Surprising fact: a properly configured edge CDN can cut server time-to-first-byte by over 60% for global visitors.
You manage a site that must be fast and secure without breaking admin pages or dynamic features. If your host offers an integrated service (examples include managed hosts that handle dashboard settings), you may not need to tweak much yourself.
Quick baseline: use SSL/TLS Full (Strict), Always Use HTTPS, HSTS for 6–12 months, TLS 1.3, Brotli ON, Early Hints ON, HTTP/3 with QUIC ON, and leave Rocket Loader off for most sites.
The CDN’s APO serves HTML at the edge and speeds up page delivery, but keep your origin cache plugin active so your server still handles origin-level caching.
Use cache-bypass logic for wp-admin, previews, AJAX and lock down login entry points to reduce junk traffic. Consider Argo and Tiered Cache for global audiences and expect small trade-offs like Email Obfuscation injecting a tiny script into waterfalls.
Key Takeaways
- Start with host-managed settings; only edit the dashboard when needed.
- Enable APO or Cache Everything carefully; keep origin cache plugin active.
- Apply Full (Strict) TLS, HSTS, TLS 1.3, Brotli, and Early Hints for quick wins.
- Bypass cache on admin, previews, AJAX; lock wp-login and xmlrpc.php.
- Use Argo and Tiered Cache when your audience is global, not purely local.
What you’ll achieve with Cloudflare: speed, security, and sanity in 2025
A global CDN moves heavy work off your origin so your website feels faster to every visitor. You will see lower time-to-first-byte and fewer network hops. That improves page load and real-world performance.
Keep your origin safe while scaled traffic hits the edge. DDoS protection and a WAF filter bad requests before they reach your server. Free SSL/TLS keeps connections encrypted and simple to manage.
Caching static assets at points of presence speeds repeat visits. The WordPress plugin clears cache automatically when you update content so changes show up fast. APO-like features accelerate dynamic pages while targeted bypass prevents admin and preview pages from being cached.
- Stay online: load balancing and failover preserve responsiveness during spikes.
- See what matters: analytics show requests, visitors, bandwidth, and threat blocks.
- Modern transport: HTTP/3 and protocol upgrades shave milliseconds off load times.
| Goal | Benefit | Action |
|---|---|---|
| Lower TTFB | Faster page loads for visitors | Use global cdn and HTTP/3 |
| Reduce origin load | Stable site under spikes | Enable caching and load balancing |
| Better insight | Correlate traffic with threats | Review analytics and adjust rules |
Before you start: prerequisites, hosting caveats, and the Cloudflare plugin
Before you change anything, verify how your host handles CDN and security features. Some hosts (Rocket.net Enterprise stacks, Cloudways, Kinsta) manage most settings for you. If your host does this, avoid duplicate dashboard tweaks that create conflicts.
Confirm DNS and nameservers first. Keep your domain pointed to the provider’s nameservers and set key records to proxied (orange cloud) to unlock WAF, APO, and edge tools. This also ensures your site gets protection and acceleration.
Installing and connecting the official plugin
Install and activate the official Cloudflare plugin by Cloudflare, Inc. Then connect using your cloudflare account credentials: either a Global API Key or a scoped API token saved under Settings > Cloudflare. Enable Auto Purge on Update so pages refresh when you edit posts or pages.
- Use Development Mode during theme or code work to bypass edge cache.
- Keep your server/page cache plugin active while using APO; they operate at different layers.
- Document baseline settings, secure API credentials, and rotate them when users change.
- If you manage multiple domains, repeat the plugin setup per site and verify proxied DNS records.
Tour your Cloudflare dashboard: Overview, quick actions, and modes
Open the dashboard to get a quick snapshot of traffic, caching, and active protections for your site. The Overview page shows how many requests hit the edge, the bandwidth split (cached vs. uncached), and unique visitors. This helps you spot spikes and measure caching effectiveness.
Under Attack and Development Mode: when to flip the switch
Under Attack Mode raises challenge screens when a DDoS is active. Toggle it only during real incidents so normal users keep access.
