Best CloudFlare Settings For WordPress

These days, CloudFlare is almost universally well known among tech-savvy WordPress servers and web performance geeks. However, many users don’t realize how important it is to optimize all the settings. Many users will simply enable CloudFlare and then leave it, and then wonder why they are having some performance issues later on.

This blog post is an exhaustive list of all the settings you should change in CloudFlare when running SlickStack — however, nearly all of these recommendations apply for any other WordPress sites too, even if they are not running on Nginx (LEMP stacks).

  • DNS: Ensure you are using A records (IPv4) and AAAA records (IPv6) when pointing your domain to the origin server (SlickStack server). In some dynamic setups, using CNAMES can be recommendable but the truth remains that performance can be a bit slower than A records. Plus, with the advent of Anycast DNS technology which enables practically real-time DNS changes, there really isn’t a need for CNAMES to be used for pointing to your origin server.
    • DNSSEC = enabled
    • CNAME Flattening = Flatten all CNAMES at root
  • SSL/TLS: When running SlickStack, or any other HTTPS-only stack, it is critical to set your SSL status in CloudFlare to “Full” and never “Flexible”. This is because redirect loops will happen if you set this setting to “Flexible” as CloudFlare’s proxy servers are trying to allow your website to load on both HTTP and HTTPS (but SlickStack force redirects all URIs to the HTTPS version).
    • Always Use HTTPS = enabled
    • HSTS = disabled (safer to enable in Nginx, SlickStack does this)
    • Authenticated Origin Pulls = disabled
    • Minimum TLS Version = 1.1
    • Opportunistic Encryption = enabled
    • Onion Routing = enabled
    • TLS 1.3 = enabled
    • Automattic HTTPS Rewrites = enabled
    • Certificate Transparency Monitoring = enabled

 

…more coming soon, check back!

P.S. while there is an official WordPress plugin now from CloudFlare, it is very janky and is mostly just an iFrame that opens cloudflare.com. Also many of their “recommended” settings are actually a bad idea for most WordPress stacks.

Leave a Comment