Cloudflare + WordPress Setup Guide 2026 (The Right Way)

Configure Cloudflare for WordPress correctly: SSL mode, cache rules, WooCommerce bypass, firewall rules, and settings that break WordPress if wrong.

Dobromir Dechev, WordPress agency owner

Quick answer

Set Cloudflare SSL to Full (Strict) — never Flexible — add cache bypass rules for wp-admin and WooCommerce cart/checkout, disable Rocket Loader, and enable Polish for automatic WebP conversion. These five steps cover 90% of what matters.

Cloudflare is the easiest performance and security win available for a WordPress site — a free CDN, DDoS protection, and SSL with a 5-minute DNS change. But several Cloudflare settings actively break WordPress if configured incorrectly, and the documentation doesn't make this obvious.

This guide covers the correct setup for WordPress (and WooCommerce) — what to enable, what to disable, and why.


Step 1: Add your site to Cloudflare

  1. Create a free account at cloudflare.com
  2. Add your domain under "Add a Site"
  3. Cloudflare scans your existing DNS records — verify they're imported correctly
  4. Update your domain's nameservers at your registrar to Cloudflare's nameservers (shown in setup)
  5. DNS propagation takes 5–30 minutes

After nameserver change, all traffic routes through Cloudflare before reaching your origin server.


Step 2: Set SSL/TLS mode — this is critical

Go to SSL/TLS > Overview and set the encryption mode.

Use: Full (Strict)

Never use: Flexible

Here is why this matters:

Flexible SSL encrypts traffic between the visitor and Cloudflare, but Cloudflare then sends plain HTTP to your origin server, so WordPress only ever sees HTTP requests. If WordPress or your server is configured to redirect HTTP to HTTPS (which it should be), it answers Cloudflare's request with a redirect to HTTPS. Cloudflare fetches the page again, over HTTP again, and gets the same redirect. The result is an infinite redirect loop (ERR_TOO_MANY_REDIRECTS).

Full SSL encrypts all the way to your server but doesn't validate your origin certificate, so any certificate the origin presents (including a self-signed or expired one) is accepted. It works, but it is less secure.

Full (Strict) encrypts end-to-end and validates your origin SSL certificate. This is the correct setting. Your hosting provider already gives you a free Let's Encrypt certificate — use it.

If your SSL certificate isn't set up on the origin server yet, use Cloudflare's Origin Certificate (under SSL/TLS > Origin Server) — a free certificate specifically for the Cloudflare-to-origin connection.


Step 3: Configure caching

Cloudflare caches static assets (CSS, JS, images) by default. For WordPress, you need to be more deliberate about what gets cached and what doesn't.

What Cloudflare should cache

Static assets: images, fonts, CSS, JavaScript. Cloudflare handles these automatically based on file extension.

What Cloudflare should NOT cache for WordPress

Dynamic WordPress pages (containing Set-Cookie headers or logged-in session data) should bypass Cloudflare's cache and be served directly from your origin server's own caching layer (WP Rocket, LiteSpeed Cache, etc.).

Cache Rules for WordPress

Go to Caching > Cache Rules and create rules in this order:

Rule 1 — Bypass cache for wp-admin and logged-in users

Expression:

(http.request.uri.path contains "/wp-admin/") or
(http.request.uri.path contains "/wp-login.php") or
(http.cookie contains "wordpress_logged_in") or
(http.cookie contains "wordpress_sec")

Action: Bypass cache

Rule 2 — Bypass cache for WooCommerce (if applicable)

Expression:

(http.request.uri.path contains "/cart/") or
(http.request.uri.path contains "/checkout/") or
(http.request.uri.path contains "/my-account/") or
(http.cookie contains "woocommerce_items_in_cart") or
(http.cookie contains "woocommerce_cart_hash")

Action: Bypass cache

Without the WooCommerce rule, Cloudflare can cache a user's cart page and serve it to a different user — this is a serious data issue, not just a UX problem.


Step 4: Disable Rocket Loader

Go to Speed > Optimization > Content Optimization.

Disable Rocket Loader.

Rocket Loader rewrites how JavaScript loads on your page. It conflicts with a significant number of WordPress plugins — page builders, form plugins, sliders, and anything with complex JS initialisation. The errors are often intermittent and difficult to diagnose.

Your WordPress caching plugin (WP Rocket, LiteSpeed Cache) handles JavaScript deferral and optimisation more reliably. Let it handle JS — disable Cloudflare's version.


Step 5: Configure Speed settings

In Speed > Optimization:

Auto Minify: Disable all (JavaScript, CSS, HTML)

Same reason as Rocket Loader — your caching plugin handles this better. Double-minifying assets (once by Cloudflare, once by WP Rocket) can break things.

Polish: Enable

Polish converts images to WebP format automatically for browsers that support it. This is a free performance gain — enable it. Use "Lossy" for photos, "Lossless" for graphics with text.

Mirage: Only if needed

Mirage optimises image loading for mobile networks. Worth enabling on image-heavy sites but has minimal impact on already-optimised WordPress sites using lazy loading.


Step 6: Firewall rules

Go to Security > WAF (on free plan: Security > Tools).

Block xmlrpc.php

WordPress's XML-RPC endpoint (/xmlrpc.php) is a common attack vector for brute-force and DDoS amplification. Block it unless you have a specific integration that requires it (Jetpack uses it, for example).

(http.request.uri.path eq "/xmlrpc.php")

Action: Block

Block wp-login.php brute force

Rate-limit login attempts to 5 per minute per IP:

(http.request.uri.path eq "/wp-login.php")

Action: Rate limit (5 requests per 1 minute per IP)

Block user enumeration

WordPress author archive URLs (/?author=1) can reveal usernames. Block them:

(http.request.uri.query contains "author=" and not (http.request.uri.path contains "/wp-admin/"))

Action: Block


Step 7: Always Use HTTPS

Go to SSL/TLS > Edge Certificates and enable:

  • Always Use HTTPS: Redirects all HTTP requests to HTTPS at Cloudflare edge level
  • Automatic HTTPS Rewrites: Fixes mixed content by rewriting HTTP asset URLs to HTTPS

With these enabled, you can remove the HTTP-to-HTTPS redirect from your .htaccess (or keep both — they're redundant but harmless).


Step 8: Verify setup

After configuring everything:

Check response headers using browser DevTools (Network tab). Look for:

  • cf-cache-status: HIT on static assets (images, CSS, JS)
  • cf-cache-status: BYPASS on wp-admin and WooCommerce cart pages
  • x-content-type-options header present (Cloudflare adds this)

Test redirect behaviour:

  • http://yourdomain.com should 301 to https://yourdomain.com
  • No redirect loops

Test WooCommerce cart (if applicable):

  • Add an item to cart, load the cart page, verify it shows the correct item
  • Load the cart URL in a different browser (no session) — it should be empty
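The header and redirect checks listed above, scripted with curl as an added example that is not part of the original guide. It assumes curl is installed, that the hostname passed as the first argument is your own site, and that the Step 6 user-enumeration rule is deployed (the author=1 probe expects a 403).

```shell
#!/bin/sh
# Added verification script for Step 8 (not part of the original guide). It reads
# Cloudflare's response headers and checks the cache and redirect behaviour the
# guide expects. Assumes curl and $1 = your own hostname (placeholder, e.g. example.com).

# Print one header value from a raw header block, case-insensitively, tolerating CRLF.
# Usage: header_value "$headers" cf-cache-status
header_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -v n="$2:" 'tolower($1) == tolower(n) { print $2; exit }'
}

# Print the status code from the first status line, e.g. "301" (HTTP/1.1 or HTTP/2).
status_code() {
  printf '%s\n' "$1" | tr -d '\r' | awk '/^HTTP\// { print $2; exit }'
}

# Compare cf-cache-status with the expectation for a path. A static asset may show
# MISS on the first request (the edge has not stored it yet); a dynamic page must be
# BYPASS, because HIT there means the cache rule is not matching the request.
check_cache() {   # $1 = headers, $2 = HIT or BYPASS; prints ok/FAIL, returns 0/1
  got=$(header_value "$1" cf-cache-status | tr '[:lower:]' '[:upper:]')
  case "$2:$got" in
    HIT:HIT|HIT:MISS|BYPASS:BYPASS) echo ok; return 0 ;;
    *) echo "FAIL (expected $2, got ${got:-no cf-cache-status header})"; return 1 ;;
  esac
}

# Live checks. dashicons.min.css ships with every WordPress install, so it is a safe
# static probe; the dynamic probes are the paths the Step 3 bypass rules cover.
verify_site() {
  host=$1; fail=0
  # Plain HTTP must answer with a single 301 to HTTPS; --max-redirs turns a loop into an error.
  [ "$(status_code "$(curl -sI "http://$host/")")" = "301" ] || { echo "http->https redirect: FAIL"; fail=1; }
  curl -sIL --max-redirs 3 -o /dev/null "http://$host/" || { echo "redirect loop suspected"; fail=1; }
  for probe in "/wp-includes/css/dashicons.min.css:HIT" "/wp-login.php:BYPASS" \
               "/cart/:BYPASS" "/my-account/:BYPASS"; do
    path=${probe%%:*}; want=${probe##*:}
    printf '%-40s ' "$path"; check_cache "$(curl -sI "https://$host$path")" "$want" || fail=1
  done
  # The user-enumeration rule from Step 6 should answer this probe with 403.
  [ "$(status_code "$(curl -sI "https://$host/?author=1")")" = "403" ] || { echo "author enumeration block: FAIL"; fail=1; }
  return "$fail"
}

if [ -n "${1:-}" ]; then verify_site "$1"; fi
```

A non-zero exit status means at least one check failed; the cart cross-session test still has to be done by hand in a second browser, as described above.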

Common problems and fixes

ERR_TOO_MANY_REDIRECTS

Cause: Flexible SSL mode + WordPress configured to force HTTPS
Fix: Change SSL/TLS to Full (Strict)

wp-admin loads slowly or breaks after login

Cause: Cache rule not bypassing wp-admin, or a cookie isn't matching the bypass rule
Fix: Verify your bypass cache rule includes the wordpress_logged_in cookie

Images not converting to WebP

Cause: Polish is disabled or set to "Off"
Fix: Enable Polish > Lossy in Speed settings. Check browser DevTools to confirm content-type: image/webp on image responses

WordPress login creates redirect loop

Cause: Missing cookie in bypass rule — the wordpress_sec cookie is set before wordpress_logged_in during login
Fix: Add both wordpress_sec and wordpress_logged_in to your bypass rule

Page builder preview breaks

Cause: Rocket Loader interfering with builder JavaScript
Fix: Disable Rocket Loader


The minimal correct setup summary

Five things that cover 90% of what matters:

  1. SSL/TLS: Full (Strict) — never Flexible
  2. Cache bypass rules for wp-admin, wp-login, logged-in cookies
  3. WooCommerce cache bypass for cart/checkout cookies
  4. Rocket Loader: Off — let your caching plugin handle JS
  5. Polish: Lossy — automatic WebP conversion

Everything else is refinement.


Frequently Asked Questions

What SSL mode should I use for Cloudflare with WordPress?

Always use Full (Strict). This encrypts traffic between Cloudflare and your origin server and validates your server's SSL certificate. Flexible SSL only encrypts between the visitor and Cloudflare — traffic to your server is unencrypted, and many WordPress configurations will create infinite redirect loops when Flexible is enabled.

Does Cloudflare's free plan work well with WordPress?

Yes. The free plan includes the CDN, DDoS protection, SSL, and the cache and firewall rules needed for a well-configured WordPress site. Paid plans add more advanced features (custom cache TTLs, image resizing, Workers), but the free plan handles the vast majority of WordPress use cases.

Should I enable Rocket Loader for WordPress?

No. Disable Rocket Loader for WordPress sites. Rocket Loader rewrites JavaScript loading in a way that frequently conflicts with WordPress plugins — particularly page builders, sliders, and form plugins. The performance gains from your caching plugin's own JS optimisation are more reliable.

How do I configure Cloudflare for WooCommerce?

Add a Cache Rule to bypass Cloudflare's cache for URLs containing /cart/, /checkout/, /my-account/, and any page with a woocommerce_items_in_cart cookie. Without this bypass, Cloudflare can serve a cached version of the cart to different users — displaying one customer's cart to another.

Why am I getting a redirect loop after enabling Cloudflare?

You're using Flexible SSL mode. WordPress detects HTTPS from Cloudflare but your server sends HTTP, and WordPress redirects back to HTTPS, creating an infinite loop. Change SSL/TLS mode to Full or Full (Strict) to fix it immediately.
