How to Set Up Cloudflare CDN: Full Speed & Security Guide
Speed up your site 30-60% with Cloudflare's free CDN, get DDoS protection and free SSL. DNS change, cache settings, and performance tips.
Cloudflare is the most widely used CDN + security service — even the free plan speeds your site up 30-60%, gives DDoS protection, and offers free SSL. This guide covers account setup, DNS change, cache settings, and performance tips.
What does Cloudflare do?
- CDN: serves static content (CSS, JS, images) from 300+ data centers globally → visitors hit the nearest one
- DDoS protection: absorbs volumetric attacks at backbone scale (DDoS post)
- WAF: blocks SQL injection, XSS, and similar attacks
- Free SSL: domain-level SSL
- Bot management: auto-blocks bad bots
- Image optimization: WebP/AVIF conversion (Pro+)
1. Create account + add site
- https://www.cloudflare.com/ → Sign Up → free account
- Dashboard → Add a Site → enter your domain → choose Free plan
- Cloudflare auto-scans existing DNS records → check the A/AAAA/CNAME/MX list
2. Change nameservers
Cloudflare gives you 2 nameservers:
xxx.ns.cloudflare.com
yyy.ns.cloudflare.comAt your domain registrar (GoDaddy, Namecheap, etc.):
- Domain → Manage → Nameservers → Custom
- Paste Cloudflare’s 2 NS → save
DNS propagation takes 5 minutes to 24 hours. Cloudflare emails you on activation.
3. Proxy setting (important)
In the DNS panel, each A/CNAME record has a cloud icon:
- 🟠 Orange (Proxied): traffic goes through Cloudflare (CDN + DDoS + WAF active)
- ⚫ Gray (DNS only): DNS only, traffic hits your server directly
For WordPress, blogs, web sites: orange ✓ For SSH, FTP, mail: gray (Cloudflare doesn’t proxy non-HTTP/HTTPS)
4. SSL/TLS settings
SSL/TLS → Overview:
- Encryption mode: pick Full (strict)
- Off: no SSL (don’t)
- Flexible: only Cloudflare↔visitor encrypted, server gets plain HTTP (insecure)
- Full: both directions encrypted, but server cert not validated
- Full (strict): fully secure — requires Let’s Encrypt on your server (our post)
SSL/TLS → Edge Certificates:
- Always Use HTTPS ✓
- Automatic HTTPS Rewrites ✓
- Min TLS version: TLS 1.2
5. Cache settings
Caching → Configuration:
- Caching Level: Standard (default, ideal for most sites)
- Browser Cache TTL: 4 hours - 1 month (long if your static content rarely changes)
- Always Online: ✓ (when your server is down, Cloudflare serves from cache)
Caching → Tiered Cache:
- ✓ Enable — cross-region cache sharing, increases hit rate
6. Page Rules (advanced)
Free plan has 3 rules. Most useful 3:
Rule 1: bypass cache for WP admin
URL pattern: *yoursite.com/wp-admin*
- Cache Level: Bypass
- Disable Performance
Rule 2: bypass cache for WP login
URL pattern: *yoursite.com/wp-login.php*
- Cache Level: Bypass
Rule 3: long cache for static files
URL pattern: *yoursite.com/wp-content/uploads/*
- Edge Cache TTL: a month
- Browser Cache TTL: a month
7. Performance settings
Speed → Optimization:
- Auto Minify: HTML, CSS, JS all ✓ (deprecated; do via plugins now)
- Brotli: ✓ (20% smaller than gzip)
- Early Hints: ✓ (LCP improvement)
- Rocket Loader: ❌ (often breaks WordPress)
8. Firewall (Cloudflare-only mode)
Against attackers bypassing Cloudflare, allow only Cloudflare IPs in your server firewall:
# UFW example (full list)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
sudo ufw allow from $ip to any port 80,443 proto tcp
done
sudo ufw deny 80/tcp
sudo ufw deny 443/tcpDetails in our UFW post.
9. Cloudflare plugin for WordPress
WP plugin → Cloudflare → connect API key → automatic cache purging, dynamic content cache settings.
Performance check
After activation, test:
- https://gtmetrix.com/ — compare TTFB and LCP
- https://www.webpagetest.org/ — waterfall view
- DevTools → Network → response headers should show
cf-cache-status: HIT
In the first 24 hours, cache “warms up” — speed gains are gradual.
Common issues
- “Too many redirects”: SSL mode “Flexible” but WP serves HTTPS → switch to Full (strict)
- “Error 521 - Web server is down”: server actually down or doesn’t allow Cloudflare → check firewall
- “Error 525 - SSL handshake failed”: no Let’s Encrypt on server → install
- WordPress admin slow: wp-admin being cached → bypass via Page Rule
- API/AJAX errors: some endpoints shouldn’t be cached → bypass via Page Rule
Conclusion
Cloudflare’s free plan = performance + security + SSL in one shot. First-thing-to-do for WordPress or any web site.
Cloudflare + KavesNET VDS + Let’s Encrypt + WP Rocket = production-ready stack.
Related: DDoS Protection · Let’s Encrypt SSL
相关 文章
您可能也喜欢这些。
The 3-2-1 Backup Rule: How to Never Lose Server Data
The 3-2-1 backup rule is the gold standard for server backup strategy. We cover the rule, automation, and KavesNET's backup infrastructure.
阅读更多
How to Migrate a Site from Plesk to Plesk: Migrator Tool Guide
Move sites, mail, DB, and DNS in one shot with Plesk Migrator. Step-by-step setup, test migration, and cutover.
阅读更多
FileZilla: VDS-to-VDS File Migration Guide
Move your site from old to new VDS: FileZilla over FTP/SFTP, speed tips, permissions, and error handling.
阅读更多