Back to Hosting & Infrastructure
Hosting & Infrastructure12 min read time

Setting Up Cloudflare: Complete Beginners Guide

Step-by-step guide to setting up Cloudflare for your website. From sign-up to configuration - everything for a faster, more secure site.

Cloudflare is one of the most powerful free tools to make your website faster and more secure. In this guide, we take you step by step through the setup and configuration.

What is Cloudflare?

Cloudflare is a service that sits between your visitors and your server. It offers:

  • CDN (Content Delivery Network): Your content is cached worldwide
  • DDoS Protection: Attacks are automatically blocked
  • SSL Certificate: Free HTTPS for your website
  • Performance: Optimizations for faster load times
  • Security: Firewall and bot protection

How Does It Work?

Visitor → Cloudflare → Your Server
              ↓
       Cache, Security, Optimization

Cloudflare intercepts all traffic to your site, filters malicious traffic, serves cached content where possible, and only forwards legitimate requests to your server.

Creating an Account

Step 1: Register

  1. Go to cloudflare.com
  2. Click "Sign Up"
  3. Enter your email address and password
  4. Confirm your email

Step 2: Add Site

  1. Click "Add a Site"
  2. Enter your domain name (without www)
  3. Select the Free plan (or paid if you want)
  4. Cloudflare scans your current DNS records

Step 3: Verify DNS Records

Cloudflare imports your current DNS records. Check:

  • [ ] All records have been imported
  • [ ] A records point to correct IP
  • [ ] MX records for email are correct
  • [ ] Any subdomains are present

Orange cloud = Traffic goes through Cloudflare (proxied) Gray cloud = Direct to server (DNS only)

Step 4: Change Nameservers

Cloudflare gives you two nameservers, for example:

adam.ns.cloudflare.com
bella.ns.cloudflare.com

At your domain registrar:

  1. Log in to your domain provider
  2. Go to DNS settings
  3. Change nameservers to Cloudflare's nameservers
  4. Wait for propagation (up to 24 hours, usually faster)

Note: After changing, you manage DNS entirely through Cloudflare.

Basic Configuration

SSL/TLS Settings

Go to: SSL/TLS → Overview

Encryption mode choices:

| Mode | Description | When to use | |------|-------------|-------------| | Off | No encryption | Never | | Flexible | HTTPS to Cloudflare, HTTP to server | Temporary solution | | Full | HTTPS end-to-end, self-signed cert OK | If you have your own SSL | | Full (Strict) | HTTPS end-to-end, valid cert required | Recommended |

Recommendation: Full (Strict) with a valid SSL certificate on your server.

Edge Certificates:

  • Enable "Always Use HTTPS"
  • Enable "Automatic HTTPS Rewrites"

Caching Settings

Go to: Caching → Configuration

Caching Level:

  • Standard: Recommended for most sites
  • Aggressive: More caching, check if dynamic content works correctly

Browser Cache TTL:

  • Respect Existing Headers: Use settings from your server
  • Or choose a specific time (4 hours is a good starting point)

Purge Cache: When you make changes that are not visible:

  1. Go to Caching → Configuration
  2. Click "Purge Everything"
  3. Or purge specific URLs

Speed Optimizations

Go to: Speed → Optimization

Auto Minify:

  • JavaScript: On
  • CSS: On
  • HTML: On

Brotli:

  • Enable for better compression

Rocket Loader (experimental):

  • Test well, can cause JavaScript problems
  • Disable if you experience issues

Polish (Pro plan):

  • Automatic image optimization
  • WebP conversion

Firewall Settings

Go to: Security → WAF

Security Level:

  • Essentially Off: No protection
  • Low: Only worst threats
  • Medium: Recommended
  • High: Stricter, can give false positives
  • I'm Under Attack: Only during active attack

Bot Fight Mode:

  • Enable for basic bot protection

Browser Integrity Check:

  • Enable (checks for suspicious headers)

DNS Management

Adding Records

Go to: DNS → Records

A Record (IPv4):

Type: A
Name: @ (for root domain) or subdomain
IPv4 address: Your server IP
Proxy status: Proxied (orange cloud)

CNAME Record:

Type: CNAME
Name: www
Target: example.com
Proxy status: Proxied

MX Record (email):

Type: MX
Name: @
Mail server: mail.provider.com
Priority: 10
Proxy status: DNS only (gray - MUST for email)

TXT Record (verification, SPF, etc.):

Type: TXT
Name: @
Content: v=spf1 include:_spf.google.com ~all

Important Tips

  1. Email records: Never proxied, always DNS only
  2. Subdomains: Add each subdomain separately
  3. TTL: Auto is fine for most cases
  4. Proxy: Enable for CDN/security benefits

Page Rules

Page Rules let you set specific behavior per URL pattern.

Go to: Rules → Page Rules

Useful Page Rules

Cache everything for static assets:

URL: *example.com/wp-content/*
Setting: Cache Level → Cache Everything
Setting: Edge Cache TTL → a month

Bypass cache for admin:

URL: *example.com/wp-admin/*
Setting: Cache Level → Bypass
Setting: Security Level → High

Redirect www to non-www:

URL: www.example.com/*
Setting: Forwarding URL (301)
Target: https://example.com/$1

Redirect HTTP to HTTPS:

URL: http://*example.com/*
Setting: Always Use HTTPS

Note: Free plan has 3 page rules. Priority: from top to bottom.

