In this article, we’ll explore how to use Cloudflare services, such as CDN and Bot Fight Mode, to enhance the security and performance of your website.
Many new bloggers sign up for Cloudflare and then notice a drop in their website’s performance. This often happens because they don’t fully understand Cloudflare’s default caching behavior. Cloudflare acts as an intermediary in a client-server architecture. Each request to your website is processed via Cloudflare, which adds an additional layer to each request and may introduce a slight delay. Configuring Cloudflare caching properly is crucial to minimize this delay and optimize page speed. This guide will help you achieve optimal page speed results using Cloudflare’s CDN.
Adding DNS Records
To enable Cloudflare services on your website, you need to use Cloudflare’s DNS/Nameservers. Follow these steps to activate Cloudflare’s nameservers:
- Log in or sign up for a Cloudflare account.
- Add your domain name (e.g., diversifyindia.in).
- Select the quick scan option for DNS records.
- Cloudflare will then provide nameservers for your domain. Nameservers handle internet requests, directing traffic to your site. To add Cloudflare’s nameservers, log in to your domain registrar account (e.g., Hostinger) and locate the option to change nameservers.
If your domain registrar is Hostinger, follow these steps:
- Log in to your Hostinger account.
- On the homepage of hPanel, find and select the Manage Domain option.
- In the domain overview section, click on Edit Nameservers.
- Replace Hostinger’s nameservers with Cloudflare’s nameservers and click Save.
It may take 1-2 hours for these changes to take effect.
Enable DNSSEC (Optional)
You can enable DNSSEC (Domain Name System Security Extensions) to protect your domain against forged DNS responses. To enable DNSSEC:
- Log in to Cloudflare and select your website.
- In Cloudflare’s sidebar, go to DNS > Settings.
- Next, click on Enable DNSSEC. Cloudflare will provide DS records, which you’ll need to add to your registrar (e.g., Hostinger) for DNSSEC to work.
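A mistyped DS record at the registrar makes the domain fail validation for resolvers that check DNSSEC, so it helps to sanity-check the values before saving them. The following is an added example, not part of the original article; the function name and the sample record are constructed for illustration.

```python
import re

NUM = re.compile(r"[0-9]+")
HEX = re.compile(r"[0-9A-Fa-f]+")
# DS digest type -> digest length in hex characters (1 SHA-1, 2 SHA-256, 4 SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
# RFC 8624 advises against SHA-1 digests and these signing algorithms
# (1 RSAMD5, 3 DSA, 5 RSASHA1, 6 DSA-NSEC3-SHA1, 7 RSASHA1-NSEC3-SHA1).
WEAK_DIGESTS = {1}
WEAK_ALGORITHMS = {1, 3, 5, 6, 7}


def check_ds(record):
    """Return a list of problems in a DS record; an empty list means it looks sane."""
    fields = record.split()
    if "DS" in fields:  # full zone-file line: keep only the RDATA after the type
        fields = fields[fields.index("DS") + 1:]
    if len(fields) < 4 or not all(NUM.fullmatch(f) for f in fields[:3]):
        return ["expected: key-tag algorithm digest-type digest"]
    tag, alg, dtype = (int(f) for f in fields[:3])
    digest = "".join(fields[3:])  # long digests are often wrapped with spaces
    problems = []
    if tag > 65535:
        problems.append("key tag does not fit in 16 bits")
    if alg in WEAK_ALGORITHMS:
        problems.append(f"algorithm {alg} is deprecated")
    if dtype not in DIGEST_HEX_LEN:
        problems.append(f"unknown digest type {dtype}")
    elif len(digest) != DIGEST_HEX_LEN[dtype]:
        problems.append(f"digest has {len(digest)} hex chars, expected {DIGEST_HEX_LEN[dtype]}")
    if dtype in WEAK_DIGESTS:
        problems.append("SHA-1 digest (type 1) should not be used")
    if not HEX.fullmatch(digest):
        problems.append("digest contains non-hex characters")
    return problems


# Constructed sample values, not a real zone's DS record.
SAMPLE_DIGEST = "0123456789ABCDEF" * 4
SAMPLES = [
    f"2371 13 2 {SAMPLE_DIGEST}",
    f"example.com. 3600 IN DS 2371 13 2 {SAMPLE_DIGEST[:60]}",  # truncated paste
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line[:40], "->", check_ds(line) or "ok")
```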
Enable Cloudflare Proxy (Required)
Cloudflare’s CDN and essential services require that the proxy setting be enabled. Without it, Cloudflare only functions as a DNS provider without caching or content distribution. Ensure that the proxy is enabled for your domain’s A, AAAA and CNAME records.
SSL/TLS Encryption
Proper configuration of SSL/TLS encryption mode is essential because a misconfiguration can make your website inaccessible. Be sure to read the instructions carefully before configuring SSL/TLS encryption mode in Cloudflare.
- Full (Strict): Use this mode if your origin server supports HTTPS with a valid SSL certificate (e.g., Let’s Encrypt, Cloudflare’s Origin CA). This is the recommended SSL/TLS encryption mode.
- Full: Select this if your origin server has an SSL certificate that isn’t from a trusted certificate authority (e.g., self-signed certificates).
- Flexible: Choose this mode if your origin server doesn’t support HTTPS. The connection between Cloudflare and your origin server will use HTTP.
- Strict (SSL-Only Origin Pull): Enable this mode to ensure that all connections to your origin server are encrypted, regardless of the visitor’s request.
- Off (not secure): Select this if your origin server doesn’t support HTTPS and you don’t want to use SSL for the connection between clients and Cloudflare.
Note: It’s not recommended to disable SSL/TLS or use the Flexible mode, as these settings may compromise sensitive information, such as user login credentials, because they do not provide true end-to-end encryption. Always check that your website is accessible after selecting an encryption mode.
Edge Certificate Settings
Edge certificates are SSL/TLS certificates provided by Cloudflare to encrypt traffic between your visitors and Cloudflare. Here are the recommended Cloudflare settings for Edge certificates:
- Always Use HTTPS: Turn ON to redirect all HTTP requests to HTTPS.
- HTTP Strict Transport Security (HSTS): Enable this setting. Note that once HSTS is enabled, you cannot revert to HTTP for a set time period.
- Minimum TLS Version: Set to TLS 1.2, as versions lower than 1.2 have known security risks.
- Opportunistic Encryption: Turn ON to notify browsers that your website supports HTTPS.
- TLS 1.3: Enable this for better security and performance compared to TLS 1.2.
- Automatic HTTPS Rewrites: Turn ON to automatically rewrite HTTP links to HTTPS, where HTTPS is available.
- Certificate Transparency Monitoring: This feature can be enabled to receive notifications if a certificate authority issues a certificate for your domain.
- Disable Universal SSL: Cloudflare recommends keeping Universal SSL enabled, so there is no need to disable it.
There’s typically no need to modify other SSL/TLS settings like client certificates, origin certificates, and custom hostnames.
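One way to confirm that Always Use HTTPS and HSTS behave as configured is to inspect the responses the edge returns for the `http://` and `https://` versions of a page. This is an added example, not part of the original article; the function names, the 180-day threshold and the sample responses are assumptions constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # 180 days: assumed audit threshold, not a value from the article
REDIRECTS = (301, 302, 307, 308)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdecimal():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit_edge(http_resp, https_resp):
    """Each argument is (status, headers) as returned for http:// and https://."""
    findings = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status not in REDIRECTS or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    # Browsers only honour HSTS when it arrives over HTTPS, so check that response.
    hsts = {k.lower(): v for k, v in https_resp[1].items()}.get("strict-transport-security")
    if hsts is None:
        return findings + ["HTTPS response carries no HSTS header"]
    max_age = parse_hsts(hsts)["max_age"]
    if max_age is None:
        findings.append("HSTS header has no valid max-age")
    elif max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age}s is below {MIN_MAX_AGE}s")
    return findings


# Constructed responses for illustration, not captured from a real site.
HARDENED = ((301, {"Location": "https://example.com/"}),
            (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK = ((200, {"Content-Type": "text/html"}),
        (200, {"strict-transport-security": "max-age=0"}))

if __name__ == "__main__":
    print(audit_edge(*HARDENED))
    print(audit_edge(*WEAK))
```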
Caching
By default, Cloudflare’s CDN does not cache HTML or JSON files, so each request to your website is processed dynamically, which can add a delay. However, other static resources such as images, JavaScript, and CSS are automatically cached. To leverage the full power of the CDN, you’ll need to manually configure cache rules for HTML files. Enabling HTML caching can significantly improve your website’s performance. Here’s how to set up cache rules for a WordPress site:
- Go to your website’s dashboard on Cloudflare.
- In the left sidebar, navigate to Caching > Cache Rules.
- Click on Create Rule to add a new cache rule.
- You can either use the Cache Everything template or create a customized cache rule. To create a custom rule, select Custom Filter Expression and define conditions (e.g., cache HTML only if the user is not logged in).
- Ensure Cache Eligibility is set to Eligible for Cache.
- Click Deploy to activate your cache rule.
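Caching HTML in a shared cache is only safe for responses that are identical for every visitor, which is why the custom condition above excludes logged-in users. The following added example (not from the original article) models that decision for a WordPress site; the function names and sample requests are constructed, and the cookie prefixes and paths are WordPress defaults.

```python
from urllib.parse import urlsplit, parse_qs

# Cookies WordPress sets for logged-in users, password-protected posts and
# commenters. A page rendered for a request carrying one of these is personalised.
PRIVATE_COOKIE_PREFIXES = (
    "wordpress_logged_in_", "wordpress_sec_", "wp-postpass_", "comment_author_",
)
# Paths that are authenticated or dynamic and must always reach the origin.
PRIVATE_PATH_PREFIXES = ("/wp-admin", "/wp-login.php", "/wp-json", "/xmlrpc.php")
# Cloudflare's rule language exposes the same inputs as http.cookie and
# http.request.uri.path, e.g.  not http.cookie contains "wordpress_logged_in_"


def cookie_names(cookie_header):
    """Return the cookie names found in a raw Cookie request header."""
    names = []
    for part in cookie_header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names


def is_cache_eligible(method, url, cookie_header=""):
    """True only when the response is safe to store in a shared cache."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    parts = urlsplit(url)
    path = parts.path.lower() or "/"
    if any(path.startswith(prefix) for prefix in PRIVATE_PATH_PREFIXES):
        return False
    # Post previews are rendered for the logged-in editor only.
    if "preview" in parse_qs(parts.query, keep_blank_values=True):
        return False
    return not any(n.startswith(PRIVATE_COOKIE_PREFIXES) for n in cookie_names(cookie_header))


# Constructed sample requests (not real traffic).
SAMPLES = [
    ("GET", "https://example.com/blog/hello-world/", "_ga=GA1.2.3"),
    ("GET", "https://example.com/blog/hello-world/", "wordpress_logged_in_abc123=admin%7C1"),
    ("GET", "https://example.com/wp-admin/index.php", ""),
    ("GET", "https://example.com/?p=42&preview=true", ""),
]

if __name__ == "__main__":
    for method, url, cookie in SAMPLES:
        verdict = "cache" if is_cache_eligible(method, url, cookie) else "bypass"
        print(method, url, "->", verdict)
```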
Cache Configuration Settings
The cache configuration settings allow you to manage cache purging, caching levels, and browser cache duration. Here are the Cloudflare recommended settings for optimal performance:
- Caching Level: Set to Standard. In Standard mode, Cloudflare serves a different resource whenever the query string changes.
- Browser Cache TTL: If browser caching is properly configured on your origin server, select Respect Existing Headers. Otherwise, you can set the TTL (time-to-live) to control how long resources are cached in the client’s browser.
- Crawler Hints: Turn ON. This feature helps crawlers and search engines detect content updates on your site, reducing resource load on both the crawlers and your origin server.
- Always Online: Turn ON. Cloudflare will display cached copies of your web pages from the Internet Archive’s Wayback Machine if your site goes down.
- Development Mode: Keep OFF unless you need to temporarily bypass Cloudflare’s cache to view real-time changes on your website.
Security Settings
Cloudflare is well-known for its cloud-based cybersecurity and DDoS mitigation features. All Cloudflare users benefit from a default ruleset managed by Cloudflare, which automatically helps mitigate HTTP-based DDoS attacks. This feature is enabled by default, so no additional configuration is needed. If desired, you can customize these rulesets by navigating to Security > DDoS.
For most blogging websites, advanced settings like rate limiting, IP access rules, and user-agent blocking may not be necessary. However, you can easily implement these features using Cloudflare’s Web Application Firewall (WAF). To access these options, go to Security > WAF. For example, you can create rate-limiting or IP access rules specifically for your admin page.
Additionally, you can enable Cloudflare Page Shield to provide client-side protection. This feature helps safeguard your visitors against script-based attacks and potential data theft.
Cloudflare Bot Fight Mode
In Security > Bot, you’ll find options to enable Bot Fight Mode and Block AI Bots. These features are valuable for reducing unnecessary resource consumption by blocking access from non-essential bots and AI web scrapers.
- Bot Fight Mode: Turn ON. This mode uses JavaScript challenges to block known bots. Note that enabling this feature prevents online tools like HTML Cleaner or WordCounter from accessing your website.
- Block AI Bots: Turn ON. As AI continues to evolve, many AI bots crawl websites to gather data for model training. This feature blocks AI scraping bots from accessing your content.
Speed Optimization
Cloudflare offers features for optimizing images, content, and protocols. While image optimization is available only on paid plans, you can still take advantage of several free content and protocol optimization features. Below are the recommended settings for speed optimization in Cloudflare:
Content Optimization
- Speed Brain: Turn ON. This feature uses the Speculation Rules API to enhance page load times.
- Cloudflare Fonts: Turn ON if you use third-party fonts on your site. It reduces external font requests, speeding up page loads.
- Early Hints: Turn ON. This feature helps browsers preload assets, improving content delivery speed.
- Rocket Loader: Turn OFF initially, as it may cause inconsistent website behavior. Test your site after enabling it if you decide to use it.
Protocol Optimization
- HTTP/2: Turn ON. Improves overall site performance.
- HTTP/2 to Origin: Turn ON to enable HTTP/2 connections between Cloudflare and your origin server.
- HTTP/3 (with QUIC): Turn ON for enhanced performance and security compared with HTTP over TCP and TLS.
- 0-RTT Connection Resumption: Turn ON to improve speed for repeat visitors.
Network Settings
The recommended Cloudflare network settings for your website are:
- IPv6 Compatibility: Turn ON to support IPv6 traffic.
- WebSockets: Turn ON to allow real-time connections, useful for live chat, gaming, and other applications.
- Pseudo IPv4: Turn OFF unless required for specific use cases.
- Maximum Upload Size: Free plan users have a 100 MB limit, meaning visitors can upload files up to this size.
- Network Error Logging: Turn OFF unless you need to monitor site accessibility for visitors.
- Onion Routing: Turn ON. This improves privacy for users accessing your site via the Tor Browser.
- gRPC: Turn ON if your site uses high-performance APIs, as this protocol supports efficient API interactions.
Scrape Shield
Cloudflare’s Scrape Shield includes useful features like Email Address Obfuscation and Hotlink Protection:
- Email Address Obfuscation: Turn ON. This prevents email harvesters and bots from detecting email addresses on your website by encrypting them on your web pages.
- Hotlink Protection: Turn ON to prevent other websites from using your images, reducing bandwidth usage on your origin server.
Cloudflare Rules
Cloudflare Rules is a powerful feature that allows you to customize Cloudflare’s behavior under specific conditions. For example, you could create a rule to enable Email Address Obfuscation only on specific pages like the “About Us” or “Contact Us” page.
Cloudflare’s latest update includes preconfigured templates for popular rules, such as Redirect from HTTP to HTTPS and Cache Everything, making setup easier. Here are the types of rules supported by Cloudflare:
- Configuration Rules: Enable/Disable Cloudflare features for specific requests.
- Transform Rules: Rewrite rules for incoming requests.
- Redirect Rules: Create redirects, such as from root to WWW.
- Origin Rules: Create rules to route requests to different ports on the origin server.
- Cache Rules: Used to enable caching of HTML files and other content.
- Page Rules: Trigger rules for specific URL patterns.
URL Normalization
Cloudflare’s URL Normalization feature standardizes the format of incoming URLs, helping to prevent duplicate content issues in search engines and improve caching efficiency. Below are the recommended settings for URL Normalization in Cloudflare:
- Normalization Type: Cloudflare
- Normalize Incoming URLs: Turn ON.
- Normalize URLs to Origin: Turn ON.
Email Settings
Cloudflare’s Email Routing allows you to create custom email addresses for your domain, forwarding any messages sent to these addresses to your personal email. This feature is useful for managing domain-specific emails. Follow these steps to set up a custom email address for your site:
- Go to Email > Email Routing.
- In the Routing Rules tab, click Create Address.
- Enter a custom address and the destination email where you’d like messages to be forwarded.
- Click Save to activate your custom email address.
Useful Paid Features
Cloudflare offers various paid services that can significantly boost your website’s performance. Here are some of the most beneficial options:
- Cache Reserve: Increases your cache hit ratio, reducing requests to the origin server and improving page speed.
- Automatic Platform Optimization (APO) for WordPress: This plugin converts a dynamic WordPress site into a static version, potentially increasing website speed by up to 300%. Alternatively, you can try free cache plugins like WP Super Cache or LSCache to achieve similar results. For more details, read our article on recommended settings to enable page caching with WP Super Cache.
- Argo Smart Routing: Ideal for high-traffic websites, Argo dynamically routes traffic along the most efficient paths to reduce latency by up to 30% and connection errors by up to 27%.
- Zaraz: Zaraz allows you to load third-party tools and tags (e.g., Google Analytics 4) more efficiently. The free plan includes up to 1,000,000 Zaraz events per month.
Conclusion
In this article, we covered how to configure Cloudflare’s DNS, Email, SSL/TLS, Security, Speed Optimization, Caching, Rules, Network, and Scrape Shield features for optimal results. Implementing these ideal Cloudflare settings can improve scores on tools like PageSpeed Insights, SSL Labs, and ScamAdviser.
Frequently Asked Questions
What is Cloudflare?
In technology, “the cloud” refers to a global network of remote servers that deliver services over the internet. Cloudflare is a cloud-based service popular for enhancing the security and performance of web applications. The following list shows popular Cloudflare products:
- Content Delivery Network (CDN) Services
- Cybersecurity and DDoS Mitigation
- Artificial Intelligence and Edge Computing: Cloudflare Workers, Workers AI, and Pages.
- VPN Services, Wide Area Network Services, and Reverse Proxies
- Domain Name Services and ICANN-Accredited Domain Registration Services