
Cloudflare for WordPress: Free CDN, DNS, and Security

November 21, 2025 · 7 min read · HostBible Team

Cloudflare's free plan provides a content delivery network, DNS management, DDoS protection, and basic security filtering in front of your WordPress site. For most sites, Cloudflare is worth enabling, but there are WordPress-specific pitfalls that will cause problems if you skip the configuration steps. Here is what to set up and what to watch out for.

What Cloudflare actually does

When you add your domain to Cloudflare and update your nameservers, Cloudflare becomes your authoritative DNS provider and puts its global network between your visitors and your origin server. Static assets (images, CSS, JavaScript, fonts) are cached at Cloudflare's edge locations in 300+ cities worldwide. Visitors download them from the nearest edge node rather than from your server, which reduces latency and server bandwidth regardless of where your origin server is physically located.

Cloudflare also filters all inbound traffic before it reaches your server. It blocks known malicious IP ranges, absorbs volumetric DDoS attacks at the network layer, and provides bot protection that stops basic credential stuffing and vulnerability scanning from ever reaching WordPress. The free plan handles the vast majority of common threats with zero configuration: you get meaningful security simply by routing DNS through Cloudflare.

The DNS management interface is also significantly faster than most registrar DNS panels. Propagation for DNS changes typically completes in under five minutes rather than the hours that some registrar systems take.

WordPress-specific cache configuration

The most critical WordPress-specific step is configuring cache exclusions. Cloudflare's default caching behaviour can cache pages that should never be cached: the WordPress admin, WooCommerce checkout, cart, and account pages, and any page shown to logged-in users. When a logged-in user is served a cached version of a page meant for a different user, the result is a broken page or, worse, sensitive data leaking between sessions.

In Cloudflare's Cache Rules (under Caching > Cache Rules), create a bypass rule that matches requests containing any of these cookies: wordpress_logged_in_*, woocommerce_cart, woocommerce_session_*, wp-settings-*. The rule action should be "Bypass cache." This ensures that dynamic, personalised, and admin content is always served fresh from your origin.
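To confirm the bypass rule is actually in effect, the following added example (not part of the original guide, and not Cloudflare's own tooling) models the cookie match and audits captured request/response pairs by their cf-cache-status response header. The function names and the sample records are constructed for illustration, and the name-based match is a simplified model of the rule.

```python
# Added example: audit captured traffic against the cookie bypass rule.
# Cookie-name fragments taken from the rule described above.
BYPASS_MARKERS = ("wordpress_logged_in_", "woocommerce_cart",
                  "woocommerce_session_", "wp-settings-")

# cf-cache-status values meaning the response was neither served from
# nor treated as eligible for Cloudflare's cache.
UNCACHED = {"BYPASS", "DYNAMIC"}


def cookie_names(cookie_header):
    """Split a Cookie request header into its cookie names."""
    pairs = (part.split("=", 1)[0].strip() for part in cookie_header.split(";"))
    return [name for name in pairs if name]


def should_bypass(cookie_header):
    """True when any cookie name contains one of the rule's fragments."""
    return any(marker in name
               for name in cookie_names(cookie_header)
               for marker in BYPASS_MARKERS)


def audit(records):
    """Return (url, status) for session-bearing requests that touched the cache.

    MISS and EXPIRED are findings too: the personalised response came from
    origin, but Cloudflare treated it as cacheable for the next visitor.
    """
    findings = []
    for rec in records:
        status = rec["cf_cache_status"].upper()
        if should_bypass(rec["cookie"]) and status not in UNCACHED:
            findings.append((rec["url"], status))
    return findings


# Constructed sample records (hypothetical capture of request cookie + response header).
SAMPLES = [
    {"url": "/my-account/", "cookie": "wordpress_logged_in_ab12=alice%7C1", "cf_cache_status": "HIT"},
    {"url": "/cart/", "cookie": "wp_woocommerce_session_ab12=77; _ga=GA1.2", "cf_cache_status": "BYPASS"},
    {"url": "/blog/hello/", "cookie": "_ga=GA1.2", "cf_cache_status": "HIT"},
    {"url": "/checkout/", "cookie": "woocommerce_cart_hash=9f", "cf_cache_status": "MISS"},
    {"url": "/wp-admin/", "cookie": "wp-settings-1=editor%3Dtinymce", "cf_cache_status": "DYNAMIC"},
]

if __name__ == "__main__":
    for url, status in audit(SAMPLES):
        print(f"session cookie present but cf-cache-status={status}: {url}")
```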

The official Cloudflare WordPress plugin (free, from the plugin repository) configures these exclusions automatically and adds a cache purge button directly to the WordPress admin toolbar. It is the most reliable way to manage the Cloudflare integration without manually maintaining cache rules.

Getting SSL right with Cloudflare

Cloudflare terminates SSL between the visitor and Cloudflare's edge for free on all plans. The SSL mode you configure determines what happens between Cloudflare's edge and your origin server, and getting this wrong causes either a security gap or a broken site.

The four modes work as follows. "Off" serves everything over HTTP; never use this. "Flexible" encrypts the visitor-to-Cloudflare leg but leaves Cloudflare-to-your-server unencrypted over HTTP; this is insecure and creates a false sense of HTTPS protection. "Full" encrypts the entire connection but does not verify your origin server's SSL certificate. "Full (Strict)" encrypts end-to-end and validates that your origin has a trusted, valid certificate.

Use Full (Strict) whenever possible. Most hosting providers issue free Let's Encrypt certificates, which Cloudflare trusts. If your server has a valid certificate, Full (Strict) is the correct setting. One additional step: enable Cloudflare's "Always Use HTTPS" toggle under SSL/TLS > Edge Certificates. This redirects any HTTP requests to HTTPS at the Cloudflare layer, before they reach your origin, which means you do not need a separate redirect rule in your .htaccess.

Performance settings worth enabling

In Cloudflare's Speed section, several free settings deliver genuine performance improvements. Auto Minify (under Speed > Optimization) minifies JavaScript, CSS, and HTML at the CDN layer without modifying your origin files; it is safe to enable all three. Brotli compression (under Speed > Optimization) serves compressed assets using Brotli, which produces smaller files than gzip for most content types. Enable it.

Rocket Loader, also in the Speed section, defers non-critical JavaScript by loading it asynchronously. It can meaningfully improve Largest Contentful Paint and First Contentful Paint scores. However, test it carefully: it sometimes conflicts with WordPress plugins that depend on synchronous script execution, particularly analytics scripts, chat widgets, and custom jQuery-dependent functionality. Enable it on staging first and run your full site test before applying it to production.

Early Hints (under Speed > Optimization) is a newer feature that sends preload headers for critical resources before the full HTML response is sent. Cloudflare supports this on the free plan and it can reduce perceived load time for repeat visitors on supporting browsers.

Security settings to configure

Under Security > Settings, set Security Level to "Medium" if you have not changed it. This blocks requests from IPs with a known threat score above a threshold without impacting legitimate visitors. "High" is appropriate if your site is actively being targeted.

Bot Fight Mode (free) applies heuristic detection to block basic bots and crawlers that are not legitimate search engines. Enable it. If you receive reports of legitimate users being challenged or blocked, you can allowlist specific IP ranges under Security > Tools > IP Access Rules.

The Web Application Firewall (WAF) with managed rulesets is a paid feature, but the free plan includes rate limiting rules you can configure manually. Under Security > WAF > Rate Limiting Rules, create a rule to limit requests to /wp-login.php to a sensible threshold; five requests per minute from a single IP is a reasonable starting point. This reduces brute-force login attempts reaching your server without blocking legitimate users who may have typed their password incorrectly.
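Before enforcing a threshold, it helps to see which clients it would have affected. The added example below (not from the original guide) replays an origin access log in combined format and reports IPs that exceed five requests to /wp-login.php in any one-minute window. The log lines are constructed, the function name is hypothetical, the fixed-window count is only an approximation of how the edge counts, and it assumes the log already records real visitor IPs rather than Cloudflare's.

```python
# Added example: estimate who a "5 requests/minute to /wp-login.php" rule would hit.
import re
from collections import Counter
from datetime import datetime

LIMIT = 5    # requests per window (the starting point suggested above)
WINDOW = 60  # window length in seconds

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def over_limit(lines, limit=LIMIT, window=WINDOW):
    """Return {ip: peak request count in one window} for IPs above the limit."""
    buckets = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        buckets[(ip, int(when.timestamp()) // window)] += 1
    peaks = {}
    for (ip, _bucket), count in buckets.items():
        if count > limit:
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks


def _line(ip, second, request):
    return f'{ip} - - [21/Nov/2025:10:15:{second:02d} +0000] "{request} HTTP/1.1" 200 1234'


# Constructed sample log: one client hammering the login form, one user
# retrying a mistyped password, and one unrelated page view.
SAMPLE = (
    [_line("203.0.113.7", s, "POST /wp-login.php") for s in range(0, 40, 5)]
    + [_line("198.51.100.20", 10, "GET /wp-login.php?redirect_to=%2Fwp-admin%2F"),
       _line("198.51.100.20", 25, "POST /wp-login.php"),
       _line("198.51.100.20", 50, "POST /wp-login.php"),
       _line("198.51.100.99", 30, "GET /")]
)

if __name__ == "__main__":
    for ip, peak in over_limit(SAMPLE).items():
        print(f"{ip}: {peak} requests to /wp-login.php in one minute")
```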

Troubleshooting common Cloudflare and WordPress conflicts

The most frequent issue is an infinite redirect loop between Cloudflare and WordPress when the SSL mode is set to Flexible but WordPress is configured to enforce HTTPS. WordPress redirects HTTP to HTTPS, Cloudflare serves the HTTPS request to your server as HTTP (because Flexible mode does not encrypt the Cloudflare-to-origin leg), your server serves HTTP, and WordPress redirects again. Fix: switch Cloudflare SSL mode to Full or Full (Strict).

Another common issue is cached pages not updating after content changes. If your caching plugin and Cloudflare are both caching, and the caching plugin's purge function only clears the server cache, Cloudflare may still serve a stale version. The Cloudflare WordPress plugin adds a purge button to the admin toolbar that clears both. Alternatively, configure your caching plugin to send a Cloudflare cache purge API call on post update; LiteSpeed Cache and WP Rocket both support this natively.

IP address logging is affected by Cloudflare proxying. Your server logs will show Cloudflare's IP ranges instead of real visitor IPs. The Cloudflare mod_remoteip Apache module (or the equivalent LiteSpeed configuration) restores real visitor IPs to server logs and to WordPress. The Cloudflare WordPress plugin handles this automatically for WordPress-level IP logging.
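Restoring visitor IPs is only safe when the forwarded address is accepted solely from Cloudflare's own addresses; otherwise any client that reaches the origin directly can supply whatever address it likes. The added example below (not from the original guide) shows that trust check using Cloudflare's CF-Connecting-IP request header. The function name is hypothetical, and the trusted ranges are documentation-network placeholders standing in for Cloudflare's published IP list.

```python
# Added example: accept the forwarded visitor IP only from trusted proxy addresses.
import ipaddress

# PLACEHOLDER ranges (RFC 5737 / RFC 3849 documentation networks).
# Replace with the IP ranges Cloudflare publishes before real use.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8::/32")]


def client_ip(peer_addr, headers):
    """Return the address to log for a request.

    peer_addr is the TCP peer the origin sees; headers is a dict of request
    headers. The forwarded value is used only when the peer is a trusted
    proxy and the value parses as an IP address.
    """
    peer = ipaddress.ip_address(peer_addr)
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: same header, different TCP peers.
    hdr = {"CF-Connecting-IP": "198.51.100.23"}
    print(client_ip("192.0.2.10", hdr))    # via trusted proxy: header is used
    print(client_ip("203.0.113.50", hdr))  # direct to origin: header is ignored
```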

When Cloudflare is not enough on its own

Cloudflare's CDN caches static assets and bypasses your server for cached responses, but it cannot accelerate uncached PHP execution on your origin. If your WordPress site has a slow TTFB on dynamic pages (the admin, WooCommerce checkout, logged-in views), that is an origin server problem. Cloudflare improves the delivery of static content regardless, but slow PHP execution requires fixing at the hosting level: better server resources, a faster PHP version, database query optimisation, or server-level caching via LiteSpeed Cache or Redis.

The most effective stack combines Cloudflare in front with LiteSpeed at the origin. LiteSpeed serves cached WordPress pages from server memory with sub-100ms TTFB. Cloudflare then handles global asset distribution, security filtering, and SSL termination. Each layer does what it does best, with no overlap in responsibility.

LiteSpeed origin, Cloudflare in front

HostBible WordPress plans use LiteSpeed for fast origin performance. Add Cloudflare in front for global CDN delivery and you have a genuinely fast stack at every layer.