Development Mode disables edge caching for three hours so you can view live changes to templates, CSS, and scripts. Use it while you test edits and then switch it off.
Reading the Overview at a glance: requests, bandwidth, visitors
Use the Overview to check how many requests are being handled and how much bandwidth you save via caching. Compare the cached vs. uncached split to see if your site is edge-optimized.
- Monitor unique visitors to correlate promos or seasonality with traffic.
- Use quick actions to purge everything after a big deploy, but prefer targeted purges for precision.
- Watch request counts and bandwidth day-over-day to catch anomalies early and adjust settings.
Favor data-driven changes: if uncached bandwidth spikes, review your page settings, APO or cache-level decisions, and any firewall rules. Keep a short log of what you change and when so you can map performance swings to a specific number of actions.
DNS done right: proxied records, DNSSEC, and origin basics
A precise DNS setup is the foundation that keeps your site fast and safe. Point your domain to the provider nameservers to enable the dashboard and edge acceleration. This step also allows WAF, caching, and other protection layers to work.
Orange cloud vs. DNS-only: mark hostnames you want proxied to route traffic through the CDN and WAF. Leave mail and services that rely on specific ports DNS-only to avoid breaking protocol-dependent tools.
Enable DNSSEC to add cryptographic signatures and prevent spoofing. Audit A, AAAA, and CNAME records so the right hostnames are proxied. Use TXT records for verification and email SPF/DKIM/DMARC—these do not affect web traffic.
- Document origin server IPs and reduce direct exposure.
- Test resolution and TTLs after changes to confirm propagation across the network.
- List performance-critical subdomains and proxy only those to avoid breaking auxiliary tools.
Lock it down: SSL/TLS settings that just work
Make sure your site enforces end-to-end encryption from the visitor browser to your origin server. Start with an origin certificate and pick Full (Strict) so the edge validates that cert and preserves a secure connection to your server.
Then enable these settings:
- Always Use HTTPS to redirect http requests to HTTPS at the edge.
- HSTS set for 6–12 months, include subdomains and consider preload only after verifying every host serves HTTPS.
- TLS 1.3 ON and Minimum TLS version ≥ 1.2 to use modern protocol benefits while avoiding deprecated ciphers.
- Automatic HTTPS Rewrites to fix mixed content by rewriting http assets to https on the fly.
Validation, monitoring, and quick checks
Use Certificate Transparency Monitoring to get alerts on new certs and spot unauthorized issuance of certificates for your domain.
Check response headers like HSTS and X-Content-Type-Options after changes. Re-test critical pages and embedded scripts so no insecure asset remains in templates.
| Setting | Why it matters | Action |
|---|---|---|
| Full (Strict) | Validates origin cert for true end-to-end security | Install origin cert and enable Full (Strict) |
| HSTS | Keeps browsers on HTTPS and prevents downgrade attacks | Set 6–12 months, includeSubDomains, test before preload |
| TLS versions | Faster, safer protocol and fewer handshake issues | Enable TLS 1.3, min TLS 1.2 |
| Automatic Rewrites | Stops mixed-content errors without editing all links | Enable and re-test pages with third-party scripts |
Security rules that actually reduce junk traffic
Taming automated scrapers and credential stuffing is the quickest way to lower server load. Start by turning on managed WAF presets to block common exploits like SQLi and XSS. Then add WordPress-focused custom rules to catch plugin and theme patterns that the managed sets miss.
Practical firewall moves:
WAF presets, custom rules, and Security Level tuning
Keep WAF managed sets active so known threats stop at the edge.
Create a few targeted custom rules for admin POSTs and suspicious query strings. Use Security Level at Medium or High to challenge sketchy IPs while avoiding friction for normal users.
Firewall rules to tame wp-login and XML-RPC
Block, challenge, or rate-limit requests to /wp-login.php. If you don’t need xmlrpc.php, disable or forward it behind a challenge to prevent pingback DDoS.
Allowlist your team IPs so trusted admins never get blocked during an emergency.
Bot Fight Mode and Browser Integrity Check
Enable Bot Fight Mode to push back scrapers and credential-stuffers that waste bandwidth and server cycles.
