Cloudflare sits between your visitors and your site, accelerating delivery, blocking attacks, and protecting against downtime. The free tier alone solves problems most bloggers don’t realize they have. This post is the practical setup guide.

Short answer: Set up Cloudflare’s free tier — DNS pointed through Cloudflare, SSL, basic caching, basic firewall. That alone gives most blogs measurable speed and security gains. Add APO ($5/month) if you want deeper WordPress-aware caching. Don’t pay for Pro or higher unless you have specific needs.
Cloudflare dashboard showing traffic served, security threats blocked, and bandwidth saved

What Cloudflare does

Cloudflare is a reverse proxy: visitors hit Cloudflare first, Cloudflare hits your site if it doesn’t have a cached response.

Functions:

  • CDN: caches static assets (images, CSS, JS) at global edge locations.
  • DDoS protection: absorbs and filters attack traffic.
  • Web Application Firewall (WAF): blocks malicious requests.
  • SSL: free SSL termination.
  • DNS: fast, reliable DNS hosting.
  • Analytics: visitor data, threat blocking stats.

All of this is free for the basic tier.

Setting up Cloudflare

Step 1: Create account

cloudflare.com → Sign up.

Step 2: Add your site

Enter your domain. Cloudflare scans your existing DNS records.

Pick the Free plan.

Step 3: Verify DNS records

Cloudflare lists your detected DNS records. Check:

  • A record points to your host’s server IP.
  • MX records (email) are correct.
  • TXT records (SPF, DKIM for email auth) are present.
  • Subdomains all included.

Anything missing — add it manually.

Step 4: Change nameservers

Cloudflare gives you two nameservers (something like chris.ns.cloudflare.com and liz.ns.cloudflare.com).

Update your domain’s nameservers (at your registrar — Namecheap, Cloudflare Registrar, etc.) to point to these.

Propagation takes 5 minutes to 24 hours. Usually fast.

Step 5: Configure SSL

Cloudflare → SSL/TLS → Overview → set to “Full (strict).”

This requires your host to have a valid SSL certificate too (Let’s Encrypt works). Without this, you get “Flexible” SSL which is less secure.

Essential free-tier settings

SSL/TLS

  • Encryption mode: Full (strict).
  • “Always Use HTTPS”: ON.
  • “Automatic HTTPS Rewrites”: ON.
  • Minimum TLS Version: 1.2.

Caching

  • Caching Level: Standard.
  • Browser Cache TTL: 4 hours or “Respect Existing Headers.”
  • Enable “Always Online” (serves cached version when your site is down).

Speed

  • Auto Minify: ON for HTML, CSS, JS.
  • Brotli: ON.
  • Early Hints: ON.
  • Rocket Loader: TEST first (can break some sites). Many WordPress sites benefit; some break.

Network

  • HTTP/3 (with QUIC): ON.
  • 0-RTT Connection Resumption: ON.
  • IPv6 Compatibility: ON.

Security

  • Security Level: Medium.
  • Bot Fight Mode: ON.
  • Challenge Passage: 30 minutes.
  • Browser Integrity Check: ON.
Cloudflare SSL settings page with Full (strict) selected and Always Use HTTPS enabled

Page Rules (3 free)

Free tier gives 3 page rules. Suggested uses:

Rule 1: Cache everything on static pages

For your homepage or specific URLs:

  • URL: yourdomain.com/*
  • Cache Level: Cache Everything
  • Edge Cache TTL: 2 hours

Be careful: this can cache logged-in pages. Better to use APO for full-site caching (covered below).

Rule 2: Bypass cache on wp-admin

  • URL: yourdomain.com/wp-admin/*
  • Cache Level: Bypass
  • Disable Performance

Keeps WordPress admin uncached so you see fresh changes.

Rule 3: Bypass cache on preview links

  • URL: *preview=true*
  • Cache Level: Bypass

Cloudflare APO ($5/month)

APO (Automatic Platform Optimization) is Cloudflare’s WordPress-specific caching.

It caches dynamic pages too (not just static assets), with WordPress-aware purging when you publish or update.

What you get:

  • Full-page caching at edge.
  • Smart purging on post updates.
  • Significantly faster TTFB.

