Cloudflare with WordPress

Getting Started

Step 1: Sign up for a Cloudflare account.

You can do this in one of two ways: via cPanel, if your web host has installed Cloudflare on your server, or otherwise directly from the Cloudflare website.

  • cPanel
    • If your webhost has installed Cloudflare on your server, open cPanel and you should see a Cloudflare icon. Click on that icon and then the green button to “Create Your Free Account”. Follow the onscreen instructions.

Step 2: Install the Cloudflare WordPress plugin

Note: the Cloudflare WordPress plugin is optional. It is recommended, but Cloudflare works just fine without it; you will simply need to adjust the Cloudflare settings from the Cloudflare website instead of from the WordPress dashboard under Settings > Cloudflare.

  • The plugin has a one-click option to “Optimize Cloudflare for WordPress”. Cloudflare’s support article “What settings are applied when I click ‘Optimize Cloudflare for WordPress’ in Cloudflare’s WordPress plugin?” lists the settings this option applies.
  • While the Optimize option is a good starting point, you may need to click on the “Settings” option within the plugin interface to adjust as desired. Also, be aware that not all Cloudflare settings are accessible through the plugin, so it’s a good idea to log in to the Cloudflare website and become familiar with all the available options, some of which will vary depending on account type, i.e. Free vs Pro vs Business vs Enterprise.

Step 3: Cloudflare Page Rules for WordPress

(Screenshot: Cloudflare dashboard menu, Page Rules tab)

  • Page Rules trigger specified actions on specific URLs.
  • For WordPress, it’s recommended to implement the following page rule for the URL used to log in to the WordPress dashboard.

(Screenshot: Cloudflare page rule to bypass Cloudflare for the WordPress dashboard login)

The * in the designated URL serves as a wildcard. Do NOT include a period before or after the * wildcard.

Step 4: Speed Settings

Switch to the speed tab on the Cloudflare menu.

(Screenshot: Cloudflare menu, Speed tab)

The following options are available on the Cloudflare “free” plan.

(Screenshot: Cloudflare Speed settings)

IMPORTANT: Make sure that you are NOT using a WordPress plugin that is also minifying the content.

(Screenshot: Cloudflare Speed settings, continued)

Brotli is a compression algorithm developed by Google. It produces smaller files than gzip, but it also uses more CPU resources to do so. Note that all Speed features, including Brotli, are only applied to assets cached at the Cloudflare edge. Unfortunately, Cloudflare doesn’t support Brotli for uncached requests, only gzip. Consequently, gzip should be enabled on your origin server.

Rocket Loader defers JavaScript loading until the other page assets have loaded, which improves page loading speed. Be sure to test this option, as some scripts may need to be excluded in order for the page to load correctly.

IMPORTANT: For Cloudflare free or Pro plan customers, Railgun is only available if your webhost has installed specialized Cloudflare software. Railgun compresses the data stream for uncached request responses that must be pulled from your origin server.

Step 5: Scrape Shield

Switch to the Scrape Shield tab and confirm that the following options are turned on.

(Screenshot: Cloudflare menu, Scrape Shield tab, and the Scrape Shield settings)

Email address obfuscation ensures that email addresses are hidden from harvesters and bots but still visible to human visitors. If you are certain your site doesn’t expose any hard-coded email addresses, you may be able to turn this off.

Server-side excludes will hide sensitive content only IF the content is wrapped in these tags: <!--sse--> ... <!--/sse-->.

Hotlink protection will prevent other sites from linking to your images and using up your bandwidth.

Step 6: Security

Switch to the Crypto tab of the Cloudflare menu.

(Screenshot: Cloudflare Crypto settings)

SSL Full (strict)
If you have an SSL certificate installed on your server, choose Full or Full (strict). Full means that the data path from browser to Cloudflare to your server is fully encrypted. Full (strict) additionally instructs Cloudflare to validate your certificate on each request. Although you can use Cloudflare’s Universal SSL without having an SSL certificate installed on your server, it’s not recommended, since only the path from the browser to Cloudflare will be encrypted. You can use a free SSL certificate, so there’s really no excuse for not having one installed on your server. You can install the SSL certificate yourself or ask your web hosting provider to install it for you.

(Screenshot: cPanel free SSL certificate via Let’s Encrypt)

Always use HTTPS

Adjust this setting to your own preference. Once you have your SSL certificate installed, you will want to automatically redirect all HTTP requests to HTTPS. You can use Cloudflare to do that, or you can perform the redirect via your .htaccess file or your pre virtual hosts include file, if you have access to your server config files. I’ve chosen to redirect via my server, hence this option is turned off in my Cloudflare settings. Pick one method or the other to redirect, but not both, as doing both adds an extra redirect and slows page loads. If you redirect at the origin, make sure your rule recognises requests that Cloudflare already forwards over HTTPS (as it does in Full and Full (strict) mode); otherwise you can create a redirect loop. If you choose to implement this redirect on your server, you can verify the implementation using the Varvy Redirect Mapper.

Automatic HTTPS rewrites

Once you have your SSL certificate installed and WordPress is accessible via HTTPS, you’ll need to ensure that all links, both internal and external, are configured for HTTPS only. Think of this option as a temporary fix to prevent the dreaded “mixed content” warning in the browser. Ideally, though, you’ll want to change all http links in your content to https. Internal links can be referenced using “relative” links, e.g. /thisisalinkto/mycontent/, and external links can be either protocol-relative, e.g. //example.com/content/ (note the double slash at the beginning), or explicit, i.e. https://example.com/content/. If an external website does not use HTTPS, then the relative link should be used; otherwise, use explicit links for improved performance.

NOTE: Use a free website crawler like Screaming Frog to locate all http links on your website. You can then update your http links manually or using a plugin, e.g. Better Search Replace. MAKE SURE YOU HAVE A FULL BACKUP FIRST.
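The two paragraphs above describe locating hard-coded http links and rewriting them (internal links to root-relative paths, external links to https:// or protocol-relative). This added example, which is not part of the original post, does that scan over a constructed HTML sample and proposes the rewrite for each link it finds; the site host, the list of HTTP-only external hosts and the sample page are all assumptions.

```python
"""Locate hard-coded http:// links in page HTML and propose https-safe rewrites.
Added example, not from the original post; host names and sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"                 # assumption: the WordPress site's own host
HTTP_ONLY_HOSTS = {"legacy.example.net"}  # assumption: external hosts known to lack HTTPS

class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every href/src attribute seen."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, name, value))

def propose_rewrite(url, site_host=SITE_HOST, http_only=HTTP_ONLY_HOSTS):
    """Suggest a replacement for an http:// URL; None if the link is already safe."""
    p = urlsplit(url)
    if p.scheme != "http":
        return None  # https, root-relative or protocol-relative: nothing to do
    host = p.hostname or ""
    if host in (site_host, "www." + site_host):
        # internal link: a root-relative path inherits the page's own scheme
        return urlunsplit(("", "", p.path or "/", p.query, p.fragment))
    if host in http_only:
        # external site without HTTPS: the post recommends a protocol-relative link
        return urlunsplit(("", host, p.path or "/", p.query, p.fragment))
    # external site with HTTPS: explicit https://, as the post recommends
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))

def find_http_links(html, site_host=SITE_HOST):
    """Return (tag, attr, original, suggestion) for each http:// link in html."""
    collector = LinkCollector()
    collector.feed(html)
    return [(tag, attr, url, new) for tag, attr, url in collector.links
            if (new := propose_rewrite(url, site_host)) is not None]

# constructed sample page mixing internal, external and already-safe links
SAMPLE_HTML = """
<a href="http://example.com/about/?ref=nav#team">About</a>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<script src="http://cdn.example.org/lib.js"></script>
<a href="http://legacy.example.net/docs/">Old docs</a>
<a href="https://example.com/secure/">Already HTTPS</a>
"""
```

Calling find_http_links(SAMPLE_HTML) reports the four http:// links with their suggested replacements and ignores the link that is already HTTPS; point it at saved page source (or a crawler export) to review before running a search-and-replace plugin.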

Step 7: Firewall Rules

IMPORTANT: before activating your firewall rules, be sure to first whitelist your own IP address:

(Screenshot: firewall rule whitelisting your own IP address)

On the Free plan, you are allowed to create 5 firewall rules. Here are some examples.

You can block an entire country by creating a firewall rule:

(Screenshot: firewall rule blocking a country)

You can protect your plugins folder by creating a firewall rule:

(Screenshot: firewall rule protecting the plugins folder)

You only have 5 custom firewall rules available on the Free plan so use them wisely. Make sure that you are not duplicating actions that are already happening via a security plugin.

By implementing these 7 steps, you’ll have a solid setup for using Cloudflare with WordPress.