The Ideal Cloudflare Settings For WordPress (Can Be Used For Most Sites)


Here are recommended Cloudflare settings to use as a baseline. Of course, this can depend on whether your site uses WooCommerce, WPML, or whether you’re using Cloudflare free vs. paid.

Benchmark your results before and after in KeyCDN’s Performance Test as well as Core Web Vitals (i.e. PageSpeed Insights). Then sign up for a Cloudflare account (or open your dashboard) and let’s start.

If you’re using Rocket.net’s Cloudflare Enterprise (what I use), Cloudways/Kinsta’s, or FlyingProxy, you don’t need to set up the dashboard since you’re using their integration.

DNS: Use Cloudflare’s DNS – Cloudflare is one of the fastest, most reliable DNS providers on dnsperf.com. Others like GoDaddy/NameCheap can be slow and add latency. To switch your DNS to Cloudflare, sign up for Cloudflare through their website, add your website, and change the nameservers at your domain registrar to Cloudflare’s. Some hosts let you activate Cloudflare from their dashboard in 1 click, but this doesn’t give you access to Cloudflare’s full dashboard. Since DNS and network latency are part of TTFB, using a fast DNS is critical and can be tested in KeyCDN.

CDN: Change Your Website To Proxied – go to Cloudflare’s DNS settings and change your website from DNS only to “proxied”, which turns the cloud icon orange. Proxying traffic through Cloudflare is required to use APO, Argo, load balancing, Zaraz, and other Cloudflare features. On its own, it does not cache HTML (that’s what APO or a cache everything page rule is for). There are several benefits to the CDN: you’re offloading bandwidth to Cloudflare’s 250+ data centers (saved bandwidth is shown in your Analytics tab), it reduces the geographical distance between your server and visitors, and it minimizes requests to your origin server. While Cloudflare is usually not the fastest CDN option on cdnperf.com, it opens up other Cloudflare features which can typically optimize your site better than other CDNs, which is especially true if you plan on using Cloudflare’s paid plans.


SSL: Full Strict – the most secure of the options when using HTTPS (except on Enterprise plans).

Edge Certificate: paid users can upload SSL to Cloudflare to eliminate SSL/TLS at the edge.

Always Use HTTPS: ON – redirects all HTTP requests to HTTPS, forcing a secure connection.

HSTS: Enable – forces browsers to use a secure connection. Once you confirm Cloudflare’s agreement, enable HSTS, set the max age header to 6 months (what Cloudflare recommends), and enable the preload and no-sniff headers. If you have subdomains, you can enable HSTS on those too.

TLS: Enable TLS 1.3 And Set Min. Version To 1.2 – TLS (Transport Layer Security) 1.3 is the newest and fastest TLS protocol, while TLS 1.0 and 1.1 have been deprecated. Your host may also have settings to set TLS versions. TLS handshake speed can be measured using KeyCDN.

Firewall Rules: commonly used to block bad bots, countries, XML-RPC, and wp-login. Here are a few common rules which can help block unwanted hits to your server and reduce CPU usage.


Bot Fight Mode: ON – blocks bad bots, which are logged in your firewall events. Paid users can use Super Bot Fight Mode, which has finer control over what happens to bots that are definitely vs. likely automated, with settings to allow verified bots, bot protection for static resources, and improved bot management with JavaScript detections. I prefer Bot Fight Mode over Cloudways bot protection or plugins like Blackhole For Bad Bots since it’s more advanced.

Browser Integrity Check: ON – another layer to block bad bots, spammers, and crawlers. Cloudflare checks requests for HTTP headers commonly used by abusive clients and serves those requests a block page.

Image Optimization

  • Image Resizing: resize, adjust quality, and convert images to WebP/AVIF format.
  • Mirage: optimizes images on slow network connections by replacing images with low resolution placeholders (only until the page is rendered) and combining image requests.
  • Polish: compresses images, removes metadata, and converts images to WebP. Doing this with Cloudflare can be less taxing on your server, but most people just use a free plugin.

Auto Minify: Depends – minifying from your CDN is supposed to be faster since it’s closer to the end user. However, Cloudflare says (at least when you’re using APO) you should minify from your cache plugin and disable it in Cloudflare. Either way, make sure you test your results.

Brotli: ON – Brotli is faster than GZIP but should also be activated in your hosting account. However, not all hosts support Brotli (NameHero’s cPanel, for example, has a setting for it).


Early Hints: ON – sends early preload/preconnect hints, which cuts down on server wait time.

APO: ON – serves HTML from Cloudflare’s edge network, which can significantly reduce TTFB, LCP, and other metrics for visitors far away from the origin server. Use KeyCDN to test before/after results, then see my Cloudflare APO instructions. You’ll need to create an API token and add it to Cloudflare’s plugin. Keep page caching enabled in your cache plugin (or server caching) since that caches HTML on the web server, while APO caches HTML on Cloudflare’s edge network. In other words, since they are different caching layers, both should be enabled.

Create an API token and add it to the Cloudflare plugin to set up APO

Enhanced HTTP/2 Prioritization: ON – optimizes the order in which resources are loaded to be as fast as possible, without relying on the different ordering methods used by different browsers.

TCP Turbo: ON – reduces latency by automatically choosing optimized TCP settings.

Railgun: OFF – requires special software to be installed by your host (unless it’s already integrated into their system). It’s mainly used for large dynamic/WooCommerce sites, in which case it can accelerate requests when the dynamic version of the website has to call the origin.

Rocket Loader: OFF – often causes errors, and most cache plugins recommend turning this off. It’s supposed to improve paint times by loading JavaScript asynchronously, including third-party scripts.

SXGs: ON – included with APO/paid plans. This speeds up your site when someone clicks your result in Google by prefetching content, which leads to faster rendering and may improve LCP.

Caching Level: Standard – you can read the descriptions, but it should be set to Standard unless your site has a lot of complicated user PHP functions, in which case you can use the Ignore Query String option.

Browser Cache TTL: Respect Existing Headers – uses the same expiration your server (your hosting account) sets. Or you can change it to 1 year since Google recommends this for static assets.

Crawler Hints: ON – tells search engines when content is updated so they can time crawls more precisely and avoid wasteful crawls (can help reduce CPU usage from crawlers).

Workers: I’m not a big programmer so I have no business writing about this. But one example that looked interesting was Gijo’s post on setting up cron jobs using Workers. Otherwise, feel free to browse examples and Cloudflare’s documentation. Workers run JavaScript on V8 (the same JavaScript engine developed for Google Chrome) and deploy your script on Cloudflare’s edge servers.
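As an added example (not code from the original post, and not Cloudflare’s own code beyond the standard Worker fetch handler), here is a Worker in JavaScript that enforces the same policy the firewall rules above are commonly used for: block wp-login.php, xmlrpc.php and /wp-admin for every client except an allowlist of admin IPs, the way the `ip.src in {...}` expression does. The allowlist entries are constructed placeholders, and the helper names (ipInList, shouldBlock) are my own.

```javascript
// Added example, not code from the original post: a Worker that applies the same
// policy the firewall rules above are used for (block wp-login.php, xmlrpc.php and
// /wp-admin for everyone except an allowlist of admin IPs). All names and the
// allowlist entries below are constructed placeholders, not Cloudflare's own API.
const ADMIN_ALLOWLIST = ["10.20.30.40", "192.168.1.0/24"];

// Paths that only the allowlist may reach. admin-ajax.php is exempt because
// themes and plugins call it for anonymous visitors.
const PROTECTED = [/^\/wp-login\.php$/i, /^\/xmlrpc\.php$/i, /^\/wp-admin(\/|$)/i];
const EXEMPT = [/^\/wp-admin\/admin-ajax\.php$/i];

// Dotted IPv4 address -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Equivalent of the `ip.src in {...}` check: exact IPv4 addresses and CIDR ranges.
function ipInList(ip, list) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return list.some(entry => {
    const [net, bits = "32"] = entry.split("/");
    const base = ipv4ToInt(net);
    const prefix = /^\d{1,2}$/.test(bits) ? Number(bits) : NaN;
    if (base === null || !(prefix >= 0 && prefix <= 32)) return false;
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

// True when the request must be blocked: a protected path from a non-allowlisted IP.
function shouldBlock(path, clientIp, allowlist = ADMIN_ALLOWLIST) {
  if (EXEMPT.some(re => re.test(path))) return false;
  if (!PROTECTED.some(re => re.test(path))) return false;
  return !ipInList(clientIp, allowlist);
}

// Worker entry point; on Cloudflare this object is what you `export default`.
const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    const ip = request.headers.get("CF-Connecting-IP") || "";
    if (shouldBlock(url.pathname, ip)) return new Response("Forbidden", { status: 403 });
    return fetch(request); // otherwise pass the request through to the origin
  },
};
```

Blocked requests still show up in the Worker's logs, so you can watch how much wp-login/xmlrpc traffic the rule absorbs before deciding whether a firewall rule or the Worker is the better place for it.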

Page Rules: common page rules are used to cache everything and to bypass cache in wp-admin and on preview pages. A cache everything page rule is different from APO and should usually not be created when using APO. The order of your page rules also determines their priority.


HTTP/3 With QUIC: ON – enables HTTP/3, which runs on QUIC. You can check whether your site is using HTTP/3 on http3check.net. However, in a YouTube video published by NameHero, Ryan (NameHero’s founder) says this about Cloudflare’s HTTP/3: “it’s still having to pull from the server-side. It’s pulling from HTTP/2 then delivers HTTP/3, so it’s not full HTTP/3 support.” In other words, if you’re using LiteSpeed Cache, you should set up HTTP/3/QUIC through that.

Argo + Tiered Cache: one of the few paid features I use. It routes traffic through the fastest Cloudflare network paths based on their real-time intelligence on traffic congestion. It doesn’t make sense for local websites, but it can reduce latency. Don’t forget to enable tiered caching in Cloudflare’s caching settings, which helps control bandwidth as well as the number of connections to your origin.


Load Balancing: creates a failover so traffic is re-routed from unhealthy origin servers to healthy ones. This can reduce things like latency, TLS errors, and general errors. The pricing is based on the number of origin servers, health check frequency/locations, and whether traffic steering is enabled (which it should be since that’s a key part of load balancing).


Email Address Obfuscation: ON – obfuscates email addresses shown on your website to hide them from bots/spammers, without affecting how they’re shown to humans. However, it also adds a small piece of JavaScript (email-decode.min.js), which shows up in your GTmetrix Waterfall chart.


Hotlink Protection: ON – saves bandwidth by preventing other sites from embedding images hosted on your server. Common on sites with high-res images, but it can happen to any website.

Zaraz: offloads third-party scripts to Cloudflare. Check your “reduce impact of third party code” report in PSI for third-party code to add to Zaraz. You can do this with Google Analytics, Facebook Pixel, and custom HTML/images/requests. When you select an option, it prompts you with fields specific to that tool. For example, Google Analytics prompts you to enter your tracking ID with the option to anonymize IP addresses. This is a great way to load third-party scripts faster.

Use Zaraz to offload Google Analytics, Facebook Pixel, and other third-party scripts to Cloudflare

That’s It!

If you have any questions, feel free to drop me a comment.

Cheers,
Tom


14 Comments...

  1. Do you need the Cloudflare plugin on your WordPress site? I’m guessing not with rocket.net but what about other hosts? I’ve noticed the image compression doesn’t seem to be working and wondered if that’s the issue. Thanks! Love your blog by the way!

    • Thanks Dana!

      The Cloudflare plugin is for APO only. You would need Mirage/Polish for image optimization which is included with Cloudflare Pro or (some host’s) third-party Cloudflare integrations like Rocket.net/Cloudways.

  2. When doing the Admin lock area on the firewall protection what are you adding in the value section? I have tried a couple of tutorials but no success.
    Thank you it has sped my website up tremendously.

    • Ah, I accidentally put allow when it should be block. Looks like Cloudflare may have updated this doc too.

      You can copy that expression and replace the IP with yours.

      (not ip.src in {10.20.30.40 192.168.1.0/24} and lower(http.request.uri.path) contains "/wp-admin")

      Or if that doesn't work, do this, but replace your IP address:

      [screenshot: wp-admin firewall rule]

    • Right now I’m using Cloudflare Enterprise on Cloudways but am changing setups soon to Rocket.net (Cloudflare Enterprise but free full-page caching, more CPU/RAM, etc). Cloudflare settings don’t apply when using a host with Cloudflare Enterprise since it’s integrated into their hosting.

      Sorry if it’s confusing. I’ve been working on a staging site for 4 months now which will be launched in August. I am rewriting pretty much all tutorials to be more current/accurate/detailed. Hard for 1 person to keep 250 tutorials updated with so many changes happening in the industry so I apologize about any conflicting info. The new website should clarify everything though but that’s the gist of it.

      Lmk if you have other questions.

    • Can a cloudflare free user apply all these settings exactly the ways it is? Or are there some differences?

      Also, can this help a free user to get 100% in Google psi and stop getting “failing URL” in core web vitals?

