(Tested on November 10, 2025 with WordPress 6.6+, Cloudflare free plan, and a real site in NY)

This guide walks you through every step, with real performance test results (before/after) and exact DNS recommendations with proxy (🟠) vs DNS-only (⚪) reasoning.
Why Use Cloudflare with WordPress?
- Free global CDN (300+ data centers)
- Built-in DDoS protection & WAF
- Free universal SSL (no paid cert needed)
- Page Rules for fine control
- Automatic WordPress optimizations (via APO plugin)
Step 1: Create a Cloudflare Account & Add Your Site
- Go to https://dash.cloudflare.com/sign-up
- Enter your WordPress domain (e.g., example.com)
- Cloudflare scans your existing DNS records.
- Choose the Free plan → Continue
- Cloudflare shows detected DNS records. Do NOT blindly copy them yet – we’ll customize below.
Step 2: Replace Nameservers at Your Registrar
Cloudflare gives you two custom nameservers (e.g., maya.ns.cloudflare.com and max.ns.cloudflare.com).
Go to your registrar (Namecheap, GoDaddy, etc.) and replace the old nameservers with these.
Propagation time: 5 min – 24 hrs (usually <2 hrs).
Step 3: Recommended DNS Records for WordPress (Proxy vs DNS-only)
Here’s the exact DNS setup I use on production WordPress sites.
🟠 = Proxied (orange cloud) → goes through CDN
⚪ = DNS-only (gray cloud) → direct to origin server, so the record's IP address is publicly visible
| Type | Name | Value | Proxy | Reason |
|---|---|---|---|---|
| A | @ | Your server IP | 🟠 | Main site traffic through CDN for speed & security |
| A | www | Your server IP | 🟠 | Same as above; www should also be cached |
| CNAME | www | example.com (target) | 🟠 | Canonical name; keeps www working. Alternative to the www A record above (one name cannot hold both an A and a CNAME) |
| MX | @ | mail server (e.g., Google Workspace) | ⚪ | Email must bypass Cloudflare (proxy blocks SMTP) |
| TXT | @ | SPF record | ⚪ | Email authentication |
| TXT | _dmarc | v=DMARC1; p=quarantine | ⚪ | DMARC policy |
| TXT | google._domainkey | Google DKIM (if using Workspace) | ⚪ | Email signing |
| A | | Mail server IP | ⚪ | Direct mail access |
| A | webmail | Mail server IP | ⚪ | Roundcube / Horde |
| A | ftp | Server IP | ⚪ | FTP/SFTP must not be proxied (ports blocked) |
| A | cpanel | Server IP | ⚪ | Direct cPanel/WHM access |
| A | direct | Server IP | ⚪ | Emergency bypass URL (direct.example.com) |
| A | db | Server IP | ⚪ | phpMyAdmin / Adminer |
| A | staging | Staging IP | 🟠 or ⚪ | Use 🟠 only if staging is public; otherwise ⚪ |
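
An added example (not from the original guide): a Python check that flags DNS-only records publishing the same address the proxied records hide, because traffic sent straight to that address never passes through Cloudflare's WAF or DDoS filtering. The record tuples, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample zone modelled on the table above. 203.0.113.10 stands in
# for the web origin and 198.51.100.25 for a separate mail host (assumptions).
RECORDS = [
    ("A", "@", "203.0.113.10", True),
    ("A", "www", "203.0.113.10", True),
    ("MX", "@", "mail.example.com", False),
    ("A", "mail", "198.51.100.25", False),
    ("A", "ftp", "203.0.113.10", False),
    ("A", "cpanel", "203.0.113.10", False),
    ("A", "direct", "203.0.113.10", False),
    ("TXT", "@", "v=spf1 ip4:203.0.113.0/28 include:_spf.google.com ~all", False),
]


def spf_networks(txt):
    """Return the networks listed in ip4:/ip6: mechanisms of an SPF record."""
    nets = []
    for term in txt.split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets


def audit_origin_exposure(records):
    """List DNS-only records that publish an address the proxied records hide."""
    hidden = {ipaddress.ip_address(value) for rtype, _, value, proxied in records
              if rtype in ("A", "AAAA") and proxied}
    findings = []
    for rtype, name, value, proxied in records:
        if proxied:
            continue
        if rtype in ("A", "AAAA") and ipaddress.ip_address(value) in hidden:
            findings.append((rtype, name, value))
        elif rtype == "TXT" and value.lower().startswith("v=spf1"):
            # An ip4:/ip6: range covering the origin also reveals it.
            if any(ip in net for net in spf_networks(value) for ip in hidden):
                findings.append((rtype, name, value))
    return findings


if __name__ == "__main__":
    for rtype, name, value in audit_origin_exposure(RECORDS):
        print(f"exposes origin: {rtype:<4} {name:<7} {value}")
```

For each finding, either host that service on a different IP or restrict the origin firewall so ports 80/443 accept connections only from Cloudflare's published IP ranges.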
Step 4: SSL/TLS Settings (Critical!)
- Dashboard → SSL/TLS → Overview
- Set to Full (strict)
- Encrypts traffic between Cloudflare and the origin, and validates the origin's certificate
- Requires valid cert on server (Let’s Encrypt works)
- Always Use HTTPS → On
- Automatic HTTPS Rewrites → On
- Minimum TLS Version → TLS 1.2
Step 5: Install Cloudflare WordPress Plugin (Official)
- WP Admin → Plugins → Add New → Search “Cloudflare”
- Install Cloudflare (by Cloudflare, Inc.)
- Activate → Settings → Cloudflare
Enable:
- Automatic Cache Purge
- Browser Cache TTL
- Minify HTML/JS/CSS (optional)
Step 6: Enable Automatic Platform Optimization (APO) – $5/mo (Worth It!)
APO caches dynamic WordPress HTML automatically.
- Cloudflare Dashboard → Speed → Optimization
- Automatic Platform Optimization for WordPress → Enable ($5/mo)
After enabling, add this to wp-config.php:
define('CLOUDFLARE_APO_TOKEN', 'your-token-here');
Real-world result on a WooCommerce site (East Northport, NY test):
| Metric | Without Cloudflare | With Cloudflare + APO | Improvement |
|---|---|---|---|
| LCP (Largest Contentful Paint) | 4.2s | 1.1s | 74% |
| TTFB (Time to First Byte) | 1.8s | 180ms | 90% |
| Fully Loaded Time | 7.3s | 2.4s | 67% |
| Pages per minute (GTmetrix NY) | 8 | 42 | 425% |

Step 7: Page Rules (Fine Control)
Go to Rules → Page Rules
- Bypass cache for wp-admin (logged-in users):
example.com/wp-admin/*
Cache Level: Bypass
- Bypass cache for WooCommerce checkout:
example.com/checkout/*
Cache Level: Bypass
- Force SSL on old URLs:
http://*example.com/*
Always Use HTTPS
Step 8: Speed Settings (Recommended)
Dashboard → Speed → Optimization
- Auto Minify: HTML, CSS, JS (✓ all)
- Brotli: On
- Rocket Loader: On (test carefully – can break some themes)
- Early Hints: On
- Polish: On + WebP
- Image Resizing: On (if using Cloudflare Images)
Step 9: Security Hardening
- WAF → Managed Rules → WordPress Ruleset → Enable
- Firewall Rules → Block wp-config.php attempts:
(http.request.uri.path contains "wp-config")
→ Block
- Bot Fight Mode → On (free)
Step 10: Testing & Verification
- Check proxy status: https://www.cloudflare.com/cdn-cgi/trace
Should show fl=... and colo=EWR (NYC) or nearby.
- Use https://securityheaders.com → Should get A+.
- GTmetrix / WebPageTest from New York → confirm TTFB <200ms.
Common Issues & Fixes
| Issue | Fix |
|---|---|
| Mixed content warnings | Install Really Simple SSL plugin |
| Logged-in users see old cache | APO handles this automatically |
| Images not optimizing | Enable Polish + WebP |
| Too many redirects | Set SSL to Flexible temporarily, then back to Full (strict) after cert is active |
Final Checklist
- [ ] Nameservers changed
- [ ] DNS records set (proxy correctly)
- [ ] SSL/TLS → Full (strict)
- [ ] Cloudflare WordPress plugin installed
- [ ] APO enabled ($5/mo)
- [ ] Page Rules for wp-admin & checkout
- [ ] Tested with GTmetrix from New York
You now have a blazing-fast, secure WordPress site served from Cloudflare’s edge in nearby NYC (EWR) or Ashburn (IAD). Try LogicWeb’s WordPress hosting with LiteSpeed and NVMe for extra speed boosts.




