How to: Set Up Cloudflare for Your WordPress Site

Speed, security, and reliability. Those are three things every WordPress site owner needs. Cloudflare helps deliver all of them. In this step-by-step guide, you’ll learn how to set up Cloudflare for your WordPress website, improve load times, protect against security threats, and even reduce bandwidth costs.

What is Cloudflare?

Cloudflare is a content delivery network (CDN) and security platform that acts as a proxy between your website visitors and your server. It improves performance, adds a layer of security, and protects your site from threats such as DDoS attacks and malicious bots.

Why Use Cloudflare With WordPress?

Using Cloudflare with WordPress offers several benefits:

  • Faster page load speeds via global CDN caching
  • Free SSL certificates and automatic HTTPS redirection
  • Bot protection and DDoS mitigation
  • Reduced server load by caching static content
  • Improved SEO due to faster load times and enhanced security

How to Set Up Cloudflare on WordPress (Step-by-Step)

1. Create a Free Cloudflare Account

2. Scan Your DNS Records

  • Cloudflare will automatically scan your existing DNS records
  • Review the records and ensure everything is correct
  • Click Continue

3. Update Nameservers

  • Cloudflare will provide you with two new nameservers
  • Log in to your domain registrar (e.g., GoDaddy, Namecheap, etc.)
  • Replace the current nameservers with the ones provided by Cloudflare
  • Save changes and wait for propagation (usually within a few hours)

4. Configure SSL Settings

  • In your Cloudflare dashboard, go to SSL/TLS
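  • Set SSL mode to Flexible (or Full if your server already has SSL). Note that Flexible encrypts only the connection between visitors and Cloudflare; the connection from Cloudflare to your server remains plain HTTP.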
  • Enable Always Use HTTPS and Automatic HTTPS Rewrites

5. Install the Cloudflare Plugin for WordPress

  • From your WordPress dashboard:
      • Go to Plugins > Add New
      • Search for “Cloudflare” and install the official plugin
      • Activate the plugin and connect it to your Cloudflare account using your API token or key

6. Optimize Performance Settings

  • Enable Auto Minify (HTML, CSS, JavaScript)
  • Turn on Brotli compression for faster data delivery
  • Under Caching, set Browser Cache TTL to an appropriate value (e.g., 1 day)
  • Use the “Purge Cache” option when making major changes to your site

7. Set Up Page Rules (Optional but Recommended)

  • Go to Rules > Page Rules
  • Add rules like:
      • *yourdomain.com/wp-admin* > Cache Level: Bypass
      • *yourdomain.com/* > Always Use HTTPS

Pro Tips for WordPress + Cloudflare

  • Use Development Mode when making visual changes to your site
  • Avoid enabling Rocket Loader if you’re using page builders like Elementor or WPBakery
  • Test your site with GTmetrix or PageSpeed Insights before and after enabling Cloudflare

Use APO for WordPress (Optional paid feature)

Cloudflare’s Automatic Platform Optimization (APO) for WordPress is a premium feature that serves full pages from its edge network, dramatically speeding up load times. It’s worth considering for performance-obsessed site owners.

Bonus: Create a Custom WAF Rule and Rate Limiting in Cloudflare

Want even more protection? Here’s how to block malicious bots and brute-force attempts by locking down two commonly targeted WordPress entry points: xmlrpc.php and wp-admin.

Block Access to xmlrpc.php with a WAF Rule

Why block it?

xmlrpc.php is often targeted for brute-force attacks and pingback abuse, and unless you’re using apps like Jetpack or the WordPress mobile app, you likely don’t need it.

Steps:

  • Log into your Cloudflare Dashboard
  • Go to Security > WAF > Custom Rules
  • Click Create rule
  • Rule Name: Block xmlrpc.php
  • Field: URI Path
  • Operator: contains
  • Value: /xmlrpc.php
  • Action: Block
  • Save and deploy

Your site is now protected from xmlrpc.php-based exploits.

Add Rate Limiting to wp-admin Requests

Why rate limit?

The wp-admin area is a common target for brute-force login attempts. Rate limiting helps you stop attackers from hammering your login form.

Steps:

  • Go to Security > WAF > Tools > Rate Limiting Rules
  • Click Create a Rate Limiting Rule
  • Set the following:
      • URL: yourdomain.com/wp-admin
      • Method: GET and POST
      • Threshold: 10 requests
      • Period: 10 seconds
      • Action: Block for 1 hour
      • Response Code: 403
  • Save and activate
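
To see which requests the two rules above would stop before you deploy them, here is a small offline model of both, run over a constructed request log. It is an added example, not Cloudflare's code: the rule values come from the steps above, while the per-IP sliding window, the "block once the threshold is exceeded" behaviour, the prefix match on the URL, and the function names are assumptions. It also shows that login form submissions to /wp-login.php are not matched by the /wp-admin URL.

```python
from collections import defaultdict

# Rule values come from the steps above. The matching and counting logic is a
# simplified assumption for illustration, not Cloudflare's implementation.
WAF_PATH_CONTAINS = "/xmlrpc.php"      # WAF rule: URI Path contains -> Block
RL_PATH_PREFIX = "/wp-admin"           # rate-limit URL, modelled as a path prefix
RL_METHODS = {"GET", "POST"}
RL_THRESHOLD, RL_PERIOD = 10, 10       # 10 requests per 10 seconds
RL_BLOCK_SECONDS = 3600                # Block for 1 hour (served as 403)


def evaluate(requests):
    """Decide 'allow', 'waf_block' or 'rate_limited' for each request.

    requests: iterable of (timestamp_seconds, client_ip, method, path).
    """
    recent = defaultdict(list)   # ip -> timestamps counted in the current window
    blocked_until = {}           # ip -> time at which the 1-hour block expires
    decisions = []
    for ts, ip, method, path in sorted(requests):
        decision = "allow"
        if WAF_PATH_CONTAINS in path:
            decision = "waf_block"
        elif path.startswith(RL_PATH_PREFIX) and method in RL_METHODS:
            if ts < blocked_until.get(ip, 0):
                decision = "rate_limited"
            else:
                recent[ip] = [t for t in recent[ip] if t > ts - RL_PERIOD] + [ts]
                if len(recent[ip]) > RL_THRESHOLD:   # assumed: block once exceeded
                    blocked_until[ip] = ts + RL_BLOCK_SECONDS
                    recent[ip] = []
                    decision = "rate_limited"
        decisions.append((ts, ip, path, decision))
    return decisions


def sample_log():
    """Constructed traffic using documentation IP ranges."""
    log = [(i * 0.5, "203.0.113.7", "GET", "/wp-admin/") for i in range(12)]
    log.append((3700, "203.0.113.7", "GET", "/wp-admin/"))      # after the block
    log.append((2, "198.51.100.4", "POST", "/xmlrpc.php"))
    # Login form submissions go to /wp-login.php, which the /wp-admin URL
    # above does not match, so this burst is not counted.
    log += [(i * 0.2, "198.51.100.9", "POST", "/wp-login.php") for i in range(15)]
    return log


if __name__ == "__main__":
    for row in evaluate(sample_log()):
        print(row)
```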

With these extra layers of security, your WordPress site becomes much harder to target, especially for automated attacks. Combine WAF rules with strong login credentials and you’re ahead of most WordPress users in terms of security.

Conclusion

Setting up Cloudflare for your WordPress website is one of the simplest yet most powerful ways to speed up your site and protect it from common threats, bots, and LLM / AI scrapers. Whether you’re running a blog, business site, or WooCommerce store, integrating Cloudflare can deliver noticeable improvements in performance and security.

Need help setting up Cloudflare?

At WP Fix Fast, Cloudflare setup is included in all our WordPress Support Plans. Let our experts handle it for you. Quick, secure, and stress-free.