CloudFlare for WordPress

Cloudflare is a content delivery network (CDN) and security service that sits between your visitors and your hosting server. It can speed up your site by caching static content on servers around the world, and it can block malicious traffic before it reaches your account. As a Cloudflare Certified Hosting Partner, Ultra Web Hosting offers streamlined Cloudflare integration directly from cPanel. This guide walks you through signup, setup, recommended settings, and some important things to watch out for.

01. What Cloudflare Actually Does

Cloudflare works as a reverse proxy. Instead of visitors connecting directly to your server, they connect to the nearest Cloudflare data center (they have 300+ worldwide). Cloudflare then serves cached content when it can, and forwards requests to your server when it needs fresh content. This does two things:

• Performance - Static files like images, CSS, and JavaScript are served from Cloudflare's edge servers, which are typically closer to your visitors than your origin server. This reduces latency and takes load off your hosting account.
• Security - Cloudflare filters traffic before it reaches your server. Their free plan includes basic DDoS protection, a web application firewall (WAF), bot management, and SSL/TLS encryption.

Think of it as a security guard and a valet at the front door of your website. Most legitimate visitors won't even notice it's there, but the bad actors get turned away before they can cause problems.

02. Free vs Paid Plans: What You Get

Cloudflare's free plan is genuinely useful, and most shared hosting customers don't need to pay for anything beyond it. Here's a quick breakdown:

Free Plan (recommended for most sites)

• Global CDN with caching for static assets
• Universal SSL certificate (shared)
• Basic DDoS protection
• 5 Page Rules
• Basic bot management
• DNS management with fast propagation
• Limited WAF rules

Pro Plan ($20/month)

• Everything in Free, plus image optimization (Polish, Mirage)
• Mobile optimization
• Enhanced WAF with more managed rulesets
• 20 Page Rules
• Better analytics

04. Setup via Cloudflare.com Directly

If you prefer to manage Cloudflare separately from cPanel, or if you want access to all Cloudflare dashboard features, you can sign up directly at cloudflare.com. This method requires changing your domain's nameservers.

1. Create an account at cloudflare.com and click "Add a Site." Enter your domain name.
2. Select your plan. Choose Free unless you need Pro features.
3. Review DNS records. Cloudflare will scan your current DNS and import what it finds. Double-check that your A record, CNAME records, and MX records (for email) are all present and correct. Your A record should point to your server IP, which you can find in cPanel under "Server Information."
4. Change your nameservers. Cloudflare will give you two nameservers (like aria.ns.cloudflare.com and chad.ns.cloudflare.com). Update these at your domain registrar. If your domain is registered with us, you can update nameservers through your Client Area under Domains.
5. Wait for propagation. Nameserver changes can take up to 24-48 hours to fully propagate, though most complete within a few hours. Cloudflare will email you once the domain is active on their network.

06. Recommended Settings for Shared Hosting

After activating Cloudflare, these are the settings we recommend for sites hosted on our shared hosting plans:

SSL/TLS

• Encryption mode: Full (Strict)
• Always Use HTTPS: On
• Automatic HTTPS Rewrites: On (fixes mixed content issues)
• Minimum TLS Version: TLS 1.2

Speed

• Auto Minify: Enable for JavaScript, CSS, and HTML
• Brotli compression: On
• Early Hints: On
• HTTP/2 and HTTP/3: On (enabled by default)

Caching

• Caching Level: Standard
• Browser Cache TTL: Respect Existing Headers (lets your .htaccess expires rules take effect)
• Always Online: On (shows a cached version if your server goes down temporarily)

Security

• Security Level: Medium (Low if you're getting false positives, High if under attack)
• Challenge Passage: 30 minutes
• Browser Integrity Check: On

07. WordPress-Specific Configuration

If you're running WordPress, there are a few extra things to set up for the best experience:

Install the Cloudflare WordPress Plugin

The official Cloudflare plugin optimizes your WordPress settings for Cloudflare and lets you purge the cache from your WordPress dashboard. Install it from Plugins > Add New and connect it with your Cloudflare API token.

