domain must be using Cloudflare's nameservers before the plugin will work.

How Cloudflare's CDN Works

A CDN stores cached copies of your static assets — images, CSS files, JavaScript files, fonts — on servers distributed globally. When a visitor in Germany loads your WordPress site hosted on a server in the US, instead of waiting for every asset to travel across the Atlantic, Cloudflare serves the cached copies from its Frankfurt data centre. The only request that goes back to your origin server is the HTML page itself (and only if it is not cached). This is why CDNs dramatically reduce Time to First Byte and overall load times for geographically distributed audiences.

Cloudflare also acts as a shield against DDoS attacks. Because all traffic passes through Cloudflare's network, volumetric attacks (floods of traffic designed to overwhelm your server) are absorbed and filtered by Cloudflare's infrastructure before the malicious traffic ever reaches your hosting provider. The free plan includes basic DDoS mitigation; the Pro plan and above offer more advanced protection.

Improve Page Load Time

The first 3 seconds of page load have the highest impact on your site's conversion rates, according to research by Google and Portent. Approximately 80% of customers say page speed affects their decision to purchase from a website. Cloudflare's CDN, combined with its edge caching and Brotli compression, can reduce your page load time significantly — particularly for visitors who are geographically distant from your hosting server.

Improve Search Engine Optimization

Google uses page speed as a ranking signal, and its Core Web Vitals metrics — including Largest Contentful Paint (LCP) and Cumulative Layout Shift (CLS) — directly influence your search rankings. By improving load times through CDN caching and compression, Cloudflare indirectly improves your SEO performance. Check out Cloudflare's guide on SEO improvements with Cloudflare for more specific recommendations.

Protection from DDoS Attacks

A DDoS (Distributed Denial of Service) attack floods your server with traffic, making your website unavailable to legitimate visitors and leading to lost revenue and reputational damage. With Cloudflare in front of your server, your origin IP address is hidden from attackers — they can only reach Cloudflare's edge nodes, which are built to handle massive traffic volumes. Combining Cloudflare with security plugins like Wordfence gives you defence in depth at both the network and application layers.


Install and Activate the Cloudflare WordPress Plugin

Before installing the plugin, ensure your domain is already using Cloudflare's nameservers. Log into your Cloudflare account, add your site, and follow the onboarding steps to update your nameservers at your domain registrar. Nameserver propagation can take up to 48 hours, though it often completes within a few hours. Once your domain shows as "Active" in the Cloudflare dashboard, you are ready to install the plugin.

  1. Log in to your WordPress admin dashboard and navigate to Plugins in the left-hand menu.

  2. Click Add New Plugin at the top of the Plugins page. In the search box on the right, type Cloudflare and press Enter.

  3. Find the official Cloudflare plugin (authored by Cloudflare, with millions of active installations) in the results and click Install Now. WordPress will download and unpack the plugin files automatically.

  4. Once the installation completes, click Activate. The plugin is now active but not yet connected to your Cloudflare account.

  5. Enable Auto-update on the plugin so it stays current. In the Plugins list, find Cloudflare and click Enable auto-updates in the right-hand column. Cloudflare releases security and compatibility updates regularly, so keeping the plugin current is important.

Connect the Plugin to Your Cloudflare Account

Navigate to Settings → Cloudflare in your WordPress admin. You will be prompted to sign in to your Cloudflare account. Enter your Cloudflare account email address and your Global API Key. To find your Global API Key: log in to the Cloudflare dashboard, go to My Profile → API Tokens → Global API Key → View. Copy the key and paste it into the plugin settings, then click Save API Credentials.

Once connected, the plugin will automatically detect the domain you are on and link it to the corresponding Cloudflare zone. You will now see options to apply Cloudflare's "Automatic Platform Optimisation" for WordPress, toggle development mode (which bypasses cache — useful when making theme changes), and purge the Cloudflare cache directly from your WordPress admin.


Important Cloudflare Settings to Configure After Installation

The Cloudflare dashboard (at dash.cloudflare.com) is where the most important configuration happens. After connecting your site, work through these settings systematically.

