How to Set Up Cloudflare CDN for WordPress (Free & Fast)
Every WordPress site I've ever built gets Cloudflare. Not because it's trendy, not because some blogger told me to — because it genuinely makes sites faster and more secure, and the free tier is shockingly generous. I've been using Cloudflare since 2015, and I've set it up on well over a hundred WordPress sites. The entire process takes about 15 minutes, and the performance gains are immediate.
In this guide, I'll walk you through every step of setting up Cloudflare CDN for your WordPress site. We'll cover what a CDN actually does, why Cloudflare's free plan is enough for most sites, the exact setup process, my recommended settings, and how Cloudflare compares to alternatives like BunnyCDN.
What Is a CDN and Why Your WordPress Site Needs One
A Content Delivery Network (CDN) is a global network of servers that stores copies of your website's static files — images, CSS, JavaScript, fonts — and serves them from the server closest to each visitor. Without a CDN, every visitor hits your origin server, no matter where they are. A visitor in Tokyo loading your site hosted in Amsterdam has to wait for data to travel literally halfway around the world.
With a CDN, that same visitor gets served from a data center in Tokyo. The result? Dramatically lower latency, faster page loads, and a better experience for everyone. CDNs also reduce the load on your origin server, which means your hosting can handle more traffic before slowing down. If you're serious about WordPress speed optimization, a CDN is non-negotiable.
Why Cloudflare Is My Default Recommendation
There are plenty of CDN providers out there, but Cloudflare's free tier is hard to beat. Here's what you get without paying a cent:
- Global CDN with over 300 data centers worldwide
- Free SSL certificate — no need to configure Let's Encrypt separately
- DDoS protection — automatic mitigation with no configuration needed
- DNS management — Cloudflare's DNS is one of the fastest in the world (1.1.1.1)
- Basic firewall rules — block bots, countries, or specific IPs
- Web analytics — basic traffic insights without any tracking scripts
For a free service, that's an absurd amount of value. Most WordPress sites will never need to upgrade to a paid plan. I only recommend the Pro plan ($20/month) for sites that need image optimization (Polish) or the Web Application Firewall (WAF) with managed rulesets.
Step-by-Step: Setting Up Cloudflare for WordPress
Here's the exact process I follow every time I set up Cloudflare on a new WordPress site. No guesswork, no unnecessary steps.
Step 1: Create a Cloudflare Account
Go to cloudflare.com and click "Sign Up". Enter your email and create a password. That's it — no credit card required for the free plan.
Step 2: Add Your Website
Once logged in, click "Add a Site" in the top navigation bar. Enter your domain name (e.g., yoursite.com) and click "Add Site". When asked to select a plan, choose the "Free" tier at the bottom and click "Continue".
Cloudflare will scan your existing DNS records. This usually takes about 60 seconds. Review the records it found — they should match what you currently have at your domain registrar. If anything is missing, add it manually. The most important records are your A record (pointing to your server IP) and any CNAME records (like www).
Step 3: Change Your Nameservers
This is the critical step. Cloudflare will give you two nameservers — something like ada.ns.cloudflare.com and bob.ns.cloudflare.com. You need to update your domain registrar to use these nameservers instead of the current ones.
How to do this depends on your registrar:
- Namecheap: Go to Domain List → click your domain → under "Nameservers," select "Custom DNS" and paste both Cloudflare nameservers
- GoDaddy: My Products → DNS → scroll to Nameservers → click "Change" → select "Enter my own nameservers"
- Google Domains / Squarespace Domains: DNS → Custom name servers → toggle on and paste the Cloudflare nameservers
After updating, click "Done, check nameservers" in Cloudflare. Propagation typically takes 15 minutes to a few hours, though I've seen it happen in under 5 minutes. Cloudflare will email you when the nameservers are active.
Step 4: Configure SSL Mode — Full (Strict)
This is where most people mess up. In the Cloudflare dashboard, go to SSL/TLS → Overview. Set the encryption mode to "Full (Strict)".
Here's why this matters:
- Flexible — encrypts traffic between visitors and Cloudflare, but sends unencrypted traffic to your server. This causes redirect loops with WordPress and is a security risk. Never use this.
- Full — encrypts both legs but doesn't verify your server's SSL certificate. Better, but not ideal.
- Full (Strict) — encrypts everything and verifies your server has a valid SSL certificate. This is the correct setting if your host provides SSL (and in 2026, they all do).
If you're using a host like Cloudways, SiteGround, or any host that provides free Let's Encrypt SSL, Full (Strict) is the right choice. If you see redirect loops or errors after enabling Cloudflare, the SSL mode is almost always the problem.
Step 5: Enable Caching
Go to Caching → Configuration. Set the Caching Level to "Standard" — this is the default and works well for WordPress. Set the Browser Cache TTL to "Respect Existing Headers". This lets your WordPress caching plugin control browser cache duration instead of Cloudflare overriding it.
Turn on "Always Online" — this serves a cached version of your site if your origin server goes down. It's saved me during more than one hosting outage.
Step 6: Set Up Cache Rules (Replaces Page Rules)
Cloudflare has moved from the old "Page Rules" system to the new Rules section. You get 10 free rules. Here are the essential ones for WordPress:
Rule 1: Bypass cache for WordPress admin
Go to Rules → Cache Rules → Create Rule. Set the rule to match when the URI path contains /wp-admin/ or when the URI path contains /wp-login.php. Set the action to "Bypass Cache". This ensures your admin dashboard always loads fresh content.
