
Cloudflare's free plan is one of the best deals in the WordPress stack: a global CDN, free SSL, and DDoS protection for the price of changing two nameserver records. But the gap between "I added my domain" and "my site is faster and not broken" is full of WordPress-specific traps — an infinite redirect loop here, a Wordfence that thinks every visitor is one IP address there. This walkthrough gets you through the real setup, including the settings the official wizard quietly skips.
Cloudflare sits in front of your origin host as a reverse proxy. Once your DNS is proxied, every request hits Cloudflare's edge first. On the free plan you get:
What's not free: HTML edge caching (Cloudflare caches assets but not your dynamic HTML by default), Automatic Platform Optimization, and the more advanced WAF managed rulesets. We'll handle the caching question head-on.
The actual switch happens at your domain registrar, not inside WordPress. The sequence:
example.com).dana.ns.cloudflare.com). Go to your registrar — GoDaddy, Namecheap, Google Domains successor, wherever the domain lives — and replace the existing nameservers with these two.In the DNS tab, the orange cloud icon means a record is proxied (traffic flows through Cloudflare); grey cloud means DNS-only (Cloudflare answers the lookup but traffic goes straight to your origin). For the CDN and protection to do anything, your root A record and www record must be orange. Leave mail-related records (MX, and the A records they point to) grey — proxying email subdomains breaks delivery.
This is the single most important screen and the one that generates the most "my site is in a redirect loop" support tickets. Under SSL/TLS → Overview, you choose an encryption mode. There are two you might pick and only one is correct:
Once you're on Full (strict), turn on Always Use HTTPS (under SSL/TLS → Edge Certificates) so Cloudflare handles the HTTP-to-HTTPS redirect at the edge instead of making WordPress do it. Also enable Automatic HTTPS Rewrites to silence mixed-content warnings from old http:// asset URLs.
The moment your traffic is proxied, your origin server stops seeing visitors' real IP addresses — it sees Cloudflare's. The practical fallout: Wordfence shows every request coming from a handful of Cloudflare IPs, IP-based blocking becomes useless, comment author IPs all read the same, and analytics that rely on server logs get distorted.
Cloudflare sends the real IP in the CF-Connecting-IP header. To put it back where WordPress expects it, install the official Cloudflare plugin from the plugin repository, which restores original visitor IPs and exposes your API for cache control. Inside Wordfence, set the "How does Wordfence get IPs" option to use the Cloudflare header. Do not reach for the old mod_cloudflare Apache module — it's deprecated and no longer maintained; the header-based approach is the supported path.
Here's the part most "free Cloudflare" tutorials gloss over: on the free plan, Cloudflare caches your static assets automatically but does not cache your HTML pages. That means your TTFB still depends on your origin host generating each page, and the much-promised "Cloudflare made my site instant" only half happens.
You have three options, roughly in order of effort and reward:
/wp-admin/*, /wp-login.php, and — for WooCommerce — /cart/*, /checkout/*, and /my-account/*. With only three rules this gets tight fast, which is exactly why the next option exists.Whatever you choose, install the official Cloudflare plugin and connect it with an API token. Its most valuable job is automatic cache purge on publish — without it, you'll update a post and stare at the old version wondering why nothing changed.
For a typical WordPress site, this configuration is a solid starting point:
To confirm it's working, open your browser's network panel and look at the response headers for a page request. cf-cache-status tells the story: HIT means Cloudflare served it from the edge, MISS or DYNAMIC means it went to your origin (DYNAMIC is expected for HTML on the free plan without APO). Then run the URL through a field-data tool and watch the Core Web Vitals you actually care about: LCP under 2.5s, CLS under 0.1, and INP under 200ms (INP replaced FID as a Core Web Vital in 2024). The CDN should noticeably help LCP for visitors far from your origin; it won't fix layout shift or slow JavaScript, which are origin-side problems.
Done right, the free plan gives a small WordPress site faster global load times, real HTTPS, and a buffer against attacks — for nothing. The upgrades worth paying for (APO, advanced WAF) are real, but plenty of sites never need them. Get Full (strict), real IPs, and a publish-purge plugin in place first; that's where the value lives.
Site
Tools
We do not sell your email. We do not spam.
© 2026 RevealTheme. All rights reserved.