Cloudflare CDN Settings Guide 2021

I recommend Cloudflare’s FREE plan for every blogger who cares about site speed and security. Cloudflare adds another layer of security to your domain to protect against hackers while delivering your static site files super fast to your visitors. Cloudflare works in unison with WP Rocket to deliver blazing fast site speed.

How a CDN Speeds Up Your Site Delivery

Copies of your static site files like HTML, JavaScript, CSS, and images are cached in datacenters spanning the globe. Your site is served to visitors from the geographic location closest to them. At the time of writing, the company reports operating over 150 data centers around the world.

Cloudflare uses a proprietary technology to route your visitors to the nearest datacenter from their current location. This, in turn, causes your cached website to open twice as fast as the average load time.

You’ll Get Some Added Security Benefits, Too

Besides providing CDN optimization and site caching services, Cloudflare also blocks threats that might compromise your website or waste bandwidth and other server resources.

Cloudflare also offers the ability to block IP addresses by range or country. This helps to keep already known threats at bay.

You don’t have to worry about bots crawling your website and harvesting email addresses because Cloudflare provides protection against content scraping. Other standard security features include SSL encryption, HTTP/2 as well as protection against the bad stuff hackers do: DDoS attacks, SQL injections, cross-site scripting, and comment spamming.

Cloudflare’s FREE Plan Features:

  • Global CDN with 152 Datacenters Worldwide
  • Unmetered Mitigation of DDoS Attacks
  • Shared SSL certificate
  • I’m Under Attack™ mode
  • Caches all static and dynamic content
  • Always Online feature serves a cached version of your site if it ever goes down

How to Set Up Cloudflare CDN for Bloggers

  1. Test your website with GTmetrix before implementing Cloudflare so you will have test data that proves it’s working and speeding up your site!
  2. You’ll need access to your Domain Registrar and your WP-Admin Dashboard
  3. Sign up for Cloudflare CDN from the link above, not through your Hosting. Your Hosting version of Cloudflare is very basic; the real power in these settings is only available in the full free version from Cloudflare’s website.

Cloudflare Sign-Up [ START HERE ]

1. Sign-Up

A) Sign-On page

Pretty straightforward here, enter your Email and Password and then click Create Account.

Cloudflare Settings: Sign-Up Page Screenshot

B) Add your Site

In the upper right-hand corner of the screen, click on ‘Add Site’ to get started.

Cloudflare Settings: Add Site Screenshot

Then you’ll enter your domain name, without the ‘https:// or http://’ and click on ‘Add Site’.

For example, I entered blogjolt.com for my setup.

Cloudflare Settings: Add Domain Page Screenshot

C) Select A Plan

Make sure you select the Free Plan. Pro has some nice-to-have extra features, but if it’s not in your budget, don’t sweat it! The Free plan alone will have a huge impact on speeding up your site and making it more secure. If you’re an established blogger with the income to match and just now adding Cloudflare, message me and I’ll send you the extra settings to configure for the Pro plan.

Cloudflare Settings: Select A Plan Page Screenshot

D) Review your DNS records

Cloudflare pulls these directly from your domain registrar. Make sure that the records you see listed in Cloudflare match what’s at your Domain Registrar. Take a long look to make sure all the records have carried over, then mark which of the Orange cloud records need to be Gray clouds. This will make those Gray cloud records DNS only.

Cloudflare Settings: DNS Records Screenshot

I’ve boxed 5 records in the screenshot above that are common with hosts that include ‘cPanel’.

If you see any of the records in the following table in your DNS Records list, make sure you change the orange cloud to a gray cloud by clicking directly on the cloud to change its status. These DNS records handle mail delivery and backend server access, which we want to bypass the Cloudflare proxy and be served as DNS only.

Type     Name
A        cpanel
A        webdisk
A        webmail
A        whm
CNAME    mail
imap     mail.yourdomainname.com
pop      mail.yourdomainname.com
smtp     mail.yourdomainname.com

E) Change your Nameservers to Cloudflare

The last major step in sign-up is to change your domain’s Nameservers to the ones provided to you by Cloudflare. As seen in the screenshot, Cloudflare tells you what your existing Nameservers are and what they should be changed to.

Cloudflare Settings: Change your Nameservers Page Screenshot

The order doesn’t matter: either one can go into the first or second Nameserver field at your Domain Host. Most Web Hosting companies have help documentation and online chat where you can get help changing Nameservers.

Most Common Domain Registrar’s Help Docs for Changing Nameservers:

After you’ve made the switch and remembered to save it, return to Cloudflare and click on the ‘Done, Check Nameservers’ button. Be prepared to wait; this could take a good half a day to change over. In the meantime you can continue to set up Cloudflare’s settings.

F) Quick Start Guide

Be sure to select the blue link that says Finish Later. I’ve covered every ideal setting for bloggers’ site performance in this guide, whereas the Cloudflare quick start will only recommend the most basic of settings.

Cloudflare Settings: Quick Start Guide Page Screenshot

2. Overview Dashboard

Once Cloudflare is active on your domain, after the Nameservers have verified, you’ll start to see meaningful data on the Overview dashboard. I always check my Analytics here when I want a quick idea of how my traffic (Unique Visitors) and file caching efficiency (Percent Cached) are doing. There’s also what I call the ‘Oh Sh*t’ button, which you’d toggle if you know you’re currently being attacked by hackers.

Main functionality of the Overview dashboard:

  • Summarizes site analytics
  • Displays notifications
  • Links to common quick actions
  • Provides API authentication details, including Zone ID which you’ll need for setting up the ShortPixel and WP Rocket integrations.
Cloudflare Settings: Overview Page Screenshot

3. Analytics

You can monitor the security and cache effectiveness of Cloudflare working with your site.

The Analytics is broken down into Requests, Bandwidth, and Unique Visitors. Requests and Bandwidth relate to how much work Cloudflare is off-loading from your web hosting, and Unique Visitors is just like Google Analytics but not as granular. Traffic is also broken down by Country. Looking at the security tab, you are both reassured and terrified at the same time. There you’ll see how many Security Threats bombard your website on an hourly, daily and monthly basis. This protection alone is what makes Cloudflare worth it to me to use on every site I create for myself and clients, and allows me to rest easy at night.

Cloudflare Settings: Analytics Page Screenshot

Questions you might have:

Why doesn’t Cloudflare cache everything? If you use the WP Rocket Caching plugin as I recommend and the ShortPixel Image Optimization plugin too, they both handle caching of certain requests from your website as well. I’m happy to see +/- 35% of my total requests are being Cached by Cloudflare.

What are these ‘attacks’ that Cloudflare is blocking? Cloudflare blocks spam bots, content scraping, and account takeover attempts. As visible in my screenshot, in just 6 hrs I had over 1400 attacks blocked! Thank goodness I have Cloudflare installed!

4. DNS Settings

If you already configured the DNS in step D of the Setup process, then you can skip over this area for now.

In the future, if you change email providers or need to add Google or Bing or Pinterest verification txt records, you can do so here.

If you ever change your web hosting, you can find your Cloudflare Nameservers here that you’ll need for setting up Cloudflare to work with the new host.

Skip the three options below the DNS records. They do not need to be changed.
– Custom Nameservers
– DNSSEC
– CNAME flattening

5. SSL / TLS Settings

A) Overview section

Match the following settings exactly.

SSL/TLS encryption mode: FULL

SSL/TLS Recommender: OFF

Cloudflare Settings: SSL Overview section Screenshot

B) Edge Certificates section

Match the following settings exactly.

Always Use HTTPS: OFF – the preferred method for forcing HTTPS is through an .htaccess rule.

HTTP Strict Transport Security (HSTS): Click on Enable HSTS

Cloudflare Settings: SSL Edge Certificates - Enable HSTS section Screenshot

Minimum TLS Version: 1.2

Opportunistic Encryption: ON

TLS 1.3: ON

Automatic HTTPS Rewrites: OFF – the preferred method for forcing HTTPS is through an .htaccess rule.

Certificate Transparency Monitoring: OFF

Disable Universal SSL: SKIP

Cloudflare Settings: SSL Edge Certificates section Screenshot

C) Client Certificates, Origin Server, Custom Hostnames sections

Skip these sections. No changes from default are needed.

6. Firewall Settings

Match the following settings exactly.

A) Overview, Managed Rules sections

Skip these sections. No changes from default are needed.

B) Firewall Rules section

We will set a rule to protect our WP Admin area from Hackers trying to access it.

Click on the ‘Create a Firewall Rule‘ button.

Firewall Rule #1: Protect the WP Admin Area

Substitute your home country for United States. If you have a distributed team of website workers, make sure you click ‘And’ and then add their countries too.

Field: URL path
Operator: contains
Value: /wp-admin

Field: Country
Operator: does not equal
Value: United States

Action: Block

Cloudflare Settings: Firewall Rules #1 section Screenshot

After deploying the rule, you’ll return to the Firewall Rules list. You’ll now see your one rule.

Cloudflare Settings: Firewall Rules List section Screenshot
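
Added example, not part of the original guide: a small Python model of Firewall Rule #1 that shows why additional countries must be joined with ‘And’, and which paths the rule does and does not match. The second country (CA) and the sample requests are constructed; the field names in expression() are the ones Cloudflare’s expression editor uses for URL path and country.

```python
# Added example: a model of Firewall Rule #1 for reasoning about it offline.
# It is not Cloudflare's rule engine; the requests below are constructed samples.

ALLOWED = ["US", "CA"]  # assumption: home country plus one team member's country


def rule_and(path, country, allowed=ALLOWED):
    """The rule as built in the guide: every country test joined with 'And'."""
    return "/wp-admin" in path and all(country != c for c in allowed)


def rule_or(path, country, allowed=ALLOWED):
    """The same clauses with the country tests joined with 'Or' by mistake."""
    return "/wp-admin" in path and any(country != c for c in allowed)


def expression(allowed=ALLOWED):
    """Render the 'And' rule as text for Cloudflare's expression editor."""
    clauses = ['http.request.uri.path contains "/wp-admin"']
    clauses += [f'ip.geoip.country ne "{c}"' for c in allowed]
    return "(" + " and ".join(clauses) + ")"


SAMPLES = [  # (path, country), constructed
    ("/wp-admin/index.php", "US"),       # site owner
    ("/wp-admin/post.php", "CA"),        # team member
    ("/wp-admin/index.php", "DE"),       # stranger probing the dashboard
    ("/wp-admin/admin-ajax.php", "DE"),  # reader's browser calling front-end AJAX
    ("/wp-login.php", "DE"),             # login page: no /wp-admin in the path
    ("/2021/05/some-post/", "DE"),       # ordinary page view
]


def blocked(rule):
    """Return the sample requests that the given rule would block."""
    return [s for s in SAMPLES if rule(*s)]


if __name__ == "__main__":
    print(expression())
    print("And:", blocked(rule_and))
    print("Or: ", blocked(rule_or))
```

With ‘Or’ between the country tests, every /wp-admin request matches, including the owner’s. The ‘And’ version also blocks /wp-admin/admin-ajax.php for readers outside the listed countries, which matters if a theme or plugin uses front-end AJAX, and it does not match /wp-login.php.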

C) Bots section

Bot Fight Mode: OFF

*This interferes with page speed testers like GTmetrix and PageSpeed Insights, as well as with generating Critical Path CSS in WP Rocket.

D) Tools Section

IP Access Rules: Create rules to protect your site as well as to set a ‘safe-list’ of known IP addresses that should be allowed unchallenged access.

There are 5 sets of rules you’ll want to add:

  • The IP address for wherever you access the internet: home, coworking place, office, etc.
    From that location, go to google.com and type “what’s my IP?”. Then add it as an IP Access Rule. Paste the long string of numbers/letters in the first box, then set it to ‘Allow’, then choose ‘All websites in account’ and finally type a description of it, like ‘Home IP’. Click Add. Do this for all places you work on your website from.
  • Web Host’s IP address: this should be readily available from your hosting account dashboard, if not, ask them via their online chat. It differs for every host and often every account.
  • WP Rocket: If you use the recommended WP Rocket Caching plugin, enter these 3 IP addresses into your IP Access Rules. Paste the 1st row of numbers in the first box, then set it to ‘Allow’, then choose ‘All websites in account’ and finally type a description of it, like ‘WP Rocket 01’. Repeat for the 2nd and 3rd lines. Click Add.
167.114.226.142
109.234.160.58
51.83.15.135
  • ShortPixel: If you use the recommended ShortPixel Image Optimization plugin, enter these 3 IP addresses into your IP Access Rules. Each IP will need its own rule. Paste the numbers in the first box, then set it to ‘Allow’, then choose ‘All websites in account’ and finally type a description of it, like ‘ShortPixel 01’. Click Add.
176.9.21.94
176.9.106.100
176.9.40.54
  • Country Rules: Enter these countries known for heavy hacker attacks. These rules won’t block real human traffic from them; they will present a challenge button that you must click to be allowed through. Bots and automated malicious scripts will fail the challenge. Obviously, if your blog is centered around an international topic such as Travel or Eating, you’ll want to leave off the countries that you know for sure your readers live in. Paste the letters in the first box, then set it to ‘Challenge’, then choose ‘All websites in account’. Click Add.

List of Countries for IP Access Rules:

Brazil (BR)
Bulgaria (BG)
Czech Republic (CZ)
China (CN)
Indonesia (ID)
Iran (IR)
Israel (IL)
Kazakhstan (KZ)
Korea, North (KP)
Korea, South (KR)
Latvia (LV)
Malaysia (MY)
Philippines (PH)
Poland (PL)
Romania (RO)
Russian Federation (RU)
Serbia (RS)
Slovakia (SK)
Turkey (TR)
Ukraine (UA)
Cloudflare Settings: Firewall Tools section Screenshot

The 3 settings below the IP Access Rules can be skipped: Rate Limiting, User Agent Blocking, and Zone Lockdown.

E) Settings Section

Match the following settings exactly.

Security Level: High

Challenge Passage: 1 hour – If a visitor successfully completes the ‘challenge’ from a Firewall IP Access Rules country, they’ll have 1 hour to access your website, more than enough time for legitimate browsing purposes.

Browser Integrity Check: ON

Privacy Pass Support: ON

Cloudflare Settings: Firewall Settings section Screenshot

>> SKIP: Access Settings >>

7. Speed Settings

Match the following settings exactly.

Optimization section

Skip over ‘Image Resizing’ and ‘Polish’ settings, as they’re paid features and unnecessary if you use the recommended ShortPixel Image Optimization plugin.

Auto Minify: Check all boxes.

Brotli: ON

Cloudflare Settings: Speed Settings - Optimization section Screenshot

Skip over everything underneath the ‘Brotli’ setting.

8. Caching Settings

Match the following settings exactly.

Configuration section

Skip over ‘Image Resizing’ and ‘Polish’ settings, as they’re paid features and unnecessary if you use the recommended ShortPixel Image Optimization plugin.

Caching Level: Standard

Browser Cache TTL: Respect Existing Headers

Always Online: ON , also click the blue ‘Update’ button.

Cloudflare Settings: Caching Settings - Configuration section Screenshot

>> SKIP: Workers Settings >>

9. Page Rules Settings

Match the following settings exactly.

Page Rules section

The Cloudflare FREE plan allows 3 page rules to be set; we’ll use these to fine-tune our caching. Replace the ‘yourblogdomain.com’ part of each rule with your blog’s domain name.

Page Rule #1: Cache Everything Possible

*Note: If you run Ads on your site, such as ‘Ezoic’ or ‘Mediavine’, you’ll want to skip this rule.

*yourblogdomain.com/*
Cloudflare Settings: Page Rules Settings section Screenshot

Page Rule #2: Protect WP Admin Pages

*yourblogdomain.com/wp-admin/*
Cloudflare Settings: Page Rules Settings section Screenshot

Page Rule #3: Protect WP Login Pages

*yourblogdomain.com/wp-login.php*
Cloudflare Settings: Page Rules Settings section Screenshot

Transform Rules & Settings sections

Skip these sections. No changes from default are needed.

10. Network Settings

Match the following settings exactly.

HTTP/2: ON and greyed out.

HTTP/3 (with QUIC): ON

0-RTT Connection Resumption: ON

IPv6 Compatibility: ON and greyed out.

gRPC: OFF

WebSockets: ON

Onion Routing: ON

Pseudo IPv4: Add Header

IP Geolocation: ON

Maximum Upload Size: 100 MB

Cloudflare Settings: Network Settings section Screenshot

>> SKIP: Traffic, Stream, Custom Pages & Apps Settings >>

11. Scrape-Shield Settings

Match the following settings exactly.

Email Address Obfuscation: ON , only if you know you’ve got your email typed somewhere on your website, otherwise save a little speed and select OFF.

Server-side Excludes: ON

Hotlink Protection: OFF – turning this on will prevent Pinterest from indexing your images.

Cloudflare Settings: Scrape Shield Settings section Screenshot

12. WP Rocket Plugin Integration

Part 1: WP Rocket Settings > CDN

Check the box to Enable Content Delivery Network. Nothing else needed on this part. The Cloudflare integration happens in the next section.

Cloudflare Settings: WP Rocket Settings Guide: CDN Integration Screenshot

Part 2: WP Rocket Settings > Cloudflare

Complete for the best Cloudflare integration with your site. Doing so will purge your Cloudflare cache at the same time that your WP Rocket cache is cleared. This will prevent the site visitor from seeing outdated content.

Global API Key: Click on the person icon in the upper right corner, then click on Profile. Next, go to API Tokens and scroll down till you see Global API Key and click on the View button. It’ll ask you for your password and then will show it to you. Paste this in a notepad/word doc to keep handy, as we’ll need it in a moment.

Cloudflare Settings Guide - My Profile
Cloudflare Settings Guide - API Tokens - Global API

Account Email: The email that you signed up for Cloudflare with. If you can’t remember it, it’s listed in your profile information.

Zone ID: If you were just in the API Token area, click on the Cloudflare logo to return to the home screen, then click on your domain name to be taken to the Overview section. On the right-hand side near the bottom of the page, you’ll find your Zone ID. Paste this in a notepad/word doc to keep handy, as we’ll need it in a moment.

Back in WP Rocket Settings, retrieve the Global API key and the Zone ID that we had pasted in a notepad/word doc to keep handy. Enter the Account Email you used to set up Cloudflare with. Skip over the settings options, as they use very generic settings that are not the best for bloggers.

Click the orange Save Changes button.

Cloudflare Settings: WP Rocket Settings Guide: Enter Cloudflare Credentials Screenshot

13. ShortPixel Plugin Integration

Complete for the best Cloudflare/ShortPixel integration with your site. Doing so will purge your Cloudflare cache at the same time that your images are updated. This will prevent the site visitor from seeing outdated images.

Create Custom Token: Click on the person icon in the upper right corner, then click on Profile. Next, go to API Tokens and click on the ‘Create Token‘ button.

Cloudflare Settings Guide - My Profile
Cloudflare Settings Guide - API Tokens - Create Token for ShortPixel Integration

Scroll down the page until you see ‘Create Custom Token’ and click on the blue ‘Get Started‘ button.

Cloudflare Settings Guide - API Tokens - Create Custom Token for ShortPixel Integration

On the ‘Create Custom Token’ page, there are several fields to complete.

Give your API token the name: ShortPixel Cache Purge

Permissions

Select ‘Zone’ for box 1.
Select ‘Cache Purge’ for box 2.
Select ‘Purge’ for box 3.

Zone Resources

Select ‘Include’ for box 1.
Select ‘Specific Zone’ for box 2.
Select ‘YourDomainName’ for box 3.

Then click on the blue button ‘Continue to Summary‘.

Cloudflare Settings Guide - API Tokens - Create Custom Token for ShortPixel Integration

Then click on the blue button ‘Create Token‘.

Cloudflare Settings Guide - API Tokens - Create Custom Token for ShortPixel Integration

Your ShortPixel Cache Purge API token is now ready to use. Click the ‘Copy‘ button. Paste this in a notepad/word doc to keep handy, as we’ll need it in a moment.

Cloudflare Settings Guide - API Tokens - Create Custom Token for ShortPixel Integration

Back in ShortPixel Plugin Settings, click on the Cloudflare API tab. Enter your Zone ID you pasted in a notepad/word doc to keep handy during the WP Rocket integration, and the ShortPixel Cache Purge token we just created as well.

Click the blue ‘Save Changes‘ button.

Cloudflare Settings Guide - API Tokens - Create Custom Token for ShortPixel Integration
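
Added example, not code from ShortPixel, WP Rocket or Cloudflare: Python that builds the two Cloudflare API calls a Zone > Cache Purge > Purge token is meant for (token verification and a purge of specific URLs) and interprets the verify response. The zone ID, token string and URLs are placeholders you supply, and nothing is sent unless you call send().

```python
# Added example: builds Cloudflare API requests for a cache-purge token.
# Requests are only constructed here, so the module runs offline.
import json
import re
import urllib.request

API = "https://api.cloudflare.com/client/v4"
ZONE_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # Zone IDs are 32 hex characters


def verify_request(token):
    """GET /user/tokens/verify: asks Cloudflare whether the token is active."""
    return urllib.request.Request(
        f"{API}/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )


def purge_request(zone_id, token, files):
    """POST /zones/<zone_id>/purge_cache for a list of specific URLs."""
    if not ZONE_ID_RE.match(zone_id):
        raise ValueError("Zone ID should be 32 hex characters")
    if not files or not all(u.startswith("https://") for u in files):
        raise ValueError("pass a non-empty list of https:// URLs")
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/purge_cache",
        data=json.dumps({"files": files}).encode(),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def token_is_active(response_text):
    """Interpret the JSON body returned by the verify call."""
    doc = json.loads(response_text)
    result = doc.get("result") or {}  # 'result' is null on error responses
    return bool(doc.get("success")) and result.get("status") == "active"


def send(req):
    """Perform the call (needs network access and a real token)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```

Running token_is_active(send(verify_request(token))) before pasting the token into the plugin confirms that it was copied correctly and is active.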

Real Results from following this Tutorial:

Have you followed this Speed Tutorial and achieved incredible results you are proud of? I want to hear from you… let me know, I’d love to share your results here with other Bloggers so they’ll be that much more confident to try it themselves too.

Cloudflare CDN Tutorial DIY Site Speed Optimization Before/After results