Advanced Features

Firewall Rules

Go to: Security → WAF → Custom rules

Example: Block specific countries:

(ip.geoip.country in {"CN" "RU"})
Action: Block

Example: Protect login page:

(http.request.uri.path contains "/wp-login.php")
Action: Managed Challenge

Rate Limiting

Go to: Security → WAF → Rate limiting rules

Limit the number of requests per IP:

If: URI Path contains /api/
Rate: 100 requests per 10 seconds
Action: Block

Workers (advanced)

Cloudflare Workers are serverless functions at the edge.

Use cases:

  • Custom redirects
  • A/B testing
  • Header modification
  • Edge-side includes

Go to: Workers & Pages

WordPress Specific Setup

Recommended Settings

SSL/TLS:

  • Full (Strict) with SSL on server

Caching:

  • Caching Level: Standard
  • Browser Cache TTL: 4 hours

Speed:

  • Auto Minify: All on
  • Brotli: On
  • Rocket Loader: Test first, often off

Page Rules:

1. *example.com/wp-admin/*
   - Cache Level: Bypass
   - Security Level: High

2. *example.com/wp-content/*
   - Cache Level: Cache Everything
   - Edge Cache TTL: 1 month

WordPress Plugin

Install the official Cloudflare plugin:

  1. Plugins → Add New
  2. Search for "Cloudflare"
  3. Install and activate
  4. Connect with your Cloudflare account

Features:

  • Automatic cache purge on changes
  • Apply optimal settings
  • Activate APO (Automatic Platform Optimization)

APO (Pro feature)

Automatic Platform Optimization for WordPress:

  • Caches complete HTML pages
  • Drastic speed improvement
  • $5/month extra or included with Pro

Troubleshooting

Site Not Accessible

Check:

  1. Are nameservers correctly changed?
  2. Is propagation complete? (check via whatsmydns.net)
  3. Does the A record point to the correct IP?
  4. Is your server accessible? (test via DNS only mode)

Temporary fix: Set Proxy status to DNS only (gray cloud) to bypass Cloudflare.

SSL Errors

Error 525: SSL Handshake Failed

  • Your server does not have a valid SSL certificate
  • Fix: Install SSL on server or use Flexible mode temporarily

Error 526: Invalid SSL Certificate

  • SSL certificate on server is invalid/expired
  • Fix: Renew or install valid certificate

Redirect Loop:

  • Cloudflare and server both redirect to HTTPS
  • Fix: Disable SSL redirect on server or use Full mode

Cache Problems

Changes not visible:

  1. Purge cache in Cloudflare
  2. Clear browser cache
  3. Test in incognito mode
  4. Check page rules that force caching

Dynamic content cached:

  • Add query string: ?nocache=1
  • Create page rule to bypass
  • Use Cache-Control headers

Performance Problems

Site slow via Cloudflare:

  1. Check if origin server is fast (bypass Cloudflare to test)
  2. Review Rocket Loader (disable if JavaScript problems)
  3. Check for large non-cached resources
  4. Analyze with Browser DevTools

Best Practices

Security

  • [ ] SSL on Full (Strict) with valid cert
  • [ ] Security Level on Medium
  • [ ] Bot Fight Mode on
  • [ ] Firewall rules for admin pages
  • [ ] Two-factor authentication for Cloudflare account

Performance

  • [ ] Auto Minify on for JS, CSS, HTML
  • [ ] Brotli compression on
  • [ ] Correct cache settings
  • [ ] Page rules for static content
  • [ ] APO for WordPress (paid)

Maintenance

  • [ ] Monitor Analytics for issues
  • [ ] Regularly check security events
  • [ ] Purge cache after major changes
  • [ ] Keep DNS records up-to-date

Post-Setup Checklist

  • [ ] Nameservers changed and propagated
  • [ ] SSL/TLS on correct mode
  • [ ] Always HTTPS enabled
  • [ ] Auto Minify configured
  • [ ] Brotli on
  • [ ] Security Level set
  • [ ] Bot protection on
  • [ ] Page rules configured
  • [ ] WordPress plugin installed (if applicable)
  • [ ] Test site thoroughly

Conclusion

Cloudflare is a powerful, largely free tool that every website should use. The basic setup is simple:

  1. Create account
  2. Add site
  3. Change nameservers
  4. Configure basic settings

Start with the standard settings and optimize as you go. Most problems come from too aggressive cache settings or SSL misconfiguration.

Need help with Cloudflare configuration? Contact us.

Further Reading

More hosting & infrastructure guides

Choosing Web Hosting: Complete Guide for Beginners

Everything you need to know about web hosting. From shared hosting to dedicated servers - make the right choice for your website.

Website Security: Essential Measures for Every Site

Protect your website from hackers and malware. From SSL to backups - all security measures you need to take.

Website Monitoring: Keep Your Site Online and Fast

Learn how to monitor your website for uptime, performance, and errors. From free tools to professional monitoring solutions.

Need help?

Do you have questions about this guide or need help with implementation?

Contact us