A step-by-step guide to configuring Cloudflare settings for WordPress: SSL/TLS, caching, rules, and security, without breaking your admin or login.
Putting Cloudflare in front of a WordPress site is one of the cheapest ways to add a global CDN, a firewall, and DDoS protection at once. The catch is that a handful of default settings are actively wrong for WordPress, and one of them, Flexible SSL, causes more broken sites than any other Cloudflare option. This guide walks through how to configure Cloudflare settings for WordPress the right way: the encryption mode that won't send your site into a redirect loop, the caching setup that speeds up pages without freezing wp-admin, and the security rules that protect your login without locking you out.
Cloudflare has also changed how a lot of this works. Page Rules, which nearly every older tutorial tells you to use, are now deprecated in favor of separate Cache Rules, Configuration Rules, and Redirect Rules. Where a setting has moved, this guide points to the current location and flags where the exact screen depends on your plan or on whether your zone has been migrated to newer features.
TL;DR
- Set SSL/TLS encryption mode to Full (Strict) and enable Always Use HTTPS. Never use Flexible; it is the top cause of "Too Many Redirects" on WordPress.
- Your origin needs a valid certificate for Full (Strict). Use your host's free Let's Encrypt certificate, or generate a Cloudflare Origin CA certificate if your host doesn't provide one.
- Leave caching on Standard and add a Cache Rule to bypass cache for
/wp-admin/*and/wp-login.phpso the dashboard and login stay dynamic.- Page Rules are deprecated. Use Cache Rules for caching, Configuration Rules for per-URL settings, and Redirect Rules for forwarding.
- For per-page HTML caching, consider Cloudflare APO (a $5/month add-on on the Free plan, included on paid plans), driven by the official Cloudflare plugin.
- Run only one cache integration. If a page-cache plugin already manages Cloudflare, don't duplicate it with the Cloudflare plugin.
Before you touch any Cloudflare settings, make sure you have the following in place:
*.magicwp.dev domain and on any custom domain, so the origin already has a trusted certificate. If your host doesn't provide one, you'll generate a Cloudflare Origin certificate in Step 2.Important: Point your nameservers and confirm the zone is Active before configuring SSL. Changing the encryption mode while DNS is still resolving to your old setup can produce confusing, intermittent errors.
In your Cloudflare DNS settings, each record has a toggle shown as an orange or grey cloud. An orange cloud (Proxied) routes that hostname's traffic through Cloudflare, which is what enables caching, the firewall, and HTTPS at the edge. A grey cloud (DNS only) means Cloudflare just answers DNS and traffic goes straight to your origin.
For a normal WordPress site you want the root record (@) and the www record proxied (orange). Records that should usually stay DNS only (grey) include your mail (MX) records and anything that needs to reach the origin directly, such as a record used for domain validation or a service that doesn't work behind a proxy.
This matters because every setting later in this guide only applies to proxied traffic. If your site is grey-clouded, Cloudflare is doing nothing but DNS, and none of the SSL, cache, or security settings below take effect.
This is the single most important setting, and the one most often set wrong. The encryption mode controls how Cloudflare connects to your origin server. Cloudflare offers four modes: Off, Flexible, Full, and Full (Strict).
| Mode | Browser to Cloudflare | Cloudflare to origin | Use for WordPress? |
|---|---|---|---|
| Off | Not encrypted | Not encrypted | No |
| Flexible | Encrypted | Not encrypted | No (causes redirect loops) |
| Full | Encrypted | Encrypted, certificate not validated | Only as a fallback |
| Full (Strict) | Encrypted | Encrypted and validated | Yes |
Use Full (Strict). It encrypts both legs of the connection and verifies that your origin's certificate is real, which is the only mode that prevents a man-in-the-middle between Cloudflare and your host. Cloudflare's own documentation recommends Full or Full (Strict) whenever feasible and warns against Flexible for any site that handles sensitive data, which includes anything with a login. WordPress has a login.
Avoid Flexible. In Flexible mode, Cloudflare talks to your origin over plain HTTP while telling the visitor's browser the page is HTTPS. WordPress sees an insecure request, tries to redirect to HTTPS, Cloudflare sends another HTTP request to the origin, and you get an infinite loop, the classic ERR_TOO_MANY_REDIRECTS error. This is the most common Cloudflare support issue for WordPress, and the fix is almost always switching to Full (Strict).
To set it:
Note: Cloudflare is rolling out an Automatic SSL/TLS option that probes your origin and picks the safest mode for you. If your dashboard shows Automatic and Custom SSL/TLS choices, you can either let Automatic manage it (it will not downgrade you to a less secure mode) or select Custom and set Full (Strict) yourself. If your zone hasn't been migrated, you'll only see the classic Custom options. Both paths lead to the same recommended result.
If the page errors out the moment you switch, your origin either has no certificate or one Cloudflare doesn't trust (Cloudflare Error 525 is an SSL handshake failure). You have two options:
Once encryption is correct, force every request onto HTTPS at the edge.
With Full (Strict) plus Always Use HTTPS handling the redirect at the edge, you can remove any HTTP-to-HTTPS redirect from your origin's server config or from a plugin. One redirect is enough; stacking two is another way to create a loop.
A few other Edge Certificate settings worth setting on the same screen:
http:// references to https:// for resources Cloudflare recognizes, which fixes many "mixed content" padlock warnings without a plugin.max-age of at least six months with subdomains included, and preload left off until you're sure.Important: Verify each change in a private browser window before moving on. Load the homepage and the login page over HTTPS. If you see a redirect loop, revisit the encryption mode in Step 2 before changing anything else.
