How to Set Up Cloudflare CDN: Full Speed & Security Guide
Cloudflare is the most widely used CDN + security service — even the free plan speeds your site up 30-60%, gives DDoS protection, and offers free SSL. This guide covers account setup, DNS change, cache settings, and performance tips.
What does Cloudflare do?
- CDN: serves static content (CSS, JS, images) from 300+ data centers globally → visitors hit the nearest one
- DDoS protection: absorbs volumetric attacks at backbone scale (DDoS post)
- WAF: blocks SQL injection, XSS, and similar attacks
- Free SSL: domain-level SSL
- Bot management: auto-blocks bad bots
- Image optimization: WebP/AVIF conversion (Pro+)
1. Create account + add site
- https://www.cloudflare.com/ → Sign Up → free account
- Dashboard → Add a Site → enter your domain → choose Free plan
- Cloudflare auto-scans existing DNS records → check the A/AAAA/CNAME/MX list
2. Change nameservers
Cloudflare gives you 2 nameservers:
xxx.ns.cloudflare.com
yyy.ns.cloudflare.com
At your domain registrar (GoDaddy, Namecheap, etc.):
- Domain → Manage → Nameservers → Custom
- Paste Cloudflare’s 2 NS → save
DNS propagation takes 5 minutes to 24 hours. Cloudflare emails you on activation.
3. Proxy setting (important)
In the DNS panel, each A/CNAME record has a cloud icon:
- 🟠 Orange (Proxied): traffic goes through Cloudflare (CDN + DDoS + WAF active)
- ⚫ Gray (DNS only): DNS only, traffic hits your server directly
- For WordPress, blogs, web sites: orange ✓
- For SSH, FTP, mail: gray (Cloudflare doesn’t proxy non-HTTP/HTTPS)
4. SSL/TLS settings
SSL/TLS → Overview:
- Encryption mode: pick Full (strict)
  - Off: no SSL (don’t)
  - Flexible: only Cloudflare↔visitor encrypted, server gets plain HTTP (insecure)
  - Full: both directions encrypted, but server cert not validated
  - Full (strict): fully secure — requires Let’s Encrypt on your server (our post)
SSL/TLS → Edge Certificates:
- Always Use HTTPS ✓
- Automatic HTTPS Rewrites ✓
- Min TLS version: TLS 1.2
5. Cache settings
Caching → Configuration:
- Caching Level: Standard (default, ideal for most sites)
- Browser Cache TTL: 4 hours - 1 month (long if your static content rarely changes)
- Always Online: ✓ (when your server is down, Cloudflare serves from cache)
Caching → Tiered Cache:
- ✓ Enable — cross-region cache sharing, increases hit rate
6. Page Rules (advanced)
The free plan has 3 rules. The 3 most useful:
Rule 1: bypass cache for WP admin
URL pattern: *yoursite.com/wp-admin*
- Cache Level: Bypass
- Disable Performance
Rule 2: bypass cache for WP login
URL pattern: *yoursite.com/wp-login.php*
- Cache Level: Bypass
Rule 3: long cache for static files
URL pattern: *yoursite.com/wp-content/uploads/*
- Edge Cache TTL: a month
- Browser Cache TTL: a month
7. Performance settings
Speed → Optimization:
- Auto Minify: HTML, CSS, JS all ✓ (deprecated; do via plugins now)
- Brotli: ✓ (20% smaller than gzip)
- Early Hints: ✓ (LCP improvement)
- Rocket Loader: ❌ (often breaks WordPress)
8. Firewall (Cloudflare-only mode)
To stop attackers from bypassing Cloudflare and reaching your server directly, allow only Cloudflare IPs in your server firewall:
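# UFW example (IPv4 list; repeat with https://www.cloudflare.com/ips-v6 for IPv6)
# -f makes curl fail on an HTTP error instead of feeding an error page to the loop
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do
  sudo ufw allow from "$ip" to any port 80,443 proto tcp
done
# Deny everything else on the web ports; the allow rules above match first
sudo ufw deny 80/tcp
sudo ufw deny 443/tcp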
Details in our UFW post.
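A dry-run variant of the loop above, as an added example that is not part of the original guide: it validates the range list before emitting any rule, so a failed or garbage download cannot leave the two deny rules in place with no allow rules. The function names `is_cidr` and `build_rules` are hypothetical, and the sample ranges are constructed documentation ranges, not Cloudflare's.

```shell
#!/bin/sh
# Added example: dry-run builder for the Cloudflare-only UFW rule set.

# True if $1 looks like an IPv4 or IPv6 CIDR block.
is_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
    -e '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Read a range list on stdin and print the ufw commands on stdout.
# Fails without printing any rule if the list is empty or has a non-CIDR
# line (failed download, HTML error page), so the deny rules are never
# produced without the matching allow rules.
build_rules() {
  rules=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    [ -z "$line" ] && continue
    if ! is_cidr "$line"; then
      echo "rejecting list, bad entry: $line" >&2
      return 1
    fi
    rules="${rules}ufw allow from $line to any port 80,443 proto tcp
"
  done
  if [ -z "$rules" ]; then
    echo "empty range list" >&2
    return 1
  fi
  printf '%sufw deny 80/tcp\nufw deny 443/tcp\n' "$rules"
}

# Constructed sample list (documentation ranges, not Cloudflare's real ones).
SAMPLE_RANGES='192.0.2.0/24
203.0.113.0/24
2001:db8::/32'

# Dry run on the sample. Real use, reviewing the output before running it
# with sudo:  curl -fsS https://www.cloudflare.com/ips-v4 | build_rules
printf '%s\n' "$SAMPLE_RANGES" | build_rules
```

UFW evaluates rules in order and stops at the first match, so an older `ufw allow 80/tcp` or `ufw allow 443/tcp` ahead of these rules still admits direct traffic; check with `ufw status numbered`.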
9. Cloudflare plugin for WordPress
WP plugin → Cloudflare → connect API key → automatic cache purging, dynamic content cache settings.
Performance check
After activation, test:
- https://gtmetrix.com/ — compare TTFB and LCP
- https://www.webpagetest.org/ — waterfall view
- DevTools → Network → response headers should show
cf-cache-status: HIT
In the first 24 hours, cache “warms up” — speed gains are gradual.
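The header check above can be scripted against the three Page Rules from section 6. This is an added example, not code from the original guide: the function names are hypothetical, the responses are constructed samples, and treating both `BYPASS` and `DYNAMIC` as "not served from cache" is an assumption about how a bypassed path shows up.

```shell
#!/bin/sh
# Added example: compare cf-cache-status with the intent of each Page Rule.

# Print the cf-cache-status value found in raw response headers on stdin.
# Header names are case-insensitive and lines end in CRLF; prints ABSENT
# when the header is missing.
cache_status() {
  status=$(tr -d '\r' | awk -F': *' \
    'tolower($1) == "cf-cache-status" { print toupper($2); exit }')
  printf '%s\n' "${status:-ABSENT}"
}

# Judge a status against the intent of the rule for that path.
verdict() {  # usage: verdict <cached|bypass> <status>
  case "$1:$2" in
    cached:HIT) echo ok ;;
    cached:MISS|cached:EXPIRED|cached:REVALIDATED) echo warming ;;
    bypass:BYPASS|bypass:DYNAMIC) echo ok ;;
    *:ABSENT) echo no-header ;;
    *) echo mismatch ;;
  esac
}

# Constructed samples standing in for: curl -sI "https://yoursite.com$1"
sample_headers() {
  case "$1" in
    /wp-content/uploads/logo.png)
      printf 'HTTP/2 200\r\nserver: cloudflare\r\nCF-Cache-Status: HIT\r\n\r\n' ;;
    /wp-admin/)
      printf 'HTTP/2 302\r\nserver: cloudflare\r\ncf-cache-status: DYNAMIC\r\n\r\n' ;;
    /wp-login.php)  # misconfigured on purpose: login page served from cache
      printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-cache-status: HIT\r\n\r\n' ;;
  esac
}

# Prints "<path> <status> <verdict>".
check_path() {  # usage: check_path <cached|bypass> <path>
  st=$(sample_headers "$2" | cache_status)
  printf '%s %s %s\n' "$2" "$st" "$(verdict "$1" "$st")"
}

check_path cached /wp-content/uploads/logo.png
check_path bypass /wp-admin/
check_path bypass /wp-login.php
```

A `mismatch` on `/wp-admin/` or `/wp-login.php` means a bypass rule is not matching and authenticated pages may be served from cache; `warming` on uploads is expected during the first day.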
Common issues
- “Too many redirects”: SSL mode “Flexible” but WP serves HTTPS → switch to Full (strict)
- “Error 521 - Web server is down”: server actually down or doesn’t allow Cloudflare → check firewall
- “Error 525 - SSL handshake failed”: no Let’s Encrypt on server → install
- WordPress admin slow: wp-admin being cached → bypass via Page Rule
- API/AJAX errors: some endpoints shouldn’t be cached → bypass via Page Rule
Conclusion
Cloudflare’s free plan = performance + security + SSL in one shot. First-thing-to-do for WordPress or any web site.
Cloudflare + KavesNET VDS + Let’s Encrypt + WP Rocket = production-ready stack.
Related: DDoS Protection · Let’s Encrypt SSL