$5/month if you don’t have Pro plan. Often worth it for content-heavy blogs.

Plugin: install “Cloudflare” official plugin on WordPress side for integration.

Image optimization (Polish + Mirage)

Cloudflare Pro tier ($25/month) includes:

  • Polish: auto-WebP/AVIF conversion of images.
  • Mirage: mobile image optimization.

If you already have an image optimization plugin (Imagify, ShortPixel), you don’t need Polish.

If you don’t, Polish is convenient.

WAF (Web Application Firewall)

Free tier: basic WAF rules.

Pro tier: more rules, custom rules, OWASP rule set.

For most blogs, free WAF + the host’s WAF + a security plugin is enough. Pro WAF matters for sites with serious threat exposure.

Cloudflare Workers (advanced)

Cloudflare’s serverless platform. Run code at edge locations.

Most bloggers don’t need this. Use cases: advanced redirects, custom A/B testing, geo-targeting.

Cloudflare Tunnel (advanced)

Securely expose a local development site through Cloudflare without opening firewall ports.

Niche use. Bloggers rarely need.

Analytics

Cloudflare Analytics shows:

  • Total requests.
  • Bandwidth saved (cached responses).
  • Threats blocked.
  • Geographic traffic distribution.
  • Browser / OS breakdown.

Complements GA4. Cloudflare analytics is server-side (counts all visits including bots and cached responses); GA4 is client-side (counts only when JavaScript fires).

Common issues

“Too many redirects” error after setup

Usually: SSL mode mismatch. Check Cloudflare → SSL/TLS is “Full (strict)” and your host has a valid certificate.

White screen / 521 errors

Cloudflare can’t reach your origin server. Check your host status and that the A record points to the right IP.

Changes not appearing

Cache hasn’t purged. Cloudflare → Caching → Purge Cache → Purge Everything.

WordPress admin slow

Make sure wp-admin is excluded from caching (the page rule above).

Login issues

Cookies sometimes get stripped. Ensure “Caching Level” isn’t aggressive on login URLs.

WordPress plugin integration

Install “Cloudflare” plugin (official) on WordPress.

Configure with your Cloudflare API token. Enables:

  • One-click cache purge from WordPress admin.
  • Automatic purge on post updates.
  • APO integration.

Alternatively, plugins like WP Rocket integrate with Cloudflare too.

Caching plugin interaction

You can run a caching plugin (WP Rocket, LiteSpeed) AND Cloudflare. They complement.

  • WP Rocket / LiteSpeed: optimizes WordPress side (database, asset minification, lazy loading).
  • Cloudflare: caches at the edge globally.

Avoid duplicating: don’t enable minification in both. Pick one place.

Email considerations

When you put DNS on Cloudflare, make sure email DNS records (MX, SPF, DKIM, DMARC) are preserved.

If using a host-provided email service, check that mail still delivers after the DNS switch.

What Cloudflare won’t do

  • Cloudflare doesn’t replace caching plugins entirely (you still want WordPress-side caching for the database query layer).
  • Cloudflare doesn’t fix slow code (poorly written plugins, themes still hurt origin server response time).
  • Cloudflare doesn’t fix bad hosting (origin servers still need to respond).
  • Free tier doesn’t include image optimization (Polish is Pro+).

Cloudflare vs other CDNs

Alternatives:

  • BunnyCDN: ~$1/month minimum, simple, fast.
  • StackPath: enterprise CDN.
  • KeyCDN: pay-per-GB.
  • AWS CloudFront: AWS ecosystem.

Cloudflare’s free tier with full DNS + WAF + CDN + DDoS is hard to beat. Other CDNs handle just the CDN piece.

The honest summary

Cloudflare’s free tier alone gives most blogs measurable speed, security, and reliability gains. Set up DNS, full-strict SSL, basic caching, page rules for wp-admin bypass, and bot protection. Add APO ($5/month) for WordPress-aware full-page caching if you want more performance. Don’t pay for Pro unless you need specific features (Polish, advanced WAF, custom rules). Cloudflare won’t fix bad code or bad hosting, but it adds a strong protective and accelerating layer between visitors and your site.