Keep Browser Integrity Check on to drop requests with malicious headers before they reach your application.
- Review Firewall Events regularly to spot repeat offenders.
- Use analytics before blocking countries; avoid cutting off real traffic.
- Revisit rules after big plugin or theme changes—new endpoints may need protection.
| Action | Why it helps | When to use |
|---|---|---|
| WAF managed + custom | Blocks common exploits and site-specific patterns | Always on; tune after monitoring |
| Firewall rate-limit /wp-login.php | Stops brute-force and reduces server CPU | Enable immediately if login attempts spike |
| Bot Fight Mode + Browser check | Pushes away scrapers and malformed requests | Turn on for public sites under automated attacks |
Smart caching strategy: origin headers, Browser Cache TTL, and Edge Cache TTL
A clear TTL plan keeps your edge cache hot and your origin server out of extra work.
Start by deciding whether to respect existing headers or set your own browser cache values. If your origin server already sends sane headers, choose Respect Existing Headers. That avoids fighting your app’s intent. If it doesn’t, set a long Browser Cache TTL for static assets (Google suggests up to one year for images and fonts).
When to use Edge Cache TTL and Cache Everything
Use Edge Cache TTL to keep frequently requested assets closer to visitors. Longer edge TTLs reduce origin pulls and boost site performance.
Cache Everything can speed HTML, but apply it sparingly. Always pair it with bypass patterns for admin, login, previews, and AJAX. For eCommerce, bypass cart and checkout flows to avoid stale content and user confusion.
- Let Origin Cache Control rule if your app emits granular headers.
- Tune TTLs per asset type: long for images/fonts, shorter for CSS/JS you deploy often.
- After purges, revalidate key pages to warm caches and cut first-visit latency.
| Setting | Why it matters | Suggested action |
|---|---|---|
| Respect Existing Headers | Preserves origin directives | Use when server sends correct headers |
| Browser Cache TTL | Controls client-side caching | Long for static assets; shorter for changeable files |
| Edge Cache TTL | Keeps content at the edge | Increase for high-traffic, stable assets |
| Cache Everything + Bypass | Speeds pages but risks stale HTML | Use with strict bypass rules for dynamic endpoints |
cloudflare rules for wordpress 2025: Page Rules you should set first
Start by locking down behavior at the page level so dynamic parts of your site never serve stale content. Create high-priority page patterns that match admin, preview, and AJAX endpoints. Only the top matching rule applies, so specificity matters.
Bypass cache for wp-admin, previews, and AJAX
- Add a high-priority rule for
/wp-admin*that bypasses cache, disables Apps/Performance, and sets Security Level to High. - Also bypass
/preview*and/ajax*so editors and dynamic widgets always get fresh responses.
- Force HTTPS with an Always Use HTTPS page rule for
http://*example.com/*if you need domain-specific redirects. - Forward
/xmlrpc.php*to the homepage with a 301 if you don’t use it to stop brute-force vectors before they hit your server. - Cloak affiliate links via Forwarding URL rules and use
$1placeholders to keep dynamic slugs intact.
Email Obfuscation on contact pages without breaking performance
Enable email obfuscation only on your contact page to hide addresses from harvesters. This adds a small email-decode.min.js script, so limit it to the few pages that need protection.
- Set Edge Cache TTL and optional Cache Everything on
/wp-content/uploads*and keep a reasonable Browser Cache TTL for visitors. - Order rules from most to least specific and test with real URLs so only the intended page rule fires.
- Watch wildcard placeholders closely and never redirect a path to itself to avoid loops. Keep a changelog of edits for fast troubleshooting.
APO, SXG, and WordPress: configure, verify, and avoid conflicts
Enable edge HTML delivery to shave milliseconds off global page loads and keep dynamic areas fresh.
APO serves HTML at the edge while your origin retains control. Enable APO in the plugin after authenticating your cloudflare account and confirm key pages show edge headers. This cuts TTFB and helps LCP for distant visitors.