SSL/TLS Mode

This is the most critical setting to get right. Navigate to SSL/TLS → Overview in your Cloudflare dashboard. You will see four options:

  • Off: No encryption between the visitor and Cloudflare, and no encryption between Cloudflare and your server. Never use this.
  • Flexible: Encrypts traffic between the visitor and Cloudflare, but Cloudflare connects to your origin server over plain HTTP. This is the most common cause of infinite redirect loops on WordPress sites — if your WordPress is configured to redirect HTTP to HTTPS but Cloudflare sends plain HTTP to the server, you get an endless loop. Avoid this mode if your server has SSL installed.
  • Full: Encrypts traffic end-to-end, but Cloudflare does not validate your origin server's SSL certificate. Works with self-signed certificates.
  • Full (Strict): Encrypts traffic end-to-end AND validates your origin SSL certificate. This is the correct setting for production websites with a valid SSL certificate from Let's Encrypt or a commercial CA. Set this mode for the highest security.

If your hosting provider has a valid SSL certificate installed on your server (most modern hosts, including SiteGround, WP Engine, and AWS with ACM, do), set your SSL mode to Full (Strict).

Always Use HTTPS

Go to SSL/TLS → Edge Certificates and enable Always Use HTTPS. This tells Cloudflare to redirect any HTTP request to HTTPS at the edge before it reaches your server, ensuring all visitors use encrypted connections. Also enable HTTP Strict Transport Security (HSTS) if you are confident your site will always run over HTTPS — this tells browsers to never attempt HTTP connections to your domain, preventing downgrade attacks.

Auto Minify

Go to Speed → Optimization → Content Optimization and enable Auto Minify for HTML, CSS, and JavaScript. Cloudflare will strip whitespace and comments from these files at the edge before delivering them to visitors, reducing file size without any changes to your server. This is a quick win that requires no plugin or build tool changes on your end.

Brotli Compression

On the same Speed → Optimization page, ensure Brotli is enabled. Brotli is a modern compression algorithm that achieves 15–25% better compression than Gzip for HTML, CSS, and JavaScript files, reducing the bytes that need to be transferred to visitors' browsers. All modern browsers support it, and Cloudflare enables it at the edge transparently.

Caching Level and Browser Cache TTL

Go to Caching → Configuration. Set Caching Level to Standard — this caches static assets based on file extension. Set Browser Cache TTL to 4 hours as a good starting point for most WordPress sites. This tells Cloudflare to instruct browsers to cache assets locally for 4 hours before revalidating with Cloudflare's edge. Note that Cloudflare's own edge cache TTL is controlled separately via Cache-Control headers from your server or via Page Rules.

Rocket Loader

Rocket Loader, found under Speed → Optimization, asynchronously loads JavaScript to improve page paint times. It can be very effective for simple sites, potentially improving LCP and TTI significantly. However, it can break JavaScript-heavy plugins — particularly WooCommerce checkout flows, some contact form plugins, and custom sliders that rely on specific JavaScript execution order. Enable it, test your site thoroughly (especially checkout and form pages), and disable it if anything breaks. When it works, it is one of Cloudflare's most impactful performance features.


Cloudflare Firewall Rules for WordPress

Cloudflare's WAF (Web Application Firewall) is one of its most powerful features. Navigate to Security → WAF → Firewall Rules (or Custom Rules on newer dashboard layouts) to create rules. Here are the three most important rules for any WordPress site:

Block XML-RPC Attacks

WordPress's xmlrpc.php file is a frequent target for brute-force and DDoS amplification attacks. Unless you specifically need XML-RPC for Jetpack or a mobile app, block all access to it. Create a firewall rule with the expression:

(http.request.uri.path contains "/xmlrpc.php")

Set the action to Block. This stops XML-RPC attacks at Cloudflare's edge before they reach your server, eliminating the server load these attacks generate.

Challenge Suspicious Traffic from High-Risk Countries

If your website's target audience is in specific regions, you can add a Managed Challenge for traffic originating from countries that are consistently high sources of attack traffic. Create a rule using ip.geoip.country with the country codes you want to challenge, and set the action to Managed Challenge (which presents a CAPTCHA to suspicious visitors rather than blocking them outright). Be careful with this — block only countries from which you receive zero legitimate visitors.

Protect wp-admin with IP Allowlisting

Create a firewall rule that allows access to /wp-admin only from your office or home IP address. The expression would be:

(http.request.uri.path contains "/wp-admin") and not (ip.src eq YOUR.IP.ADDRESS.HERE)

Set the action to Block. This means even if an attacker obtains a valid WordPress admin password, they cannot access the admin panel unless they are connecting from your whitelisted IP. If you have a dynamic IP address, use Managed Challenge instead of Block so you can complete a CAPTCHA when connecting from a new IP.


Setting Up Cloudflare Page Rules

Page Rules let you apply specific Cloudflare settings to individual URL patterns. Navigate to Rules → Page Rules. The free plan allows up to 3 Page Rules — use them wisely.