Set Up a Page Rule for wp-admin

Your WordPress admin area should never be cached by Cloudflare. If it is, you'll see stale data, form submission errors, and login issues. Create a Page Rule:

• URL pattern: yourdomain.com/wp-admin/*
• Settings: Cache Level = Bypass, Disable Performance, Security Level = High

Purge Cache After Updates

Whenever you update your theme, change CSS, or publish significant content changes, purge Cloudflare's cache so visitors see the new version. You can do this from the Cloudflare plugin in WordPress, or from the Cloudflare dashboard under Caching > Purge Everything.

Restoring Real Visitor IPs

Because Cloudflare acts as a proxy, your server logs and WordPress plugins will show Cloudflare's IP addresses instead of your actual visitors' IPs. Our servers already have the mod_remoteip module configured to restore real visitor IPs, so this should work automatically. If you notice analytics plugins showing unusual traffic patterns, make sure the Cloudflare WordPress plugin is active, as it also helps restore visitor IPs at the application level.

08. Useful Page Rules

Cloudflare's free plan includes 3 Page Rules. Here are the ones we recommend:

Rule 1: Bypass Cache for WordPress Admin

• URL: *yourdomain.com/wp-admin/*
• Setting: Cache Level = Bypass

Rule 2: Bypass Cache for WooCommerce

If you run a WooCommerce store:

• URL: *yourdomain.com/cart/* or *yourdomain.com/checkout/*
• Setting: Cache Level = Bypass

Rule 3: Force HTTPS

• URL: http://*yourdomain.com/*
• Setting: Always Use HTTPS

09. Honest Shortfalls and Things to Watch

Cloudflare is a great tool, but it's not a magic bullet. Here are some real-world issues we've seen that you should know about before enabling it:

It won't fix a slow site

Cloudflare speeds up delivery of static files like images and CSS, but it doesn't fix the root cause of a slow WordPress site. If your site is slow because of bloated plugins, unoptimized database queries, or no page caching, Cloudflare will just be a faster delivery truck for a slow kitchen. Fix the fundamentals first (see our WordPress Performance guide), then add Cloudflare on top.

Dynamic content isn't cached

WooCommerce cart pages, logged-in user dashboards, checkout flows, forum threads, and any personalized content are not cached by Cloudflare. These pages still hit your server on every request. If your site is primarily dynamic, the CDN benefit is smaller than you might expect.

Aggressive caching can show stale content

If you update your site and visitors are still seeing the old version, Cloudflare's cache is the likely reason. Get in the habit of purging cache after making changes, or use the "Development Mode" toggle in Cloudflare which temporarily bypasses the cache for 3 hours.

The free plan's WAF has limits

The free tier WAF blocks common threats, but it's not as comprehensive as what you get with the paid plans. Don't rely on Cloudflare's free WAF as your only security layer. Your Ultra hosting account already includes Imunify360 and ModSecurity with OWASP rules, and we recommend adding BBQ Firewall at the WordPress level for defense in depth. See our WordPress Security guide for the full picture.

DNS changes take time

If you set up Cloudflare by changing nameservers (the direct method), DNS propagation can take several hours. During this time, some visitors may reach Cloudflare while others still go directly to your server. This is normal but can be confusing when troubleshooting.

It can mask your real server IP

This is actually a security feature, but it complicates troubleshooting. If you're investigating slow load times, server errors, or connectivity issues, you may need to temporarily "pause" Cloudflare (gray-cloud the DNS record) to test your server directly.

Cloudflare outages affect your site

When you put Cloudflare in front of your site, you're adding a dependency. If Cloudflare has an outage (and they've had several notable ones), your site goes down even if your server is perfectly healthy. The "Always Online" feature can display a cached version during brief Cloudflare outages, but it's not a guarantee.

Flexible SSL creates real problems

We can't stress this enough. If you set the SSL mode to "Flexible," you'll get encryption between the visitor and Cloudflare, but the connection between Cloudflare and your server is unencrypted. This creates redirect loops on sites that force HTTPS, and it's also a security gap. Always use "Full (Strict)" since your Ultra hosting account already has a valid SSL certificate.

