Setting Up Cloudflare for WordPress: The Free Tier Walkthrough

Cloudflare's free tier sits between your visitors and your WordPress host, caching static content at edge locations near visitors, blocking malicious traffic before it hits your origin, and providing SSL certificates without any configuration on your hosting side. The setup is straightforward but the right configuration choices aren't obvious from Cloudflare's dashboard. Here's the working configuration for a typical WordPress site.

The setup assumes you control DNS for your domain. If your domain is registered with one company and DNS is at another, the steps work but you'll need to change nameservers at the domain registrar to point to Cloudflare's nameservers. The domain change propagates within hours typically; some TLDs take up to 48 hours.

The five-step setup

Step 1: sign up at cloudflare.com. Add your domain. Cloudflare will scan your existing DNS records and import them. Review the import to make sure all your records appear correctly. The most common miss is MX records for email; if your domain receives email at a separate provider, verify the MX records came across intact.

Step 2: change your nameservers at the domain registrar. Cloudflare provides two nameservers (something like dane.ns.cloudflare.com and pat.ns.cloudflare.com). Update these at your domain registrar (Namecheap, GoDaddy, Cloudflare Registrar, etc.). The change takes effect within hours.

Step 3: configure SSL mode. In Cloudflare's dashboard under SSL/TLS, set the mode to "Full (strict)" if your origin server has a valid SSL certificate. Set to "Flexible" if your origin only serves HTTP. For most WordPress sites on modern hosts, the origin already has a Let's Encrypt certificate from the host; "Full (strict)" is the correct setting.

Step 4: enable specific performance features. Under "Speed" → "Optimization": enable Auto Minify for HTML, CSS, and JavaScript. Enable Brotli compression. Skip Rocket Loader (it can break some WordPress JavaScript) unless you've specifically tested it on your site.

Step 5: configure caching behavior. Under "Caching" → "Configuration": set Caching Level to "Standard." Set Browser Cache TTL to "4 hours" as a safe default. Under "Page Rules," create a rule for /wp-admin/* with caching disabled (so admin areas don't get cached). Create another rule for /wp-login.php with caching disabled.

The configuration that breaks WordPress

Cloudflare's default settings work for most static sites. WordPress has dynamic content patterns that interact with Cloudflare in specific ways. Three common breakages and fixes:

Breakage one: cart fragments getting cached on WooCommerce sites. Add a Page Rule for /?wc-ajax=* with "Cache Level: Bypass." Without this, cart counters show 0 for all visitors except the first.

Breakage two: form submissions failing on sites with high Cloudflare security level. Cloudflare's Bot Fight Mode can challenge form submissions from real users. Either lower the security level to "Medium" or add specific bypass rules for /wp-admin/admin-ajax.php (which forms use).

Breakage three: previews of unpublished WordPress posts getting cached. Add a Page Rule for /*preview=true* with "Cache Level: Bypass."

What the free tier actually includes

Cloudflare's free tier provides: global CDN with 300+ edge locations, free SSL certificate for your domain, DDoS protection that scales with attack size, basic WAF rules, analytics on visitor patterns. The paid tiers add: image optimization at the edge, faster cache purging, advanced bot management, custom WAF rules, more granular page rules.

For most WordPress sites, the free tier is sufficient. The paid Pro tier ($20/month) adds image optimization (Polish + Mirage) which can be valuable for image-heavy sites. The Business tier ($200/month) is rarely justified for typical WordPress operations.

Performance impact of free Cloudflare: typical WordPress site sees 100-300ms improvement on TTFB for non-local visitors. The improvement is largest for visitors geographically far from your origin server. US visitors hitting a US-hosted site see modest improvement; international visitors hitting the same site see substantial improvement.