Do not stack “Cache Everything” on top of APO. APO already handles HTML; layering cache-everything rules risks stale admin pages, previews, carts, and AJAX endpoints. Use precise bypass patterns instead.
APO vs. Cache plugins and SXG
Keep your origin server cache plugin active. APO handles edge caching, while your plugin manages origin caching and clears local caches on updates. They complement each other when configured properly.
Turn on SXG if your plan supports it. Signed Exchanges can speed perceived rendering from search results and pair well with APO for organic clicks.
Measure TTFB wins and purge correctly
Benchmark before and after using PageSpeed Insights and KeyCDN Performance Test. Compare TTFB and LCP to verify real improvements.
After theme or plugin updates, purge edge cache and consider a warm-up crawl for priority pages. Confirm edge headers on responses so you know pages were served from the edge and not the origin.
- Watch personalization: check cookie-based pages and add exceptions for logged-in users.
- Rollback plan: disable APO briefly if something breaks to isolate issues.
- Reassess: revisit settings and purging strategy as your site and traffic patterns change.
| Action | Why it matters | Recommended step |
|---|---|---|
| Enable APO via plugin | Edge HTML reduces TTFB for global users | Authenticate your cloudflare account and verify headers |
| Keep origin cache plugin | Handles server-side caching and purge hooks | Keep plugin active and avoid duplicate purges |
| Avoid Cache Everything | Prevents stale dynamic content | Use bypass rules for admin, previews, carts, AJAX |
| Measure and purge | Prove gains and avoid serving outdated pages | Run PageSpeed/KeyCDN, purge edge after updates, warm key pages |
Performance boosters: Brotli, HTTP/3, Early Hints, and more
Small transport and scheduling changes can cut real-world load times and reduce work on your origin server. Turn on modern transport features to let the network and browser do more of the heavy lifting.
Enhanced HTTP/2 Prioritization, TCP Turbo, and when to skip Rocket Loader
Enable Brotli to compress text assets more efficiently than gzip. That reduces payload size and makes pages load faster for desktop and mobile visitors.
Flip on HTTP/3 with QUIC and Enhanced HTTP/2 Prioritization so the browser can schedule resources better and the network reduces head-of-line blocking.
Use TCP Turbo to auto-tune transport parameters on flaky routes and lower round-trip overhead.
Leave Rocket Loader off unless you test thoroughly. It can break themes and plugins and many cache plugins recommend disabling it.
Argo + Tiered Cache: when global sites see real gains
Argo can route traffic over faster network paths and reduce latency for distant visitors.
Pair Argo with Tiered Cache so POPs share assets and protect your origin server from repeated pulls. This setup helps global sites more than local ones.
Zaraz for third-party scripts (analytics, pixels, custom HTML)
Zaraz offloads third-party scripts (analytics, pixels) and reduces main-thread blocking in the browser. Moving tracking into Zaraz often improves Core Web Vitals.
“Measure changes with PageSpeed Insights and KeyCDN; don’t assume a transport tweak is always a win.”
- Set sensible cache ttl for static assets and confirm browser cache headers match your deploy cadence.
- Verify Tiered Cache is enabled so edge POPs re-use assets and cut origin hits.
- Re-test performance and network metrics after each tweak to validate the data.
Analytics and troubleshooting: verify hits, misses, and rule priority
Start by verifying hits and misses so you know whether the edge or the origin handled each page view. Use analytics to compare cached vs. uncached bandwidth and the number of requests over time. That data shows whether your cache TTL and browser cache settings are working.
Traffic, security, and DNS analytics to guide tweaks
Look at request counts, unique visitors, and blocked events. Security analytics tells you which bots were challenged and which attacks the WAF stopped.
Review DNS analytics to confirm your records are proxied. If DNS isn’t routed through the edge, page-level rules won’t fire and diagnostics will mislead you.
Rule ordering, wildcards, and common 500s from bad placeholders
Audit page rule order: only the highest-priority match applies, so order from most to least specific.
- Inspect response headers to see HIT, MISS, or BYPASS and confirm TTL logic via headers.