10. Common Cloudflare Errors and Fixes

Error 520: Web Server Is Returning an Unknown Error

This means Cloudflare connected to your server but received an empty or unexpected response. Common causes: a PHP fatal error, a plugin crash, or your .htaccess file blocking Cloudflare's IPs. Check your server error logs in cPanel > Error Log.

Error 521: Web Server Is Down

Cloudflare can't reach your server at all. Either the server is actually down, or your firewall is blocking Cloudflare's IP ranges. Our server firewall (CSF) already has Cloudflare's IPs whitelisted, so if you're seeing this, open a support ticket and we'll investigate.

Error 522: Connection Timed Out

Cloudflare started connecting to your server but the connection timed out before completing. This usually means your server is overloaded, or there's a network issue. On shared hosting, resource limit hits during a traffic spike are the most common cause. If this happens regularly, it may be time to consider upgrading to our WordPress Optimized or VPS plan.

Error 526: Invalid SSL Certificate

This appears when SSL mode is set to "Full (Strict)" but your server's SSL certificate has expired or doesn't cover the domain. Check cPanel > SSL/TLS Status to make sure AutoSSL has provisioned a valid certificate for your domain. If it hasn't, click "Run AutoSSL" to generate one.

"Too Many Redirects" Loop

Almost always caused by SSL mode being set to "Flexible" while your site forces HTTPS. Change SSL mode to "Full (Strict)" in the Cloudflare dashboard.

11. When to Temporarily Disable Cloudflare

There are times when you'll want to temporarily bypass Cloudflare to troubleshoot or make changes:

• Troubleshooting server errors - Pause Cloudflare to see if the error is from your server or from Cloudflare itself. In the Cloudflare dashboard, click the orange cloud next to your A record to turn it gray (DNS only). This sends traffic directly to your server.
• Migrating your site - When moving to a new server, disable Cloudflare first so DNS changes point directly to the new server IP. Re-enable once everything is confirmed working.
• SSL certificate renewal issues - If AutoSSL is having trouble validating your domain, it may be because Cloudflare is intercepting the validation request. Temporarily gray-cloud the domain, let AutoSSL run, then re-enable.
• Development Mode - For less drastic troubleshooting, enable "Development Mode" in the Cloudflare dashboard. This bypasses the cache for 3 hours without fully disabling Cloudflare's proxy.

12. Email and DNS Considerations

One of the most common issues after setting up Cloudflare is email breaking. Here's why and how to prevent it:

MX Records Should NOT Be Proxied

Cloudflare's proxy is for web traffic only (HTTP/HTTPS). Email uses completely different protocols (SMTP, IMAP, POP3). Your MX records should always show a gray cloud (DNS only) in the Cloudflare dashboard, never an orange cloud (proxied). If you're using Cloudflare via the cPanel integration, this is handled automatically.

Mail Subdomain

If you access webmail at mail.yourdomain.com, make sure there's an A record for "mail" in your Cloudflare DNS pointing to your server IP, and make sure it's not proxied (gray cloud). Same goes for smtp.yourdomain.com and imap.yourdomain.com if you use those.

SPF Records

If you have an SPF record for email authentication, it should still work fine with Cloudflare since SPF is a TXT record and doesn't go through the proxy. But double-check that Cloudflare's DNS scan imported it correctly. For more on email authentication, see our guide: Understanding Email Authentication: SPF, DKIM, and DMARC.

Quick Recap: Getting Started

If you're setting up Cloudflare for the first time, follow this order:

1. Use the cPanel integration for the fastest, most hassle-free setup
2. Set SSL mode to Full (Strict) right away to avoid redirect loops
3. Verify your MX records are present and not proxied (gray cloud) so email keeps working
4. Create a Page Rule to bypass cache on /wp-admin/* if you're running WordPress
5. Test your site from a different device or incognito window to confirm everything looks right

338 users found this article useful · Last updated March 2026 · Browse all WordPress articles