Configure your Cloudflare account for the best website performance (full explanations provided).
If you’ve ever wondered what settings to choose or why someone would chance from the default options, this guide will explain it all for you. (QUICK NOTE: all you need is the FREE plan.)
Cloudflare settings (video guide)
Can watch either the short (quick settings only) or long video (detailed explanation).
QUICK Cloudflare settings guide
Leave everything on default and check/change the following settings:
- DNS – if enabling proxy, do it only for your domain name and WWW record. Can also be for subdomain as well if it leads to a website. Don’t enable proxy for your control panel or anything that points to an external server.
- SSL/TLS > SSL – set to “Full”.
- SSL/TLS > Always Use HTTPS – ON.
- Automatic HTTPS Rewrites – ON, unless you have some things that still need HTTP.
- Speed > Auto Minify – check all 3 (JS, CSS, HTML).
- Speed > Brotli – ON.
- Speed > Rocket Loader – leave it OFF.
DETAILED Cloudflare settings guide
- Under Attack Mode – usually off. Only enable if you’re getting hacked with tons of fake/bad traffic.
- Development Mode – enable if you’re constantly making design/styling changes to your site. It allows you to see the most recent version, otherwise you might see a cached (outdated) version of your site.
- Domain Registration – use if you registered domains with them.
- Active Subscriptions – choose which plan you want. The FREE is all I ever use.
- API (Zone ID & Account ID) – copy this somewhere as you may have to paste it into your plugins later.
- Pause Cloudflare on Site – I typically don’t use this. If I want to disable Cloudflare, I check off the proxy (to grey cloud) from the DNS page.
- Remove Site from Cloudflare – self explanatory.
How to read this and deciding whether it’s better to have it on vs off.
- Traffic – see your traffic, bandwidth usage, how many users and their location.
- Security – see how many times you’ve been hacked, where they come from, which crawlers/bots.
- Performance – it only shows if you have Argo service enabled.
- DNS – shows how many DNS queries get made.
- Workers – shows if you’re using any workers.
- Shows DNS records – up to you to know what you should have and not have.
- Enable/disable proxy – click the cloud icon to enable proxy (ORANGE) or disable proxy (GREY). The proxy features are the security and performance features. Basically decides whether all the settings you put on the different pages will take effect or not. REMINDER: disable proxy when generating SSL from your web server or webhosting control panel, then can turn it back on afterwards.
- TTL – when having proxy off, I recommend a higher TTL so that your DNS info is cached. Or lower TTL when migrating so that your DNS record changes take effect sooner. This is helpful to migrate without downtimes.
- Custom Nameservers – I never bother with this.
- DNSSEC – I never use this.
- CNAME flattening – I never mess with it.
- SSL – I use “Full” because it uses SSL but isn’t strict about it. I don’t use the “Full (strict)” setting because I hear it increases your SSL handshake times, slowing down every request.
- Edge Certificates – you are fine with the free shared options. Totally fine, you get a secure padlock and all that. But if for whatever reason, you don’t want a shared certificate…you can purchase business plan ($20/month) to upload a custom certificate or just pay $5/month and get a dedicated certificate from Cloudflare. If you don’t know what any of this means, you are fine with the free one!
- Custom Hostnames – I don’t use.
- Origin Certificates – this sounds like such a giant hassle when your web server probably already has free Let’s Encrypt certificates. I don’t waste any time with this.
- Always Use HTTPS – put to ON.
- HTTP Strict Transport Security (HSTS) – I don’t use this. Yes, it theoretically adds better security and speed by enforcing HTTPS on your site but it’s a giant risk if SSL renewal fails for whatever reason (it won’t allow users to visit your without a proper SSL in place). For that reason, I think it’s much much safer off. The busier and more 3rd-party assets you have on your site, the more this might be a risk to use. Then again, it’s not a risk if you know what you’re doing.
- Authenticated Origin Pulls – forces visitors to go through Cloudflare proxy instead of bypassing it. But requires extra configuration at your web server. I don’t use it.
- Minimum TLS version – leave this on the lowest setting for maximum compatibility with most browsers. Only raise it if you need your website to be compliant with certain security requirements for specific industries (health, legal, government, etc).