Cloudflare caches your static assets (images, CSS, JavaScript) automatically once traffic is proxied. The default Caching Level: Standard is correct for most WordPress sites, and by default Cloudflare does not cache HTML, which is what keeps dynamic pages, logged-in sessions, and the admin area working.
Under Caching > Configuration you'll also find:
Cache-Control headers; otherwise a fixed value works.Even though HTML isn't cached by default, it's worth adding an explicit rule so that a future "cache everything" experiment, yours or a plugin's, can't accidentally cache logged-in pages. This is where the modern Rules products come in.
Page Rules are deprecated. Older guides tell you to create a Page Rule with "Cache Level: Bypass" for the admin area. Cloudflare has replaced Page Rules with separate products and is moving toward ending their life. Use a Cache Rule instead.
To bypass cache for the dashboard and login:
/wp-admin/ or equals /wp-login.php. In the Expression Editor this looks like:(http.request.uri.path contains "/wp-admin/") or (http.request.uri.path eq "/wp-login.php")
One behavior change worth knowing: in Cache Rules, choosing "Eligible for cache" turns on Cache Everything by default, so be deliberate about which rule does what. Modern Rules are also stackable and evaluated in a fixed order (Origin Rules, then Cache Rules, then Configuration Rules, then Redirects), and they take precedence over any legacy Page Rules still on the zone.
For WooCommerce or membership sites, the same principle extends further: cart, checkout, and account pages must never be served from a shared HTML cache. If you enable full-page caching (via APO or a plugin), confirm those paths are excluded.
Under Speed > Optimization and the caching screens, Cloudflare offers several toggles. Most are safe; a couple need judgment.
If you need to change one of these settings for only part of the site, that's now a job for Configuration Rules, which replace the old Page Rules that toggled features per URL. For example, you can raise the Security Level or disable Rocket Loader for a specific path there.
Cloudflare's security features protect WordPress from bot traffic, credential-stuffing attempts against wp-login.php, and DDoS attacks. What's available depends heavily on your plan.
/wp-login.php, the current recommendation is WAF Custom Rules, which support finer conditions like bot scoring and cookie exceptions. Common uses: challenge or rate-limit requests to wp-login.php, and block or challenge xmlrpc.php if you don't use it (many sites don't, and it's a frequent brute-force target). Verify your own usage first; some plugins and the Jetpack app rely on XML-RPC.Cloudflare's security is a layer on top of, not a replacement for, host-level protection. On MagicWP, managed security already includes a WAF, malware scanning, isolated containers, and automatic core updates with rollback, so Cloudflare's rules complement what the platform provides rather than being your only line of defense.
Note: If you enable an aggressive challenge on login paths, test that you can still log in from your own network before you close the tab. Locking yourself out is easy to do and annoying to undo.
The official Cloudflare WordPress plugin does two useful things: it purges the Cloudflare cache automatically when you publish or update content, and it lets you toggle Automatic Platform Optimization (APO).
APO is the feature that makes Cloudflare genuinely fast for WordPress rather than just a static-asset CDN. It caches your full HTML pages at Cloudflare's edge and serves them without hitting your origin, which flattens time-to-first-byte for visitors worldwide. APO caches content for up to 30 days and invalidates within about 30 seconds of a change when the plugin is installed, so you don't need to hand-build edge-cache rules for it.
Pricing, which you should confirm as it can change: APO is a $5/month add-on on Cloudflare's Free plan and is included at no extra cost on paid plans (Pro, Business, Enterprise). To enable it, install the plugin, authenticate it with a Cloudflare API token, and turn on APO from the plugin or the Speed > Optimization screen.
Two important cautions:
Also note: Cloudflare has signaled it doesn't intend to actively maintain this plugin long-term. It still works and is the supported way to enable APO today, but keep an eye on its status and treat plugin details as version-dependent.
Before you consider the configuration done, verify it end to end:
curl -svo /dev/null -A "CF" 'https://<example.com>/' -H 'accept: text/html' 2>&1 | grep 'cf-cache-status\|cf-edge-cache\|cf-apo-via'
Seeing cf-cache-status, cf-edge-cache, and cf-apo-via headers means APO is serving pages from the edge.
If something breaks and you need to isolate whether Cloudflare is the cause, the fastest test is to grey-cloud the record (turn off the orange cloud) in DNS temporarily. Traffic goes straight to your origin, Cloudflare's settings stop applying, and you can tell in seconds whether the problem is at the edge or on your server. Re-enable the orange cloud once you've found it. For content that got cached wrongly, use Caching > Configuration > Purge Everything to clear the edge cache.
Getting Cloudflare settings right for WordPress comes down to a short list of decisions that matter far more than the dozens of toggles in the dashboard. Set the encryption mode to Full (Strict) with a valid origin certificate, force HTTPS at the edge, keep /wp-admin/ and /wp-login.php out of the cache with a modern Cache Rule, and lean on Configuration Rules and WAF Custom Rules instead of the deprecated Page Rules. Add APO through the official plugin if you want true edge HTML caching, and never run two cache integrations at once. Test over HTTPS and confirm you can still log in before you walk away.
Because Cloudflare keeps moving features between screens and plans, treat any exact menu path or price here as something to re-check against the current dashboard and official documentation, and date this configuration so you can revisit it.
Cloudflare handles the edge; your host handles the origin, and the two work best when the origin is fast and secure to begin with. If you'd rather not manage certificates, WAF rules, and backups by hand, MagicWP gives every site free HTTPS, a managed WAF, isolated containers, and daily off-site backups with one-click restore out of the box, so Cloudflare becomes an enhancement rather than a crutch.
Monthly engineering notes, product updates, and WordPress performance tips. No spam, unsubscribe anytime.