How to Install Cloudflare on WordPress
Cloudflare is a company that provides content delivery network (CDN), DNS, DDoS protection, and security services. They have become very well known in the web performance industry for fast DNS lookup times and have a robust network of over 100 different data centers around the globe. They are backed by some of the biggest names in the industry such as Google, Microsoft, and Qualcomm. Some of their clients include Nasdaq, Digital Ocean, Zendesk, and Cisco.
1. Create Your Cloudflare Account
1: To get started, head on over to Cloudflare and create a new account:
2: Enter your site and Click on Add site
3: Select a plan We will choose the free plan and then click Confirm plan
4: Confirm DNS Records And Modify If Needed
On the next page, you can choose which DNS records will be routed through Cloudflare and which will bypass Cloudflare’s network.
You don’t necessarily need to do anything in this interface.
In fact, the only thing that you absolutely need to verify is that you see the orange icon next to the record for your actual domain name:
5: Change your Nameservers
Now, in order for Cloudflare to act as a reverse proxy for your site, you need to make few changes.
- You need to login to your domain management panel.
- You need to change your domain’s current nameservers with the one provided by Cloudflare.
Here are a couple of links to documentation with different domain registrars on how to change them.
Once you make the changes at your registrar, head back to Cloudflare and click the Continue button to finish the process.
Remember, DNS related changes can take as long as 24-hours to propagate globally. So, you need to keep patience.
note: You can always check the changes using a free tool called “intodns”.
Here’s what it looks like with Namecheap:
2: How to Install Cloudflare on WordPress
If you’re using WordPress, Cloudflare provides a dedicated plugin that:
- Lets you configure WordPress-optimized settings with one click
- Adds WordPress-specific rulesets to the web application firewall (for paid plans)
- Lets you automatically purge Cloudflare’s cache when you update your content
And the plugin also lets you change Cloudflare settings from inside your WordPress dashboard, rather than needing to use the Cloudflare website.
1: Activate Official WordPress Plugin
To set up the plugin, get started by installing and activating the Cloudflare plugin.
Then, go to Settings → Cloudflare in your WordPress dashboard and click the link to sign in:
On the next screen, you’ll need to enter your email address and API key:
To find your Cloudflare API key:
- Go to the Cloudflare interface
- Click on your email address in the top-right corner
- Select My Profile
- Scroll to the API Key section
- Click View API Key next to the Global API Key option
Copy that value and paste it into the API Key box in your WordPress dashboard:
3: Enable Optimized WordPress Settings
Once you activate your Cloudflare account within the plugin, you’ll see a number of new options in the Cloudflare plugin interface.
One nice thing about the plugin is that it includes an option to Optimize Cloudflare for WordPress. When applied, Cloudflare will make a number of tweaks to your settings to, well…optimize your settings for WordPress. You can view a full list of those changes here.
While you’ll need to further customize things still, applying these settings is a good way to get started:
If you’re using a caching plugin like WP Rocket, you should also consult the developer’s documentation for potential specific integration settings. For example, WP Rocket will automatically configure things for you if you authenticate your Cloudflare account with the WP Rocket plugin.
4: More Advanced Cloudflare Configuration Options You Should Set Up
While the basic Cloudflare setup process is fairly simple, if you want to optimize your site, you’ll need to configure some additional settings in your Cloudflare dashboard, especially if you’re using WordPress.
Step 1: Configure Cloudflare SSL Settings
Cloudflare gives you multiple options for how you configure your SSL connection:
- Off – no SSL active. This isn’t recommended
- Flexible – traffic is secure between your visitor and Cloudflare, but not between Cloudflare and your origin server.
- Full – secure connection between both your visitor and Cloudflare and Cloudflare and your origin server
- Full (strict) – the same as Full but with the benefit of authentication
Here’s which option to use:
- If you’re able to install an SSL/TLS certificate at your host, use one of the Full options (depending on the type of certificate you have).
- If you’re unable to install an SSL/TLS certificate at your host, use the Flexible option. It still adds some security and gets you the coveted “green padlock”.
