Best Cloudflare Settings for WordPress in 2023

How to Configure Cloudflare for WordPress


It’s very important to ensure that your website loads quickly: slow pages lose visitors. Most people expect a page to appear almost immediately, and many leave a site that takes more than a few seconds to load. In this article, I’ll show you the best Cloudflare settings for a WordPress blog: we’ll speed up your site using the free Cloudflare CDN (Content Delivery Network) plan, and, if you’re a paying customer, I’ll mention some useful paid features as well.

However, the Cloudflare CDN isn’t only about speed: the service also improves security. While the default security settings are a reasonable baseline, I’ll show you how to apply some additional settings to make your website more resistant to external attacks.

Before proceeding with this tutorial, keep in mind that your website must already be connected to Cloudflare. All the steps for connecting a website to Cloudflare are provided in this article. Also, note that I won’t go through every option Cloudflare enables by default, so that we can save time and focus on the additional settings.

What is a CDN?

CDN stands for Content Delivery Network: a group of geographically distributed servers that keep copies of your website’s content so that visitors are served from a location near them. For example, a visitor in the USA who is served from a nearby edge server gets a faster response than if every request had to travel to an origin server in, say, Australia. The simple rule: the farther a server is from the visitor, the farther the data has to travel, and the slower the page loads. Cloudflare is the most widely used CDN, and it has two main jobs: speeding up your website and absorbing DDoS attacks aimed at it.

Performance Settings

Cloudflare has multiple performance settings to help increase your website’s loading speed. However, while some of these settings have a more significant effect on performance, others may have little or no effect: it all depends on your website’s configuration and other aspects.

To increase your website’s loading speed, the first method we’ll use is “minification”: the process of stripping whitespace, comments, and other unneeded characters from JavaScript, CSS, and HTML so that less data is sent to the browser. The gain is usually modest once Brotli or GZIP compression is enabled (compression already squeezes whitespace very well), and occasionally minifying badly written inline JavaScript breaks it, so check your site after enabling it.

To minify the files mentioned above, sign in to your Cloudflare account and go to Speed → Optimization. Then, next to Auto Minify, check JavaScript, CSS, and HTML.

On a paid Cloudflare plan you can add Image Resizing (a separately billed add-on), which resizes images, adjusts their quality, and converts them to the WebP format. The conversion happens on Cloudflare’s side and doesn’t touch the original images stored on your server. However, if you have a new website and haven’t uploaded any images yet, I suggest uploading only WebP images from the start. WebP is a modern image format that provides both lossless and lossy compression for images on the web, and WebP images are usually smaller than PNG and JPEG images of the same quality, so they load faster.

Polish is another setting that paying users can enable: it improves image load time by optimizing the images served from your domain. The options are:

  • Off: Polish is disabled
  • Lossless: compresses PNG and GIF images without impacting visual quality and removes metadata from PNG, GIF, and JPEG images
  • Lossy: compresses JPEG images using lossy compression, which may reduce visual quality (compression rate is better compared to lossless)
  • Serve WebP images: if the visitor’s browser supports WebP, Cloudflare serves a WebP version of the image whenever that is smaller than the original format.

I suggest choosing the Lossy compression option with Serve WebP images for best results.

Brotli is a compression algorithm that compresses HTTP responses (HTML, CSS, JavaScript, and other text assets) on their way to the client, so pages load faster. It’s a newer alternative to GZIP with a better compression ratio. All major web browsers support it (Cloudflare falls back to GZIP for clients that don’t), and you should keep it enabled.

Early Hints: 103 Early Hints is an HTTP status code designed to speed up content delivery. When enabled, Cloudflare caches the Link headers it has seen in your HTML responses and sends them in a 103 Early Hints response while the request is still on its way to the origin, so the browser can start fetching fonts, CSS, and scripts before the full page arrives. At the time of writing the feature is still in beta and may not behave as expected, so I advise leaving it disabled for now.

Automatic Platform Optimization (APO) for WordPress serves your site’s HTML from Cloudflare’s edge network and also caches third-party fonts. APO is the most powerful option here because it caches almost everything that is publicly available on your website while still bypassing the cache for logged-in users (it recognizes WordPress’s cookies) and purging pages when you publish. It also saves bandwidth, because most requests from anonymous visitors never reach your web server; the origin still handles cache misses, logged-in sessions, form posts, and the admin area. APO is a paid add-on on the Free plan and is included in the paid plans.

While APO costs extra, you can get a similar, though cruder, effect for free by creating Page Rules: go to Rules → Page Rules and click Create Page Rule.


To cache your entire website, let’s enter and select the following values:

  • If the URL matches: *yourdomain.com/*
  • Then the settings are: Browser Cache TTL: an hour, Cache Level: Cache Everything, Edge Cache TTL: a month

When you’re done, click Save and Deploy.

For the site to work properly, we need to exclude some areas from being cached. Bear in mind what “Cache Everything” means on a WordPress site: Cloudflare caches HTML by URL, so a page generated for a logged-in user (with the admin bar, nonces, and per-user content) can be cached and served to anonymous visitors, and vice versa. Page Rules on the Free plan can’t bypass the cache based on a cookie; Cloudflare’s newer Cache Rules can bypass when the request carries a wordpress_logged_in_ cookie, so check whether your plan supports that. Otherwise, keep the cached area to genuinely public pages, think about whether /wp-login.php and /wp-json/ should really be cached for a month, and verify the CF-Cache-Status response header on a few URLs after you deploy. First, let’s exclude the preview pages, whose URLs contain preview=true, by creating a new page rule:

  • If the URL matches: *yourdomain.com/*preview=true*
  • Then the settings are: Cache Level: Bypass

(There is deliberately no “&” before preview=true in the pattern, so it also matches preview links where preview=true is the first query parameter, e.g. /?preview=true.)

Now, let’s exclude your WordPress Admin panel from being cached by creating the next page rule with the following values:

  • If the URL matches: *yourdomain.com/wp-admin*
  • Then the settings are: Security Level: High, Cache Level: Bypass, Disable Apps, Disable Performance

Make sure to sort these rules exactly in this order (Cloudflare applies only the first rule whose pattern matches a URL, so the specific bypass rules must come before the catch-all):

  • First position: bypass the cache for the “wp-admin” directory
  • Second position: bypass the cache for preview pages
  • Third position: cache the rest of the site
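Because Cloudflare applies only the first Page Rule whose pattern matches, it is worth checking which rule actually wins for the URLs you care about before trusting a month-long edge cache. The following Python script is an added example, not Cloudflare’s code or part of the original article: it models the wildcard matching and first-match-wins ordering (simplified; the scheme is stripped before matching) and runs the article’s three rules against constructed URLs. It shows that a preview link where preview=true is the first query parameter slips past the pattern *yourdomain.com/*&preview=true* and gets cached, that /wp-login.php and the REST API fall into the catch-all rule, and what happens if the rules are in the wrong order. The hardened rule list is my own suggestion and needs more than the three Page Rules the Free plan provides.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PageRule:
    name: str
    pattern: str                              # Cloudflare page-rule style: '*' is the only wildcard
    settings: dict = field(default_factory=dict)


def _to_regex(pattern: str) -> re.Pattern:
    # Every '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def _strip_scheme(url: str) -> str:
    # Page-rule patterns normally omit the scheme, so compare against the URL without it.
    # This is a simplified model of Cloudflare's matcher, not Cloudflare's own logic.
    return re.sub(r"^https?://", "", url)


def first_match(rules, url):
    """Cloudflare applies only the first rule whose pattern matches; return it (or None)."""
    target = _strip_scheme(url)
    for rule in rules:
        if _to_regex(rule.pattern).match(target):
            return rule
    return None


def cache_level(rules, url) -> str:
    """Effective Cache Level for a URL; 'Standard' when no rule matches (Cloudflare's default)."""
    rule = first_match(rules, url)
    return rule.settings.get("Cache Level", "Standard") if rule else "Standard"


DOMAIN = "yourdomain.com"  # placeholder from the article; replace with your domain

# The three rules from the article, in the order the article says to sort them.
ARTICLE_RULES = [
    PageRule("bypass wp-admin", f"*{DOMAIN}/wp-admin*",
             {"Cache Level": "Bypass", "Security Level": "High"}),
    PageRule("bypass preview", f"*{DOMAIN}/*&preview=true*", {"Cache Level": "Bypass"}),
    PageRule("cache everything", f"*{DOMAIN}/*",
             {"Cache Level": "Cache Everything", "Edge Cache TTL": "a month"}),
]

# Suggested variant: preview pattern widened so '?preview=true' (no preceding '&') is caught,
# plus bypasses for the login page and the REST API, which the article's set leaves cacheable.
HARDENED_RULES = [
    ARTICLE_RULES[0],
    PageRule("bypass preview", f"*{DOMAIN}/*preview=true*", {"Cache Level": "Bypass"}),
    PageRule("bypass login", f"*{DOMAIN}/wp-login.php*", {"Cache Level": "Bypass"}),
    PageRule("bypass rest api", f"*{DOMAIN}/wp-json/*", {"Cache Level": "Bypass"}),
    ARTICLE_RULES[2],
]

# Constructed URLs covering the cases that matter on a WordPress site.
SAMPLE_URLS = [
    f"https://{DOMAIN}/2023/hello-world/",
    f"https://{DOMAIN}/wp-admin/edit.php",
    f"https://{DOMAIN}/?p=12&preview=true",
    f"https://{DOMAIN}/?preview=true",
    f"https://{DOMAIN}/wp-login.php",
    f"https://{DOMAIN}/wp-json/wp/v2/posts",
]

if __name__ == "__main__":
    for label, rules in [("article", ARTICLE_RULES), ("hardened", HARDENED_RULES),
                         ("article, wrong order", list(reversed(ARTICLE_RULES)))]:
        print(f"--- {label} ---")
        for url in SAMPLE_URLS:
            rule = first_match(rules, url)
            print(f"{url:50} -> {rule.name if rule else '(no rule)':18} {cache_level(rules, url)}")
```

Run it once with your own domain and any extra patterns you add; if a URL you expected to be bypassed prints “Cache Everything”, fix the pattern or the order before deploying, then confirm on the live site by looking at the CF-Cache-Status header. Page Rule patterns cannot express “or”, so each extra path needs its own rule.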

Additional Performance Settings

Go to the Network section and enable 0-RTT Connection Resumption, which speeds up connections for clients that have connected to your site before by letting them send their first request along with the TLS handshake. The security trade-off of 0-RTT is that this early data can be replayed by an attacker; Cloudflare mitigates that by only forwarding early data for safe, idempotent requests and by adding an Early-Data: 1 header so the origin can refuse such a request with a 425 Too Early response if it needs to.

Security Settings

To prevent or minimize the risk of successful hacking attempts, you should keep your website as secure as possible. Cloudflare can’t be your only defense, but it provides robust security features: once your domain is on Cloudflare, you get DDoS protection out of the box, plus the additional free and paid features covered below. One caveat applies to everything in this section: Cloudflare can only filter traffic that actually passes through it. If your origin server’s IP address is discoverable (old DNS records, mail records, or the server simply answering on its public IP), an attacker can connect to the server directly and bypass every rule below. So restrict your origin’s HTTP and HTTPS ports to Cloudflare’s published IP ranges (https://www.cloudflare.com/ips/), and make sure your server only trusts the CF-Connecting-IP header on connections that really come from those ranges.
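The following script is an added example (my own, not the article’s or Cloudflare’s code) showing both halves of that caveat in Python: deciding whether a connection really came from Cloudflare, only then trusting CF-Connecting-IP as the visitor’s address, and rendering an nftables ruleset that drops direct web traffic from everyone else. The IP ranges are a snapshot of Cloudflare’s published IPv4 list and must be refreshed from the source before use; the peer addresses and headers in the demo are constructed test values, and the IPv6 list is left out for brevity but would be handled the same way.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes occasionally: fetch the current version before deploying.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is only meaningful when Cloudflare set it; anyone who reaches
    the origin directly can put any value in that header, so fall back to the peer.
    """
    if is_cloudflare(peer_ip):
        return headers.get("CF-Connecting-IP", peer_ip)
    return peer_ip


def nftables_ruleset(ranges) -> str:
    """Render an nftables ruleset accepting ports 80/443 only from the given ranges.

    Assumes the host has no other legitimate web ingress; SSH and other ports are untouched.
    """
    nets = ", ".join(str(ipaddress.ip_network(cidr)) for cidr in ranges)  # validates each CIDR
    return "\n".join([
        "table inet origin_lockdown {",
        "  set cloudflare_v4 {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {nets} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    tcp dport { 80, 443 } ip saddr @cloudflare_v4 accept",
        "    tcp dport { 80, 443 } drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed examples: a request relayed by Cloudflare, and a direct hit on the origin
    # that forges the same header to hide behind a loopback address.
    via_cloudflare = real_client_ip("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"})
    direct_forged = real_client_ip("203.0.113.9", {"CF-Connecting-IP": "127.0.0.1"})
    print("relayed by Cloudflare, client is", via_cloudflare)
    print("direct connection, forged header ignored, client is", direct_forged)
    print(nftables_ruleset(CLOUDFLARE_IPV4))
```

Load the generated ruleset with nft -f on the origin after checking it doesn’t collide with rules you already have, and schedule a refresh of the range list, since Cloudflare adds ranges from time to time. The real_client_ip logic is the same idea Apache’s mod_remoteip or nginx’s real_ip module implement when you give them Cloudflare’s ranges as trusted proxies; without it, WordPress login throttling and your access logs see either Cloudflare’s addresses or whatever an attacker wrote into the header.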

Configure SSL/TLS settings

First, we need to protect your website with an HTTPS connection, which encrypts data between the browser and the website. Using HTTPS matters because it protects sensitive user data such as passwords in transit. Additionally, you may get better SEO rankings, because Google’s search engine favors sites that use HTTPS.

Go to SSL/TLS → Overview and choose an encryption mode. The modes differ in how the hop between Cloudflare and your origin server is protected:

  • Flexible: visitors connect to Cloudflare over HTTPS, but Cloudflare talks to your origin over plain HTTP, so the traffic is exposed between the two. With WordPress this also tends to cause redirect loops if the site forces HTTPS. Avoid it unless you really can’t install a certificate.
  • Full: Cloudflare connects to the origin over HTTPS but doesn’t validate the certificate, so a self-signed certificate works, at the cost of no protection against a man-in-the-middle on that hop.
  • Full (strict): Cloudflare validates the origin certificate. This is the mode to use.

To enable Full (strict), you need a trusted certificate on your origin: either a Let’s Encrypt certificate or a free Cloudflare Origin CA certificate, which Cloudflare trusts for this purpose (browsers don’t, which is fine because they only ever see Cloudflare’s edge certificate). For an example of setting one up on Cloudways, see this article.

Next, go to SSL/TLS → Edge Certificates and enable Always Use HTTPS to redirect all plain HTTP requests to HTTPS at Cloudflare’s edge.

Enabling it is safe even if your web server already redirects HTTP to HTTPS; the edge redirect simply happens first. The redirect loops people run into come from combining Flexible mode with an origin that redirects to HTTPS (the origin sees plain HTTP from Cloudflare and redirects again), not from this option. In the example below, I left this option disabled as my webserver already redirects such requests.

Then, enable the HTTP Strict Transport Security (HSTS) header, which tells browsers to only ever use HTTPS for your domain and so protects against downgrade attacks, SSL stripping, and cookie hijacking over plain HTTP. Set the following options on the Configure tab:

  • Enable HSTS (Strict-Transport-Security): On
  • Max Age Header (max-age): 6 months (Recommended), or 12 months if you intend to preload
  • Apply HSTS policy to subdomains (includeSubDomains): On, but only if every subdomain (mail, staging, dev, and so on) is served over HTTPS, because browsers will refuse plain HTTP to all of them
  • Preload: On only once the two settings above are final; the preload list (hstspreload.org) requires a max-age of at least one year together with includeSubDomains, and getting removed from browsers’ built-in lists takes months
  • No-Sniff Header: On (this is a separate X-Content-Type-Options: nosniff header that stops browsers from guessing content types; it just shares the HSTS settings panel)

Apply Firewall Rules

Firewall Rules (found under Security → WAF as custom rules in newer Cloudflare dashboards) control incoming traffic to your website by filtering requests based on location, IP address, user agent, URI, and so on. Here I’ll show you how to protect your website’s sensitive areas from malicious users and bots by filtering on IP addresses and paths.

First, let’s add your IP address to the firewall: go to Firewall → Tools, and under IP Access Rules enter the following values:

  • IP address: your IP address
  • Action: Allow
  • Zone: This website
  • Note: optional

This adds your IP address to the allowlist so that it isn’t blocked once we set up the firewall rules. You can add as many IP addresses as you want. If your ISP assigns you a dynamic address, remember that this entry will go stale; revisit it when you get locked out, or put the exemption directly into each rule’s expression with and not ip.src in {your.ip.address} so the rule itself carries it.

Go to Firewall → Firewall Rules and click Create a Firewall rule.


We’ll create a firewall rule that blocks every IP address from accessing the wp-login.php page, except the ones you allowlisted. Automated scanners commonly target the WordPress login page, so this rule protects it from brute-force attacks. Since you have already allowlisted your IP address, the rule won’t block you from accessing this page. If your site has several authors on changing addresses, use the Managed Challenge action instead of Block so that humans can still get through.

Under Rule name, enter any name you want, e.g., block /wp-login.php, and next to Expression Preview, click Edit expression. Then enter this value:

(http.request.uri.path contains "/wp-login.php")

Under Then…, select Block and click Deploy.


Next, we’ll create additional rules to protect other commonly attacked pages.

Protect xmlrpc.php, the endpoint WordPress exposes for remote-publishing clients and plugins such as Jetpack. It is a favorite of brute-force bots because a single XML-RPC request can carry many login attempts, so if you don’t use it, block it:

  • Rule name: block /xmlrpc.php
  • Action: Block
(http.request.uri.path contains "/xmlrpc.php")

Now, let’s protect the wp-admin directory, which contains the files used to administer your website. Here we’ll block access to the whole wp-admin directory with a couple of exceptions.

The first exception is admin-ajax.php, which some plugins use to serve dynamic content to anonymous visitors. A few plugins also post public forms to admin-post.php; if one of yours does, add it to the exceptions in the same way.

The second exception in the rule below is theme-editor.php, so that the built-in theme editor (WordPress → Appearance → Theme Editor) can still save changes. I’d rather drop this exception: the built-in file editor lets anyone who gets hold of an administrator session write PHP to your server, so the usual hardening advice is to disable it entirely with define('DISALLOW_FILE_EDIT', true); in wp-config.php and edit theme files over SFTP or from version control instead.

And this is the rule you need to add:

  • Rule name: block /wp-admin/
  • Action: Block
(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

Because WordPress is one of the most popular content management systems, it’s often hacked through insecure plugins. Unfortunately, vulnerabilities are found in well-known, reputable plugins too, so no WordPress site is fully immune. You can at least cut down automated probing of the /wp-content/plugins/ directory with a rule that only allows requests carrying a Referer from your own site or coming from known good bots. Be clear about what this buys you: the Referer header is set by the client, so anyone deliberately attacking you sends whatever value passes the check (and because the rule uses contains, a referer of yourdomain.com.evil.example passes as well). It stops naive scanners, not a targeted attacker. It also blocks visitors whose browsers or privacy extensions strip the Referer header, which breaks plugin CSS and JavaScript for them, so watch your firewall events after enabling it.

Here is the rule (replace yourdomain.com to your domain):

  • Rule name: block no-referer requests to plugins
  • Action: Block
(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yourdomain.com" and not cf.client.bot)

Additionally, we can add a firewall rule that helps prevent comment spam from external sources: it only accepts comment submissions whose Referer shows they came from your own site. The effect is modest, as spambots can simply forge that header.

Rule to be added (replace yourdomain.com to your domain):

  • Rule name: block wp-comments-post.php
  • Action: Block
(http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yourdomain.com")

In the end you should have five firewall rules: the wp-login.php block, the xmlrpc.php block, the wp-admin block with its exceptions, the plugins-directory referer rule, and the comment-post referer rule.
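To see what these rules do and don’t stop, here is an added Python example (my own, not the article’s or Cloudflare’s code) that mirrors each expression as a predicate and runs constructed requests through them in the order the article lists them. The allowlist models the IP Access Rule (or an and not ip.src in {...} clause) being honored before the rules. The results demonstrate the admin-ajax.php and theme-editor.php exceptions, the false positive for a visitor whose browser strips the Referer header, and the bypasses of the referer rules: contains "yourdomain.com" accepts a lookalike host such as yourdomain.com.evil.example, and a forged header passes outright. The IP addresses and domain are placeholders; the stricter referer_is_same_site check is my suggestion, not a rule from the article.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DOMAIN = "yourdomain.com"       # placeholder from the article; replace with your domain
ALLOWLIST = {"203.0.113.10"}     # constructed: the admin address added under IP Access Rules
VISITOR = "198.51.100.7"         # constructed: any address that is not allowlisted


@dataclass
class Request:
    ip: str
    path: str                    # http.request.uri.path
    method: str = "GET"          # http.request.method
    referer: str = ""            # http.referer; "" when the header is absent
    known_bot: bool = False      # cf.client.bot: request verified as a known good bot


def first_matching_rule(r: Request) -> Optional[str]:
    """Mirror the article's five firewall expressions, evaluated top to bottom as Cloudflare does."""
    if "/wp-login.php" in r.path:
        return "block /wp-login.php"
    if "/xmlrpc.php" in r.path:
        return "block /xmlrpc.php"
    if ("/wp-admin/" in r.path
            and "/wp-admin/admin-ajax.php" not in r.path
            and "/wp-admin/theme-editor.php" not in r.path):
        return "block /wp-admin/"
    if "/wp-content/plugins/" in r.path and DOMAIN not in r.referer and not r.known_bot:
        return "block no-referer requests to plugins"
    if r.path == "/wp-comments-post.php" and r.method == "POST" and DOMAIN not in r.referer:
        return "block wp-comments-post.php"
    return None


def decide(r: Request) -> str:
    """Allowlisted addresses are exempt; everyone else gets the first matching rule's action."""
    if r.ip in ALLOWLIST:
        return "allow (allowlisted IP)"
    hit = first_matching_rule(r)
    return f"block ({hit})" if hit else "allow"


def referer_is_same_site(referer: str) -> bool:
    """Stricter than 'contains': the Referer's host must be the domain or a subdomain of it.

    Still client-supplied, so treat it as a scanner filter rather than a security boundary.
    """
    host = urlsplit(referer).hostname or ""
    return host == DOMAIN or host.endswith("." + DOMAIN)


# Constructed requests covering the interesting cases.
SAMPLES = [
    ("admin logging in from the allowlisted address",
     Request("203.0.113.10", "/wp-login.php", "POST")),
    ("scanner posting credentials to wp-login.php",
     Request(VISITOR, "/wp-login.php", "POST")),
    ("scanner hitting xmlrpc.php",
     Request(VISITOR, "/xmlrpc.php", "POST")),
    ("anonymous visitor using a plugin's admin-ajax endpoint",
     Request(VISITOR, "/wp-admin/admin-ajax.php", "POST")),
    ("anyone reaching the theme editor (the exception exposes it)",
     Request(VISITOR, "/wp-admin/theme-editor.php")),
    ("normal browser loading plugin CSS",
     Request(VISITOR, "/wp-content/plugins/x/style.css", referer=f"https://{DOMAIN}/")),
    ("privacy browser that strips Referer loading plugin CSS",
     Request(VISITOR, "/wp-content/plugins/x/style.css")),
    ("probe with a lookalike Referer host",
     Request(VISITOR, "/wp-content/plugins/x/readme.txt", referer=f"https://{DOMAIN}.evil.example/")),
    ("spambot forging the Referer on a comment post",
     Request(VISITOR, "/wp-comments-post.php", "POST", referer=f"https://{DOMAIN}/post/")),
]

if __name__ == "__main__":
    for label, req in SAMPLES:
        print(f"{decide(req):45} {label}")
    print("lookalike host passes same-site check:", referer_is_same_site(f"https://{DOMAIN}.evil.example/"))
```

If you want the stricter host comparison in Cloudflare itself, note that the regex operator (matches) is only available on Business and Enterprise plans; on lower plans you can at least test http.referer with starts_with "https://yourdomain.com/". Either way, keep the referer rules in your mental model as noise reduction, and rely on strong passwords, two-factor authentication, and timely plugin updates for the actual defense.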

Additional Security Settings

Cloudflare has even more settings to enhance your site’s security further, so follow the following steps to enable additional security options.

Go to Firewall → Bots and enable Bot Fight Mode. This mode challenges requests that match patterns of known bots before they reach your site, which saves bandwidth as well. Keep in mind that it can also challenge legitimate automated clients such as uptime monitors or external cron pingers, so check the firewall events if one of those stops working.

Next, go to Scrape Shield and enable Hotlink Protection. This setting prevents your images from being displayed on other websites, so it helps to save your site bandwidth even further. However, note that Google Images or other similar places won’t display your site images, so you should consider if this setting is relevant.

To protect other areas of the site, make sure that Email Address Obfuscation and Server-side Excludes are enabled too (both are on by default).

Install Cloudflare Plugin

Now that Cloudflare’s setup is complete, we can perform one last step: install the official Cloudflare WordPress plugin, which lets you change some Cloudflare settings from the WordPress dashboard and automatically purges updated content from the cache.

Log in to your WordPress dashboard, go to Plugins → Add New, search for Cloudflare, then click Install Now and Activate.


Go back to your Cloudflare account → Overview, and under the API section, click Get your API token.

On the next page you’ll see both API Tokens and the Global API Key. Create an API token (the Create Token page offers a ready-made “WordPress” template) rather than copying the Global API Key: the Global API Key is the equivalent of your account password and grants full control over every zone in your account, so if your WordPress site is ever compromised, the attacker gets your DNS and all other Cloudflare settings along with it. A token scoped to this zone’s cache purge and settings permissions is all the plugin needs. Copy the token to the clipboard (it is shown only once); the plugin will ask for it, together with your Cloudflare account e-mail, to sign in.

Then go back to your WordPress dashboard → Settings → Cloudflare to sign in to your Cloudflare account.


After signing in, we don’t need to set up anything else, as we have already done everything on the Cloudflare website.

Summary

I’ve provided you with the most important and recommended Cloudflare settings that I suggest enabling for better WordPress performance and security. Remember that Cloudflare constantly introduces new features, so you can always expect to find new settings to try.

If you have any questions, simply leave a comment below.

Frequently Asked Questions

Is Cloudflare protection enough for a website?

No. While Cloudflare can protect your website from many online threats, you still have to secure the web server that hosts it. Cloudflare can’t fix weak passwords, vulnerabilities in WordPress, its plugins, or the web server, or an exposed database, and everything it does can be bypassed by an attacker who reaches your origin server directly. In other words, Cloudflare adds an extra layer of protection.

Are there any alternatives to Cloudflare?

Yes, Cloudflare has many alternatives, such as Akamai, Sucuri, KeyCDN, etc. However, Cloudflare is one of the largest and best-known CDNs, and the best part is that you can use it for free without spending a dime.

Does Cloudflare provide hosting services?

No, Cloudflare doesn’t host WordPress sites; it sits in front of your existing host. If you’re looking for a hosting provider for your WordPress website, you can check Cloudways, SiteGround, Bluehost, etc.


Rimantas Jurgelevičius

Rimantas Jurgelevičius is the founder and owner of Techesium. He's interested in web development, cloud computing, and other online technologies and aims to provide easy-to-follow and detailed tutorials for others.
