The Ideal Cloudflare Settings For WordPress: How To Configure Every Single Cloudflare Tab To Optimize Your Speed And Security

This tutorial walks you through every single setting in Cloudflare.

It’s specifically written for WordPress to make your site faster and more secure.

It starts with adding your website, changing nameservers, and setting up basic Cloudflare settings. Then it walks you through the tabs (from Overview to Scrape Shield), followed by additional tips like whitelisting Cloudflare’s IPs in your hosting account, why you don’t need the Cloudflare WordPress plugin, and how to set up multiple CDNs to make your site even faster (more data centers = faster website). I use both Cloudflare’s CDN and StackPath’s CDN.


If you’ve already added your website to Cloudflare and changed nameservers, and want to go straight into the Cloudflare settings, you can jump to the Overview tab.


Add Your Website

Sign up for Cloudflare then add your website:

Add website – cloudflare

Once Cloudflare is done scanning, click next:


The free plan comes with their CDN, page rules, and many Cloudflare settings that improve speed/security. Start with the free plan, read this tutorial, then decide if you want to upgrade.


You will eventually come to this dashboard where Cloudflare assigns you 2 nameservers:

Cloudflare nameservers

Login to your hosting account, find your nameservers, and change them to Cloudflare’s. If you can’t find them, Google “how to change nameservers on SiteGround” (or whoever your host is).


Some hosting companies like SiteGround (the host I use and highly recommend, as they were rated #1 in 10 different Facebook polls) have an option to activate Cloudflare in their cPanel:


Nice! Just by doing that, your WordPress site is being hosted on their 154+ data centers (they add new ones frequently) and you have Cloudflare’s default settings set up (which we’ll tweak).



Setup Cloudflare With Your Cache Plugin

WP Rocket, WP Fastest Cache, W3 Total Cache, Swift Performance, and other cache plugins allow you to integrate Cloudflare in their settings. You will usually grab your Global API Key (found in your Cloudflare profile) and enter it into your cache plugin’s Cloudflare settings.

Cloudflare global api key

WP Rocket:


WP Fastest Cache:



W3 Total Cache:


Swift Performance:


Setting up Cloudflare using your cache plugin is not the same thing as changing nameservers (you still need to do that). But it ensures better compatibility between the two, since some functionalities overlap. If minify and gzip are enabled in one, they should be disabled in the other.

Cache Plugin Tutorials
If you would like to see how your cache plugin integrates with Cloudflare (and learn how to configure the cache plugin’s ideal settings) I wrote tutorials on the most popular cache plugins:


Basic Cloudflare Settings For WordPress

  • Configure SSL – the Crypto settings have options to order a free Universal SSL, force HTTP to HTTPS, set SSL encryption level, and protect your SSL website using HSTS.
  • Create Firewall Rules – protect your WordPress Admin, plugins, and other sensitive areas of your website by creating parameters that stop hackers from accessing them.
  • Create Page Rules – optimize specific URLs for performance and security (set these up based on your website’s needs). Some examples include: forcing high security in your WordPress admin area, decreasing bandwidth consumption by controlling Cloudflare’s cache refresh rate, and bypassing cache (for WordPress admin, eCommerce pages, staging websites, and dynamic content). You can create up to 3 page rules for free.
  • Configure The Speed Tab – minify HTML/CSS/JavaScript, optimize images, speed up dynamic content with Railgun, improve AMP speed using Accelerated Mobile links, enable Brotli (similar to gzip), and asynchronously load JavaScript with Rocket Loader.
  • Enable Hotlink Protection – prevents people from copying images from your site and pasting them onto theirs, which consumes bandwidth (found in Scrape Shield settings).
  • Rate Limiting (Paid Feature) – prevents spammy crawlers from hitting your site too much, which consumes bandwidth (a very common problem). Check your hosting account for a tool like AWstats to identify if this is happening to you. Wordfence does rate limiting for free, while Cloudflare charges for it. This is in the Firewall settings.
  • Multiple CDNs – more data centers = faster website (StackPath, KeyCDN, and other CDNs generate CDN URLs you can copy/paste into your cache plugin, or CDN Enabler).


1. Overview

The Overview tab has quick links to some of the most common Cloudflare settings, but their recommended first steps (and the important settings I marked in this guide) are what you really should look at.

Security – Cloudflare protects your website with SSL settings, firewall, Access, challenge passages, email obfuscation, and also improves uptimes using other settings in Cloudflare.

Performance – Cloudflare speeds up your WordPress site through caching, minifying files, CDN, Brotli (similar to gzip compression), Railgun, Rocket Loader, hotlink protection, image optimization, accelerated mobile links, Argo (in traffic tab) and everything in the speed tab.

IP Settings – Cloudflare helps collect visitor location data using IP Geolocation (in network tab) which can be used to block specific countries, spammy crawlers/bots, and other IP addresses from your website. You should whitelist Cloudflare’s IP addresses in your hosting account.


2. Analytics

Cloudflare analytics

Common Questions

  • Why isn’t Cloudflare caching everything? By default, Cloudflare only caches specific static content not including HTML. If you would like to cache everything, create a page rule, add* as the URL, then set the cache level to everything. Your cache plugin (and another CDN if you’re using one) may also be caching content.
  • What attacks is Cloudflare blocking? Cloudflare blocks a variety of attacks including content scraping, fraudulent checkouts, and account takeovers. Spammy bots often excessively crawl websites and cause high CPU consumption, and since hosting companies use CPU throttling, the bots may be sucking up your CPU limits which results in a slower website, or even your host shutting down your website temporarily. Cloudflare’s firewall tab and rate limiting (Wordfence does rate limiting for free) help.


3. DNS

If you want specific services/traffic routed through Cloudflare, add them here. Cloudflare automatically populates the DNS. When an arrow is going through the orange cloud, that service’s traffic is routed through Cloudflare. If it’s going around, it’s bypassing Cloudflare.

Cloudflare dns settings

I use SiteGround (a Cloudflare partner that I highly recommend, as they were rated the #1 host in 10 Facebook polls taken by multiple WordPress-related groups), so I manage my DNS in SiteGround’s cPanel. Otherwise you will see a DNS dashboard like the one shown below…

Cloudflare dns

Verification TXT Record For CNAME Setup – add a TXT record to verify your CNAME.

CNAME Flattening – allows a CNAME record to be created for the root domain without violating DNS specifications. This speeds up DNS resolution on CNAMEs by up to 30%.


4. Crypto

Manage your SSL and cryptography settings:

Cloudflare crypto settings

SSL – controls when SSL will be used. If using SSL, Full (Strict) is recommended.

  • Off – SSL will not be used.
  • Flexible – use if you can’t configure HTTPS on your origin. Visitors can access your site over HTTPS, but connections from Cloudflare to your origin are made over HTTP. Generally you should avoid this as it may cause redirect loops, but if you must, try using the Cloudflare Flexible SSL plugin.
  • Full – only use if the certificate does not match your domain or is self-signed. Cloudflare will use HTTPS, but will not validate the certificate.
  • Full (Strict) – Cloudflare will use HTTPS and verify the certificate on each request. You should only make this change if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates.

Edge Certificates – manage your SSL certificates.

  • Universal SSL (Shared) – free SSL provided by Cloudflare which you will share with 50 other Cloudflare customers, with common name (eg.
  • Dedicated SSL Certificate – $5/month SSL dedicated only to your domain with common name (eg., automatically renewed by Cloudflare.
  • Dedicated SSL Certificate With Custom Hostnames – $10/month, same thing as previous plan only protects up to 50 more hostnames or wildcards of your choosing.
  • Upload Custom SSL Certificate – $200/month if you’d like to use your own SSL and comes with DDOS protection, Railgun optimization, and 100% guaranteed uptimes.

Custom Hostnames (Enterprise Feature) – if you have a dedicated SSL with custom hostnames, you can enter their CNAMEs here.

Origin Certificates – these are free TLS Certificates (Transport Layer Security) but the Universal SSL should be fine for 99.99% of websites. TLS is an “improved” version of SSL but basically, it does the same thing – makes your site secure and serves your assets from HTTPS. Cloudflare Origin Certificates are only trusted by Cloudflare and should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin Certificate will show an untrusted certificate error.

Always Use HTTPS – redirect all HTTP requests to HTTPS using a 301 redirect.

HTTP Strict Transport Security (HSTS) – ensures HTTP links become HTTPS links. Protects website from downgrade attacks, SSL stripping, and cookie hijacking. Server will make sure browsers only connect using HTTPS, and that users do not bypass critical security warnings.

Authenticated Origin Pulls – verifies requests to your origin server came from Cloudflare using a TLS client certificate, preventing users from bypassing firewalls and other security.

Minimum TLS Version – sets the minimum SSL/TLS version visitors can use to connect to your website. The default TLS 1.0 is fine.

Opportunistic Encryption – for websites that haven’t added HTTPS but want the improved speed of HTTP/2 by letting browsers know your site supports an encrypted connection. This adds an additional layer of security, but will not give you the green padlock in your browser. It will slightly improve speed/security for non-HTTPS sites, but moving to HTTPS is the best solution.

Onion Routing – lets users on the Tor Network keep their privacy when browsing your site. Tor is a network dedicated to defending against traffic analysis and other network surveillance.

TLS 1.3 – enables the latest version of TLS/SSL and will show the green padlock in browsers.

Automatic HTTPS Rewrites – if your site connects to HTTPS and the lock icon is not present in Google Chrome, or has a yellow warning triangle, your site may still contain links/references to HTTP. This helps fix mixed content by ensuring HTTPS is used for all resources on your site.

Disable Universal SSL – if you have a universal SSL from Cloudflare, this disables it, and users won’t be able to access your site using HTTPS if there are no dedicated or custom certificates.


5. Firewall

Set up firewall rules (to protect WordPress admin + plugins folder), rate limiting (to prevent spam bots from hitting your site too much and consuming CPU), and other features that can improve security and save bandwidth. Create up to 5 free firewall rules. I have 2 I recommend.

Cloudflare firewall settings

Cloudflare web application firewall settings

Firewall Rules – lets you block, challenge, or allow requests based on: countries, IP addresses, bots, URLs, set custom threat scores, and more. See firewall rule examples here or this tutorial.

Example 1: Protect Insecure Plugins – insecure plugins are a common way hackers breach WordPress sites. Not installing them is safer, but this will block access to your plugins folder.

  • URL path + contains + /wp-content/plugins
  • Refer + does not contain +

Cloudflare firewall insecure wordpress plugins

Example 2: Protect The WP Admin – only allows users in your country to access the WP Admin login page. Good if you have team members (in your country) who also need access.

  • Field: URL path + contains + /wp-admin
  • Country + does not equal + United States
  • Action: Block

Cloudflare wp admin firewall rule
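Before enabling the two rules above, it helps to check which requests they actually match. The following is an added example, not part of the original tutorial or Cloudflare's code: a small Python model of both rules run over constructed requests. The domain `example.com`, the plugin folder `forms` and every sample request are assumptions made for illustration.

```python
from dataclasses import dataclass

SITE = "example.com"  # assumption: placeholder for your own domain


@dataclass
class Request:
    path: str
    country: str       # two-letter country code Cloudflare attaches to the request
    referer: str = ""  # Referer header as sent by the browser, may be empty


def plugins_rule(req: Request) -> bool:
    # Example 1: URL path contains /wp-content/plugins
    #            AND Referer does not contain <your domain>
    # Expression editor form:
    #   http.request.uri.path contains "/wp-content/plugins"
    #   and not http.referer contains "example.com"
    return "/wp-content/plugins" in req.path and SITE not in req.referer


def admin_rule(req: Request, home_country: str = "US") -> bool:
    # Example 2: URL path contains /wp-admin AND Country does not equal United States
    #   http.request.uri.path contains "/wp-admin" and ip.geoip.country ne "US"
    return "/wp-admin" in req.path and req.country != home_country


def action(req: Request) -> str:
    """Both rules use the Block action; anything they do not match is allowed."""
    return "block" if plugins_rule(req) or admin_rule(req) else "allow"


# Constructed sample requests: (what the request represents, the request)
SAMPLES = [
    ("dashboard opened from Germany",
     Request("/wp-admin/", "DE")),
    ("dashboard opened from the US",
     Request("/wp-admin/", "US")),
    ("login form requested from Germany (path is not under /wp-admin)",
     Request("/wp-login.php", "DE")),
    ("front-end AJAX call made for a shopper in Germany",
     Request("/wp-admin/admin-ajax.php", "DE", "https://example.com/shop/")),
    ("plugin stylesheet loaded by a page on the site",
     Request("/wp-content/plugins/forms/style.css", "US", "https://example.com/contact/")),
    ("plugin file requested directly, no Referer",
     Request("/wp-content/plugins/forms/readme.txt", "US")),
    ("plugin stylesheet, browser set to send no Referer",
     Request("/wp-content/plugins/forms/style.css", "US")),
]


def report():
    """Return (label, action) for every constructed sample."""
    return [(label, action(req)) for label, req in SAMPLES]


if __name__ == "__main__":
    for label, result in report():
        print(f"{result:5}  {label}")
```

Three rows deserve attention: `/wp-login.php` is not covered by a rule that only matches `/wp-admin`, front-end calls to `/wp-admin/admin-ajax.php` from visitors outside the allowed country are blocked, and legitimate visitors whose browser sends no Referer lose plugin assets. Adjust the rule (add the login path, exclude `admin-ajax.php`) and watch the Firewall Event Log after enabling it.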

Rate Limiting – mainly used to block fake Google crawlers and spammy bots that hit your site too much and consume CPU. Cloudflare offers this as a pay-per-usage service, but Wordfence does it for free in their rate limiting options. Careful – you don’t want to block legitimate users!


Security Level – Cloudflare’s algorithm assigns IP addresses a threat score from 0 to 100.

  • High – scores greater than 0
  • Medium – scores greater than 14
  • Low – scores greater than 24
  • Essentially off – scores greater than 49
  • I’m Under Attack! – should only be used when your site is under a DDoS attack. This adds an extra layer of protection by analyzing traffic to confirm legitimate human visitors. Each visitor sees an interstitial page for about 5 seconds while being analyzed.

Challenge Passage – when a visitor has a bad reputation with Cloudflare, they will need to complete a challenge. This setting is the time after which a completed challenge expires and a new challenge is issued.

Privacy Pass Support – prevent users with a poor Cloudflare reputation from having to constantly fill out CAPTCHAs.

IP Firewall

  • IP Access Rules – whitelist, block, or challenge specific IP addresses (whitelist yours!).
  • User Agent Blocking – mainly used if you are under attack from a specific User-Agent.
  • Unmetered DDOS Mitigation – if you are under Distributed Denial of Service (DDoS) attack, Cloudflare will attempt to deny it no matter the size or duration. As Cloudflare stated, other companies bill heavily for this using surge pricing. But Cloudflare doesn’t.
  • Firewall Event Log – shows firewall events that have been triggered.

Cloudflare firewall event

Web Application Firewall

  • Web Application Firewall – Pro feature, but one of the best ways to improve security by protecting against SQL injection attacks, cross-site scripting, and cross-site request forgery. This uses Cloudflare’s built-in ruleset and automatic WAF updates based on Cloudflare’s intelligence (as you know, attacks move fast and before you know it, 40,000 websites have already been affected by the time you hear the news).
  • Browser Integrity Check – looks for requests with HTTP headers commonly used by spammers, bots, and crawlers, and presents a block page if determined to be a threat.


6. Access

Controls access to your websites by applying an authorization process you configure when users make requests to your origin server. Members will use social and enterprise identity providers (IdP) as their credentials and can access sensitive materials for a given time of your choice. Pricing is free for the first 5 seats, then $3-5/month for Access Basic or Premium.

Cloudflare access settings


7. Speed

Speed up your WordPress site using minification, image optimization (Polish + Mirage), Railgun, Rocket Loader, Brotli (similar to gzip compression), and other performance features.

Cloudflare speed settings

Auto Minify – minifying HTML, CSS, and JavaScript are high priority items in GTmetrix. Cache plugins usually take care of this, but you can use Cloudflare too. If you see visible errors after enabling these, it’s probably caused by minifying CSS or JavaScript. WP Rocket and most cache plugins have options to exclude problematic files that are causing errors, if they exist.

Polish (Pro Feature) – strips EXIF data and compresses images.

Railgun™ – speeds up dynamic content for visitors who are far away from the origin server.

Cloudflare railgun test

Enable Accelerated Mobile Links – enable if you’re using a plugin for AMP. This allows users to open external AMP links from your website in AMP format.

Brotli – similar to gzip compression, only believed to be even faster.

Mirage (Pro Feature) – reduces image requests, lazy loads images, and improves image load times on mobile devices with slow network connections. Here are more details on Mirage…

  • Resizes images based on a visitor’s device/connection. A visitor on a poor connection will get a smaller version (lower resolution) until they are back on a higher bandwidth.
  • Reduces amount of requests – instead of sending multiple requests for all images on the website, Mirage pulls this into one request so visitors can see images immediately.
  • Lazy loads images (only loads them once users scroll down and actually see the image).

Rocket Loader™ – asynchronously loads JavaScript, including third party scripts.

Mobile Redirect – redirects mobile visitors to mobile site (you must have a custom domain).

Prefetching URLs From HTTP Headers (Enterprise Feature) – cached objects are served as 1 request, instead of multiple requests.


8. Caching

Control caching levels and how Cloudflare caches your website.

Cloudflare caching settings

Purge Cache – clears Cloudflare’s cache.

Caching Level – set how much static content Cloudflare will cache.

  • No Query String – only delivers cached files when there is no query string.
  • Ignore Query String – delivers same resource to everyone regardless of query string.
  • Standard – delivers different resource each time the query string changes.

Browser Cache Expiration – sets time a visitor’s cache will expire after visiting the page (also known as add expires headers in GTmetrix).

Always Online™ – Cloudflare will attempt to show a cached version of your website if your server goes down.

Development Mode – lets you see changes on your website in real time without worrying about seeing a cached version.

Enable Query String Sort – increases cache hit rates by enabling query strings to be sorted before they hit Cloudflare’s cache.


9. Workers

Workers is a JavaScript execution environment that allows developers to augment existing applications or create new ones without configuring or maintaining infrastructure. Pricing is $5/month + usage (first 10 million Worker-powered requests are free, then $.50 per million requests). Workers can be configured to run on specific pages, subdomains, etc.



10. Page Rules

Page Rules let you optimize specific URLs for performance and security. I suggest looking over their Page Rules video tutorials especially the ones on optimizing WordPress, speed, security, and maximizing bandwidth savings. You should also familiarize yourself with common terms.


Common Page Rules

  • Always Online – keeps a limited version of your site online if your server goes down. Can be used for your most important pages (eg. terms of service, privacy policy, etc).
  • Browser Integrity Check – attempts to deny spammers from accessing your website (located in the Firewall tab). While you probably want this turned on, the most common page rule for it is disabling it for your API.
  • Browser Cache TTL – time Cloudflare instructs a visitor’s browser to cache a resource. You can increase this for pages that aren’t updated frequently to save on bandwidth.
  • Disable Performance – turns off auto minify, Rocket Loader, Mirage, and Polish. These are great to speed up pages, but you can disable these for your WordPress admin.
  • Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to origin server for a fresh copy. You can increase this for pages not updated frequently.
  • Email Obfuscation – prevents spam by hiding your email address to bots, while remaining visible to visitors (only applies if you list your email on your website). Enabling this on the contact page (and other pages showing your email) prevents spam.
  • Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
  • Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
  • Asterisk (*) – used in page rule URLs to match parameters. For example, if I used* as my URL, then I set the security level to high (first example below), then all URLs with /wp-admin/ in them would have high security.

Cloudflare says

“We recommend that you create a Page Rule to exclude the admin section of your website from Cloudflare’s performance features. Features such as Rocket Loader and Auto Minification may inadvertently break backend functions in your admin section.”

Protect And Optimize WordPress Admin + Login Pages – browser integrity check and high security will protect your WordPress admin area. You should usually not cache it, and disable performance features (which should only be turned on to speed up the front end of your site).

Wp admin page rule

Decrease Bandwidth Of WP Uploads Area – since items in your WordPress uploads file do not change frequently, you don’t have to cache them as much, which will save you bandwidth.


Don’t Cache Dynamic Content – most WordPress sites are static, but if you have dynamic content that changes based on user behavior, add the URL you serve dynamic content from.

Bypass ajax cloudflare page rule

Don’t Cache Staging Websites – if you’re testing new designs, plugins, or other changes on your website, you want to see those changes in real-time, and so you should not cache them.

Bypass staging cache cloudflare page rule

Don’t Cache eCommerce Cart, Checkout, Account Pages – some hosts like WP Engine already bypass caching for eCommerce pages, others do not. In this case you want to bypass cache for your cart, checkout, and account pages, as well as other similar pages. Cloudflare also has their own tutorial on caching dynamic elements and other best eCommerce practices.

Bypass cart page cloudflare page rule

Bypass add to cart cache cloudflare page rule

Bypass checkout page cloudflare page rule

Bypass account page cache cloudflare page rule

Don’t Cache WooCommerce Pages – WooCommerce uses 3 sets of cookies which you’ll want to bypass from your cache:

  • woocommerce_cart_hash
  • woocommerce_items_in_cart
  • wp_woocommerce_session_

Bypass woocommerce cart hash cloudflare page rule

Bypass woocommerce cloudflare page rule

Bypass woocommerce session cloudflare page rule
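The page rules above only protect logged-in and shopping sessions if the bypass rules sit above any "cache everything" rule, because only the first matching rule applies to a URL. The following is an added example, not code from the original tutorial or from Cloudflare: a Python model of `*` matching, rule priority and the WooCommerce cookie bypass. The `example.com` patterns, the setting names and the sample cookie are assumptions made for illustration.

```python
import re

# The three WooCommerce cookies listed above. The session cookie name carries
# a suffix, so all three are matched as prefixes.
WOO_COOKIE_PREFIXES = (
    "woocommerce_cart_hash",
    "woocommerce_items_in_cart",
    "wp_woocommerce_session_",
)


def matches(pattern: str, url: str) -> bool:
    """Page-rule style match: '*' stands for any run of characters."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, url) is not None


def winning_rule(rules, url):
    """Rules are listed in priority order; only the first match applies."""
    for pattern, settings in rules:
        if matches(pattern, url):
            return pattern, settings
    return None, {}


def cookie_names(cookie_header: str):
    return [part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()]


def cache_decision(rules, url, cookie_header=""):
    """Return 'bypass', 'cache-html' or 'static-only' for one request."""
    _, settings = winning_rule(rules, url)
    level = settings.get("cache_level", "standard")
    if level == "bypass":
        return "bypass"
    if level == "cache_everything":
        prefixes = settings.get("bypass_on_cookie", ())  # hypothetical setting name
        if any(name.startswith(p) for name in cookie_names(cookie_header) for p in prefixes):
            return "bypass"
        return "cache-html"  # HTML is stored and served to every visitor
    return "static-only"     # default behaviour: HTML is not cached


BYPASS = {"cache_level": "bypass"}
SPECIFIC = [
    ("example.com/wp-admin*", BYPASS),
    ("example.com/cart*", BYPASS),
    ("example.com/checkout*", BYPASS),
    ("example.com/my-account*", BYPASS),
]
CATCH_ALL = ("example.com/*", {"cache_level": "cache_everything",
                               "bypass_on_cookie": WOO_COOKIE_PREFIXES})
CATCH_ALL_NO_COOKIES = ("example.com/*", {"cache_level": "cache_everything"})

GOOD_ORDER = SPECIFIC + [CATCH_ALL]   # bypass rules first, catch-all last
BAD_ORDER = [CATCH_ALL] + SPECIFIC    # catch-all shadows every rule below it

# Constructed cookie header of a visitor with an item in the cart
SHOPPER = "wp_woocommerce_session_abc123=1; woocommerce_items_in_cart=1"


def demo():
    return {
        "admin, good order": cache_decision(GOOD_ORDER, "example.com/wp-admin/index.php"),
        "admin, bad order": cache_decision(BAD_ORDER, "example.com/wp-admin/index.php"),
        "home with cart cookie": cache_decision(GOOD_ORDER, "example.com/", SHOPPER),
        "home with cart cookie, no cookie bypass":
            cache_decision(SPECIFIC + [CATCH_ALL_NO_COOKIES], "example.com/", SHOPPER),
        "blog post, anonymous": cache_decision(GOOD_ORDER, "example.com/blog/post/"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result:11}  {case}")
```

The two `cache-html` results for the admin page and for the shopper's home page are the misconfigurations to avoid: a page rendered for one session would be stored and handed to other visitors.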

Stop Bots From Collecting Your Email – enable email obfuscation on pages that show your email address to prevent spam (eg. your contact page). You can turn the global setting on in your Cloudflare Scrape Shield settings, but this is only needed for pages that show your email.

Email obfuscation cloudflare page rule

Make Important Pages Always Online – in case your server goes down or something else happens to your website, and you want to make sure visitors can at least see your most important pages (eg. privacy and about page), create a page rule to make them Always Online.

Terms of service cloudflare page rule

Always Use SSL – if you enable Always Use HTTPS in the Crypto settings, you don’t need this.

Enforce https cloudflare page rule


11. Network

Cloudflare network settings

HTTP/2 – most hosts support HTTP/2 (test your site here). HTTP/2 requires an SSL certificate.

QUIC (Beta) – quick UDP internet connections speeds up HTTP traffic and improves security.

IPv6 Compatibility – the most recent version of Internet Protocol. The internet runs low on IPv4 address space, so this was developed so billions of devices can interact on a global scale.

WebSockets – mostly used for real-time applications like live chat and gaming. They create open connections between the visitors and origin server, so they can communicate faster.

Pseudo IPv4 – an IPv6 to IPv4 translation service (Cloudflare recommends disabling this since this was designated as experimental and you would not normally see this kind of traffic).

IP Geolocation – locates each user’s country so you can see them in Cloudflare’s analytics.

Maximum Upload Size – if you let visitors upload files to your site, this is the MAX upload size.

Response Buffering (Enterprise Feature) – if users are able to download files from your site, this tells Cloudflare to wait until the entire file is downloaded before sending it to the user.

True-Client-IP Header – allows you to see users’ IP addresses.


12. Traffic

Cloudflare traffic argo

Argo (Paid Feature) – uses Cloudflare’s real-time network intelligence to route traffic across the fastest, most reliable paths from the origin to Cloudflare’s data centers. Cloudflare says web assets perform about 30% faster on average, reduces latency by 35%, and connection errors by 27%. Pricing is $5 per website (per month) plus $0.10 for every gigabyte of transfer.

Argo Tunnel – this is available once you activate Argo. It protects your server’s IP address from exposure by routing requests through Cloudflare before they hit the server. Attacks are stopped by Cloudflare’s WAF and unmetered DDoS mitigation, and requests are authenticated with Access.

Load Balancing – checks the health of servers and determines if they’re being overused or are geographically far away, then efficiently optimizes their routes. Improves speed + uptimes. Pricing is $5 – $50 per month + 50 cents per 500,000 queries (first 500,000 queries are free).


13. Stream

Stream is a video platform for developers and content teams who build video applications. In the background, Cloudflare will encode, store, and deliver your videos with one API. They will also optimize it for the right devices, format, bitrate, and network connection. Every 1,000 minutes viewed costs $1 per month. Each 1,000 minutes of video stored costs $5 per month.

Cloudflare stream


14. Custom Pages

Custom pages let you upload custom HTML pages that are shown to visitors when your website has errors or challenges. These are all paid features, quite expensive, and mostly used by large websites with lots of traffic that have the budget to customize their user experience.

Cloudflare custom pages

IP/Country Block – customize the error page shown to visitors when they visit from a blocked IP address or country. To block or challenge IPs in certain countries (mostly used to block spam bots) turn on IP Geolocation in the Network tab and create a firewall rule (or use .htaccess).

WAF Block – customize the error page when users break a firewall rule (in firewall tab).

500 Class Errors – customize 500 error pages (server error).

Enable Origin Error Pages – customize 502 and 504 error pages (gateway errors).

1000 Class Errors – customize error 1000 pages (DNS points to a prohibited IP).

Always Online™ Error – customize the error page when your server goes down, and the Always Online feature (found in caching section) doesn’t have a cached version of your page.

Basic Security Challenge – when you set your security level (in the firewall tab), Cloudflare assigns users a threat score of 0-100 based on Cloudflare’s algorithm. Users with a poor reputation will be given a challenge page – this is where you can upload that custom page.

WAF Challenge – customize the challenge page when users trigger a WAF rule (in firewall tab).

Country Challenge – customize the challenge page for specific countries you are blocking.

I’m Under Attack Mode™ Challenge – customize the error page while your site is in I’m Under Attack Mode (in firewall tab).

429 errors – customize the error page when users trigger a rate limiting rule (in firewall tab).


15. Apps

Cloudflare Apps are like WordPress plugins (they add functionality to your website) but I stick with WordPress plugins and made an awesome list of WordPress speed plugins that will probably be more useful than Cloudflare’s Apps. But, I listed the most popular ones below.

Cloudflare apps

Popular Apps

  • Google Analytics – easy way to install Google Analytics using the UA code.
  • – live chat app specifically for WordPress sites (they also have a plugin).
  • Autosave – prevents users from losing information when filling out forms on your website (for example, they accidentally close the tab or get disconnected). It automatically saves the form data locally and restores it. No configuration is needed.


16. Scrape Shield

Cloudflare scrape shield settings

Email Address Obfuscation – if you list your email address on your website, this prevents bots from crawling it and sending you spam, however you will also lose the ability to “click to send.”

Server-side Excludes – if you have sensitive content that you would like to hide from suspicious visitors (but not real visitors), enable this and wrap sensitive content with: <!--sse--><!--/sse-->

Hotlink Protection – prevents people from copying your images and pasting them on their own website, otherwise you would still be hosting these images (sucking up your bandwidth).


Whitelist Cloudflare IPs

The next sections cover the following (at least do the whitelisting)!

Whitelisting IP addresses makes sure Cloudflare’s IPs are not blocked by your server.

Whitelist Cloudflare/StackPath IPs In Hosting Account – contact your host and ask them to whitelist Cloudflare’s and StackPath’s IPs (since most hosts don’t allow you to do this). Since your traffic is being routed through Cloudflare, your server will see a lot of traffic proxied through Cloudflare, and may trigger it to be blocked. Whitelisting their IPs makes sure your host does not block or limit this. You should also whitelist IPs for other CDNs you are using.

Cloudflare IP addresses:

Cloudflare ip ranges

StackPath IP Addresses:

Stackpath ip addresses
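Why the whitelisting matters, and how an origin can safely recover the visitor address once traffic arrives from Cloudflare: the following is an added example, not code from the original tutorial or from Cloudflare. The ranges are documentation placeholders standing in for the list Cloudflare publishes at https://www.cloudflare.com/ips/, and the traffic is constructed. It counts requests per address the way a host's per-IP limiter would, with and without restoring the visitor IP from the `CF-Connecting-IP` header.

```python
import ipaddress
from collections import Counter

# Placeholder ranges (documentation address space) standing in for the ranges
# Cloudflare publishes. Load the real, current list in production.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:cf::/48")]


def is_proxy_peer(peer: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN's ranges."""
    ip = ipaddress.ip_address(peer)
    return any(ip in net for net in PROXY_RANGES)


def visitor_ip(peer: str, headers: dict) -> str:
    """Use CF-Connecting-IP only when the connection came from the CDN.

    A header on a connection from any other address is ignored, and so is a
    header value that is not a valid IP address.
    """
    if is_proxy_peer(peer):
        try:
            return str(ipaddress.ip_address(headers.get("CF-Connecting-IP", "").strip()))
        except ValueError:
            pass
    return peer


def over_limit(requests, limit: int, restore: bool):
    """Addresses with more than `limit` requests, keyed by peer or by visitor."""
    counts = Counter(visitor_ip(peer, hdrs) if restore else peer
                     for peer, hdrs in requests)
    return {ip for ip, n in counts.items() if n > limit}


def sample_traffic():
    """Constructed traffic: six visitors behind one edge address, two requests
    each, plus five requests sent straight to the origin with a header set."""
    edge = "198.51.100.7"
    traffic = []
    for i in range(1, 7):
        traffic += [(edge, {"CF-Connecting-IP": f"203.0.113.{i}"})] * 2
    traffic += [("192.0.2.50", {"CF-Connecting-IP": "203.0.113.99"})] * 5
    return traffic


if __name__ == "__main__":
    traffic = sample_traffic()
    print("keyed by peer:   ", sorted(over_limit(traffic, 3, restore=False)))
    print("keyed by visitor:", sorted(over_limit(traffic, 3, restore=True)))
```

Keyed by peer address, the limiter flags the edge address that carries every legitimate visitor; keyed by the restored visitor address, only the direct client is flagged. The same range check is what a host applies when it whitelists the CDN's IPs.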


Cloudflare Plugin

Cloudflare’s WordPress plugin doesn’t have great reviews (lots of 1 stars) probably because the plugin isn’t well supported, only includes 3 tabs (Home, Speed, Analytics), and doesn’t include all the settings from those tabs that are found in Cloudflare’s actual dashboard. It also includes too many Pro features. I honestly wouldn’t install it, and instead configure your Cloudflare settings directly in their dashboard. There are many more options available there.

Cloudflare wordpress plugin home settings

Cloudflare wordpress plugin speed settings

Cloudflare wordpress plugin analytics settings


Using Multiple CDNs

Multiple CDNs = more data centers = faster content delivery. Cloudflare has 250+ data centers and StackPath has 34+ data centers which are heavily located in the US. Combine them and that’s almost 200 data centers, further reducing the distance between your visitors and server. I use both Cloudflare (free) and StackPath ($10/month with free trial) on my site.

Multiple cdns

Step 1: Sign up for StackPath (or another CDN). StackPath has a free 30-day trial with 31 data centers heavily located in the US. This is where most of my visitors are, and maybe you too.


Step 2: In the dashboard, click the CDN tab, then create a StackPath CDN Site:


Cdn url stackpath

Step 3: Copy StackPath’s CDN URL and paste into your cache plugin (screenshot below is for WP Rocket). You can also use the CDN Enabler plugin which has an option to add a CDN URL.


Step 4: In StackPath go to CDN → Cache Settings, then click “Purge Everything”…


Step 5: Run your site in GTmetrix and “content delivery network” should be green in YSlow.

Cdn gtmetrix yslow

Step 6: Add the CDN URL to your host’s DNS records:

Cdn url in dns records


Cloudflare CDN Not Showing Up In GTMetrix YSlow

GTmetrix says

For CloudFlare users, YSlow should automatically detect the CDN if it’s set up correctly and you’ve given it enough time for the DNS to propagate (2 days).

If YSlow isn’t detecting your CDN, then you can add your own CDN hostnames so that they aren’t penalized by the CDN recommendation. Visit your User Settings page and then input your CDN hostnames under the “YSlow CDN Hostnames” field. GTmetrix should then recognize your CDNs in your future tests.


More WordPress Speed Optimizations

If you liked this tutorial, you’ll love my WordPress speed optimization guide. It has 38+ tips to make your site run faster including a robust list of speed optimization plugins, configuring top cache plugins like WP Rocket, high CPU plugins to avoid, tips on optimizing images, and more!

Wordpress speed optimization guide

Cheers to a better GTmetrix report :)


p.s. The report is for my homepage. I decided not to compress images on this post so you can see them better, so if you run this URL through GTmetrix you may not see 100% with “optimize images” errors. But my homepage (and speed tutorials I try to get 100% on), are in fact 100%.

Comment if you have questions. I’ll be the first to admit I’m not a real developer (so you may want to reach out to Cloudflare’s support with the super technical stuff) but I’ll try my best.


About Tom Dupuis

Tom Dupuis writes WordPress speed and SEO tutorials out of his apartment in Denver, Colorado. In his spare time, he plays Rocket League and watches murder documentaries. Read his bio to learn 50 random and disturbing things about him.

12 thoughts on “The Ideal Cloudflare Settings For WordPress: How To Configure Every Single Cloudflare Tab To Optimize Your Speed And Security”

  1. Hi Tom, I have connected my WordPress website yesterday with Cloudflare by following your tutorial but since then I can’t access my website’s dashboard and it’s showing this error message: “ERR_TOO_MANY_REDIRECTS”. Can you please tell me why I’m getting this error message?

  2. Hi Tom,

    I guess my earlier comment is not good given you support SiteGround! No problem to delete of course. : )

    There is one missing bit of info on your article it seems, as well as anywhere else I have been. If you are using SiteGround and Cloudflare together, as you say you do, and using SG Supercacher and SG Optimizer, then we should be putting Cloudflare on Bypass for whole site. So how does a CDN work when doing that??? Confused.

    Do not expect to hear back which is fine.

    Best regards,

    1. Hey Richard,

      Really sorry about that. I honestly don’t have much experience with membership sites and am not sure why SG Optimizer would be causing issues with your membership plugin. You may want to reach out to SiteGround’s support and ask them. Sometimes I get stuck on questions and just have to acknowledge that I don’t have the answer. I wouldn’t think you should bypass Cloudflare for the whole site though.

  3. Hi Tom,

    Thanks so much for a wonderfully complete setup article. So valuable and have bookmarked page as so many others here have! ; )

    Having a lot of trouble with Siteground Supercacher and the SG Optimizer plugin (conflicts with membership plugin in so many odd ways!).

    I am now looking to disable all SG caching and run from Cloudflare CDN alone.

    Q: Does Cloudflare on its own work well enough? Seems wasteful to add a caching plugin and then disable stuff in either plugin or Cloudflare to not duplicate functions.

    Not looking for a super fast site, just fast and secure. Cloudflare is essential to stop bot attacks which are a constant hassle.

    Thanks again for your hard work putting this guide together.

    Happy New Year!

  4. That’s an epic, Tom! Bookmarked it … made notes and finally implemented. Instead of Full, I made a wrong entry of Flexible and finally messed it up. Anyway, sorted it out. Thanks!

  5. In Page Rules – Decrease Bandwidth Of WP Uploads Area you mean* in the picture right?