- Validate wildcard placeholders like
$1and$2. A mismatch can return HTTP 500s. - Keep a runbook for mixed content, redirect loops, stale admin pages, and APO conflicts.
“Use analytics first, then act—data fixes guesswork.”
Test changes in Development Mode or staging. Track who edited settings, the date, and which account made the change to speed root-cause analysis when things break.
Conclusion
,Tie everything together by documenting settings, verifying headers, and testing real user flows.
Recap: keep DNS proxied, lock SSL/TLS to Full (Strict), enable HSTS and TLS 1.3, and use APO or edge HTML to speed page delivery. Turn on Brotli, Early Hints, and HTTP/3 so your site serves faster to visitors and reduces server load.
Fine-tune page level bypasses for admin, previews, and AJAX. Consider Argo + Tiered Cache if traffic is global. Offload third-party scripts to Zaraz and use Email Obfuscation only where needed to avoid extra JS.
Act: measure with analytics, document your cloudflare settings and purge/warm key pages after big updates. Revisit quarterly to keep security and optimization aligned with real-world traffic.
FAQ
What do you need before you start using Cloudflare with your WordPress site?
You’ll want admin access to your WordPress dashboard, your host’s DNS or control panel, and an API token from your CDN account if you plan to use the WordPress plugin. Verify your origin server accepts the Cloudflare proxy IPs and confirm backups are in place. Check that your hosting provider doesn’t lock DNS changes or manage the integration for you.
When should you leave your host’s managed integration alone?
If your host provides a built-in proxy or integration that handles SSL, caching, and automatic updates correctly, leave it alone—especially on managed WordPress plans. Changing DNS or double-proxying can cause certificate conflicts, higher latency, or broken admin access. Only override when you need a feature the host doesn’t offer.
How do you install and connect the official WordPress plugin safely?
Install the plugin from the WordPress plugin directory, then use an API token scoped to the minimal permissions required (zone:read, cache_purge:write, etc.). Avoid using the global API key. Confirm the plugin shows “connected” and test a cache purge and one-page load to verify settings sync.
When should you enable Under Attack or Development Mode?
Use Under Attack when you see an active HTTP flood or targeted bot hits; it shows an interstitial challenge page. Use Development Mode when editing CSS/JS or debugging server-side changes so the edge won’t cache assets for three hours. Don’t leave either mode enabled permanently.
What key metrics should you read on the dashboard overview?
Watch requests per minute, bandwidth saved, top URLs, and visitor geography. Security hits and blocked threats help tune firewall rules. Track cache hit ratio to spot if cache policies or headers need adjustment.
Should you proxy all DNS records or keep some DNS-only?
Proxy records you want accelerated and protected, like your main site, API endpoints, and static asset subdomains. Keep mail, FTP, and third-party verification records DNS-only to avoid breaking delivery or third-party checks. Use DNSSEC if your registrar supports it for added domain integrity.
Which SSL/TLS mode is best for WordPress?
Full (Strict) is ideal if you have a valid certificate on the origin. It ensures end-to-end encryption and prevents MITM risks. Avoid Flexible; it causes mixed-content and redirects. Enable TLS 1.3, HSTS carefully after testing, and Automatic HTTPS Rewrites to reduce mixed content errors.
How do you avoid mixed content and TLS version issues?
Serve all assets over HTTPS, update hardcoded HTTP links in theme and plugins, and set the minimum TLS version to 1.2 or 1.3. Use site scanners or browser dev tools to spot mixed resources and correct them in templates or content.
What security settings reduce junk traffic without blocking real users?
Start with WAF managed rules, enable Browser Integrity Check, and tune Security Level based on threat patterns. Create targeted firewall rules to protect wp-login.php and restrict XML-RPC, limit rate of abusive paths, and test changes against analytics to avoid false positives.
How do you protect wp-admin, XML-RPC, and login pages?
Bypass caching for wp-admin and login-related endpoints, add firewall rules that block or challenge unknown IPs, and consider IP whitelisting or 2FA. Disable XML-RPC if you don’t use it or proxy only known clients.
What’s the best approach to Browser Cache TTL and Edge Cache TTL?