Rule 2: Cache everything else aggressively
Create another rule matching all other URLs. Set the action to "Eligible for Cache" with an Edge TTL of 1 month. This tells Cloudflare to cache your static pages at the edge, massively reducing origin server load.
Recommended Cloudflare Settings for WordPress
After the basic setup, here are the optimizations I enable on every WordPress site. All of these are available on the free plan unless noted otherwise.
Speed → Optimization → Content Optimization
- Auto Minify: Enable for JavaScript, CSS, and HTML. This strips whitespace and comments from your files, reducing their size by 10-20%. If your caching plugin already minifies, you can skip this to avoid double-processing.
- Brotli compression: Turn this on. Brotli is more efficient than gzip and is supported by all modern browsers. Your files will be 15-20% smaller than with gzip alone.
- Early Hints: Enable this. It sends
103 Early Hintsheaders, telling the browser to start loading critical resources before the HTML even finishes loading. Free performance boost. - Rocket Loader: I recommend leaving this off for WordPress sites. It defers all JavaScript loading, which sounds great in theory but frequently breaks WordPress plugins, sliders, and interactive elements. Not worth the debugging headaches.
Cloudflare APO (Automatic Platform Optimization)
If you want to go further, Cloudflare offers APO for WordPress at $5/month (or free with the Pro plan). APO caches your entire WordPress page — HTML included — at the edge. This effectively turns your dynamic WordPress site into a static site from a performance perspective. Load times can drop to under 200ms globally.
APO requires installing the official Cloudflare WordPress plugin. Go to Plugins → Add New in your WordPress dashboard, search for "Cloudflare," install it, and connect it with your API token. Then enable APO in the plugin settings.
For most sites, the free CDN settings above are enough. APO is worth it for high-traffic sites or sites where every millisecond matters for Core Web Vitals scores.
Security Settings Worth Enabling
- Security → Settings → Security Level: Set to "Medium"
- Security → Settings → Challenge Passage: Set to 30 minutes
- Security → Settings → Browser Integrity Check: Leave on
- Security → Bots → Bot Fight Mode: Turn on — this blocks known bad bots from wasting your server resources
Cloudflare vs BunnyCDN vs Other CDNs — Quick Comparison
Cloudflare is my default choice, but it's not the only option. Here's how the main CDN providers stack up for WordPress sites:
| Feature | Cloudflare (Free) | Cloudflare Pro ($20/mo) | BunnyCDN | KeyCDN |
|---|---|---|---|---|
| Price | Free | $20/month | ~$1/mo for small sites | Pay-per-use ($0.04/GB) |
| Global PoPs | 300+ | 300+ | 123 | 60+ |
| Free SSL | Yes | Yes | Yes | Yes |
| DDoS Protection | Yes | Yes (advanced) | Basic | Basic |
| Image Optimization | No | Yes (Polish) | Yes (Bunny Optimizer) | No |
| WordPress Plugin | Yes | Yes | Yes (CDN Enabler) | Yes |
| Setup Complexity | Nameserver change | Nameserver change | CNAME only | CNAME only |
| Best For | Most WordPress sites | High-traffic / security focus | Budget-conscious, media-heavy | Developers, pay-per-use |
My recommendation: Start with Cloudflare Free. It costs nothing and handles 90% of what you need. If you run a media-heavy site with lots of images and video, BunnyCDN's pay-as-you-go pricing ($0.01/GB in most regions) combined with their image optimizer is excellent value. You can even use both — Cloudflare as your DNS/security layer and BunnyCDN specifically for media delivery.
Frequently Asked Questions
Does Cloudflare slow down WordPress?
No — if configured correctly, Cloudflare speeds up WordPress significantly. The most common issue I see is people setting the SSL mode to "Flexible," which causes redirect loops and makes the site appear broken. Set it to Full (Strict) and you'll be fine. If you notice any issues, disable Rocket Loader first — that setting causes more problems than it solves on WordPress sites.
Do I still need a caching plugin with Cloudflare?
Yes. Cloudflare caches static files at the edge, but a WordPress caching plugin handles server-side page caching, HTML minification, and database query caching. They work at different levels and complement each other. I typically pair Cloudflare with WP Rocket or LiteSpeed Cache.
Can I use Cloudflare with any hosting provider?
Yes. Cloudflare works with every hosting provider because it sits in front of your server as a reverse proxy. You simply point your domain's nameservers to Cloudflare, and Cloudflare routes traffic to your host. Whether you're on shared hosting, a VPS, or managed WordPress hosting, the setup process is identical.
Will Cloudflare break my WordPress site?
It shouldn't, but there are two common issues: redirect loops (fix: set SSL to Full Strict) and broken dynamic features like WooCommerce carts or membership login pages (fix: create cache bypass rules for those URLs). If you follow the setup steps in this guide, you'll avoid both problems entirely.
Setting up Cloudflare is one of the highest-impact, lowest-effort optimizations you can make for your WordPress site. Combined with a good caching plugin and image optimization, you're well on your way to a fast, globally-distributed WordPress site. For the complete picture of everything that affects your site's speed, check out my full WordPress Speed Optimization guide.
Written by Marvin
Our team tests and reviews WordPress products to help beginners make confident choices.
Learn more about our team →