As a Cloudflare partner, we recommend Cloudflare to be used as a DNS , Firewall and a CDN for the sites we host at WPOven. This guide is a small reference on settings up WordPress Cloudflare Plugin Perfectly and common questions surrounding it. It especially covers how to use Cloudflare in WordPress and how to utilize its free functionality to help your site improve speed and security. This guide does not require your site to be hosted at WPOven, so it applies to everyone who uses WordPress and is interested in using Cloudflare.
Using Cloudflare in WordPress
Setting up Cloudflare for WordPress is quite simple and requires nothing more than an email and access to your Domain registrar settings to change the name server, so Cloudflare is used as the default Domain Name Server. We assume that you already have a WordPress website up and running at the moment, if not, follow this guide on how to get started with Cloudflare for WordPress.
- Step 1: Signup with Cloudflare, Visit the signup page and use your email to signup and verify it, then log into Cloudflare so that we get started with moving our DNS over to Cloudflare so that we can starting using it with our website.
- Step 2: Once signed up, you will see an add site form, here we will add our site lets say it is weblisty.com. Click Add Site, and then this will take you to the plan selection –
Select the Free plan for now, which we will cover in this Guide in detail. This is also sufficient for many of the common types of sites we see users run.
Cloudflare will then take some time to import the existing Name Server entries, this process can sometimes take a bit of time, so have patience.
Once done, expect to see a list of name server entries. You may change them as required by your setup, but we will let them be as they look fine for now.
Cloudflare will ask you to change the name server records on your domain registrar so that it can take over the functionality of a DNS server and start acting as the frontend to your website.
- Step 3: The final step is to change the default nameserver and use Cloudflare provided name servers. This will be different for each Domain Registrar. Cloudflare will next run you through a small Quick Start Guide, and we will run through the defaults as they are sufficient and finish the setup.
- Step 4: If all went well you will arrive at a screen something like given below and we can get started with optimizing Cloudflare for our WordPress website.
Cloudflare WordPress plugin
As you will be using Cloudflare to cache your static assets or even dynamically generated ones, it is best to install the WordPress plugin provided by Cloudflare. This allows you to clear the Cloudflare cache easily in case you change make any updates to your site, it is also needed if you are using the Automatic Platform optimization (APO) feature provided.
To get started with the install it is quite easy , visit the Add new plugin section of WordPress and search for Cloudflare, once the plugin is found, simply click install then activate the plugin, the only configuration required for the plugin is to connect it to Cloudflare so that our site can notify it about the changes.
To connect the site to our Cloudflare plugin we will use the Token Method as we do not wish to share global API so use the following settings to create the custom token –
Once the token is created , copy the token and active the plugin you will see the following page –
Most settings will be already configured for best use.
Cloudflare Domain Name Server (DNS)
This is the core feature of Cloudflare offers, where they will host your DNS and in doing so will also enable the reverse proxy on your site (this can be disabled if required) and offer the various services and enhancements. If you have set up Cloudflare like above, it will import your existing NS records by default and you can easily add more if required. Cloudflare also comes in very handy to host DNS if your domain registrar does not provide any options to set advanced NS records or provides limited functionality.
DNS records are instructions provided by DNS servers that contain information on how to process a domain or a hostname. There are various types of DNS records that are used by different services. In our case, we are mainly interested in the Address name commonly known as A name and the Canonical name commonly known as the C Name.
- A Name: This record tells how the Domain name maps to the IP Address of the server
- C Name: tells how one domain points to another domain.
Listed below are some common domain name records –
http://www.electricmonk.org.uk/wp-content/uploads/2013/06/dns_records.bmp ( Convert it into table )
For our current requirements we will only set up the A name and point the www C name to the IP of our server –
As the default setup is sufficient for most users, we will not cover this in detail, for more information you can visit the Cloudflare help section.
Cloudflare Content Delivery Network (CDN)
A content delivery network (CDN) refers to a geographically distributed group of servers that work together to provide access to your site based on the user’s location. Cloudflare CDN is provided as a free service to sites whose DNS is hosted on Cloudflare. By default all static assets are cached, and this helps improve load time for your site through the main page is still fetched from your server ( you can change this behavior as we will see later on ).
Cloudflare then serves these static assets from the data center nearest to the user, reducing loading time and decreasing bandwidth and server load on our server. To enable CDN on your site, the only thing required is that Cloudflare is enabled on your site and it is not in bypass mode, it will show an Orange cloud in your NS Record if it’s behind Cloudflare. As a WordPress user you also have an option of using other CDN’s also, we have written about it in the past, which you can read here.
Here is a quick comparison of loading time with CDN enabled and CDN for a Vanilla eCommerce site currently, there are no optimizations applied ( Since the site is hosted in a Dallas Datacenter, we did the test from Sydney ) –
As you can see the site is not doing too great by default ( we are using Gtmetrix ), Now we will enable the CDN after 2 – 3 refresh, we get the following ( Things have improved )
If you wish to go even further and mainly run a static HTML site, you can improve things further and have Cloudflare completely cache your site and have it load really fast the world over. To do this, you will need to add a few page rules in Cloudflare, This will make Cloudflare even cache the main pages and reduce the Time to first Byte (TTFB) even further.