Honor origin headers when you want fine-grained control from WordPress or a caching plugin. Use fixed Edge Cache TTL for assets that rarely change. For dynamic pages, use shorter TTLs or Cache Everything with appropriate cache keys and purge rules.
When should you choose Respect Existing Headers vs. setting TTLs in the dashboard?
Use Respect Existing Headers if your origin or plugin sets correct Cache-Control and ETag values. Override with dashboard TTLs when your origin doesn’t send reliable headers or when you need a site-wide policy for static assets.
When is “Cache Everything” useful and when should you bypass?
Use Cache Everything for mostly-static front pages, landing pages, or brochure sites to slash TTFB. Bypass caching for wp-admin, shopping carts, user dashboards, previews, and endpoints that vary per user to avoid serving stale or private data.
Which page rules should you set first for a WordPress site?
Immediately add rules to bypass cache for /wp-admin*, /wp-login.php, and preview or nonce-driven paths. Force HTTPS for the whole site, create a redirect from non-www to www (or vice versa), and set cache policies for static folders like /wp-content/uploads/.
How do you prevent email scraping without hurting performance?
Enable email obfuscation on contact pages that show plain addresses, and test that it doesn’t interfere with contact forms, CAPTCHA, or inline scripts. Use it selectively on public-facing pages, not on admin or API endpoints.
How does APO interact with caching plugins and Cache Everything?
APO serves a cached HTML copy from the edge and can conflict with a Cache Everything rule or server-side full-page caches. Use APO when you want automatic dynamic cache purging by WordPress; disable overlapping Cache Everything rules or configure cache keys to avoid double caching.
How should you measure TTFB and purge caches correctly?
Measure TTFB with real-user monitoring or synthetic tests before and after changes. Purge by URL or tag from the plugin/API after content updates. Avoid full-zone purges except when necessary, since they spike origin load.
Which performance features give the biggest wins?
Brotli compression, HTTP/3, and Early Hints (103) typically yield quick wins. Combine them with optimized images, minimal third-party scripts, and selective use of Argo or Tiered Cache for global audiences. Skip Rocket Loader if it breaks critical JS.
When does Argo and Tiered Cache make sense?
Use Argo and Tiered Cache for high-traffic global sites with many origin requests—these reduce latency and origin hits by routing through optimal network paths. For small regional sites, the cost may outweigh benefits.
How can Zaraz help with third-party scripts?
Zaraz loads analytics and pixels in a controlled way from the edge, reducing client-side blocking and improving performance. Move nonessential scripts there and test functionality, especially form tracking and ad pixels.
How do you verify analytics and debug cache rule priority?
Use the dashboard’s analytics to check hits vs. misses, inspect headers for CF-Cache-Status, and review firewall logs for blocked requests. Adjust rule order so specific paths match before generic patterns and test with staging copies to avoid surprises.
What common 500 errors come from bad placeholders or rules?
Misconfigured origin headers, infinite redirect loops from conflicting HTTPS or page rules, and malformed custom rules can cause 5xx responses. Check server error logs, rule expressions, and remove suspicious custom headers or transforms.
How do you tune bot protection without losing real users or search crawlers?
Start with Bot Fight Mode and Browser Integrity, then create allow rules for major crawlers (Googlebot, Bingbot) by user agent and verified IP ranges if needed. Monitor analytics for drops in organic traffic after changes.
What headers should you inspect to confirm caching behavior?
Look for CF-Cache-Status (HIT/MISS/EXPIRED), Age, Cache-Control, and the server’s ETag or Last-Modified. These show whether the edge served content or fetched it from origin and guide TTL adjustments.
How often should you audit your security and caching setup?
Review settings quarterly or after major site updates, traffic spikes, or plugin/theme changes. Run automated scans and check logs monthly to catch evolving threats and stale cache rules.
What are safe defaults if you want a low-maintenance setup?
Use Full (Strict) TLS, enable TLS 1.3, set Browser Cache TTL for static assets to a week, Edge Cache TTL for images to a month, enable WAF managed rules, bypass cache for admin and login pages, and use the official plugin with an API token for purges.