Bypass Cache for wp-admin

Create a Page Rule matching the URL pattern yourdomain.com/wp-admin/* with the setting Cache Level: Bypass. This ensures that admin pages are never served from Cloudflare's cache, which would prevent the WordPress admin from functioning correctly (cached admin pages would show stale data and forms would not work). Without this rule, your WordPress admin could behave unpredictably.

Cache Static Pages

For largely static marketing pages, you can use a Page Rule to cache the entire HTML response at Cloudflare's edge, not just static assets. Match the URL pattern yourdomain.com/* with Cache Level: Cache Everything and an Edge Cache TTL of 4 hours. Important: make sure the wp-admin bypass rule above has higher priority (lower number) than this rule, so admin pages are not cached. Also exclude any page that shows user-specific content (shopping carts, account pages, logged-in user data) from this rule, as it would serve one user's content to another user.

Cloudflare Analytics — What to Monitor

Navigate to Analytics & Logs in your Cloudflare dashboard to access traffic insights. The key metrics to monitor are:

  • Requests: Total requests vs cached requests. A high cache hit rate (over 80%) means Cloudflare is effectively serving your static content and reducing load on your origin server.
  • Bandwidth: How much data Cloudflare is serving vs how much your origin is serving. A large difference in favour of Cloudflare means you are saving significantly on server bandwidth costs.
  • Threats: The Security Analytics view shows blocked requests by rule, blocked countries, and attack types. Review this weekly to understand the threat landscape your site faces and tune your firewall rules accordingly.
  • Performance: The performance tab shows request timing distributions. Monitor your origin response time — if it is consistently above 500ms, the issue is on your server, not Cloudflare.

Common Issues After Adding Cloudflare to WordPress

Infinite Redirect Loops

This is the most common problem WordPress site owners encounter after adding Cloudflare. The symptom is an "ERR_TOO_MANY_REDIRECTS" error in the browser. The cause is almost always having Cloudflare's SSL mode set to Flexible while your WordPress site has a redirect rule that sends HTTP traffic to HTTPS. Cloudflare sends HTTP to your server; your server redirects to HTTPS; Cloudflare receives the HTTPS response and sends another HTTP request to your server — and the loop continues indefinitely.

The fix is simple: go to SSL/TLS → Overview in your Cloudflare dashboard and change the SSL mode from Flexible to Full or Full (Strict). If your server has a valid SSL certificate, use Full (Strict). The redirect loop will resolve immediately — no caching to clear.

Images Not Loading After Connecting Cloudflare

If images appear broken after adding Cloudflare, Cloudflare has likely cached an old version of the asset or a 404 response for a resource that has since been uploaded or moved. The fix is to purge the Cloudflare cache. You can do this from your WordPress admin via the Cloudflare plugin (Settings → Cloudflare → Purge Cache), or from the Cloudflare dashboard (Caching → Configuration → Purge Everything). After purging, reload your site in an incognito window to see the current state without browser cache interference.

Contact Forms Not Working — Real IP Header Issue

Many contact form plugins and security plugins (like Wordfence) log the IP address of form submissions for spam prevention. When Cloudflare is in front of your site, your server sees all requests as coming from Cloudflare's IP addresses rather than the real visitor's IP. This can trigger spam filters or cause rate limiting to incorrectly block legitimate visitors.

The Cloudflare WordPress plugin automatically adds support for the CF-Connecting-IP header, which contains the real visitor IP. However, you may also need to configure your web server to restore the real IP. For Apache, install and configure mod_remoteip; for Nginx, use the ngx_http_realip_module to restore the real IP from the CF-Connecting-IP header. Cloudflare publishes its current IP ranges at cloudflare.com/ips — add these to your trusted proxies configuration.

Final Thoughts

Cloudflare is one of the most impactful tools you can add to a WordPress website, but its value comes from proper configuration — not just installation. Work through the settings in this guide methodically: get SSL mode right first (this prevents the most common issues), then enable caching and performance features, then add firewall rules for security. Test your site thoroughly after each change, particularly checkout flows, contact forms, and any dynamic functionality.

With the free plan fully configured, you will have a WordPress site that loads faster for international visitors, is protected against common attacks at the network level, and has SSL properly enforced end-to-end. When you are ready to explore further, Cloudflare's Pro plan adds the full WAF ruleset, advanced bot protection, and image optimisation features that can push your performance even further.

Get in Touch

You need more information? Email me at [email protected]