Cloudflare Setup Guide: Free CDN & DNS Configuration

Set up Cloudflare in under 30 minutes and get free CDN, DNS, SSL, and DDoS protection. The single biggest free performance upgrade for any website.

15 min read | Updated April 2026 | Names.Center Editorial Team

Cloudflare is the most impactful free tool available to website owners. It sits between your visitors and your web server, caching content on 300+ global data centers, blocking malicious traffic, providing free SSL certificates, and dramatically reducing page load times. Over 20% of all websites use Cloudflare, including major enterprises and personal blogs alike.

Setting up Cloudflare takes under 30 minutes and requires zero technical expertise. You do not need to change your hosting provider, modify your website code, or install any server software. The entire setup happens through Cloudflare's dashboard and a single nameserver change at your domain registrar. This guide walks you through every step, from account creation to advanced optimization settings that most tutorials skip.

Quick win: Cloudflare Free plan includes unlimited bandwidth CDN, DDoS protection, DNS hosting, and SSL — features that would cost $50-200/month from other providers. Pair it with quality web hosting for maximum performance.

Why Use Cloudflare

Cloudflare provides five core services on its free plan that every website benefits from:

Global CDN

Static content cached across 300+ data centers worldwide. Visitors load from the nearest server, reducing latency by 30-60%.

DDoS Protection

Absorbs DDoS attacks up to 100+ Tbps. Your server stays online even during massive attacks that would overwhelm any single server.

Free SSL/TLS

Automatic HTTPS for your entire site with zero configuration. Universal SSL certificate included free, renews automatically.

Fast DNS

Industry-leading DNS resolution speeds (sub-10ms). Anycast network ensures DNS queries are answered by the nearest data center.

Beyond these core features, Cloudflare also provides basic bot management, hotlink protection, email address obfuscation, and analytics — all free. The paid Pro plan ($20/month) adds Web Application Firewall (WAF), image optimization (Polish), mobile optimization (Mirage), and more detailed analytics.

Step-by-Step Cloudflare Setup

Step 1: Create Your Account

Visit cloudflare.com and sign up with your email. Choose the Free plan to start — you can upgrade later without any migration. Cloudflare will ask for your domain name (e.g., yourdomain.com). Enter the root domain without www or any subdomain.

Step 2: Automatic DNS Import

Cloudflare scans your existing DNS records automatically. Review the imported records carefully — it catches A records, CNAME records, MX records, and TXT records in most cases. However, verify that:

  • Your main A record points to the correct server IP
  • www CNAME exists and points to your root domain
  • MX records are present if you use email on this domain
  • Any SPF, DKIM, and DMARC TXT records are imported correctly

Add any missing records manually. This step is critical — incomplete DNS import is the #1 cause of email disruption after Cloudflare setup.

Step 3: Change Your Nameservers

Cloudflare provides two nameservers (e.g., ada.ns.cloudflare.com and bob.ns.cloudflare.com). Log into your domain registrar and replace the existing nameservers with Cloudflare's. Here is where to find the setting for popular registrars:

| Registrar | Path to Nameserver Settings |
|---|---|
| Namecheap | Domain List > Manage > Nameservers > Custom DNS |
| GoDaddy | My Products > DNS > Nameservers > Change |
| Google Domains | My Domains > DNS > Custom Nameservers |
| Porkbun | Domain Management > Authoritative Nameservers |

Propagation typically completes in 5-30 minutes, though it can take up to 24 hours. Cloudflare emails you when your nameservers are active. Until then, traffic continues flowing to your server normally — there is zero downtime during migration.

Step 4: Quick Start Guide

Cloudflare shows a Quick Start setup wizard after nameserver activation. Enable these recommended settings:

  • Auto Minify: Enable for HTML, CSS, and JavaScript (reduces file sizes 10-20%)
  • Brotli compression: Enable (better compression than gzip, supported by all modern browsers)
  • Always Use HTTPS: Enable (redirects all HTTP requests to HTTPS automatically)
  • Automatic HTTPS Rewrites: Enable (fixes mixed content issues by rewriting HTTP URLs to HTTPS)

DNS Configuration Best Practices

Understanding Cloudflare's DNS proxy is essential for correct configuration. Each DNS record has a proxy toggle (orange cloud = proxied, gray cloud = DNS only).

What to Proxy (Orange Cloud)

  • A record for @ (root domain): Proxy to enable CDN, DDoS protection, and SSL
  • CNAME for www: Proxy for the same benefits on www subdomain
  • A/CNAME for any web subdomain: blog, shop, app — proxy all web-facing subdomains

What NOT to Proxy (Gray Cloud)

  • MX records: Never proxied (Cloudflare does not handle email)
  • Mail server A records: If mail.yourdomain.com points to your mail server, keep it gray
  • FTP subdomains: FTP traffic cannot pass through Cloudflare's proxy
  • Game servers, SSH, VPN: Non-HTTP traffic requires gray cloud or Cloudflare Spectrum (paid)

Common mistake: Proxying mail-related A records breaks email delivery. If your email stops working after Cloudflare setup, check that mail server DNS records are set to gray cloud (DNS only). See our email hosting guide for proper email DNS configuration.
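The Step 2 import checklist and the proxy rules above can be checked together in one pass over the zone's records. The following is an added example, not code from Cloudflare or from this guide's authors; it assumes records are supplied as dicts with the type, name, content and proxied fields used by Cloudflare DNS records, and the function name, sample zone and IPs are constructed for illustration.

```python
# Added example: audit DNS records against this guide's checklist and proxy rules.
# Record dicts use type/name/content/proxied fields (an assumed input shape).
def audit_records(zone, records, origin_ip, uses_email=True):
    """Return findings; an empty list means the checklist passes."""
    norm = lambda s: s.lower().rstrip(".")
    recs = [dict(r, name=norm(r["name"])) for r in records]
    findings = []

    def find(rtype, name):
        return [r for r in recs if r["type"] == rtype and r["name"] == name]

    def has_txt(prefix, name_ok):
        return any(r["type"] == "TXT" and name_ok(r["name"])
                   and r["content"].strip('"').lower().startswith(prefix) for r in recs)

    root, www = find("A", zone), find("CNAME", f"www.{zone}")
    if not any(r["content"] == origin_ip for r in root):
        findings.append(f"root A record does not point to {origin_ip}")
    if not any(norm(r["content"]) == zone for r in www):
        findings.append("www CNAME missing or not pointing to root domain")
    for r in root + www:  # web records should be orange cloud
        if not r.get("proxied"):
            findings.append(f"{r['name']} is DNS only; web records should be proxied")
    if not uses_email:
        return findings
    mx_hosts = {norm(r["content"]) for r in recs if r["type"] == "MX"}
    if not mx_hosts:
        findings.append("no MX records imported")
    if not has_txt("v=spf1", lambda n: n == zone):
        findings.append("SPF TXT record missing")
    if not has_txt("", lambda n: n.endswith(f"._domainkey.{zone}")):
        findings.append("DKIM TXT record missing")
    if not has_txt("v=dmarc1", lambda n: n == f"_dmarc.{zone}"):
        findings.append("DMARC TXT record missing")
    for r in recs:  # mail hosts must stay gray cloud (DNS only)
        if r["type"] in ("A", "AAAA", "CNAME") and r["name"] in mx_hosts and r.get("proxied"):
            findings.append(f"{r['name']} is a mail host but proxied; set it to DNS only")
    return findings

SAMPLE = [  # constructed records for example.com (documentation IP ranges)
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all"},
    {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=none"},
]

if __name__ == "__main__":
    for finding in audit_records("example.com", SAMPLE, "203.0.113.10"):
        print("-", finding)
```

On the constructed sample it reports the missing DKIM record and the proxied mail host, the two problems most likely to interrupt email after the nameserver change.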

SSL/TLS Settings

Cloudflare offers four SSL/TLS encryption modes. Choosing the correct one is critical for security and avoiding redirect loops:

| Mode | How It Works | When to Use |
|---|---|---|
| Off | No encryption | Never (insecure) |
| Flexible | HTTPS visitor→Cloudflare, HTTP Cloudflare→server | Server has no SSL certificate (temporary only) |
| Full | HTTPS both legs, self-signed cert OK on server | Server has self-signed or expired certificate |
| Full (Strict) | HTTPS both legs, valid cert required on server | Server has valid SSL cert — USE THIS |

Recommended: Use Full (Strict) whenever possible. Install a free Cloudflare Origin CA certificate on your server (valid for 15 years) to encrypt traffic between Cloudflare and your server. This prevents man-in-the-middle attacks on the server-side connection. If you use Flexible mode, the connection between Cloudflare and your server is unencrypted — a significant security gap.

For a comprehensive SSL overview including certificate types and installation for various hosting platforms, read our SSL certificate guide.

Speed Optimization Settings

After basic setup, these Cloudflare speed settings squeeze maximum performance from the free plan:

Caching Settings

  • Caching Level: Set to "Standard" (default). This caches static files based on file extension.
  • Browser Cache TTL: Set to "Respect Existing Headers" or at least 1 month. Longer cache = fewer repeat requests = faster return visits.
  • Always Online: Enable. Cloudflare serves cached pages if your server goes down, keeping your site accessible during outages.

Speed Settings

  • Auto Minify: Enable for HTML, CSS, JavaScript. Removes unnecessary whitespace and comments, reducing file sizes by 10-20%.
  • Brotli: Enable. Modern compression algorithm that produces 15-25% smaller files than gzip.
  • Early Hints: Enable (free). Sends 103 Early Hints responses to preload critical assets before the full HTML response, improving LCP (Largest Contentful Paint).
  • Rocket Loader: Test carefully. It defers all JavaScript loading to improve paint times but can break scripts that expect immediate execution. Enable, test your site thoroughly, and disable if you see JavaScript errors.

Performance Impact

With these settings properly configured, expect these typical improvements:

| Metric | Before Cloudflare | After Cloudflare | Improvement |
|---|---|---|---|
| TTFB (Time to First Byte) | 400-800ms | 50-200ms | 60-80% faster |
| Full Page Load | 3-6 seconds | 1-3 seconds | 40-60% faster |
| Server Bandwidth | 100% | 30-50% | 50-70% reduction |
| Google PageSpeed Score | 50-70 | 70-90 | +20-30 points |

For even better results, combine Cloudflare with fast origin hosting. See our VPS hosting guide or web hosting comparison for recommended providers.

Security Configuration

Cloudflare's free security features protect against common web attacks. Configure these settings immediately after setup:

Essential Security Settings

  • Security Level: Set to "Medium" (default). Challenges suspicious IPs. Increase to "High" or "I'm Under Attack" during active attacks.
  • Bot Fight Mode: Enable. Blocks known malicious bots from consuming server resources and scraping content.
  • Email Address Obfuscation: Enable. Hides email addresses on your site from scrapers while keeping them visible to visitors.
  • Hotlink Protection: Enable. Prevents other sites from embedding your images, saving bandwidth.
  • Browser Integrity Check: Enable. Evaluates visitor browser headers and blocks requests from bots that fake browser user agents.

HTTPS Security Headers

Add these security headers via Cloudflare Transform Rules (free) or your server configuration:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains — Forces HTTPS for one year
  • X-Content-Type-Options: nosniff — Prevents MIME-type sniffing
  • X-Frame-Options: SAMEORIGIN — Prevents clickjacking
  • Referrer-Policy: strict-origin-when-cross-origin — Controls referrer information
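To confirm the headers actually reach visitors after adding them, compare a captured response against the four values listed above. This is an added example, not part of the original guide; the function name and the sample response are constructed, and accepting DENY for X-Frame-Options is an assumption made here because it is stricter than SAMEORIGIN.

```python
import re

# Values from the "HTTPS Security Headers" list in this guide.
EXPECTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("sameorigin", "deny"),  # DENY accepted as stricter (assumption)
    "referrer-policy": ("strict-origin-when-cross-origin",),
}
MIN_HSTS_AGE = 31536000  # one year, as in the guide

def check_security_headers(headers):
    """Return {header: problem} for headers missing or weaker than the guide's values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    problems = {}
    for name, accepted in EXPECTED.items():
        got = h.get(name)
        if got is None:
            problems[name] = "missing"
        elif got.lower() not in accepted:
            problems[name] = f"unexpected value {got!r}"
    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems["strict-transport-security"] = "missing"
    else:
        directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
        m = next((re.fullmatch(r'max-age="?(\d+)"?', d)
                  for d in directives if d.startswith("max-age")), None)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            problems["strict-transport-security"] = f"max-age {age} is below {MIN_HSTS_AGE}"
        elif "includesubdomains" not in directives:
            problems["strict-transport-security"] = "includeSubDomains not set"
    return problems

# Constructed response headers: HSTS is only six months and X-Frame-Options is absent.
SAMPLE_RESPONSE = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for header, problem in check_security_headers(SAMPLE_RESPONSE).items():
        print(f"{header}: {problem}")
```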

Learn more about domain security fundamentals in our WHOIS privacy guide.

Page Rules & Cache Optimization

The Cloudflare Free plan includes 3 page rules. Use them strategically for maximum impact:

Recommended Page Rules (Free Plan)

| # | URL Pattern | Setting | Purpose |
|---|---|---|---|
| 1 | http://*yourdomain.com/* | Always Use HTTPS | Force all HTTP to HTTPS |
| 2 | *yourdomain.com/wp-admin/* | Cache Level: Bypass, Security Level: High | Protect admin area, prevent caching of admin pages |
| 3 | *yourdomain.com/*.jpg | Cache Level: Cache Everything, Edge TTL: 1 month | Aggressively cache images at the edge |

For WordPress sites, rule #2 is essential — without it, Cloudflare might cache your admin dashboard or login page, causing authentication issues. The "Always Use HTTPS" page rule is a belt-and-suspenders approach alongside the SSL/TLS settings toggle.

Cache Everything for Static Sites

If your site is fully static (HTML files with no dynamic content), use this powerful page rule:

| URL Pattern | Setting |
|---|---|
| *yourdomain.com/* | Cache Level: Cache Everything, Edge Cache TTL: 1 month |

This caches your entire site at Cloudflare's edge, serving all content from the CDN without hitting your origin server. This achieves near-zero TTFB globally and effectively makes even a cheap shared hosting plan perform like a premium dedicated server for visitors.

Cloudflare with WordPress

WordPress powers 43% of all websites, and Cloudflare integrates perfectly with it. Follow these WordPress-specific optimizations:

Essential WordPress + Cloudflare Setup

  • Install the Cloudflare plugin: It adds automatic cache purging when you publish or update content, and shows Cloudflare analytics in your WordPress dashboard.
  • Configure real IP restoration: Cloudflare proxies requests, so your server sees Cloudflare's IP by default. The plugin (or mod_cloudflare for Apache / set_real_ip_from for nginx) restores the real visitor IP in logs and comments.
  • APO (Automatic Platform Optimization): For $5/month, Cloudflare APO caches your entire WordPress site (including dynamic HTML) at the edge. This is the single most impactful paid optimization — it typically reduces TTFB from 400ms to under 50ms globally. If you spend any money on Cloudflare, spend it on APO.
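Real IP restoration is only safe when the forwarded address is accepted from Cloudflare's proxies and ignored from everyone else, which is what the set_real_ip_from allow-list expresses in nginx. The logic is shown here as an added example, not code from the Cloudflare plugin or this guide; the function name and sample addresses are constructed, and the two networks are entries from Cloudflare's published list hard-coded for the example.

```python
import ipaddress

# Two of Cloudflare's published ranges, hard-coded for this example only;
# load the full current list from https://www.cloudflare.com/ips/ in real use.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "2400:cb00::/32")]

def client_ip(peer_addr, headers):
    """Return the visitor IP, trusting CF-Connecting-IP only from a trusted proxy."""
    peer = ipaddress.ip_address(peer_addr)
    h = {k.lower(): v for k, v in headers.items()}
    claimed = h.get("cf-connecting-ip")
    if claimed is None or not any(peer in net for net in TRUSTED_PROXIES):
        # Request reached the origin directly: the header is attacker-controlled, ignore it.
        return str(peer)
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return str(peer)  # malformed header value, fall back to the TCP peer

# Constructed requests as (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("173.245.48.7", {"CF-Connecting-IP": "198.51.100.23"}),  # via Cloudflare
    ("203.0.113.50", {"CF-Connecting-IP": "198.51.100.23"}),  # direct, header spoofed
    ("2400:cb00::1", {"cf-connecting-ip": "not-an-ip"}),      # via Cloudflare, bad value
]

def restore_all(requests):
    """Apply client_ip to each (peer, headers) pair and return the logged addresses."""
    return [client_ip(peer, headers) for peer, headers in requests]

if __name__ == "__main__":
    for (peer, _), ip in zip(SAMPLE_REQUESTS, restore_all(SAMPLE_REQUESTS)):
        print(f"peer={peer} logged_as={ip}")
```

The second sample request shows why the allow-list matters: without it, anyone who can reach the origin directly could choose the address that appears in logs and comment records.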

Compatibility Notes

Cloudflare works with all major WordPress caching plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache). If using both Cloudflare and a caching plugin, let the WordPress plugin handle HTML caching and Cloudflare handle static asset caching to avoid cache conflicts. Disable Rocket Loader if you use WP Rocket's JavaScript optimization, as they can conflict. Compare your hosting and site builder options in our website builder comparison.

Frequently Asked Questions

Yes, Cloudflare's Free plan includes CDN caching, DNS hosting, basic DDoS protection, shared SSL/TLS certificates, 3 page rules, and basic analytics. The free tier handles millions of requests per month with no bandwidth limits. Paid plans ($20-200/month) add WAF, image optimization, advanced analytics, and priority support — but the free plan is genuinely production-ready for most websites.

No — Cloudflare speeds up your website. By caching static content across 300+ global data centers, visitors load your site from the nearest server. Typical improvements are 30-60% faster TTFB and 40-70% faster page loads. The only scenario with minimal added latency is for uncacheable dynamic content from a nearby server, but the difference is negligible (1-5ms).

After creating a Cloudflare account and adding your domain, Cloudflare provides two nameservers. Log into your registrar (Namecheap, GoDaddy, etc.), find the nameserver settings, and replace existing nameservers with Cloudflare's. Propagation takes 5 minutes to 24 hours (usually under 1 hour). Cloudflare imports your existing DNS records automatically during setup.

Yes, Cloudflare provides free SSL on all plans including the Free tier. Universal SSL (shared, automatic) is sufficient for most sites. Advanced Certificate Manager ($10/month) provides dedicated certificates. Cloudflare also offers free Origin CA certificates for encrypting traffic between Cloudflare and your server — valid for up to 15 years.

Absolutely. Cloudflare is one of the best performance upgrades for WordPress. Install the official Cloudflare plugin to auto-purge cache on publish. Enable Auto Minify, set Browser Cache TTL to 1 month, and consider Cloudflare APO ($5/month) for dramatic TTFB improvements. These optimizations typically improve PageSpeed scores by 20-40 points.

Orange cloud (proxied) means traffic passes through Cloudflare, enabling CDN, DDoS protection, and SSL. Gray cloud (DNS only) means Cloudflare handles DNS resolution only — traffic goes directly to your server. Use orange cloud for web traffic (website A/CNAME records). Use gray cloud for mail servers, FTP, and non-HTTP services.

Supercharge Your Website Today

Cloudflare is free, takes 30 minutes to set up, and dramatically improves speed and security. Start with a great domain name.
