
Cloudflare + WordPress: setup + cache strategy

Maciej Rostocki 10 min read Updated 2026-05-12

Cloudflare on every WordPress site has been the Hanse Studio default since 2018. All our client deployments (our own studio, a drone videography client, a property developer client, a hospitality client) use Cloudflare for DNS plus CDN plus SSL plus WAF. This runbook covers step-by-step setup, the Cache Rules decision tree for 2026, how not to poison the Cloudflare plus LiteSpeed Cache combo and when to switch on extras (APO, Workers, R2).

Cloudflare is not just a CDN, it is a full infrastructure layer: DDoS protection, SSL management, edge HTML cache, WAF, analytics. The free tier covers 95 percent of Hanse Studio SMB B2B clients, with the Pro plan at 20 EUR/month reserved for those with budget (a property developer client, our own studio). Setup and workflow together with Lighthouse 99/100 optimisation and security hardening form a complete infrastructure stack for every B2B client.

Cloudflare plus WordPress: setup and cache strategy in 2026

Cloudflare setup is more than changing nameservers. Proper configuration requires 8 steps, each with measurable impact on security, performance and reliability. Below is the step-by-step plus Cache Rules patterns for a typical WP site and a decision tree for additional Cloudflare services.

Why Cloudflare on every WordPress site

Six reasons Cloudflare is the Hanse Studio default on every WP site, even on the free plan. First: DDoS protection. The Cloudflare free plan absorbs typical L7 attacks (HTTP flood, application layer) with no manual intervention. Layer 3-4 attacks are also mitigated, although without detailed control on the free plan. Second: a CDN with 300+ POPs globally (status: cloudflare.com/network), so static assets are served from the nearest POP, which improves latency by 50 to 200 ms for international visitors.

  • DDoS protection (free): absorbs typical L7 attacks with no manual intervention
  • CDN: 300+ POPs globally, static assets served near the visitor
  • SSL free plus auto-renew: Universal SSL cert for every subdomain, no manual cert management
  • DNS performance: Cloudflare DNS is one of the fastest globally (1.1.1.1)
  • WAF Managed Rules (Pro plan): blocks OWASP Top 10 attacks at the edge
  • Edge cache HTML (Cache Reserve, Pro plan): cached page response in 30 ms vs 200 to 500 ms hitting origin
  • Analytics plus security insights: real-time dashboard for threats, traffic patterns, performance metrics

Real impact on our own studio site: after switching on Cloudflare, TTFB dropped from 480 ms (origin Hetzner CPX32, Falkenstein DE) to 90 ms (Cloudflare edge Warsaw plus Berlin POP for PL/DE visitors). Lighthouse Performance went from 92 to 98. Bandwidth offload: 75 percent of traffic is served from edge cache without touching the origin server.

Step-by-step setup

Full setup takes 30 to 60 minutes depending on DNS propagation. Procedure in 8 steps:

  • Step 1: Sign up at cloudflare.com and add a domain (the free plan is fine to start)
  • Step 2: Cloudflare auto-imports existing DNS records, review each and confirm
  • Step 3: Change nameservers at the registrar (e.g. OVH, GoDaddy, Namecheap), propagation usually takes 5 to 60 minutes, sometimes up to 24 hours
  • Step 4: Verify the domain is active in the Cloudflare dashboard (status: “Active”)
  • Step 5: SSL/TLS config: mode “Full (strict)”, requires an Origin Cert generated in Cloudflare and installed on the server
  • Step 6: Edge Certificates: enable HTTP/3, TLS 1.3, HSTS plus preload, opportunistic encryption
  • Step 7: Page Rules or Cache Rules (preferred): bypass cache for wp-admin and wp-login, cache HTML at the edge for anonymous visitors
  • Step 8: Rules > Configuration Rules: HTTP to HTTPS redirect, IPv6 enabled, Brotli compression enabled

Origin Certificate plus Full (strict) mode is mandatory for production. SSL Full mode (without strict) encrypts the connection from Cloudflare to the origin but accepts a self-signed cert on origin without validating it, which means a man-in-the-middle between Cloudflare and the origin is theoretically possible. Full (strict) requires a real cert on origin: Cloudflare Origin Cert (free, 15 years lifetime) or Let’s Encrypt (free, 90 days lifetime, auto-renew).

Hanse Studio default: Cloudflare Origin Cert. The 15 year lifetime removes renewal cron job overhead. Generate it in the dashboard: SSL/TLS > Origin Server > Create Certificate (Origin CA, RSA 2048, hostnames domain.com plus *.domain.com). Install it on the server (Hetzner: nginx config ssl_certificate and ssl_certificate_key, plus Cloudflare Authenticated Origin Pulls as an extra layer).

Page Rules vs Cache Rules in 2026

Page Rules is a legacy feature, deprecated in 2024 (per Cloudflare's announcement). Migration path: Cache Rules plus Configuration Rules plus Origin Rules. All are available on the Pro plan, some on free (3 Page Rules still work, but without new features).

  • Cache Rules: granular control over cache behavior, e.g. “cache HTML edge for anonymous users”, “bypass cache for wp-admin”
  • Configuration Rules: settings tweak per URL pattern, e.g. “HTTPS rewrites enabled on /shop/*”
  • Origin Rules: modify request before origin hit, e.g. “set X-Forwarded-Proto header for WordPress”

Common patterns for a typical WP site (Hanse Studio template):

  • Cache Rule 1: match wp-admin paths and /wp-login.php → Bypass cache
  • Cache Rule 2: match WP preview params (?p= or preview_id=) → Bypass cache
  • Cache Rule 3: /wp-content/uploads/* path → Edge TTL 1 month, browser TTL 1 week
  • Cache Rule 4: main domain host and path NOT starting with /wp- → Edge TTL 5 min, browser TTL 0 (anonymous HTML)

Cache key plus query string handling: by default Cloudflare includes every query string in the cache key, so URLs that differ only in UTM params are cached separately, which hurts the cache hit ratio. Fix: a Cache Rule with “Custom cache key” that ignores query strings except whitelisted ones (e.g. only ?page=, ?lang=, ?ref= if you use them).

APO (Automatic Platform Optimization)

APO is a 5 USD/month add-on for WordPress sites on the free and Pro plan. Functionality: edge HTML cache (otherwise requires Pro plus Cache Rules), automatic image optimisation, mobile-specific optimisation. Worth it for high-traffic blog/news sites (10k+ daily visitors).

  • APO worth it: high-traffic content site (blog, news, magazine) with 10k+ daily uniques
  • APO overkill: small B2B site where LSCache plus Cloudflare base config already yields 99/100 Lighthouse
  • APO conflict: not compatible with LSCache crawler-based preload (LSCache also generates edge cache in parallel)
  • Alternative: Cloudflare Pro plus Cache Reserve plus manual Cache Rules (more control, similar effect)

Hanse Studio default: we do not use APO. The combination of LSCache 7.8 page cache plus Cloudflare CDN plus Cache Rules for anonymous HTML edge cache yields equivalent benefits without a recurring cost. Real test: our own studio reaches 99/100 mobile without APO, Cloudflare Cache Reserve mitigates cold cache after purge.

Cloudflare plus LSCache: how not to poison them

The Cloudflare plus LSCache combo is a powerful stack but requires care in the purge sequence. Default behavior without integration: after a post edit in WP, LSCache purges per post, but Cloudflare still serves stale content from the edge cache for 5 to 60 minutes. Effect: the client sees the update on origin while visitors see stale content. Frustration guaranteed.

  • Step 1: In the LiteSpeed Cache plugin, open the Cloudflare API integration tab
  • Step 2: Paste the Cloudflare API token (zone-level Edit permissions) plus Zone ID
  • Step 3: Enable “Purge Cloudflare cache on LiteSpeed purge”
  • Step 4: Test: edit a post, let LSCache auto purge trigger the automatic Cloudflare API call, then verify the new content in an incognito window after 10 to 15 seconds

Cache layering in a proper setup: LSCache page cache (origin), then Cloudflare edge cache (300+ POPs), then browser cache. Each layer has its own TTL. Purge sequence: a WP edit triggers the LSCache purge (instant, origin), which triggers the Cloudflare purge (5 to 15 seconds via API); the browser cache may still be stale until its TTL expires. For critical updates, appending a cachebuster query param (?v=123) to the URL forces a fresh load.

Common mistake: caching HTML at the edge for logged-in users. Cloudflare should not cache responses when a user is logged in (different content per user). Cache Rule: when the cookie contains wordpress_logged_in_, Bypass cache. The LSCache plugin handles this natively (page cache disabled for logged-in users); Cloudflare requires a manual rule.
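The four Cache Rule patterns, the query-string handling and the logged-in cookie bypass described above, modelled as an added Python example (it is not Cloudflare's rule engine and not code from the original article). The function names and the allowlist `page`, `lang`, `ref` are assumptions, and the host match in Cache Rule 4 is left out.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

KEY_PARAMS = {"page", "lang", "ref"}     # assumption: params that change the page
PREVIEW_PARAMS = {"p", "preview_id"}     # WP preview params named in Cache Rule 2
MONTH, WEEK = 30 * 86400, 7 * 86400      # TTLs in seconds
BYPASS = ("bypass", 0, 0)


def decide(url, cookie_header=""):
    """Return (action, edge_ttl, browser_ttl) for one request.

    Bypass conditions are checked first so the broad anonymous-HTML rule
    can never store an admin, preview or per-user response.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "wordpress_logged_in_" in cookie_header:
        return BYPASS                          # logged-in user, per-user HTML
    if path.startswith("/wp-admin") or path == "/wp-login.php":
        return BYPASS                          # Cache Rule 1
    if PREVIEW_PARAMS.intersection(params):
        return BYPASS                          # Cache Rule 2
    if path.startswith("/wp-content/uploads/"):
        return ("cache", MONTH, WEEK)          # Cache Rule 3
    if not path.startswith("/wp-"):
        return ("cache", 300, 0)               # Cache Rule 4: 5 min edge, no browser cache
    return ("default", None, None)             # e.g. /wp-json/, not covered by the rules


def cache_key(url):
    """Host + path + allowlisted query params, sorted; tracking params dropped."""
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in KEY_PARAMS)
    query = urlencode(kept)
    return parts.netloc.lower() + (parts.path or "/") + ("?" + query if query else "")
```

The model assumes the bypass conditions take precedence over Cache Rule 4; confirm in the dashboard that a request carrying wordpress_logged_in_ to a normal page is actually bypassed.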

Workers, R2, Pages: when worth it

Cloudflare has services beyond DNS plus CDN, but for a typical WP site most are overkill. Quick decision tree:

  • Workers: edge serverless functions. Rare for typical WP, real use cases: custom redirect logic, A/B test routing, security header injection. Rarely worth the setup overhead for Hanse Studio
  • R2: S3-compatible object storage, very cheap (0.015 USD/GB/month, no egress fees). Worth it for offsite client backups or bulk media library when the client has 100+ GB of uploads
  • Pages: static site hosting (Astro, Hugo, Next.js export). Not for WP, but worth it for satellite static sites (e.g. landing page or mini-app)
  • Stream: video CDN. Overkill for a typical WP site, worth it for heavy video content (typically a drone videography studio kind of client)

Actual Hanse Studio usage: 1 client (a hospitality client) uses R2 for a bulk media library (300 GB of photos and videos). The rest of the clients are on Hetzner storage plus Cloudflare CDN front. Workers were tested experimentally for a property developer client for custom geo routing (PL visitors to /pl/, DE visitors to /de/), but the final solution went through standard Polylang plus Cloudflare Cache Rules.

Security: WAF plus bot protection

The Cloudflare security layer adds 3 main components: WAF Managed Rules (Pro plan), Super Bot Fight Mode, Rate Limiting Rules. All of them run at the edge, so requests they block never reach the WP origin.

  • WAF Managed Rules (Pro plan, 20 EUR/month): blocks OWASP Top 10 attacks (SQL injection, XSS, CSRF), regularly updated by the Cloudflare security team
  • Super Bot Fight Mode (Pro plan): blocks known bad bots (credential stuffing networks, scrapers), allows good bots (Googlebot, Bing)
  • Rate Limiting: 5 failed login attempts from a single IP per minute → block for 1 hour
  • Geofencing: a regional client (PL B2B) can block traffic from high-risk geographies (Russia, North Korea)
  • Cloudflare Analytics: real-time dashboard for threats, top attack patterns, blocked IPs

Hanse Studio default for Pro plan clients: WAF Managed Rules enabled, Super Bot Fight Mode set to “Bot Fight Mode” (free option for Pro), Rate Limiting Rule for /wp-login.php (5 attempts/minute per IP → block for 1h). Effect: zero brute force attacks reaching the WP origin in 6 months (real metric from our own studio).
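To see what the /wp-login.php rule would have done before enabling it, the thresholds above can be replayed over origin access logs. This is an added example, not part of the original article; the log format, the sample lines and the definition of a failed login (a POST answered with 200) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)    # counting period
LIMIT = 5                        # failed attempts per IP per window
BLOCK = timedelta(hours=1)       # block duration
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def sample_line(ip, hhmmss, status):
    """Build one constructed access-log line (combined-log style)."""
    return (f'{ip} - - [12/May/2026:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4312')


# Constructed sample: one noisy client, one user who mistypes and then logs in.
SAMPLE = [sample_line("203.0.113.7", f"10:00:{s:02d}", 200)
          for s in (1, 5, 9, 13, 17, 21)]
SAMPLE += [sample_line("198.51.100.20", t, st) for t, st in
           (("10:02:00", 200), ("10:02:20", 200), ("10:02:40", 200), ("10:03:05", 302))]


def replay(lines):
    """Return {ip: [time each block would start]} for a time-ordered log."""
    recent = defaultdict(deque)      # ip -> timestamps of failures in the window
    blocked_until = {}
    blocks = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if blocked_until.get(ip, when) > when:
            continue                 # already blocked at the edge
        # Assumption: a failed login is a POST to /wp-login.php answered with
        # 200 (form shown again); a successful login redirects with 302.
        if (method, path.split("?")[0], status) != ("POST", "/wp-login.php", "200"):
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= LIMIT:     # assumption: the 5th failure triggers the block
            blocked_until[ip] = when + BLOCK
            blocks[ip].append(when)
            window.clear()
    return dict(blocks)
```

An IP that appears in the result with a legitimate owner (an office NAT, a monitoring probe) is a reason to adjust the rule before it goes live.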

For a deeper understanding of Cloudflare features we recommend: official Cloudflare cache documentation plus the Cloudflare blog for current product updates and security advisories.

Worth emphasising: Cloudflare is not a replacement for baseline hosting and baseline security. Cloudflare without Lighthouse 99/100 fundamentals (Astra theme plus child theme plus LSCache plus image optimisation) yields 5 to 10 Performance points but no magic 100. Cloudflare without security hardening plugins (Wordfence, 2FA, strong passwords) leaves the origin server vulnerable to attacks that bypass the edge (file upload exploits, plugin CVEs exploited through traffic the edge passes through). The full stack is: hosting baseline plus theme plus plugin discipline plus Cloudflare. Each layer addresses a different attack surface.

FAQ

Cloudflare Free vs Pro 20 USD/month: which to pick for SMB B2B?

Free is enough for 95 percent of SMB B2B cases. Decision factors for an upgrade to Pro: 1) WAF Managed Rules needed (typically a client with compliance requirements or after an incident), 2) Image Resizing (rarely worth it, LSCache converts anyway), 3) Page Rules limit going from 3 to 25 (rarely a blocker), 4) advanced bot protection (Super Bot Fight Mode). Hanse Studio: 2 of 4 clients on Pro (a property developer client, our own studio), the rest on Free.

Does Cloudflare proxy hide the real server IP?

Yes, when the domain is proxied (orange cloud icon), all requests go through the Cloudflare edge and the real origin IP is not publicly visible. Caveat: if the IP was previously publicly indexed (e.g. before Cloudflare deployment), an attacker can find it via Shodan or Censys cache. Mitigation: change the server IP (Hetzner deallocate plus reallocate) or enable Cloudflare Authenticated Origin Pulls (an additional layer requiring a Cloudflare cert for every request to origin).

Does Cloudflare break LSCache, or do they work together?

They work together with minimal config. Required integration: LSCache plugin Cloudflare tab plus API token plus enable auto-purge. Without it, Cloudflare edge cache does not purge after a WP edit (5 to 60 minutes of stale content). Common stack: LSCache page cache (origin) plus Cloudflare CDN (edge) plus Cloudflare Cache Rules (edge HTML cache for anonymous). Working in stack: 100 ms TTFB, 0.5 to 0.8 s LCP for cached requests.

What about Cloudflare and GDPR: where are the servers?

Cloudflare is GDPR compliant (DPA available, signed via the dashboard), it has EU servers for EU traffic. Worth checking: the Cloudflare Data Localization Suite (paid, 0.05 USD/1M requests) enforces EU-only data residency for strict compliance. For typical B2B Hanse Studio (Poland, DACH clients) the default Cloudflare without DLS is GDPR compliant, plus a DPA signed with Cloudflare as a processor.

Next step: Cloudflare audit of your site

If your WordPress site does not use Cloudflare, or uses it with basic config (free plan, default settings), Hanse Studio runs a Cloudflare audit plus optimisation in the package from 1500 PLN. The audit covers: SSL config plus Origin Cert install, optimal Cache Rules setup, WAF rules tuning, LSCache integration, security headers config. Result: typically 5 to 10 Lighthouse Performance points plus 50 to 80 percent bandwidth offload to the edge. Contact us for a quote, we reply within 24 hours on business days.
