Two Row Studio

Cloudflare for WordPress: Practical Setup for Speed and Security

Cloudflare’s content delivery network (CDN) and web application firewall (WAF) improve WordPress performance and security. This guide walks through setup, cache rules, WAF configuration, and common troubleshooting.

Why Cloudflare for WordPress

Global delivery and protection

Cloudflare’s CDN caches static assets (images, CSS, JavaScript (JS)) at edge locations worldwide, reducing latency for visitors. The WAF blocks malicious traffic before it hits your origin server, protecting against brute-force attacks, SQL injection, and other common threats.

For WordPress specifically, Cloudflare helps with:

  • Faster page loads via CDN and automatic image optimization
  • Protection against Distributed Denial of Service (DDoS) attacks and login abuse
  • Flexible caching rules to balance speed and freshness
  • Free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates and auto-renewal

Initial Setup

1. Sign up and add your site

Create a Cloudflare account (free tier works for most WordPress sites). Add your domain and Cloudflare will scan your Domain Name System (DNS) records. Verify that all records are correct before proceeding.

2. Update nameservers

Cloudflare provides custom nameservers. Update your domain registrar’s nameserver settings to point to Cloudflare. This typically takes 5-30 minutes to propagate, but can take up to 24 hours.

3. Enable proxy (orange cloud)

In Cloudflare DNS settings, ensure your domain records have the orange cloud icon enabled. This routes traffic through Cloudflare’s network for CDN and security benefits. If you see a gray cloud, click it to enable proxying.

Cache Rules for WordPress

Default caching

By default, Cloudflare caches static assets (images, CSS, JS) but not HTML. For WordPress, you want to cache HTML for logged-out users while bypassing cache for logged-in users and admin pages.

Custom cache rule

Create a Cache Rule in Cloudflare dashboard:

  • If: URI path contains neither /wp-admin nor /wp-login.php, AND the Cookie header does not contain wordpress_logged_in
  • Then: Cache everything for 4 hours

This caches HTML for anonymous visitors while ensuring logged-in users and admin pages always see fresh content.
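
The rule's logic, modelled in Python as an added example (not code from the original post or from Cloudflare), together with an audit that flags a cached response where the rule calls for a bypass. The function names and the sample requests are constructed for illustration; cf-cache-status is the response header Cloudflare sets to report cache behaviour.

```python
# Added example: model of the cache rule above plus an audit of observed responses.
# Function names and all sample data are constructed for illustration.

BYPASS_PATHS = ("/wp-admin", "/wp-login.php")
LOGIN_COOKIE = "wordpress_logged_in"  # WordPress appends a hash to this cookie name


def should_cache(path: str, cookie_header: str = "") -> bool:
    """Return True when the rule's 'If' condition matches (cache for 4 hours)."""
    if any(p in path for p in BYPASS_PATHS):
        return False
    # Substring match, as in the rule: also catches wordpress_logged_in_<hash>=...
    return LOGIN_COOKIE not in cookie_header


def audit(samples):
    """Flag responses served from cache although the rule says bypass."""
    findings = []
    for path, cookie, cf_cache_status in samples:
        if not should_cache(path, cookie) and cf_cache_status.upper() == "HIT":
            findings.append((path, cf_cache_status))
    return findings


# Constructed samples: (request path, Cookie header, cf-cache-status in the response)
SAMPLES = [
    ("/", "", "HIT"),
    ("/blog/hello-world/", "_ga=GA1.2.1", "MISS"),
    ("/wp-admin/index.php", "wordpress_logged_in_0a1b2c=editor%7C1", "DYNAMIC"),
    ("/wp-login.php", "", "BYPASS"),
    # A logged-in request answered from cache: the rule is not being applied.
    ("/my-account/", "wordpress_logged_in_0a1b2c=editor%7C1", "HIT"),
]

if __name__ == "__main__":
    for path, status in audit(SAMPLES):
        print(f"cached response served where bypass expected: {path} ({status})")
```

A finding here means a page was served from cache to a request carrying the login cookie, which is the case the rule exists to prevent.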

Purge cache on update

Install the Cloudflare WordPress plugin to automatically purge cache when you publish or update content. This keeps your site fast without serving stale pages.

WAF and Security Settings

WAF managed rules

Enable Cloudflare’s managed WAF rulesets (free on all plans). These block common WordPress exploits, SQL injection attempts, and cross-site scripting (XSS) attacks automatically.

Rate limiting

Create a rate limit rule to block brute-force login attempts:

  • If: URI path is /wp-login.php
  • Then: Block IP if more than 5 requests per minute

This stops most automated attacks without affecting legitimate users.
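
Before enabling the rule, replaying origin access logs against the same threshold shows which clients it would block. This is an added example, not code from the original post or from Cloudflare; it assumes combined-format access logs whose first field is the real visitor IP rather than a Cloudflare proxy address, and the function names and log lines are constructed. Cloudflare's own counting may differ from the sliding window used here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"
THRESHOLD = 5                     # requests allowed per window, from the rule above
WINDOW = timedelta(minutes=1)

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def would_block(log_lines):
    """Return {ip: time at which the ip first exceeds THRESHOLD within WINDOW}."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    blocked = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, ts, _method, target, _status = m.groups()
        if target.split("?", 1)[0] != LOGIN_PATH:
            continue              # the rule matches the path only, not the query
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] >= WINDOW:
            q.popleft()           # drop requests older than one minute
        if len(q) > THRESHOLD and ip not in blocked:
            blocked[ip] = when
    return blocked


def sample_line(ip, hms, method="POST", path=LOGIN_PATH):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [12/Jan/2026:{hms} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'


# Constructed log, using documentation address ranges.
SAMPLE_LOG = (
    [sample_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 40, 5)]  # 8 in 40 s
    + [sample_line("198.51.100.20", "10:00:10", "GET"),
       sample_line("198.51.100.20", "10:00:25")]                  # one normal login
    + [sample_line("192.0.2.10", f"10:{m:02d}:00") for m in range(0, 12, 2)]  # slow
    + [sample_line("203.0.113.7", "10:00:50", "GET", "/")]        # other path, ignored
)

if __name__ == "__main__":
    for ip, when in would_block(SAMPLE_LOG).items():
        print(f"{ip} would be blocked from {when:%H:%M:%S}")
```

If an address you recognise as your own appears in the output, the threshold would lock you out as well.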

Bot management

Enable Bot Fight Mode (free) or Super Bot Fight Mode (paid) to block bad bots. Be careful with aggressive bot blocking if you rely on search engine crawlers or analytics bots—whitelist known good bots.

SSL/TLS Configuration

SSL mode

Set SSL/TLS mode to “Full (strict)” if your origin server has a valid SSL certificate. This encrypts traffic between Cloudflare and your server. Avoid “Flexible” mode—it leaves origin traffic unencrypted.

Always use Hypertext Transfer Protocol Secure (HTTPS)

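Enable “Always Use HTTPS” to redirect all Hypertext Transfer Protocol (HTTP) requests to HTTPS. Also enable HTTP Strict Transport Security (HSTS) for added security (set max-age to 6 months). Browsers that have seen the HSTS header refuse plain HTTP for the whole max-age period, so confirm HTTPS works on every hostname you serve before enabling it.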

Troubleshooting Common Issues

Redirect loops

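If your site shows infinite redirects after enabling Cloudflare, check your SSL mode. Loops typically occur in “Flexible” mode when the origin redirects HTTP to HTTPS: Cloudflare keeps connecting to the origin over HTTP and is redirected each time. Set the mode to “Full (strict)” and verify your origin server has a valid SSL certificate.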

Stale content after updates

If visitors see old content after you publish updates, purge Cloudflare cache manually or check that the Cloudflare plugin is configured correctly.

Admin pages loading slowly

If /wp-admin is slow, ensure your cache rules bypass admin pages. Also check that you’re not rate-limiting your own IP.

Key Takeaways

  • Cloudflare CDN caches assets globally and improves page load times.
  • Configure cache rules to cache HTML for logged-out users, bypass for logged-in.
  • Enable WAF and rate limiting to block attacks on /wp-login.php.

Proudly powered by WordPress | Theme: Harvest by Two Row Studio. © 2026