- Opportunistic Encryption – leave it ON. (It allows TLS for other protocols like HTTP/2.)
- Onion Routing – leave it ON. Protects privacy of Tor network users.
- TLS 1.3 – leave it ON for best security/performance.
- Automatic HTTPS rewrites – leave it ON, unless you have some items that only work on HTTP.
- Disable Universal SSL – only used if you’re planning to have dedicated or custom SSL certificates.
- Overview > Firewall Event – look at the visitors that got blocked (or challenged) by Cloudflare’s security proxy. You can also filter the list to look for certain traffic.
- Managed Rules – enable web application firewall (requires paid service), see explanations of Cloudflares DOS protection.
- Firewall Rules – can create custom rules to block, challenge, or allow specific traffic. I never use much as default Cloudflare rules along with my webserver security has worked just fine.
- Tools > IP Access Rules – allow/block/challenge traffic via IP. This is the place to whitelist your IP if you get challenged a lot from your own site for whatever reason.
- Tools > Rate Limiting – I don’t use it and I think it costs money. It blocks IP’s based on (defined) usage pattern.
- Tools > User Agent Blocking – block certain browsers or applications from accessing your site.
- Tools > Zone Lockdown – limits certain URLs on your site to only the IP’s that you allow. Most commonly used for “admin” or other protected areas of your site.
- Manage access to applications – I don’t use this at all.
- Image Resizing – paid service. Not necessary when you have image plugins already.
- Enhanced HTTP/2 Prioritization – enable if you have the paid plan.
- TCP Turbo – enable if you have the paid plans.
- Auto Minify – check all (JS/CSS/HTML). I love to do this from Cloudflare (using their servers) rather than from my site plugins (which uses resources from my own web server).
- Polish – paid service, but I’m not sure if you’ll like their exact image optimization settings.
- AMP Real URL – for AMP users only. Uses your URL instead of Googles. I think it makes sense to enable, no?
- Railgun – really cool service that really does speed up your site. But it often breaks site style/functionality. Test carefully or if you want to be safe, just don’t use it.
- Brotli – leave it ON to benefit from superior Brotli compression.
- Mirage (BETA) – I don’t have the paid plan but it’s worth a try if you have the paid plan.
- Rocket Loader – I feel this often breaks sites and isn’t worth risking.
- Mobile Redirect – use this if you need it. It’s a nice service since these redirects would be faster from a Cloudflare proxy than from a website plugin.
- Prefetching URLs From HTTP Headers – you should enable it if you have the paid service.
- Purge Cache – can purge your Cloudflare cache from here, if you didn’t already do it from the Overview page or even from a website plugin. Useful for when you make changes to your site (or assets) but Cloudflare is still caching the old version.
- Caching Level – I recommend standard since it’s the safest one that can cache assets with or without query strings.
- Browser Cache Expiration – the default 4-hour setting works fine. But if your site doesn’t change its assets often, picking a longer time (2-8 days) would be better for repeat visitors. I probably wouldn’t go too far above that since any changes might take that much longer to refresh in your user’s browsers.
- Always Online – leaving it ON sounds good.
- Development Mode – temporarily disables the proxy so you can see changes in real time. Don’t forget to purge cache after you re-enable since this feature doesn’t do it.
- Enable Query String Sort – very clever feature that’s extremely beneficial for ecommerce sites caching HTML (via page rule). Allows Cloudflare to cache multiple URLs with same-but-misordered query strings as the same page (since they ARE the same). Great for when you want to cache product-filtering pages so that it doesn’t require exhaustive database lookups on your origin server. Can also be used for other types of pages that alter content depending on the query string.
- This is so freaken cool but I don’t use this at all right now and it shouldn’t concern you at the moment. It’s pretty much advanced stuff you can toy with later when you got lots and lots of time.
- There are a million guides out there of what (and what not) to put here. If you want to be safe, don’t mess with it. Or play at your own risk.
- HTTP/2 – turn it ON if you have the option to.
- HTTP/3 with QUIC (BETA) – I signed up for the waitlist and still waiting. Yes, HTTP/3 is all that and a bag of chips. You should get it as soon as you can.
