
Cloudflare Setup
Quick and Easy Step-by-Step Guide
Disclosure: This content is reader-supported. If you click on my links, I may earn a commission. Read more...
Signup
Step 1 To start the Cloudflare setup, fill in your e-mail address and a strong password, then click “Create Account”.

Step 2 Fill in your website address and click “Add Site”.

Step 3 You can tell Cloudflare to scan your website’s existing DNS records. Click “Next“.

Step 4 Please choose your preferred Cloudflare plan during setup. Start with “Basic” and upgrade whenever you need it. You can “Learn more” or click on “Confirm Plan“.

Step 5 Now you need to double-check that all required DNS records are listed for your domain. Don’t worry, you can modify DNS records afterward if there is an urgent need. When you are confident, click “Continue”; otherwise consult a professional.

Step 6 Change the nameservers at your domain registrar so that your domain points to Cloudflare. If you don’t know where to start, check “I Need Help Changing My Nameservers”. There you can find over 30 step-by-step guides for changing the nameservers at the most popular registrars. Meanwhile, you can click “Continue”.

Step 7 Now you just need to wait. It may take up to 24 hours after you have changed the nameservers. You will receive an e-mail once your setup has succeeded and your website has become active on Cloudflare. Simple!

Step 8 Make sure your domain status has changed from “Pending Nameserver Update” to “Active”.

Step 9 There is only one last thing to do. Please check your inbox and click on the confirmation e-mail link. Done? Congratulations, you have successfully signed up! Please proceed with setting up Cloudflare.

SSL/TLS (Cloudflare Setup)
Overview
Your SSL/TLS encryption mode Full (strict)
Encrypt communication to and from your website using SSL. By default, Cloudflare provides universal SSL certificates when SSL is turned on. I strongly suggest ordering a dedicated certificate(s).
NB! Make sure that when using the Full (strict) option you have a valid certificate installed on your origin server.
Note
You can create a certificate for your origin server when navigating to SSL/TLS > Origin Server > Origin Certificates.
Edge Certificates
Manage and purchase SSL certificates that will be served to your web visitors.
Plans:
- Basic – includes Cloudflare Universal SSL certificate pack.
- Business – enables the feature to upload any SSL certificates.
You can order a dedicated certificate with custom hostnames.
Always Use HTTPS On
Redirect all requests with scheme HTTP to HTTPS. This applies to all HTTP requests to the zone. It is strongly suggested to turn this feature on to force clients to use a secure connection.
NB! Your origin server must support HTTPS connections first.
HTTP Strict Transport Security (HSTS)
Enforces a web security policy for your website. This is an advanced technique and certainly recommended for online stores. You can read more about How to Submit HSTS Preload Requests.
NB! All your subdomains must support HTTPS connections and have a valid certificate installed.
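As an added example (not from the original page), a Python check of the Strict-Transport-Security header your site serves against the three directive requirements of the HSTS preload list; the one-year minimum max-age is taken from hstspreload.org, not from this page, and the header strings are constructed.

```python
# Preload list requirement (assumption taken from hstspreload.org, not this page):
# max-age of at least one year, plus includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000  # seconds

def parse_hsts(header):
    """Parse a Strict-Transport-Security header into {directive: value}.
    Directive names are case-insensitive; max-age is returned as an int,
    valueless directives (includeSubDomains, preload) as True."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives

def check_preload_ready(header):
    """Return the problems that would block an HSTS preload submission;
    an empty list means the header meets the directive requirements.
    Whether every subdomain actually serves valid HTTPS (the NB above)
    still has to be checked separately."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "max-age" not in d:
        problems.append("max-age directive missing")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (all subdomains must serve HTTPS)")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

# Constructed headers: the first passes, the second is a typical weak default.
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=86400"
```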
Minimum TLS Version TLS 1.2
Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer.
Recommendation
Allow the TLS protocol from version 1.2 onward. Both TLS 1.0 and TLS 1.1 are expected to be discontinued by 2021.
Opportunistic Encryption On
If your website supports the improved performance of HTTP/2, turning on this setting is recommended. Opportunistic Encryption lets browsers know that your site is available over an encrypted connection.
TLS 1.3 Enabled
Enable the latest version of the TLS protocol for improved security and performance. It is strongly suggested to enable this feature, as roughly 30% of traffic already uses TLS 1.3.
Automatic HTTPS Rewrites On
Automatic HTTPS Rewrites helps fix mixed content by changing HTTP to HTTPS for all resources or links on your website that can be served over HTTPS. It is strongly suggested to turn this feature on to avoid the browser’s “mixed content” errors when HTTP and HTTPS are mixed within the website.
Certificate Transparency Monitoring (Beta) Off
Receive an e-mail when a Certificate Authority issues a certificate for your domain. This is currently in the beta phase, and it is recommended to keep it off.
Disable Universal SSL
Disabling Universal SSL removes any currently active Universal SSL certificates for your zone from the edge and prevents any future Universal SSL certificates from being ordered. If there are no dedicated certificates or custom certificates uploaded for the domain, visitors will be unable to access the domain over HTTPS.
NB! Make sure that you install a new dedicated SSL certificate before disabling the Universal SSL certificate.
Origin Server
Origin Certificates
Generate a free TLS certificate signed by Cloudflare to install on your origin server. Origin Certificates are only valid for encryption between Cloudflare and your origin server.
Recommendation for Advanced Users
When setting up Full (strict) SSL/TLS encryption mode, your origin server can also use a valid certificate signed by the Cloudflare Origin CA. When your origin server uses the cPanel manager, it is strongly recommended to create a Certificate Signing Request (CSR) on your server. After that, paste your CSR into Cloudflare to get a valid certificate for your origin server. If you proceed differently, there may be problems importing the certificate into cPanel, or you may need to convert the certificate to another format.
Authenticated Origin Pulls On
Cloudflare presents a TLS client certificate for authentication on each origin pull. This feature lets your origin verify that incoming requests originate from the Cloudflare network only.
NB! Setting this directive may require a VPS or dedicated hosting solution.
Apache
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
Nginx
ssl_client_certificate /path/to/origin-pull-ca.crt;
ssl_verify_client on;
Firewall (Cloudflare Setup)
Managed Rules
Web Application Firewall (WAF) Pro Plan On
It provides enhanced security through a built-in ruleset to stop a wide range of application attacks. WAF blocks requests that contain malicious content and provides strong security without impacting performance. You will get protection for common attacks like cross-site scripting, SQL injections, and many more.
NB! It is strongly suggested to turn this feature on to activate security packages like OWASP, Cloudflare Rules, and any custom rules.
Cloudflare Managed Ruleset Pro Plan On
Cloudflare’s Managed Ruleset has been created by Cloudflare security engineers and is designed to provide fast and performant protection for your applications. This ruleset is updated and improved on a frequent basis to cover new vulnerabilities and to improve false-positive rates.
Strong Recommendation
It is strongly recommended to enable at least the Cloudflare Specials ruleset. When your website uses the WordPress CMS, the Cloudflare Php and Cloudflare WordPress rulesets must also be enabled.
Package: OWASP ModSecurity Core Rule Set Pro Plan High, Challenge
Covers the OWASP Top 10 vulnerabilities, and more. It is strongly recommended to turn on most OWASP rules when your website (e.g. an online store) collects and stores valuable data that attackers are after. Skip rulesets for platforms you don’t use, e.g. Joomla and phpBB.
NB! When your website uses the WordPress CMS, the OWASP Slr Et WordPress Attacks ruleset must also be enabled.
Firewall Rules
Firewall Rules Coming Soon
Tools
Zone Lockdown Coming Soon
Settings
Security Level Medium
Adjust your website’s Security Level to determine which visitors will receive a challenge page.
NB! When running a website containing customers’ data, you should set this to at least Medium.
Bot Fight Mode On
There are thousands if not millions of bots out there, and these automated workers may slow down your website significantly when they make frequent requests. Turning on this option is highly recommended.
JavaScript Detections Off
Use lightweight, invisible JavaScript detections to improve Bot Management products. Although it contributes to a better and more secure web, I suggest keeping this feature off for now.
Challenge Passage 30 minutes
Specify how long a visitor with a bad IP reputation is allowed access to your website after completing a challenge. After the Challenge Passage TTL expires, the visitor in question will have to pass a new Challenge.
Browser Integrity Check On
Evaluate HTTP headers from your visitors’ browsers for threats. If a threat is found, a block page will be delivered.
NB! This may block access to your API. You can selectively enable or disable this feature for any part of your domain using page rules.
Privacy Pass Support On
Privacy Pass is a browser extension developed by a dedicated team to improve the browsing experience for your visitors. Enabling this feature will reduce the number of CAPTCHAs shown to your visitors.
NB! This works only for the websites using Cloudflare.
Speed (Cloudflare Setup)
Optimization
Polish Pro Plan Lossless, WebP
Improve image load time by optimizing images hosted on your domain. Optionally, the WebP image codec can be used with supported clients for additional performance benefits.
NB! Purge cache to have your change take effect immediately.
Auto Minify JavaScript, CSS, HTML
Reduce the file size of the source code on your website. Below are a couple of reasons why minification may not work as expected.
- If the file is served from an external domain not powered by Cloudflare.
- If the file contains .min in the filename.
- If the file has syntax errors and it cannot be parsed.
- Inline CSS or JS embedded inside your HTML code will not be minified.
NB! Purge cache to have your change take effect immediately.
Brotli On
Speed up page load times for your visitor’s HTTPS traffic by applying Brotli compression.
Automatic Platform Optimization for WordPress Pro Plan On
Cloudflare APO for WordPress is a performance feature improving website loading and speed. All your pages and third party fonts are served from Cloudflare’s edge network. This significantly improves TTFB and creates a better user experience. For free users, there is an additional $5/month fee for APO.
Notice
When using Cloudflare APO for WordPress, you can delete the Cache Everything page rule. APO is more efficient and works on a Workers KV “push” model, which automatically pushes HTML globally.
Recommendation
Install the Cloudflare plugin when enabling Cloudflare APO for your WordPress website. After the release of the new feature, Cloudflare has promised to keep their WordPress plugin operational and up-to-date.
When using the Cloudflare APO feature, please make sure you use the following officially recommended setup:
Security level Medium
Caching level Standard
Auto Minify All Enabled
Browser Cache TTL 4 hours
Always Online On
Development Mode Disabled
IPV6 Compatibility Off
WebSockets On
IP Geolocation On
Email Address Obfuscation On
Server-side Excludes On
Hotlink Protection Off
Image optimization (Polish and Mirage) Off (unless on Pro or higher plan)
Rocket Loader Off
Enhanced HTTP/2 Prioritization Pro Plan On
When enabled, resources will be delivered in the optimal order for the fastest experience across all browsers. Read more on Cloudflare’s Blog Post.
TCP Turbo Pro Plan Enabled
Enabled automatically; reduces latency and improves throughput over TCP connections.
NB! Only disabled for free plans.
Mirage Pro Plan Beta Off
Improve load time for pages that include images on mobile devices with slow network connections. You can try this feature out, but as it is in the beta phase, it is strongly recommended to keep it disabled.
NB! May cause problems when a lazy-loading library is enabled for your site.
Rocket Loader™ On
Improve the paint time for pages that include JavaScript. You can have Rocket Loader ignore individual scripts by adding the data-cfasync="false" attribute to the relevant script tag, for example:
<script data-cfasync="false" src="/path-to-your-javascript.js"></script>
Caching
Configuration
Purge Cache
Clear cached files to force Cloudflare to fetch a fresh version of those files from your web server. You can purge files selectively or all at once.
NB! Purging the cache may temporarily degrade performance for your website and increase the load on your origin.
Caching Level Standard
Determine how much of your website’s static content you want to cache. Increased caching can speed up page load time. You can cache static content according to these levels:
- No Query String – only delivers files from the cache when there is no query string.
- Ignore Query String – delivers the same resource to everyone independent of the query string.
- Standard – delivers a different resource each time the query string changes.
Recommendation for Advanced Users
When your website uses any caching plugin generating combined CSS/JS files with random file names, use the No Query String option instead.
Browser Cache TTL 8 days
Determine the length of time Cloudflare instructs a visitor’s browser to cache files. During this period, the browser loads the files from its local cache, speeding up page loads. Therefore, it’s up to you how long you set the cache period. Set it to a longer period when your website’s content doesn’t change that often.
Recommendation for Advanced Users
Use the Respect Existing Headers option when you would like to honour the header instructions set by the origin server. For example, you have set the Cache-Control: public, s-maxage=31536000, max-age=604800, must-revalidate header on your origin server for static resources.
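As an added example covering both the Caching Level choices above and the Respect Existing Headers recommendation (my own Python, not Cloudflare’s code), this models which cache key each level produces and which TTLs a shared cache such as Cloudflare’s edge and a browser take from the origin’s Cache-Control header; the level names and URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def cache_key(url, level):
    """Cache key used for `url` at a Caching Level, or None when that level sends
    the request to the origin instead of the cache. Level names as on the page:
    'no_query_string', 'ignore_query_string', 'standard' (modelled on the page's
    descriptions, not on Cloudflare's implementation)."""
    p = urlsplit(url)
    if level == "standard":
        # every distinct query string is a distinct cached resource
        return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    if level == "ignore_query_string":
        # one cached resource regardless of the query string
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    if level == "no_query_string":
        # only query-less requests are ever served from the cache
        return None if p.query else urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    raise ValueError(f"unknown caching level: {level}")

def parse_cache_control(header):
    """Split a Cache-Control header into {directive: int | True}."""
    directives = {}
    for token in header.split(","):
        name, _, value = token.strip().partition("=")
        if not name:
            continue
        value = value.strip().strip('"')
        if value and not value.isdigit():
            raise ValueError(f"non-numeric value for {name}: {value!r}")
        directives[name.lower()] = int(value) if value else True
    return directives

def ttls_from_cache_control(header):
    """(edge_ttl, browser_ttl) implied by an origin Cache-Control header when
    Browser Cache TTL is set to Respect Existing Headers. A shared cache such as
    Cloudflare's edge honours s-maxage first and falls back to max-age; the
    browser only ever looks at max-age. None means 'do not cache there'."""
    d = parse_cache_control(header)
    if "no-store" in d:
        return None, None
    edge = None if "private" in d else d.get("s-maxage", d.get("max-age"))
    return edge, d.get("max-age")

# The header from the recommendation above: one year at the edge, one week in browsers.
PAGE_HEADER = "public, s-maxage=31536000, max-age=604800, must-revalidate"
```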
CSAM Scanning Tool Beta Coming Soon
Always Online™ On
If your server goes down, Cloudflare will serve your website’s static pages from their cache.
Development Mode Off
Temporarily (lasts for three hours) bypass the cache, allowing you to see changes on your origin server in real time.
NB! Enabling this feature can significantly increase the origin server load.
Note
Development mode does not purge the cache so files will need to be purged after development mode expires.
Network
HTTP/2 On
HTTP/2 improves the way HTTP requests and responses are sent over the Internet by allowing faster page load times. According to W3Techs, 48% of the top 10 million websites support HTTP/2. Turn this switch on to be part of this league.
NB! Free plans can’t disable this option.
HTTP/3 (with QUIC) On
HTTP/3 is the next version of the network protocol designed to take advantage of QUIC, a new Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic. According to W3Techs, 7% of the top 10 million websites support HTTP/3. Turn this switch on to gain encryption and performance improvements compared to TCP and TLS.
0-RTT Connection Resumption On
Turn this switch on to improve performance for clients who have previously connected to your website.
WebSockets Off
When you have a mission-critical real-time application, you can allow web socket connections to your origin server. Otherwise, turn this feature off.
Onion Routing On
Onion Routing routes traffic from legitimate users on the Tor network through Cloudflare’s onion services rather than exit nodes, thereby improving the privacy of those users and enabling more fine-grained protection. It does no harm to turn this feature on.
Pseudo IPv4 Off
Cloudflare offers Pseudo IPv4 which supports IPv6 addresses in legacy applications expecting IPv4 addresses. Keep this feature off unless you have a specific need.
IP Geolocation Off
Keep this feature off unless you are a developer who needs to send different results back from the origin server based on the visitor’s location.
NB! Cloudflare adds the CF-IPCountry header to the request.
Note for Advanced Users
Cloudflare’s special header is visible only to the origin server, not to the browser. In the browser, use an AJAX request to the /cdn-cgi/trace endpoint instead. Don’t worry about the extra request, as it is very fast.
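As an added example (my own Python, not from the page or Cloudflare), the origin-side and browser-side variants of the geolocation lookup described above: parsing a /cdn-cgi/trace body and reading CF-IPCountry, with the non-country values XX (unknown) and T1 (Tor) that Cloudflare uses handled explicitly. The trace body and the locale table are constructed; the browser fetch itself is replaced by that constructed text.

```python
# Constructed sample of a /cdn-cgi/trace response (values are made up; a real
# response carries the visitor's IP, user agent and the serving Cloudflare colo).
SAMPLE_TRACE = """fl=123abc
h=example.com
ip=203.0.113.7
ts=1700000000.123
visit_scheme=https
uag=Mozilla/5.0
colo=HEL
http=http/2
loc=EE
tls=TLSv1.3
sni=plaintext
warp=off
"""

# Values Cloudflare puts in CF-IPCountry (and the trace 'loc' field) that are not countries.
SPECIAL_COUNTRY_CODES = {"XX": "unknown", "T1": "Tor"}

def parse_trace(body):
    """Parse the key=value lines of a /cdn-cgi/trace body; lines without '=' are ignored."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def pick_locale(country, locales, default):
    """Map a two-letter country code to a locale. Missing, unknown (XX) and Tor (T1)
    values fall back to the default rather than to a guessed country."""
    if not country:
        return default
    country = country.strip().upper()
    if country in SPECIAL_COUNTRY_CODES:
        return default
    return locales.get(country, default)

def locale_for_request(headers, locales, default):
    """Origin-side variant: read CF-IPCountry from the request headers (names compared
    case-insensitively). Trust the header only when the origin accepts connections
    solely from Cloudflare, e.g. with Authenticated Origin Pulls enabled."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return pick_locale(lowered.get("cf-ipcountry"), locales, default)

def locale_from_trace(body, locales, default):
    """Browser-side variant: use the 'loc' field of a fetched /cdn-cgi/trace body."""
    return pick_locale(parse_trace(body).get("loc"), locales, default)
```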
Maximum Upload Size 100MB
The amount of data visitors can upload to your website in a single request.
NB! This setting can only be changed on the Business plan and above.
Scrape Shield
Email Address Obfuscation On
Cloudflare can obfuscate e-mail addresses found on your website to stop harvesters and bots from collecting them for spamming, while keeping them visible to human visitors. Please keep this setting enabled to make spammers’ lives as hard as possible.
Server-side Excludes On
If you have some sensitive content on your webpage and you would like to hide this from suspicious visitors, enable this option. Put everything between SSE tags and Cloudflare will show this wrapped content only to real users.
<!--sse-->
Suspicious visitors won’t see my phone number, (+372) 5 555 555<!--/sse-->
Hotlink Protection On
Hotlink Protection prevents your images from being used by other websites. Images consumed by other websites can eat into your origin server’s bandwidth. Your own website visitors will still be able to download and view images.
NB! You can still allow hotlinking of specific images by putting them into a /hotlink-ok/ sub-folder; Cloudflare will allow other websites to consume those.
[Next Steps] Quick Website Setup
- Configure WordPress Website – please follow the instructions on How to Configure WordPress
Thanks for Reading and Good Luck on Your Journey! Need Some Help or Would Like to Ask Something about Current Content? Please Add a Comment 🙂