No items found.
Offering preview picture

How to Perfectly Tune Cloudflare for WordPress

Cloudflare and WordPress go together like macaroni and cheese. This guide will show you how to maximize your WordPress performance through Cloudflare configuration.

Cloudflare and WordPress logo with wording "Best Settings"

Cloudflare and WordPress go together like macaroni and cheese. Surprisingly, many people aren't putting them together - thier loss. Well, actually, it's their visitors' loss too.

Without Cloudflare, WordPress is slower and more vulnerable.

Now let's go over the best way to configure Cloudflare to jibe well with WordPress to get the best performance and security.

Watch my video or read ahead below. Or don't. You can do whatever you want.


For starters, your DNS needs to be managed by Cloudflare. Ensure that's the case and make sure the "clouds are orange," meaning traffic is proxied through Cloudflare.

Orange clouds mean your traffic goes through Cloudflare functionality beyond the DNS (which points the visitor to the right server).

Now that the traffic can use Cloudflare features let's go over which features to configure.

Firewall 🔥🧱

A firewall is a barrier that sits between the server and the visitor that analyzes traffic and lets the good ones through.

WordPress is the most popular and hacked CMS on the internet so it's up to us to protect it from malicious traffic.

Cloudflare makes the defense super easy. Let's dive in.

Firewall Rules

Head over to "Firewall" then "Firewall Rules". We are going to add a rule that blocks traffic to the login page if they can't pass the challenge. Many hackers target the login page with automated bots. Blocking them will improve performance and reduce security threats. There are multiple effective ways to go about this.

First, add a rule and call it something like "Block Bots from Login Page". Second set field to "URI Path", operator is set to "contains", and value is "wp-login.php". Third, choose the action "Challange (Captcha)".

While we are at it, let's block people from using xmlrcp.php. Just like the login, hackers target this feature. Unlike the login, we don't need this, so instead of providing a challenge, we can block it altogether. Add another rule, call it "Block xmlrcp.php", set field to "URI Path", operator to "contains", and value to "xmlrcp.php". Then for the action, set it to "block". Adding this rule will prevent all traffic from hitting this file.

Next, go over to Settings in the top right and change "Challange Passage" to 1 month. Doing this will hide the challenge from you for one month after completing it. The challenge will continue to show for other people.

Managed Rules

Managed Rules are pre-configured by Cloudflare to look for specific exploits and stop them before they hit your server.

Here's what you need to ensure is enabled:

  • Cloudflare Php
  • Cloudflare Specials
  • Cloudflare WordPress

Keep everything else as it was (whether it was on or off) unless you know there is one you need specific to your website.


Go to "Speed" then "Optimization" and do the following to make your WordPress website faster.


Enable Lossy image compression to reduce the file sizes of your images. The difference is negligible to the eyes but impactful to performance.

Also, enable WebP, which is an alternative image format to JPG and PNG. The format boasts smaller file sizes.

Auto Minify

Code is written in a human consumable way which involves a lot of line breaks and spaces. Consequently, code interpreters (e.g. your web browser) take longer to go through the code.

Minifying code puts all the code on one line and removes unnecessary spaces and line breaks. Doing this reduces the file size and improves the interpretation speed of web browsers.

Minify JavaScript, CSS, HTML

Note: Purge cache in Cloudflare and check your website after. Minifying JavaScript sometimes causes issues.


Enable Brotli for faster delivery of web pages.


APO, or Automatic Platform Optimizations, are many pre-configured options and features built specifically for WordPress optimization. You must be on the $20/month paid tier and install the corresponding WordPress plugin.

Once you do that:

  • Enable APO in Cloudflare
  • Enable Cache by Device Type
  • Enable Mirage
  • Optionally enable Rocket Loader if you use a lot of JavaScript


Lastly, let's configure caching in Cloudflare to get the best performance out of WordPress.

Go to Caching, then Configuration, and modify "Browser Cache TTL". If your website updates content frequently, I recommend a lower time, such as four hours. Static websites can have higher times, such as one month or higher.

Bang bang!

That's how you configure Cloudflare for optimal WordPress performance. Want me to do this for you? Reach out, and I'll set it up!

Offering preview picture
No items found.