- IPv6 Compatibility – turn it ON if you can.
- WebSockets – leave it ON.
- Psuedo IPv4 – leave it OFF, unless you need it on.
- IP Geolocation – leave it ON. It allows your server to track country location of visitors coming through Cloudflare’s proxy. Can be useful for content-filtering or security-filtering purposes.
- Maximum Upload Size – left on 100MB for free plans.
- Response Buffering – not available for free plans. Speeds up delivery of many small files.
- True-Client-IP Header – not available for free plan. When enabled, Cloudflare includes yet another header (more convenient for servers) containing the original client IP. Helpful for reporting, content-filtering, or security purposes.
- Argo – Cloudflare premium routing service. Speeds up your DNS times. Many people don’t feel it’s worth it for the price you pay. Probably makes more sense for really large companies.
- Argo Tunnel – used to quickly expose any applications or your network directly to the internet without configuring DNS records or firewall/router.
- Load Balancing – can use Cloudflare’s paid load balancing service. It seems pretty cheap to me considering the complexity of their infrastructure, but I never tried it.
- I don’t know about you but I think their pricing is expensive, although could be more convenient than setting up S3 and Cloudfront and all that. If you’re doing a membership site, just stick to Vimeo PRO.
- Being able to customize all the error pages that are shown to visitors sounds cool, but I don’t need it.
- Oh, I pretty much salivated at the idea of playing with this page. It’s so cool to see many widely-used applications that can be now be integrated with your site through Cloudflare rather than through a WordPress plugin. Why is this such a big deal? It means those plugins will be processed and loaded through Cloudflare’s servers rather than yours. More speed and less load on your server…HOORAY!
- Email Address Obfuscation – hahaha, man they thought of everything! Yes, leave it ON (so bots don’t collect your email off your website).
- Server-side Excludes – one of those ‘good-to-know’ features that I’ll probably never use. Really cool that Cloudflare can exclude desired content from “bad visitors”. I leave it ON but haven’t bothered to exclude anything.
- Hotlink Protection – it’s OFF by default and for good reason. Usually, people don’t mind having their web images linked to and shared by other sites. Part of the reason may be because they don’t want their images “stolen” but more likely, they just don’t want their web-server to take extra load. But that really isn’t such a concern when your static assets are now server by Cloudflare’s servers. I know I prefer having my content exposed and freely shared all over!
HTTP/3 (with QUIC) is not available to enable/disable on the dashboard! Enable? 😉
“0-RTT Connection Resumption
Improves performance for clients who have previously connected to your website.”
Which you forgot to cover (or maybe it wasn’t there when you wrote the guide)
Thanks for the great guide Johnny!
I meant HTTP/3 is NOW available
Yes, more support added recently! Thanks for the update. 🙂
Wonderful Johnny. loved it, cleared all my questions.
very resourceful article
Great guide. Thanks Johnny. A typo confused me for a second though:
“Remote Site from Cloudflare – self explanatory.”
I’m sure it’s supposed to be Remove.
Thank you and fixed!
Cau Lac Bo Vip
Should i turn on gRPC and Onion Routing in Network? Your post doesn’t have these functions
I don’t care about those. Are they PRO settings?
Cau Lac Bo Vip
No. It is Free now. Should i turn it on?
Could you review it?
Thue xe Phu Quoc
I turned on gRPC and off Onion Routing. Onion Routing is improving privacy of the users and enabling more fine-grained protection When you use Tor Browser (may be Speed slow down)
Great post, and very nice.
However, I have question… Google recommends using 6month to 1year Cache Expiration for static files for web browsers Cache but you asked us to set it to 4hrs or 2 to 5 days at most.
Can you explain why your suggestions is better than Google recommendation?
Just want to learn.
An amazing guide Johnny.
Still having confusion about Page rules.
Can you provide some guidance in this aspect, what will be your top 3 choices if working in a free plan.
Any update in the near feature? And perhaps some more advises on using their firewall and pagerules.
I’ll update this soon enough. Thanks for the reminder.
My cloudflare have Railgun. What is it?
Than you so much. 🙂
You nailed, Johnny. Thanks fam
Thanks for the info, keep it up.