WordPress powers over 43% of the entire web. Cloudflare sits in front of millions of those sites, providing a CDN, DDoS protection, and a free SSL certificate. But here is the problem: the default Cloudflare settings are not optimized for WordPress, and one wrong toggle can take your entire site down with a white screen of death or an infinite redirect loop.
This guide walks you through every critical Cloudflare setting for WordPress — from initial DNS setup to advanced caching rules — so you get maximum speed and security without the headaches. Whether you are running a personal blog or a high-traffic WooCommerce store, these steps apply to every WordPress + Cloudflare setup.
Prerequisites Checklist
Before you begin, make sure you have the following ready:
- A working WordPress installation (self-hosted, not WordPress.com)
- A registered domain name pointing to your server
- A Cloudflare account (the free plan works for everything in this guide)
- SSH or SFTP access to your server (for wp-config.php edits)
- Access to your domain registrar to change nameservers
- Your origin server IP address (the real IP, not Cloudflare's)
Step 1: Add Your Domain to Cloudflare
The first step is onboarding your domain into Cloudflare's network. This is straightforward, but there is one critical mistake people make that can cause downtime.
Go to dash.cloudflare.com and sign up with your email address. Verify your email before proceeding.
Click "Add a Site" and enter your root domain (e.g., example.com, not www.example.com). Select the Free plan — you can upgrade later if needed.
Cloudflare will scan your existing DNS records. Carefully verify that every record was imported correctly. Pay special attention to MX records (email), CNAME records, and any TXT records (SPF, DKIM, DMARC). Missing mail records will break your email delivery. Leave records for mail and other non-HTTP services DNS-only (grey cloud): Cloudflare proxies only HTTP(S) traffic, so a proxied MX target or SMTP host simply stops working. Keep in mind that any DNS-only record pointing at the same server reveals your origin IP address.
Cloudflare will give you two nameservers (e.g., ada.ns.cloudflare.com and bob.ns.cloudflare.com). Log in to your domain registrar and replace the existing nameservers with these. Propagation takes anywhere from 5 minutes to 48 hours, but usually completes within 1-2 hours.
Step 2: SSL Configuration — The Most Critical Step
This is where most WordPress + Cloudflare setups go wrong. Cloudflare offers four SSL modes, and choosing the wrong one will either break your site or create a security vulnerability.
| SSL Mode | Browser → CF | CF → Origin | Recommendation |
|---|---|---|---|
| Off | HTTP | HTTP | Never use: everything travels in plaintext |
| Flexible | HTTPS | HTTP | Avoid: the Cloudflare-to-origin leg is unencrypted, and it causes redirect loops when WordPress forces HTTPS |
| Full | HTTPS | HTTPS (any cert, not validated) | Stopgap only: expired or self-signed certificates are accepted, so the origin is never authenticated |
| Full (Strict) | HTTPS | HTTPS (valid, trusted cert) | Always use this |
To configure SSL correctly:
- In Cloudflare dashboard, go to SSL/TLS → Overview
- Set encryption mode to Full (Strict)
- Make sure your origin server has a valid SSL certificate for the exact hostname (Let's Encrypt is free and works perfectly; Cloudflare's free Origin CA certificate also satisfies Full (Strict), but browsers do not trust it, so it only works while the proxy is on). An expired or mismatched origin certificate shows up as Cloudflare error 526.
- Enable Always Use HTTPS under SSL/TLS → Edge Certificates
- Enable Automatic HTTPS Rewrites to fix mixed content
Step 3: WordPress Configuration
With Cloudflare proxying your traffic, the origin sees every connection arriving from a Cloudflare edge address, so WordPress records Cloudflare's IPs instead of the visitor's (in comments, logs, and any IP-based limits). If the origin leg is plain HTTP (Flexible mode), WordPress also cannot tell that the visitor is on HTTPS, which is the root of the redirect loop. Cloudflare passes the real details in request headers: CF-Connecting-IP carries the visitor address and X-Forwarded-Proto carries the scheme.
Add the following to your wp-config.php file, before the line that says /* That's all, stop editing! */:
```php
// Tell WordPress the visitor used HTTPS at the edge. Only needed when the
// origin itself is served over HTTP; with Full (Strict) the web server
// already sets $_SERVER['HTTPS'].
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
// Restore the real visitor IP from the header Cloudflare adds.
// Caveat: anyone who can reach the origin directly can forge this header,
// so only do this if the origin accepts connections from Cloudflare alone.
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
// Serve wp-admin and wp-login.php over HTTPS only
define('FORCE_SSL_ADMIN', true);
```
Then check Settings → General: both WordPress Address (URL) and Site Address (URL) must start with https://. If they are set to http://, update them. If you are locked out due to redirect issues, you can set these in wp-config.php instead:
```php
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');
```
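The snippet above trusts CF-Connecting-IP unconditionally. That is only safe when nothing but Cloudflare can reach the origin; otherwise a client that connects straight to the origin IP can set the header to any value and sidestep IP-based rate limits or bans. The following is an added example, not code from the original guide or from Cloudflare, that accepts the header only when the TCP peer is inside Cloudflare's published edge ranges. The range list is copied from cloudflare.com/ips-v4 and cloudflare.com/ips-v6 and is assumed to be current; it does change occasionally, so refresh it when you review the file.

```php
<?php
// Added example (not from the original guide or from Cloudflare): restore the
// visitor IP from CF-Connecting-IP only when the request really came through
// a Cloudflare edge. Use it in wp-config.php (without the opening tag) in
// place of the unconditional REMOTE_ADDR assignment from Step 3.

/**
 * Cloudflare's published edge ranges, copied from
 * https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
 * Assumption: the list is current at the time of writing.
 */
function cf_edge_ranges(): array {
    return [
        '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
        '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
        '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
        '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
        '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
        '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32',
    ];
}

/** True when $ip falls inside $cidr. Works for IPv4 and IPv6; garbage input is false. */
function cf_ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$network, $prefix] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // unparsable, or IPv4 vs IPv6 mismatch
    }
    $prefix    = (int) $prefix;
    $fullBytes = intdiv($prefix, 8);        // whole bytes that must match exactly
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $prefix % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;   // top $remaining bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function cf_is_edge_ip(string $ip): bool {
    foreach (cf_edge_ranges() as $cidr) {
        if (cf_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide which address to treat as the client. $peer is the TCP peer
 * (REMOTE_ADDR as the web server saw it); $server is the $_SERVER array.
 * A CF-Connecting-IP sent by a non-Cloudflare peer is ignored.
 */
function cf_client_ip(string $peer, array $server): string {
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ($claimed !== '' && cf_is_edge_ip($peer) && filter_var($claimed, FILTER_VALIDATE_IP)) {
        return $claimed;
    }
    return $peer;
}

// Apply it. Evaluate the range check once on the untouched peer address, and
// trust X-Forwarded-Proto under the same condition so HTTPS cannot be spoofed either.
if (isset($_SERVER['REMOTE_ADDR'])) {
    $viaCloudflare = cf_is_edge_ip($_SERVER['REMOTE_ADDR']);
    $_SERVER['REMOTE_ADDR'] = cf_client_ip($_SERVER['REMOTE_ADDR'], $_SERVER);
    if ($viaCloudflare && ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
}
```

On Nginx the same job is better done once at the web server with ngx_http_realip_module (one set_real_ip_from line per Cloudflare range plus real_ip_header CF-Connecting-IP), after which PHP sees the correct REMOTE_ADDR and none of this is needed in wp-config.php. Whichever layer does it, a firewall that only admits Cloudflare's ranges to ports 80 and 443 remains the primary control; the range check is the fallback for the day that firewall rule is missing.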
Step 4: Cache Configuration
Cloudflare's default caching is conservative. It caches static assets (images, CSS, JS) but does not cache HTML pages. For a WordPress site, you want to cache everything except dynamic pages like the admin area and login page.
What to Cache vs. What to Skip
| URL Pattern | Cache? | Reason |
|---|---|---|
| /wp-content/uploads/* | Yes — Cache Everything | Static images, never change |
| /wp-content/themes/* | Yes — Cache Everything | CSS, JS, images from theme |
| /wp-content/plugins/* | Yes — Cache Everything | Plugin static assets |
| Blog posts and pages | Yes, with Edge TTL | HTML pages, set 2h TTL |
| /wp-admin/* | Never | Admin panel, dynamic content |
| /wp-login.php | Never | Login page with CSRF tokens |
| /wp-json/* | Never | REST API, dynamic responses |
| /wp-cron.php | Never | WordPress scheduler |
| Logged-in users | Never | User-specific content |
Setting Up Cache Rules
In your Cloudflare dashboard, go to Caching → Cache Rules and create these rules in order. In the Cache Rules UI, "Cache Everything" appears as "Eligible for cache" and the skip action as "Bypass cache".
Rule 1, dynamic endpoints:
Match: URI Path starts with "/wp-admin" OR URI Path equals "/wp-login.php" OR URI Path starts with "/wp-json" OR URI Path equals "/wp-cron.php"
Action: Bypass Cache
Rule 2, personalised sessions:
Match: Cookie contains "wordpress_logged_in" OR Cookie contains "wp-settings" OR Cookie contains "comment_author_"
Action: Bypass Cache
On a WooCommerce store, also add Cookie contains "woocommerce_items_in_cart" OR Cookie contains "wp_woocommerce_session" and bypass the cart, checkout and my-account paths, or shoppers will be served each other's carts.
Rule 3, uploads:
Match: URI Path starts with "/wp-content/uploads"
Action: Cache Everything, Edge TTL: 1 month, Browser TTL: 1 month
Rule 4 (optional), the anonymous HTML pages from the table above:
Match: Hostname equals your domain
Action: Cache Everything, Edge TTL: 2 hours
Only add Rule 4 once Rules 1 and 2 are in place and verified. With HTML cached, new posts and edits are invisible until the TTL expires unless you purge; the official Cloudflare plugin purges automatically on publish.
Verify the result by requesting each path and reading the cf-cache-status response header. Expect BYPASS for /wp-admin/ and /wp-login.php, HIT on the second request for an upload, and BYPASS (never HIT) for a post requested while logged in. A HIT on a logged-in request means private content is being cached for everyone.
Step 5: Security Settings
Cloudflare's WAF (Web Application Firewall) can block common WordPress attacks before they reach your server. Here are the essential security rules to configure. One caveat applies to all of them: they only see traffic that passes through Cloudflare. If the origin answers on its public IP, an attacker who finds that IP (an old DNS record, a mail header, a certificate transparency log entry) bypasses every rule below, so restrict the origin firewall to Cloudflare's IP ranges as well.
Block XML-RPC
The xmlrpc.php file is WordPress's legacy remote-publishing API. Few sites still need it (the REST API replaced it for core features; Jetpack and some older clients are the main exceptions), and it is one of the most abused endpoints: system.multicall lets a single request try hundreds of passwords, and pingback.ping can be turned against third parties for reflected DDoS.
Go to Security → WAF → Custom Rules. Create a rule:
Match: URI Path equals "/xmlrpc.php"
Action: Block
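Edge rules only cover requests that pass through Cloudflare. As a second layer for traffic that reaches the origin directly, the same thing can be done inside WordPress with a must-use plugin. The following is an added example, not code from the original guide or from WordPress; it assumes a standard install where wp-content/mu-plugins/ exists (create the directory if it does not) and that nothing on the site, such as Jetpack, still depends on XML-RPC.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (defence in depth)
 * Description: Added example, not from the original guide. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php so XML-RPC stays off even for
 * requests that never passed through Cloudflare's WAF.
 */

// Refuse every XML-RPC method, including the unauthenticated pingback.ping
// used for reflection attacks. WordPress then answers any call with
// "requested method not found" instead of executing it.
add_filter('xmlrpc_methods', static function (array $methods): array {
    return [];
});

// Belt and braces: also mark the authenticated XML-RPC API as disabled, so
// multicall-based password guessing is rejected before any method lookup.
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint: drop the X-Pingback response header that
// WordPress adds to single posts with pings open...
add_filter('wp_headers', static function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// ...and the Really Simple Discovery <link> in the page head, which points
// crawlers at xmlrpc.php?rsd.
remove_action('wp_head', 'rsd_link');
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which is the point here: an attacker with a low-privilege account cannot switch the protection off. If a plugin later breaks because it needs XML-RPC, the Cloudflare rule above and this file both have to be relaxed, so keep them in step.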
Protect wp-login.php with Rate Limiting
Create a rate limiting rule under Security → WAF → Rate limiting rules:
Match: URI Path equals "/wp-login.php" AND Request Method equals "POST"
Rate: 5 requests per 10 seconds, counted per IP
Action: Managed Challenge (or Block) for 1 hour (the durations on offer depend on your plan)
Matching on POST only means loading the login form does not count against the limit; only submitted credentials do.
Block Sensitive Paths
Create a WAF rule to block direct access to configuration files and repository data:
Match: URI Path contains "wp-config.php" OR URI Path contains ".env" OR URI Path starts with "/.git"
Action: Block
Use "contains" rather than "equals" for wp-config.php on purpose: the live file is executed by PHP and never served as text, but editor backups and copies such as wp-config.php.bak or wp-config.php~ are served verbatim and leak the database credentials.
Step 6: Performance Optimization
Beyond caching, Cloudflare offers several performance features that work well with WordPress — but some of them can cause issues.
Auto Minify: Enable (where still offered)
Go to Speed → Optimization → Content Optimization. Minification removes whitespace and comments from HTML, CSS, and JavaScript. HTML and CSS minification are safe for virtually all WordPress sites; JavaScript minification occasionally breaks scripts (see the blank-page issue below), so test it. Cloudflare announced the removal of Auto Minify in 2024, so if the toggle is missing from your dashboard, minify in WordPress instead (most caching plugins do this).
Brotli Compression: Enable
Found under Speed → Optimization. Brotli compresses better than gzip (15-20% smaller files). Enable it — there is no downside. All modern browsers support it.
Early Hints (103): Enable
Under Speed → Optimization. Early Hints sends a 103 response so the browser starts fetching critical CSS and JS while your server is still generating the page. It only helps if the origin sends Link: <...>; rel=preload headers for those assets, which WordPress does not do out of the box, so the gain depends on your theme or an optimisation plugin adding them. There is no risk either way.
Rocket Loader: Use with Caution
Rocket Loader defers all JavaScript execution. While this can improve initial paint time, it frequently breaks inline scripts, analytics trackers, and plugin-dependent JavaScript. Test thoroughly before leaving it enabled.
HTTP/2 and HTTP/3: Enable
These are enabled by default on Cloudflare. HTTP/2 multiplexes requests, and HTTP/3 (QUIC) reduces latency. No configuration needed — just verify they are on in the Network section.
Image Optimization: Pro Plan
Cloudflare Polish (lossy/lossless compression) and WebP conversion are Pro plan features. If you are on the free plan, use a WordPress plugin like ShortPixel or Imagify instead.
Common Issues and Fixes
Even with perfect configuration, issues can arise. Here are the most common WordPress + Cloudflare problems and their solutions.
Infinite Redirect Loop (ERR_TOO_MANY_REDIRECTS)
Cause: SSL mode set to "Flexible" while WordPress (or the web server) forces HTTPS: Cloudflare fetches over HTTP, the origin redirects to HTTPS, Cloudflare fetches over HTTP again.
Fix: Install a valid SSL certificate on your origin server, then change SSL mode to Full (Strict). Clear browser cookies and purge the Cloudflare cache, since a cached 301 keeps the loop alive.
White Screen of Death
Cause: Most often a PHP fatal error on the origin, which has nothing to do with Cloudflare. A blank page that returns HTTP 200 with JavaScript errors in the browser console points instead to Rocket Loader (or JavaScript minification) breaking a script the theme depends on.
Fix: Check the PHP error log first (or enable WP_DEBUG_LOG). If the page is a clean 200 with console errors, disable Rocket Loader in Speed → Optimization; if the issue persists, disable Auto Minify for JavaScript and purge the cache.
REST API Returns 403
Cause: A WAF managed rule, a custom rule, or Bot Fight Mode blocking /wp-json/ requests, which the block editor, WooCommerce, and many plugins depend on.
Fix: Look up the blocked request in Security → Events to see which rule fired. Prefer a narrow exception: a Skip rule for that specific rule on "/wp-json" only, or scoped to logged-in requests (Cookie contains "wordpress_logged_in"). Do not skip the whole WAF for /wp-json/*, because the REST API is also attack surface (user enumeration via /wp-json/wp/v2/users, for example).
Cannot Login to wp-admin (403 Forbidden)
Cause: A WAF rule, an IP Access rule, or Bot Fight Mode blocking your requests.
Fix: Find the event in Security → Events. Allow your IP under Security → WAF → Tools → IP Access Rules, or create a Skip rule scoped to /wp-admin and /wp-login.php for the custom rule that fired. Bot Fight Mode cannot be skipped by custom rules; if it is the cause, turn it off.
Images Not Loading (Mixed Content)
Cause: Image and asset URLs stored with http:// in the database, left over from before the site moved to HTTPS.
Fix: "Automatic HTTPS Rewrites" in SSL/TLS settings masks the problem at the edge. For a permanent fix, update the URLs in the database with WP-CLI, which handles serialized data safely. Back up the database, do a dry run first, and skip the guid column, which WordPress treats as an opaque identifier: wp search-replace 'http://example.com' 'https://example.com' --skip-columns=guid --dry-run, then repeat without --dry-run.
Comments Show Cloudflare IPs
Cause: WordPress records REMOTE_ADDR, which is the Cloudflare edge that connected to the origin, not the visitor. The same problem silently breaks any IP-based limits or bans on the origin.
Fix: Restore the visitor IP from CF-Connecting-IP as in Step 3 (trusting the header only for connections from Cloudflare's IP ranges), install the official Cloudflare plugin, or let the web server do it (on Nginx, ngx_http_realip_module with real_ip_header CF-Connecting-IP). Existing comments keep the IP recorded at the time.
Panelica Integration: WordPress + Cloudflare Made Easy
If you are managing WordPress sites on a Panelica-powered server, the entire Cloudflare integration is built right into the panel. Here is what Panelica handles for you:
One-Click WordPress Install
Panelica's WordPress toolkit installs WordPress with optimized PHP-FPM pools, Redis object caching, and correct file permissions — all in under 30 seconds. No manual configuration needed.
Automatic SSL Provisioning
When you add a domain, Panelica automatically provisions a Let's Encrypt SSL certificate and configures Nginx for Full (Strict) compatibility. No redirect loops, ever.
Cloudflare Zone Sync
Connect your Cloudflare API key, and Panelica will automatically sync DNS records when you add domains, create subdomains, or change server IPs. One-click A record and MX record management.
Pre-Configured Security
Panelica's nftables firewall comes pre-configured with Cloudflare IP ranges whitelisted. ModSecurity with OWASP CRS rules protects your WordPress sites at the server level, adding a second layer of security behind Cloudflare's WAF.
Instead of spending an hour configuring Cloudflare settings manually, Panelica gives you a production-ready WordPress + Cloudflare stack in minutes. The panel manages 20+ services including Nginx, PHP-FPM, Redis, and automatic SSL — everything your WordPress site needs to be fast, secure, and reliable.