How to Set Up Cloudflare CDN: Full Speed & Security Guide

Cloudflare is the most widely used CDN + security service — even the free plan speeds your site up 30-60%, gives DDoS protection, and offers free SSL. This guide covers account setup, DNS change, cache settings, and performance tips.

What does Cloudflare do?

• CDN: serves static content (CSS, JS, images) from 300+ data centers globally → visitors hit the nearest one
• DDoS protection: absorbs volumetric attacks at backbone scale (DDoS post)
• WAF: blocks SQL injection, XSS, and similar attacks
• Free SSL: domain-level SSL
• Bot management: auto-blocks bad bots
• Image optimization: WebP/AVIF conversion (Pro+)

1. Create account + add site

1. https://www.cloudflare.com/ → Sign Up → free account
2. Dashboard → Add a Site → enter your domain → choose Free plan
3. Cloudflare auto-scans existing DNS records → check the A/AAAA/CNAME/MX list

2. Change nameservers

Cloudflare gives you 2 nameservers:

xxx.ns.cloudflare.com
yyy.ns.cloudflare.com

At your domain registrar (GoDaddy, Namecheap, etc.):

• Domain → Manage → Nameservers → Custom
• Paste Cloudflare’s 2 NS → save

DNS propagation takes 5 minutes to 24 hours. Cloudflare emails you on activation.

3. Proxy setting (important)

In the DNS panel, each A/CNAME record has a cloud icon:

• 🟠 Orange (Proxied): traffic goes through Cloudflare (CDN + DDoS + WAF active)
• ⚫ Gray (DNS only): DNS only, traffic hits your server directly

For WordPress, blogs, web sites: orange ✓ For SSH, FTP, mail: gray (Cloudflare doesn’t proxy non-HTTP/HTTPS)

4. SSL/TLS settings

SSL/TLS → Overview:

• Encryption mode: pick Full (strict)
  • Off: no SSL (don’t)
  • Flexible: only Cloudflare↔visitor encrypted, server gets plain HTTP (insecure)
  • Full: both directions encrypted, but server cert not validated
  • Full (strict): fully secure — requires Let’s Encrypt on your server (our post)

SSL/TLS → Edge Certificates:

• Always Use HTTPS ✓
• Automatic HTTPS Rewrites ✓
• Min TLS version: TLS 1.2

5. Cache settings

Caching → Configuration:

• Caching Level: Standard (default, ideal for most sites)
• Browser Cache TTL: 4 hours - 1 month (long if your static content rarely changes)
• Always Online: ✓ (when your server is down, Cloudflare serves from cache)

Caching → Tiered Cache:

• ✓ Enable — cross-region cache sharing, increases hit rate

6. Page Rules (advanced)

Free plan has 3 rules. Most useful 3:

Rule 1: bypass cache for WP admin

URL pattern: *yoursite.com/wp-admin*

• Cache Level: Bypass
• Disable Performance

Rule 2: bypass cache for WP login

URL pattern: *yoursite.com/wp-login.php*

• Cache Level: Bypass

Rule 3: long cache for static files

URL pattern: *yoursite.com/wp-content/uploads/*

• Edge Cache TTL: a month
• Browser Cache TTL: a month

7. Performance settings

Speed → Optimization:

• Auto Minify: HTML, CSS, JS all ✓ (deprecated; do via plugins now)
• Brotli: ✓ (20% smaller than gzip)
• Early Hints: ✓ (LCP improvement)
• Rocket Loader: ❌ (often breaks WordPress)

8. Firewall (Cloudflare-only mode)

Against attackers bypassing Cloudflare, allow only Cloudflare IPs in your server firewall:

# UFW example (full list)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    sudo ufw allow from $ip to any port 80,443 proto tcp
done
sudo ufw deny 80/tcp
sudo ufw deny 443/tcp

Details in our UFW post.

9. Cloudflare plugin for WordPress

WP plugin → Cloudflare → connect API key → automatic cache purging, dynamic content cache settings.

Performance check

After activation, test:

• https://gtmetrix.com/ — compare TTFB and LCP
• https://www.webpagetest.org/ — waterfall view
• DevTools → Network → response headers should show cf-cache-status: HIT

In the first 24 hours, cache “warms up” — speed gains are gradual.

Common issues

• “Too many redirects”: SSL mode “Flexible” but WP serves HTTPS → switch to Full (strict)
• “Error 521 - Web server is down”: server actually down or doesn’t allow Cloudflare → check firewall
• “Error 525 - SSL handshake failed”: no Let’s Encrypt on server → install
• WordPress admin slow: wp-admin being cached → bypass via Page Rule
• API/AJAX errors: some endpoints shouldn’t be cached → bypass via Page Rule

Conclusion

Cloudflare’s free plan = performance + security + SSL in one shot. First-thing-to-do for WordPress or any web site.

Cloudflare + KavesNET VDS + Let’s Encrypt + WP Rocket = production-ready stack.

Related: DDoS Protection · Let’s Encrypt SSL