This is a list of recommended Cloudflare settings you can use as a baseline.
Of course, this can completely depend on whether your site uses WooCommerce, WPML, or whether you’re using Cloudflare free vs. paid. I’m still using the free plan but pay for APO/Argo.
DNS: Use Cloudflare’s DNS – Cloudflare is one of the fastest, most reliable DNS providers on dnsperf.com. Others like GoDaddy/NameCheap can be slow and cause latency. To switch your DNS to Cloudflare, sign up for Cloudflare through their website, add your website, and change nameservers to Cloudflare’s in your domain registrar. Some hosts let you activate Cloudflare in their dashboard in 1-click, but this doesn’t give you access to Cloudflare’s full dashboard. Since DNS/network latency is part of TTFB, using a fast DNS is critical and can be tested in KeyCDN.
CDN: Change Your Website To Proxied – go to Cloudflare’s DNS settings and change your website from DNS only to “proxied” which turns it orange. Proxying traffic through Cloudflare is needed to use APO, Argo, load balancing, Zaraz, and other Cloudflare features. But it does not cache HTML (that’s what APO or a cache everything page rule is for). There are several benefits to the CDN: you’re offloading bandwidth to Cloudflare’s 250+ data centers (saved bandwidth is shown in your Analytics tab). It reduces the geographical distance between your server/visitors, and it minimizes requests to your origin server. While Cloudflare is usually not the fastest CDN option on cdnsperf.com, it opens up other Cloudflare features which can typically optimize your site better than other CDNs, which is especially true if you plan on using Cloudflare’s paid plans.
SSL: Full Strict – best security of all options when using HTTPS (except on enterprise plans).
Edge Certificate: paid users can upload SSL to Cloudflare to eliminate SSL/TLS at the edge.
Always Use HTTPS: ON – redirects all HTTP links to HTTPS which forces a secure connection.
HSTS: Enable – forces browsers to use a secure connection. Once you confirm Cloudflare’s agreement, you’ll enable HSTS, set max age header to 6 months (what Cloudflare recommends), and enable preload/no-sniff header. If you have subdomains, you can enable HSTS on those too.
TLS: Enable TLS 1.3 And Set Min. Version To 1.2 – TLS is short for Transport Layer Security. TLS 1.3 is the newest/fastest TLS protocol while TLS 1.0 and 1.1 have been deprecated. Your host may also have settings to set TLS versions. TLS speeds can be measured using KeyCDN.
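A check for the HSTS and no-sniff settings above, run against the response headers your site returns (an added example, not from the original article or from Cloudflare). The header dictionaries are constructed samples, 15552000 seconds is assumed for the 6-month max-age, and the 1-year threshold is the minimum hstspreload.org accepts for the browser preload list.

```python
SIX_MONTHS = 15552000  # assumed value for the 6-month max-age (180 days)
ONE_YEAR = 31536000    # minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit(headers):
    """Return findings for one HTTPS response's headers (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("no-sniff header missing")
    if "strict-transport-security" not in h:
        return findings + ["HSTS header missing"]
    max_age, flags = parse_hsts(h["strict-transport-security"])
    if max_age is None:
        findings.append("HSTS max-age missing or invalid")
    elif max_age < SIX_MONTHS:
        findings.append("HSTS max-age below 6 months")
    if "preload" in flags:
        if "includesubdomains" not in flags:
            findings.append("preload set without includeSubDomains")
        if max_age is not None and max_age < ONE_YEAR:
            findings.append("preload set but max-age below 1 year")
    return findings

# Constructed sample responses (not captured from a real site).
PAGE_SETTINGS = {"Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload",
                 "X-Content-Type-Options": "nosniff"}
ONE_YEAR_PRELOAD = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload",
                    "x-content-type-options": "nosniff"}
WEAK = {"Strict-Transport-Security": "max-age=86400"}

if __name__ == "__main__":
    for name, hdrs in [("page settings", PAGE_SETTINGS),
                       ("one year", ONE_YEAR_PRELOAD), ("weak", WEAK)]:
        print(name, "->", audit(hdrs) or "ok")
```

With the 6-month value the header is valid and enforced by browsers that have visited the site, but the preload directive alone does not qualify the domain for the preload list.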
Firewall Rules: commonly used to block bad bots, countries, XML-RPC, and wp-login. Here are a few common rules which can help block unwanted hits to your server and reduce CPU usage.
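To see how many XML-RPC and wp-login hits reach your server before and after adding these rules, you can tally them from the origin access log (an added example, not from the original article). It assumes combined log format with the visitor IP restored from CF-Connecting-IP; the log lines are constructed samples.

```python
import re
from collections import Counter

# Paths named in the firewall-rule paragraph above. In Cloudflare's rule
# language a matching expression is e.g. (http.request.uri.path eq "/xmlrpc.php").
WATCHED = ("/xmlrpc.php", "/wp-login.php")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalise(uri):
    """Drop the query string, collapse repeated slashes, lowercase the path."""
    return re.sub(r"/{2,}", "/", uri.split("?", 1)[0]).lower()

def tally(lines):
    """Count watched-path hits per (path, method) and per source IP."""
    by_target, by_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, method, uri, _status = m.groups()
        path = normalise(uri)
        if path in WATCHED:
            by_target[(path, method)] += 1
            by_ip[ip] += 1
    return by_target, by_ip

# Constructed log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2291 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:11 +0000] "POST //wp-login.php?action=lostpassword HTTP/1.1" 200 2291 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2024:10:03:00 +0000] "GET /blog/hello-world/ HTTP/2.0" 200 15230 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:03:05 +0000] "GET /wp-login.php HTTP/2.0" 200 2291 "-" "Mozilla/5.0"',
    'truncated line without a request',
]

if __name__ == "__main__":
    targets, ips = tally(SAMPLE_LOG)
    for (path, method), n in targets.most_common():
        print(f"{n:4d}  {method:4s} {path}")
    for ip, n in ips.most_common(5):
        print(f"{n:4d}  {ip}")
```

Once the rules are active, these counts in the origin log should fall toward zero.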
Browser Integrity Check: ON – another layer to block bad bots, spammers, and crawlers. Cloudflare looks for HTTP headers commonly sent by malicious clients and presents those visitors with a block page.
- Image Resizing: resize, adjust quality, and convert images to WebP/AVIF format.
- Mirage: optimizes images on slow network connections by replacing images with low resolution placeholders (only until the page is rendered) and combining image requests.
- Polish: compresses images, removes metadata, and converts images to WebP. Doing this with Cloudflare can be less taxing on your server, but most people just use a free plugin.
Auto Minify: Depends – minifying from your CDN is supposed to be faster since it’s closer to the end-user. However, Cloudflare says (at least when you’re using APO), you should minify from your cache plugin and disable it in Cloudflare. Either way, make sure you test your results.
Brotli: ON – Brotli is faster than GZIP but should also be activated in your hosting account. However, not all hosts support Brotli (screenshot shown below is for cPanel on NameHero).
Early Hints: ON – sends early preload/preconnect hints which cuts down on server wait time.
APO: ON – serves HTML from Cloudflare’s network which can significantly reduce TTFB, LCP, and other metrics for visitors far away from the origin server. Use KeyCDN to test before/after results, then see my Cloudflare APO instructions. You’ll need to create an API token and add it to Cloudflare’s plugin. Keep page caching enabled in your cache plugin (or server caching) since this will cache HTML to the web server, while APO caches HTML to Cloudflare’s edge network. In other words, since they are different types of caching layers, both of them should be enabled.
Enhanced HTTP/2 Prioritization: ON – optimizes order of when resources are loaded to be as fast as possible without relying on the different ordering methods used by different browsers.
TCP Turbo: ON – reduces latency by automatically choosing TCP settings with optimizations.
Railgun: OFF – requires special software to be installed by your host (unless it’s already integrated into their system). It’s mainly used for large dynamic/WooCommerce sites in which case it can accelerate the request when the dynamic version of the website calls for the origin.
Rocket Loader: OFF – often causes errors and most cache plugins recommend turning this off. It’s supposed to improve paint times by loading JS asynchronously, including third-party scripts.
SXGs: ON – included with APO/paid plans. This speeds up your site when someone clicks your result in Google by prefetching content which leads to faster rendering and may improve LCP.
Caching Level: Standard – you can read the descriptions but it should be set to standard unless your site has a lot of complicated user PHP functions in which case you can ignore query strings.
Browser Cache TTL (Respect Existing Headers) – uses the same expiration set on your server (your hosting account). Or you can change it to 1 year since Google recommends this for static assets.
Crawler Hints: ON – tells search engines when content is updated so they can time crawling more precisely while preventing wasteful crawls (can help reduce CPU usage from crawlers).
Page Rules: common page rules are used to cache everything and bypass cache in wp-admin and preview pages. A cache everything page rule is different than APO and should usually not be created when using APO. The ordering of your page rules will also determine their priority.
HTTP/3 With QUIC: ON – enables HTTP/3 which runs on QUIC. You can check whether your site is using HTTP/3 on http3check.net. However, in a YouTube video published by NameHero, Ryan (NameHero’s founder) says this about Cloudflare’s HTTP/3: “it’s still having to pull from the server-side. It’s pulling from HTTP/2 then delivers HTTP/3, so it’s not full HTTP/3 support.” In other words, if you’re using LiteSpeed Cache, you should set up HTTP3/QUIC through that.
Argo + Tiered Cache: one of the few paid features I use. It routes traffic through the fastest Cloudflare network paths based on their real-time intelligence on traffic congestion. Doesn’t make sense for local websites, but can reduce latency. Don’t forget to enable tiered caching in Cloudflare’s caching settings which helps control bandwidth as well as number of connections.
Load Balancing: creates a failover so traffic is re-routed from unhealthy origin servers to healthier origins. This can reduce things like latency, TLS, and general errors. The pricing is based on how you customize the number of origin servers, check frequency/locations, and whether traffic steering is enabled (which it should be since that’s a key part of load balancing).
Hotlink Protection: ON – saves bandwidth by preventing other sites from embedding images that are hosted on your server. Common on sites with high res images, but can happen to any website.
Zaraz: offloads third-party scripts to Cloudflare. Check your “reduce impact of third party code” report in PSI for third-party code to add to Zaraz. You can do this with Google Analytics, Facebook Pixel, and custom HTML/images/requests. When you select an option, it will prompt you with unique fields. For example, Google Analytics prompts you to enter your tracking-ID with the option to anonymize IP addresses. This is a great way to load third-party scripts faster.
If you have any questions, feel free to drop me a comment.