To configure your SSL settings, go to the Crypto tab in your Cloudflare dashboard and use the drop-down:
Step 2: Set Up HTTPS And WordPress-Specific Page Rules
Page rules are a helpful feature that let you:
- Exclude specific URLs from Cloudflare
- Force HTTPS on all your pages/content
By default, Cloudflare gives you 3 free page rules, though you can add additional page rules starting at $5 per month for 5 rules.
For most WordPress sites, though, 3 page rules are enough to get started. Here’s what you’ll want to use them for:
- Force HTTPS
- Exclude wp-admin from Cloudflare and secure
- Secure wp-login.php
The latter two rules are important to secure sensitive areas of your site and ensure that you don’t experience any issues with the WordPress dashboard.
To set up your page rules, go to the Page Rules tab in your Cloudflare dashboard. Then, click Create Page Rule:
Page Rule #1: Force HTTPS
To force site-wide HTTPS use, create a page rule for http://*yourdomain.com/* like follows:
Page Rule #2: Secure wp-admin And Exclude From Cache
Next, create a rule for yourdomain.com/wp-admin* like follows:
Page Rule #3: Secure wp-login.php
Finally, create a third page rule for yourdomain.com/wp-login.php* like follows:
Here’s a quick recap:
Always use HTTPS
Security Level: High
Security Level: High, Cache Level: Bypass, Disable Apps, Disable Performance
If you’re willing to purchase additional page rules (starting at $5 per month for 5 page rules), you can also do things like:
- Set specific cache settings for different URLs or directories (e.g. /wp-content)
- Manage 301 redirects for pages or for redirecting attempts at XMLRCP.php
- Lots of other smaller tweaks, like using browser integrity checks to block brute force attempts
Step 3: Consider Using 2-Factor Authentication For Your Cloudflare Account
Because you can manage DNS records directly from your Cloudflare account (as well as a plethora of other sensitive settings), you need to pay serious attention to preventing unauthorized access to your Cloudflare account.
Thankfully, Cloudflare offers optional 2-factor authentication via:
- Google Auth
To configure it, go to My Profile and select your desired option:
5: How to Clear Cloudflare Cache
Running into problems? There will be times when you need to clear (purge) Cloudflare cache. There are two easy ways to do this.
Step 1 – Clear Cloudflare Cache in WordPress Plugin
If you have the Cloudflare WordPress plugin installed, you can purge the cache from “Settings → Cloudflare.”
Step 2 – Clear Cloudflare Cache from Control Panel
Your other option is to clear Cloudflare cache from their control panel. To do so, click into the “Caching” tab and then on “Purge Everything.”
Once you have everything up and running smoothly, it’s better to only purge the cache of individual files. Cloudflare provides an easy way to do this.
Note: If you purge everything, you may temporarily degrade performance on your website as assets have to re-cache. However, sometimes this is unavoidable, especially if you aren’t sure exactly what script or asset on your site needs to be refreshed.
Other Helpful Features + Reasons To Consider Cloudflare Pro
Beyond the core features above, Cloudflare has a number of other features that you might want to consider:
- Always Online – FREE – if your site goes down, this feature serves up a cached version so visitors can still access it. Configure in Caching tab.
- Rate Limiting – Billed on usage (first 10,000 requests are free) – protect your site by blocking certain IP addresses that fit specified rules. Configure in Firewall.
- Argo – Billed on usage – delivers responses to users more quickly by using optimized routes across the Cloudflare network.
- I’m Under Attack Mode – FREE – helps protect your site during a DDoS attempt. Enable in your main dashboard.
- Web Application Firewall – PAID – includes specific rulesets for WordPress sites. Configure in Firewall.
- Polish – PAID – automatically optimizes images, including WebP images. Configure in Speed.
If you want access to features like the Web Application Firewall and image optimization, Cloudflare’s paid plans start at $20 per month.
Final Thoughts On Cloudflare For WordPress Sites
Cloudflare offers an easy-to-implement way to both secure and speed up your WordPress website.
You can get started in just a few minutes by adding your site and pointing your nameservers to Cloudflare. After that, you’ll want to make some further tweaks by setting up SSL and page rules, as well as considering whether or not you want access to Cloudflare’s premium settings.
Give it a try and see if it improves your site’s page load times!