Cloudflare is free, dramatically speeds up your WordPress site, and adds a real layer of security. The setup takes about 20 minutes. But configure it wrong and you’ll wake up to a redirect loop that takes your site completely offline, with a panicked client on the phone.
After 10+ years of building WordPress sites and handling 950+ client projects, I’ve set up Cloudflare more times than I can count. The setup isn’t hard. The mistakes are what trip people up, and they’re almost always the same two or three settings. This guide walks you through doing it right the first time.
What Cloudflare Actually Does for Your WordPress Site
Cloudflare sits between your visitors and your hosting server. When someone visits your site, the request hits Cloudflare’s network first. Cloudflare either serves a cached version instantly from a server near the visitor, or passes the request through to your host.
The result: faster page loads for visitors wherever they are, far less load on your server, and a firewall that blocks a large share of malicious traffic before it ever reaches WordPress. The free plan covers all of this; you don't need to spend a cent to get real performance and security gains. One caveat worth knowing up front: that protection only applies to traffic that actually passes through Cloudflare. Anyone who learns your server's real IP address can bypass it entirely, so treat the origin address as something to keep private (the DNS step below is where it most often leaks), and if your host lets you, restrict the web ports to accept connections only from Cloudflare's published IP ranges.
Step 1: Create a Cloudflare Account and Add Your Domain
Go to cloudflare.com and sign up. Once you’re in, click “Add a site” and enter your domain name. Cloudflare will ask you to pick a plan: choose Free. It gives you everything you need for a WordPress site.
Cloudflare will then scan your existing DNS records. This usually takes 30 to 60 seconds. Let it finish before you touch anything.
Step 2: Review Your DNS Records Before You Do Anything
This is where most people rush and cause problems. Cloudflare will import your DNS records automatically, and most of them will be set to “Proxied” by default (shown as orange clouds).
Routing web traffic through Cloudflare's proxy is what gives you the speed and security benefits. But not everything should be proxied: the proxy only forwards HTTP and HTTPS, so any hostname used for mail (SMTP, IMAP, POP3), SSH, FTP or anything else that isn't a browser request must stay DNS only. The rule: if it's not a regular web page your visitors load in a browser, it should not be proxied.
The most common mistake here is leaving your mail records (the MX record and the A record for your mail host) set to Proxied. If you do that, email silently breaks: mail clients and other mail servers connect to Cloudflare instead of your mail server, Cloudflare doesn't speak SMTP or IMAP, and your messages stop arriving. The connection to what you just changed isn't obvious until you've spent an hour troubleshooting.
Check your DNS records before proceeding:
- Your root domain (example.com) and www: Proxied (orange cloud). This is correct.
- MX records: DNS only (grey cloud). Never proxy these.
- Mail A record (mail.example.com, if you have one): DNS only. Never proxy it. If this record points at the same IP as your web server, be aware that it publishes your origin address to anyone who looks it up, so consider giving mail its own host or IP.
- Anything else email-related (SPF, DKIM and DMARC TXT records): DNS only. These can't be proxied anyway; just leave them alone.
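As an added example (not part of the original article), here is the check above as a script you can run over your zone listing before you change nameservers. It flags proxied mail records and, going one step beyond the list, grey-cloud records that point at the same IP as your proxied web host, which give away the origin address. The record format, hostnames and the 203.0.113.10 address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): audit a zone listing before switching
# nameservers. Input is one record per line: NAME TYPE CONTENT PROXY, where PROXY
# is "proxied" (orange cloud) or "dns-only" (grey cloud). The records below are
# constructed; 203.0.113.10 is a documentation address, not a real host.

audit_dns() {
  awk '
    # First remember which IPs sit behind an orange cloud: those are the origin
    # addresses Cloudflare is supposed to be hiding.
    $4 == "proxied" && ($2 == "A" || $2 == "AAAA") { hidden[$3] = $1 }
    { rec[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        n = split(rec[i], f, " ")
        if (n < 4) continue
        name = f[1]; type = f[2]; content = f[3]; proxy = f[4]
        # The proxy only carries HTTP(S): a proxied MX or mail host means SMTP/IMAP
        # connections land on Cloudflare and go nowhere.
        if (type == "MX" && proxy == "proxied")
          printf "ERROR %s: MX must be DNS only\n", name
        if ((type == "A" || type == "AAAA") && proxy == "proxied" && name ~ /^(mail|smtp|imap|pop3?)\./)
          printf "ERROR %s: mail host must be DNS only (proxy carries only HTTP)\n", name
        # A grey-cloud record pointing at the same IP as a proxied one publishes the
        # origin address, so attackers can bypass Cloudflare and hit the server directly.
        if ((type == "A" || type == "AAAA") && proxy == "dns-only" && (content in hidden))
          printf "WARN %s: exposes origin IP %s (also used by proxied %s)\n", name, content, hidden[content]
      }
    }'
}

# Constructed sample zone, roughly as Cloudflare might import it (MX priority omitted).
SAMPLE_ZONE='example.com A 203.0.113.10 proxied
www.example.com CNAME example.com proxied
example.com MX mail.example.com proxied
mail.example.com A 203.0.113.10 dns-only
ftp.example.com A 203.0.113.10 dns-only'

# Runs the audit over the sample; live use: paste your own listing into audit_dns.
audit_zone_sample() { printf '%s\n' "$SAMPLE_ZONE" | audit_dns; }
```

Run `audit_zone_sample` and you get one ERROR for the proxied MX and two WARN lines: both mail.example.com and ftp.example.com reveal the IP that the orange-clouded root record is hiding. Moving those services to a different address is the only real fix; flipping them to proxied would just break them.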
Step 3: Update Your Nameservers
Cloudflare will give you two nameservers to add at your domain registrar. Log into wherever you bought your domain (Namecheap, GoDaddy, your hosting provider’s panel) and replace the existing nameservers with the ones Cloudflare gives you.
DNS propagation typically takes 30 minutes to a few hours. In rare cases it can take up to 48 hours, but in practice it’s usually done within an hour. Cloudflare will email you once it’s active. Don’t rush to the next steps before this is confirmed.
Step 4: Set SSL/TLS to Full (Strict) — This Is Non-Negotiable
This is the most important setting in your entire Cloudflare setup. Get it wrong and you’ll create an infinite redirect loop that takes your site down completely.
In your Cloudflare dashboard, go to SSL/TLS. You’ll see four options: Off, Flexible, Full, and Full (Strict). Here’s what each one actually does:
- Flexible: Visitors connect to Cloudflare over HTTPS, but Cloudflare connects to your origin server over plain HTTP. Two problems. First, the padlock is misleading: the hop from Cloudflare to your host crosses the public internet unencrypted. Second, if your WordPress install or host forces HTTPS (which it should), the origin sees a plain HTTP request, answers with a redirect to https://, Cloudflare passes that to a visitor who is already on https://, and the cycle repeats. Your site goes down. This setting causes more WordPress outages than anything else.
- Full: Encrypts traffic between Cloudflare and your origin but does not check the certificate, so a self-signed, expired or mismatched certificate is accepted. The connection is encrypted but not authenticated: anyone who can get between Cloudflare and your host can present their own certificate. Better than Flexible, but not where you should stay.
- Full (Strict): Encrypts traffic and verifies that your origin presents a valid certificate for the domain, issued by a publicly trusted CA or by Cloudflare's own Origin CA. This is the correct setting. Use this.
Your hosting provider almost certainly has a free Let's Encrypt certificate available. Install that on your origin first if you haven't already, then set Cloudflare to Full (Strict). Most reputable hosts (SiteGround, Kinsta, Cloudways, etc.) install SSL automatically when you add a domain. If yours doesn't, Cloudflare can issue you a free Origin CA certificate (SSL/TLS, Origin Server) to install on the host; it is trusted only by Cloudflare's edge, not by browsers, so it only works while the record stays proxied.
If your site is already on HTTPS before you connect Cloudflare, you're fine. Just confirm that and set Full (Strict). Getting this right matters beyond avoiding outages: every extra HTTP-to-HTTPS redirect hop adds latency before the first byte arrives, and that shows up directly in your Core Web Vitals.
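Before you flip the switch, it is worth talking to the origin directly, the way Cloudflare's edge will, and confirming two things: that the certificate actually verifies (otherwise Full (Strict) fails closed), and whether the origin redirects plain HTTP to HTTPS (the behaviour that turns Flexible into a loop). The script below is an added example, not code from the article; the openssl and curl output it parses is constructed, and DOMAIN and ORIGIN_IP are placeholders you would fill in.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight the origin before switching
# Cloudflare to Full (Strict). The openssl/curl output used in the demo functions
# is constructed; DOMAIN and ORIGIN_IP are placeholders.

# Reads `openssl s_client` output on stdin and prints the safest mode the origin
# supports: "strict" (chain and hostname verify), "full" (TLS works but the cert
# does not verify: self-signed, expired or wrong name), or "none" (no TLS at all).
classify_origin_tls() {
  awk '
    /Verify return code:/ { seen = 1; code = $4 }   # line is indented in real output
    END {
      if (!seen)          print "none"    # only Flexible would work; install a cert first
      else if (code == 0) print "strict"  # Full (Strict) is safe
      else                print "full"    # encrypted but unauthenticated; fix the cert
    }'
}

# Reads `curl -sI http://ORIGIN_IP/ -H "Host: DOMAIN"` output on stdin. Prints "yes"
# when the origin redirects plain HTTP to HTTPS. That is exactly what makes Flexible
# loop: Cloudflare fetches over HTTP, the origin says "go to https", and the visitor
# was already on https.
origin_forces_https() {
  awk '
    { sub(/\r$/, "") }                                     # curl keeps CRLF endings
    $1 ~ /^HTTP\// && $2 ~ /^30[1278]$/ { redir = 1 }
    tolower($1) == "location:" && tolower($2) ~ /^https:/ { https = 1 }
    END { print ((redir && https) ? "yes" : "no") }'
}

# Turns the two probe results into the mode to set in the dashboard.
recommend_mode() {
  tls=$1; forces_https=$2
  case "$tls" in
    strict) echo "Full (Strict)" ;;
    full)   echo "Full for now; replace the origin certificate, then move to Full (Strict)" ;;
    none)   if [ "$forces_https" = "yes" ]; then
              echo "Install an origin certificate first: Flexible would loop and nothing else can connect"
            else
              echo "Install an origin certificate before proxying; Flexible sends traffic to the origin in plaintext"
            fi ;;
  esac
}

# Live probe (needs network; not exercised by the constructed samples below).
# Connects to the origin IP while presenting the real hostname via SNI, as the edge does.
probe_origin() {
  domain=$1; origin_ip=$2
  tls=$(openssl s_client -connect "$origin_ip:443" -servername "$domain" \
          -verify_hostname "$domain" </dev/null 2>/dev/null | classify_origin_tls)
  forces=$(curl -sI "http://$origin_ip/" -H "Host: $domain" | origin_forces_https)
  recommend_mode "$tls" "$forces"
}

# Constructed openssl / curl output for the demo.
OK_TLS='    Verify return code: 0 (ok)'
SELF_SIGNED_TLS='    Verify return code: 18 (self-signed certificate)'
REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://example.com/'

demo_strict()     { printf '%s\n' "$OK_TLS" | classify_origin_tls; }
demo_selfsigned() { printf '%s\n' "$SELF_SIGNED_TLS" | classify_origin_tls; }
demo_no_tls()     { printf '' | classify_origin_tls; }
demo_redirect()   { printf '%s\n' "$REDIRECT_HEADERS" | origin_forces_https; }
```

Live use is `probe_origin example.com 203.0.113.10` with your own domain and origin IP. Connecting by IP with `-servername` matters: it bypasses Cloudflare and checks the certificate the origin actually serves for that hostname, which is what Full (Strict) will validate.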
Step 5: Install the Cloudflare Plugin in WordPress
In your WordPress dashboard, go to Plugins, Add New, and search for “Cloudflare.” Install and activate the official Cloudflare plugin by Cloudflare, Inc.
Once activated, go to Settings, Cloudflare and connect your account. Authenticate with your email and an API token rather than the Global API Key: the Global API Key grants full control of every zone on your account, while a token can be scoped to this one zone and only the permissions the plugin needs (reading and editing zone settings, purging cache). Create it at dash.cloudflare.com under Profile, API Tokens. The plugin stores the credential in the WordPress database, so if it ever leaks you want to be revoking a narrow token, not the key to your whole account.
The plugin lets you purge Cloudflare’s cache directly from WordPress, apply recommended performance settings, and manage Automatic Platform Optimization if you’re on that plan. It also lets you set development mode with one click when you’re making changes and need the cache bypassed.
Step 6: Settings Worth Turning On in Cloudflare
Once you’re connected and confirmed everything is working, here are the settings worth enabling in your Cloudflare dashboard:
- Always Use HTTPS (SSL/TLS): Forces all HTTP requests to redirect to HTTPS. Enable this.
- Auto Minify (Speed, Optimization): Minifies HTML, CSS, and JS files automatically. Low risk, easy win.
- Brotli compression (Speed, Optimization): Faster compression than gzip. Enable it.
- Bot Fight Mode (Security): Challenges and blocks a large share of automated traffic. Enable it on most sites, but afterwards test anything non-human that legitimately talks to your site: payment gateway webhooks, REST API or XML-RPC integrations, uptime monitors, and any external service that triggers wp-cron. Bot Fight Mode can't be skipped for specific clients with custom rules, so if a critical integration starts failing your choice is to turn it off or move that integration.
- Under Attack Mode: Leave this OFF. Only turn it on while you are actively being flooded. It puts a JavaScript challenge in front of every visitor, which delays real people and blocks anything that can't run a browser (APIs, webhooks, feed readers), so treat it as a temporary measure, not a setting.
One important rule: never cache your /wp-admin/ or /wp-login.php paths. By default Cloudflare caches only static file types (images, CSS, JavaScript, fonts) and never HTML, so these paths aren't at risk until you add a Cache Everything rule or APO; if you do, make sure they (and your custom login URL, if you use one) are excluded and that logged-in users bypass the cache. Caching admin pages causes login and update issues, and caching a logged-in user's page can serve their personalised content to everyone else. If you're running a WooCommerce store, you'll also need to exclude cart, checkout and account pages from cache. This ties into why choosing the right caching plugin matters even when Cloudflare is handling some of the heavy lifting.
Is Cloudflare APO Worth It?
Cloudflare APO (Automatic Platform Optimization) costs $5/month and caches full HTML pages at Cloudflare’s edge, not just static assets. For most WordPress content sites with global traffic, it’s genuinely transformative, essentially turning your dynamic WordPress site into something that performs like a static site for first-time visitors.
The question is whether you need it. If your site is mostly content (a blog, portfolio, informational pages), and you’re already running a good caching plugin and addressing the core speed issues, the free plan delivers 80% of the benefit. APO makes the most sense for sites with traffic spread across multiple continents, or where TTFB (time to first byte) is still high despite on-server caching.
For a local business site primarily serving regional visitors, the free plan is almost always enough. For a global portfolio or SaaS product with visitors worldwide, APO is worth the $5.
One Last Thing: Development Mode
Every time you make design changes or update your theme, Cloudflare’s cache will serve the old version to visitors. Before working on your site, enable Development Mode in your Cloudflare dashboard (Caching, Configuration). It temporarily bypasses the cache for 3 hours. You can also do this from the Cloudflare WordPress plugin.
After you finish making changes, disable Development Mode and purge the cache manually. This is a habit worth building from day one. I’ve seen client sites where someone updated a logo and couldn’t figure out why visitors were still seeing the old one for hours. Cloudflare cache was the answer every time.
Frequently Asked Questions
Is the free plan enough for a WordPress site?
Yes. Cloudflare's free plan includes CDN caching, DDoS protection, a firewall, free SSL, and performance optimizations like minification and Brotli compression. For most WordPress sites, including small businesses and blogs, the free plan is all you need. The paid plans (Pro at $20/month, Business at $200/month) add more custom firewall rules, the full managed WAF rulesets, image optimization, and priority support, but the free tier is genuinely capable.
Why is my site stuck in a redirect loop after enabling Cloudflare?
Almost certainly your SSL/TLS mode is set to Flexible. Go to your Cloudflare dashboard, open SSL/TLS, and switch the encryption mode to Full (Strict). This resolves the redirect loop in 99% of cases. With Flexible, Cloudflare fetches from your origin over plain HTTP, your origin redirects to HTTPS, and the visitor, who was already on HTTPS, gets sent around again. Full (Strict) requires a valid SSL certificate on your origin server, which your host should already provide via Let's Encrypt. If the loop survives the switch, check that both the WordPress Address and Site Address (Settings, General) use https://.
Does Cloudflare replace my caching plugin?
Not entirely. Cloudflare caches static assets (CSS, JS, images) at the edge very effectively. But on the free plan it does not cache full HTML pages by default. A WordPress caching plugin like WP Rocket or LiteSpeed Cache still handles server-side page caching, database query caching, and file optimization that Cloudflare doesn't cover. Use both together for best results. If you add Cloudflare APO ($5/month), it starts caching full pages at the edge and overlaps more with what a caching plugin does, but most users still benefit from running both.
Will Cloudflare break my WordPress login?
It shouldn't, because Cloudflare doesn't cache HTML by default, so wp-admin and wp-login.php are never served from cache out of the box. However, if you've added custom Page Rules or cache rules (especially a Cache Everything rule), double-check that these paths are excluded. If you're seeing login issues (page reloads, session drops, changes not saving), enable Development Mode temporarily, test the behavior, and review your cache exclusion rules. Custom login page URLs (if you've changed /wp-login.php for security) also need to be explicitly excluded.
How do I check that Cloudflare is actually working?
Open Chrome DevTools (F12), go to the Network tab, and reload your page. Click on any request and look at the Response Headers. If Cloudflare is active, you'll see a cf-ray header and a server: cloudflare header. You can also check the cf-cache-status header: HIT means the response was served from Cloudflare's cache; MISS means it was fetched from your origin and stored for next time. On HTML pages on the free plan you'll normally see DYNAMIC, which means the page wasn't eligible for caching at all, so look at a CSS or image request to judge caching. Seeing HIT on repeat loads of those assets confirms caching is working correctly.
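The same check from a terminal, as an added example that is not part of the original article: feed it the headers from `curl -sI https://example.com/` and it tells you whether the request went through Cloudflare and what the edge did with it. The responses below are constructed, and the cf-ray values are made up.

```shell
#!/bin/sh
# Added example (not from the article): classify a captured HTTP response by its
# Cloudflare headers. The sample responses are constructed; cf-ray values are fake.

# Reads response headers on stdin (e.g. from `curl -sI URL`) and prints one line:
# whether the response came through Cloudflare and, if so, the cache outcome.
cf_status() {
  awk '
    { sub(/\r$/, ""); key = tolower($1); val = $2 }   # strip CRLF, normalise header name
    key == "cf-ray:"          { ray = val }
    key == "server:"          { server = tolower(val) }
    key == "cf-cache-status:" { cache = toupper(val) }
    END {
      if (ray == "" || server != "cloudflare") {
        print "not proxied: reached the origin directly (grey cloud, or nameservers not active yet)"
        exit
      }
      if      (cache == "HIT")     print "proxied, served from Cloudflare cache"
      else if (cache == "MISS" || cache == "EXPIRED") print "proxied, fetched from origin; next request should be HIT"
      else if (cache == "DYNAMIC") print "proxied, not cached: HTML is not cache-eligible by default (no APO, no Cache Everything rule)"
      else if (cache == "BYPASS")  print "proxied, cache bypassed (origin sent no-cache/private, or a bypass rule matched)"
      else if (cache == "")        print "proxied, but no cf-cache-status header"
      else                         print "proxied, cf-cache-status " cache
    }'
}

# Live use (needs network):
#   curl -sI "https://$DOMAIN/" | cf_status
# and, to confirm the difference, hit the origin directly with the proxy bypassed:
#   curl -sI --resolve "$DOMAIN:443:$ORIGIN_IP" "https://$DOMAIN/" | cf_status   # -> "not proxied"

# Constructed responses for the demo.
CACHED_RESPONSE='HTTP/2 200
server: cloudflare
cf-ray: 8a1b2c3d4e5f6789-FRA
cf-cache-status: HIT
content-type: text/css'

HTML_RESPONSE='HTTP/2 200
server: cloudflare
cf-ray: 8a1b2c3d4e5f6790-FRA
cf-cache-status: DYNAMIC
content-type: text/html; charset=UTF-8'

ORIGIN_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

demo_cached() { printf '%s\n' "$CACHED_RESPONSE" | cf_status; }
demo_html()   { printf '%s\n' "$HTML_RESPONSE"   | cf_status; }
demo_origin() { printf '%s\n' "$ORIGIN_RESPONSE" | cf_status; }
```

If the live request reports "not proxied" on your main domain after the nameserver change has been confirmed, the record is grey-clouded; check the orange cloud on the root and www records rather than the cache settings.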