
Cloudflare Setup Guide for WordPress

A practical Cloudflare setup guide for WordPress covering DNS, SSL, caching, rules and common mistakes for faster, safer sites.

If your WordPress site is loading slowly, throwing mixed content warnings, or behaving oddly after a DNS change, Cloudflare is usually either the fix or the cause. This Cloudflare setup guide for WordPress is built to help you get the useful parts right without creating new problems.

For most business websites, the goal is simple. You want the site to load quickly, stay online, use HTTPS properly, and block a fair amount of rubbish traffic before it touches your server. Cloudflare can do that well, but only if the basics are set up cleanly.

What Cloudflare should do for a WordPress site

Cloudflare sits between your visitors and your hosting server. It handles DNS, filters traffic, serves cached files closer to the visitor, and can add SSL and security controls on top of your existing hosting stack.

For a standard WordPress site, that usually means four practical wins. Your DNS is easier to manage, static assets can be delivered faster, bot traffic gets filtered earlier, and HTTPS is simpler to enforce. That said, Cloudflare is not a magic speed switch. If your hosting is underpowered, your theme is heavy, or your plugins are doing too much work, Cloudflare will help around the edges but it will not fix the root issue.

Before you start the Cloudflare setup guide for WordPress

Have these details ready before you touch anything: your domain registrar login, your hosting server IP address, and access to your current DNS records. You should also be able to log in to WordPress and your hosting control panel.

If the site already sends email through the same domain, slow down and check every DNS record carefully. The most common mistake during setup is getting the website online while quietly breaking email delivery.

Add your domain and check DNS records

Start by adding your domain to Cloudflare and letting it scan existing DNS records. Do not assume the scan is complete or correct. Review each record one by one.

Your A record should point to the correct server IP. If you use a www version, make sure that record exists too, usually as a CNAME or matching A record. Mail-related records such as MX, SPF, DKIM and DMARC need to stay intact. If they are missing or altered, the website may work while email starts failing.

Cloudflare gives each record an orange cloud or grey cloud option. Orange means traffic is proxied through Cloudflare. Grey means DNS only. Your website records should usually be orange-clouded. Mail records should stay grey-clouded because email services should not be proxied through Cloudflare.
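The record-by-record review described above can be written down as a script. This is an added example, not code from Cloudflare or WordPress; the records, domain and IP are constructed, and the dict keys (`type`, `name`, `content`, `proxied`) are an assumed shape for a hand-made copy of the zone.

```python
# Constructed sample records; the dict shape is an assumption for this example.
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.20", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com.", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all", "proxied": False},
]

def norm(host):  # lower-case a hostname and drop any trailing dot
    return host.strip().rstrip(".").lower()

def audit_records(records, domain, origin_ip):
    """Return (code, detail) findings for the checks described above."""
    findings = []
    domain = norm(domain)
    recs = [dict(r, name=norm(r["name"])) for r in records]
    apex = [r for r in recs if r["type"] == "A" and r["name"] == domain]
    if not apex:
        findings.append(("apex-missing", f"no A record for {domain}"))
    for r in apex:
        if r["content"] != origin_ip:
            findings.append(("apex-wrong-ip", f"{r['content']} is not {origin_ip}"))

    # Website records (apex and www) should usually be proxied (orange cloud).
    web = [r for r in recs if r["type"] in ("A", "CNAME")
           and r["name"] in (domain, "www." + domain)]
    for r in web:
        if not r["proxied"]:
            findings.append(("web-dns-only", f"{r['name']} is grey-clouded"))
    if not any(r["name"] == "www." + domain for r in web):
        findings.append(("www-missing", "no www record; fine only if www is unused"))

    # Hosts that MX records point at must stay DNS only (grey cloud).
    mx_hosts = {norm(r["content"]) for r in recs if r["type"] == "MX"}
    if not mx_hosts:
        findings.append(("mx-missing", "no MX record; compare with the old zone"))
    for r in recs:
        if r["name"] in mx_hosts and r["type"] in ("A", "AAAA", "CNAME") and r["proxied"]:
            findings.append(("mail-proxied", f"{r['name']} is orange-clouded"))

    txt = [(r["name"], r["content"].strip('"').lower()) for r in recs if r["type"] == "TXT"]
    if not any(n == domain and c.startswith("v=spf1") for n, c in txt):
        findings.append(("spf-missing", "no SPF TXT record at the apex"))
    if not any(n == "_dmarc." + domain and c.startswith("v=dmarc1") for n, c in txt):
        findings.append(("dmarc-missing", "no TXT record at _dmarc." + domain))
    if not any(r["name"].endswith("._domainkey." + domain) for r in recs):
        findings.append(("dkim-missing", "no *._domainkey record; confirm the selector"))
    return findings
```

On the sample it reports the grey-clouded www record, the orange-clouded mail host, and the missing DKIM and DMARC records, which is the "website works, email quietly fails" case the guide warns about.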

Once the DNS records look right, update your nameservers at the registrar to the ones Cloudflare provides. DNS changes can take a few hours to settle, sometimes longer.

Set SSL properly or you will create errors

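This is the part that causes the most avoidable issues. In Cloudflare, go to SSL/TLS and choose Full or Full (strict). If your hosting server already has a valid SSL certificate installed, use Full (strict). That is the better option, because Cloudflare then validates the origin certificate, whereas Full encrypts the connection to your server without checking the certificate.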

Do not use Flexible SSL for a normal WordPress setup unless you have a very specific reason and understand the trade-off. Flexible means Cloudflare talks to the visitor over HTTPS but talks to your server over plain HTTP, so that leg of the connection is unencrypted. If WordPress or the server then redirects that HTTP request to HTTPS, the cycle repeats, which is why this setup often leads to redirect loops, login issues, and mixed content headaches.

On the WordPress side, make sure both the WordPress Address and Site Address use https. If they still use http, you will end up forcing redirects in the wrong places and the site can become unstable.

Turn on the core security and performance settings

Once SSL is sorted, move through the basics rather than enabling every feature at once.

Start with Always Use HTTPS. That ensures all visitors are pushed to the secure version of the site. Then enable Automatic HTTPS Rewrites, which can help with older hard-coded asset URLs, though it is not a replacement for cleaning up mixed content properly.

Compression should be on. Caching should be left fairly standard to begin with. For most brochure-style WordPress sites, Cloudflare’s default caching behaviour is enough at the start. If you change too many caching settings too early, it becomes harder to work out why content is stale or why updates are not appearing.

Security settings depend on the kind of traffic the site gets. A normal small business site usually does well with a moderate security level and bot protection enabled. If you push security too aggressively, you can block real users, form submissions, or useful third-party services.

Page caching for WordPress needs care

This is where people often get overconfident. Caching can improve speed, but full-page caching on WordPress has trade-offs.

If your site is mostly static, such as a service website with infrequent updates, stronger page caching can work well. If the site has logged-in users, ecommerce, membership areas, booking tools, or personalised content, page caching needs much more care. You do not want a cached version of a logged-in page being served incorrectly.

A safe approach is to let Cloudflare cache static assets and let your server or WordPress caching plugin handle the rest. If you do use Cloudflare page rules or cache rules, exclude areas such as wp-admin, wp-login.php, cart, checkout, and account pages where relevant.
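A reference model of that bypass decision, useful as a test matrix to compare your cache rules against. This is an added example, not Cloudflare's rule engine; the `/cart`, `/checkout` and `/my-account` slugs are assumptions, and the function and constant names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Paths named in the guide. The /cart, /checkout and /my-account slugs are
# assumptions (common shop defaults); use the slugs your site really has.
BYPASS_PREFIXES = ("/wp-admin", "/cart", "/checkout", "/my-account")
BYPASS_EXACT = ("/wp-login.php",)
# WordPress sets a cookie starting with this name for logged-in users.
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in_",)


def should_bypass_cache(url, cookie_header=""):
    """Return a reason string if the request must skip the page cache, else None."""
    path = "/" + unquote(urlsplit(url).path).lstrip("/")
    # Collapse //, /./ and /../ so "/blog/../wp-admin/" cannot slip past.
    path = posixpath.normpath(path).lower()
    if path in BYPASS_EXACT:
        return "login"
    for prefix in BYPASS_PREFIXES:
        # Match whole path segments: "/cart" and "/cart/x", not "/cartoons".
        if path == prefix or path.startswith(prefix + "/"):
            return "dynamic-path"
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        if name.startswith(SESSION_COOKIE_PREFIXES):
            return "logged-in"
    return None


# Constructed requests: (URL, Cookie header, expected outcome).
CASES = [
    ("https://example.com/", "", None),
    ("https://example.com/wp-admin/admin-ajax.php", "", "dynamic-path"),
    ("https://example.com/WP-Login.php?redirect_to=%2F", "", "login"),
    ("https://example.com/blog/../checkout/", "", "dynamic-path"),
    ("https://example.com/cartoons-we-like/", "", None),
    ("https://example.com/about/", "wp_x=1; wordpress_logged_in_abc=u%7C1", "logged-in"),
]
```

The last case is the one that matters most: a public URL requested with a logged-in cookie must not be answered from, or stored in, a shared page cache.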

For many WordPress sites, the best result comes from using Cloudflare alongside a good server-level stack rather than trying to force Cloudflare to do everything.

Use rules sparingly

Cloudflare offers page rules, cache rules, redirect rules, WAF rules and more. Useful tools, but easy to overbuild.

For a standard setup, you may only need a handful of rules. One to bypass cache for admin and login paths. One to protect or challenge suspicious behaviour on sensitive URLs. Possibly one to handle a redirect cleanly if the site has changed structure.

More rules do not automatically mean a better setup. They usually mean more moving parts to troubleshoot later.

Check WordPress itself after Cloudflare is live

Once the domain is active through Cloudflare, test the site properly inside WordPress.

Log in and out. Submit the contact form. Open the site on mobile. Check whether images, stylesheets and scripts load over HTTPS. If there is an ecommerce or booking flow, test it end to end. Also purge the Cloudflare cache after major changes so you are not checking an old version of the site by mistake.
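The "do assets load over HTTPS" check can be run against saved page source instead of by eye. This is an added example, not code from Cloudflare or WordPress; the sample page is constructed and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Tags whose insecure URLs browsers block outright ("active") versus those
# they may upgrade or warn about ("passive").
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by an HTTPS page."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # canonical/alternate links are not subresources
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = a.get(table.get(tag, ""), "").strip()
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))
        # srcset holds comma-separated "url descriptor" candidates.
        for cand in a.get("srcset", "").split(","):
            url = cand.strip().split(" ")[0]
            if url.lower().startswith("http://"):
                self.findings.append(("passive", tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed page, as it might look after a move from http to https.
SAMPLE = """
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="https://example.com/a.png 1x, http://example.com/a@2x.png 2x">
<a href="http://example.org/">partner</a>
"""
```

Anything it reports is a hard-coded URL to fix at the source rather than leave to Automatic HTTPS Rewrites; ordinary `<a>` links are ignored because they are navigation, not subresources.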

If the site uses a caching or security plugin already, review whether its settings now overlap with Cloudflare. Running too many security layers or duplicate optimisation features can create conflicts. It depends on the stack, but simpler is usually better.

Common mistakes to avoid

The biggest one is incorrect SSL mode. If you remember one thing from this guide, make it that.

The next is proxying records that should not be proxied, especially mail-related ones. After that comes over-caching, where site owners cache pages that should stay dynamic, then wonder why edits or enquiries are not appearing as expected.

Another common issue is forgetting the origin server. Cloudflare can hide some hosting weaknesses for a while, but if the server is slow, outdated, or badly configured, performance will still suffer. A good result usually comes from the combination of clean hosting, lean WordPress configuration, and sensible Cloudflare settings.

A practical setup order that works

If you want the short version, do the setup in this order. Add the domain, verify DNS records, switch nameservers, set SSL to Full (strict), force HTTPS, leave caching mostly standard, exclude admin and login from cache, then test the site thoroughly.

That order keeps risk down. It also makes it easier to spot where something has gone wrong.

When a plugin helps and when it does not

The official Cloudflare WordPress plugin can be useful for some setups. It gives you easier cache purging and access to a few Cloudflare options inside WordPress.

Still, it is optional. Most of the important setup happens in the Cloudflare dashboard, not inside WordPress. If you prefer fewer plugins, skipping it is perfectly reasonable.

When to get help

If the site handles leads, bookings or sales every day, be careful with DNS and caching changes during business hours. A poor setup can break forms, email routing, or checkout behaviour without being obvious straight away.

That is usually the point where a managed setup is worth it. For businesses in Tauranga and across the Bay of Plenty, the job is not just getting Cloudflare connected. It is making sure the website, hosting, SSL, caching and support workflow all work together cleanly. That is the part that reduces technical headaches long term.

A good Cloudflare setup should feel boring after launch. Pages load faster, HTTPS stays tidy, suspicious traffic gets filtered, and you stop having to think about it every week. If that is not the outcome, the setup probably needs another pass.

Posted in March, 2026