As page rules will not allow you to work on your site directly, you will need to setup a local hosts file entry on your machine, which points your domain directly to your server. You can read about setting these host records. This will also require a Cloudflare plugin installed on your site to clear cache when you have made the changes. You can download it here or using the internal WordPress Add new plugins search.
Here is a quick comparison with the rule enabled and load time before and after the rules were put in place. You can think of this as your own free Cloudflare APO alternative.
If you wish to take the numbers even further up with near 100 ratings on GTMetrix you can explore the nitro boost feature on our WPOhub plugin which delays the Javascript load and increases both Pagespeed and GTMetrix performance.
Cloudflare SSL
Another great feature of Cloudflare is the free SSL offered to all websites hosted through it. This feature ensures that communication between your site and the clients is secure and cannot be snooped. Cloudflare supports multiple ways on how to set it up. Cloudflare supports three common ways –
We recommend the Full or the Strict mode, The default settings are usually fine for most setups, but if required, you can Tweak the following settings –
- Under Edge Certificates, Enable “Always Use HTTPS” , this will not allow unsecured access to your site.
- Similarly, set “Minimum TLS Version” to 1.2 as below that it is not considered secured, also if your compliance standard requires it.
- Similarly, enable “Automatic HTTPS Rewrites” this will make sure you do not get a mixed content warning when you migrate from a http to a https site.
Cloudflare Automatic Platform Optimization (APO)
By default Cloudflare only caches static assets for the sites and can cache pages if you require but this entails some extra steps to update and work with the site. By Defaults, Cloudflare also has this special setup with WordPress where if you use the provided WordPress plugin, even the pages are cached and does not require any special setups. With APO, all assets, including the pages, are moved to the edge nodes, reducing the TTFB for the site globally, giving a more positive experience overall. This functionality available as a 5$ paid addon on the free plan and requires an additional Cloudflare WordPress Plugin to be added to the site.
As this is a paid addon we will not be covering it here at the moment.
WordPress Firewall using Cloudflare
Another very useful feature of Cloudflare is the Web Application Firewall it offers on all sites. For a simple WordPress Firewall, we recommend at least 2 rules which will help you protect against content brute force attacks against the xmlrpc.php and wp-login.php , If you are using a strong password, you should not be worried, but a lot of requests from bots do cause excessive CPU and resource usage.
To get started we will first whitelist our own IP address. Under Firewall > Tools You can add your own IP ( google “whats my ip” to know your public ip), if you have a dynamic IP you can put in a IP range similar to the IP you are assigned at different times.
Next we go and add a few page rules to address the most common issues we usually see with a standard WordPress Site.
1. Block access to the wp-login.php, this page is used to login into your site and is a common endpoint for attackers to perform brute-force attacks on, so we will create a rule to check if the browser is being used and also perform additional checks to make sure it is not a bot.
Create a Page rules like given below and deploy –
You can also use a plugin like to hide WordPress login to avoid adding this rule.
2. We will also restrict access to xmlrpc.php, so it is also not used for brute-force attacks on the site, So in Firewall under firewall Rules you can create the following rule, we will block all access other than to JetPack ( You can find a list of JetPack IP range on this page )
You can also use the expression below and build the rule –
|
1 |
(http.request.uri contains "xmlrpc.php" and not ip.src in {192.0.64.0/24 192.0.65.0/24 192.0.66.0/24 192.0.67.0/24 192.0.68.0/24 192.0.69.0/24 192.0.70.0/24 192.0.71.0/24 192.0.72.0/24 192.0.73.0/24 192.0.74.0/24 192.0.75.0/24 192.0.76.0/24 192.0.77.0/24 192.0.78.0/24 192.0.79.0/24 192.0.80.0/24 192.0.81.0/24 192.0.82.0/24 192.0.83.0/24 192.0.84.0/24 192.0.85.0/24 192.0.86.0/24 192.0.87.0/24 192.0.88.0/24 192.0.89.0/24 192.0.90.0/24 192.0.91.0/24 192.0.92.0/24 192.0.93.0/24 192.0.94.0/24 192.0.95.0/24 192.0.96.0/24 192.0.97.0/24 192.0.98.0/24 192.0.99.0/24 192.0.100.0/24 192.0.101.0/24 192.0.102.0/24 192.0.103.0/24 192.0.104.0/24 192.0.105.0/24 192.0.106.0/24 192.0.107.0/24 192.0.108.0/24 192.0.109.0/24 192.0.110.0/24 192.0.111.0/24 192.0.112.0/24 192.0.113.0/24 192.0.114.0/24 192.0.115.0/24 192.0.116.0/24 192.0.117.0/24 192.0.118.0/24 192.0.119.0/24 192.0.120.0/24 192.0.121.0/24 192.0.122.0/24 192.0.123.0/24 192.0.124.0/24 192.0.125.0/24 192.0.126.0/24 192.0.127.0/24}) |
Using these two basic rules we can block the most common brute force and automated threats the WordPress faces.
![Cloudflare Market Share 2023 [Statistics & Report]](https://www.wpoven.com/blog/wp-content/uploads/2021/10/Cloudflare_Market_Share.png "Cloudflare Market Share 2023 [Statistics & Report]")
