How to Configure Cloudflare Free Plan with WordPress (The Right Way in 2025)

Most WordPress users sign up for Cloudflare, change their nameservers, and think they are done.

They aren’t. If you just do the basics, you are leaving 50% of the performance on the table. Worse, if you get the SSL settings wrong, you will trap your site in a “Too Many Redirects” loop that takes your business offline.

Cloudflare’s Free Plan is arguably the most powerful tool for WordPress sites, if you configure it correctly. In this guide, I’m going to walk you through the exact setup I use—moving away from the old “Page Rules” and using the modern “Cache Rules” system.

Here is how to set up Cloudflare for WordPress properly.

Step 1: The Foundation (DNS & SSL)

Before we touch any settings, we need to ensure the connection is secure. This is where most beginners fail.

1. Update Your Nameservers: When you sign up, Cloudflare gives you two nameservers (e.g., sandy.ns.cloudflare.com). Go to your domain registrar (Namecheap, GoDaddy, Porkbun) and replace your existing nameservers with these.

2. Set SSL to “Full (Strict)”: Once your site is active in Cloudflare, go to the SSL/TLS tab.

  • Do not use “Flexible”: This is the default, and it is dangerous for WordPress. It causes redirect loops because Cloudflare talks to your server via HTTP while telling the browser it is HTTPS.
  • Select “Full (Strict)”: This ensures the connection is encrypted all the way from the visitor to Cloudflare to your server.
    • Note: You must have a valid SSL certificate on your host (a free Let’s Encrypt certificate works perfectly).
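
Why “Flexible” loops, as an added sketch that is not part of the original guide: a simplified model in which the origin redirects every plain-HTTP request to its HTTPS URL. The hostname example.com, the function names and the origin's redirect behaviour are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin_response(scheme, path):
    """Constructed origin: a WordPress site set to https:// that redirects
    any request arriving over plain HTTP to the HTTPS URL."""
    if scheme == "http":
        return 301, f"https://example.com{path}"
    return 200, None

def edge_fetch(url, ssl_mode):
    """Simplified Cloudflare edge: the visitor always connects over HTTPS;
    the SSL mode only decides how the edge talks to the origin."""
    origin_scheme = "http" if ssl_mode == "flexible" else "https"
    return origin_response(origin_scheme, urlsplit(url).path or "/")

def follow(url, ssl_mode, max_hops=10):
    """Follow redirects like a browser and report a loop when a URL repeats."""
    seen = []
    while len(seen) < max_hops:
        if url in seen:
            return "redirect loop", seen
        seen.append(url)
        status, location = edge_fetch(url, ssl_mode)
        if status not in (301, 302, 307, 308):
            return "ok", seen
        url = location
    return "too many hops", seen

if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        print(mode, follow("https://example.com/", mode))
```

In Flexible mode the origin only ever sees HTTP, so it keeps redirecting the visitor to the HTTPS URL they are already on; in Full (Strict) the origin sees HTTPS and answers normally.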

Step 2: The “One-Click” Optimization

Cloudflare has an official plugin that handles the boring stuff for you.

  1. Install the Cloudflare plugin on your WordPress site.
  2. Go to Settings > Cloudflare and sign in using your API Key (found in your Cloudflare Dashboard under My Profile > API Tokens).
  3. Click “Apply Recommended Settings”.
    • This automatically configures standard settings like “Automatic HTTPS Rewrites” so you don’t have to do it manually.

Step 3: The “Cache Rules” (The Modern Way)

Stop using Page Rules. In 2025, Cloudflare prefers “Cache Rules” because they are faster and you get more of them on the free plan. We need to ensure Cloudflare doesn’t cache your Admin Dashboard.

  1. In Cloudflare, go to Rules > Cache Rules.
  2. Click Create Rule.
  3. Name: Bypass WP Admin.
  4. Field: URI Path starts with /wp-admin
    • OR URI Path contains wp-login.php
  5. Cache Eligibility: Select Bypass cache.
  6. Deploy.

Now, you can work on your site without Cloudflare accidentally caching your dashboard.

Step 4: Fix the “Admin Bar” Issue (Dynamic Caching)

Have you ever updated a post, viewed it, and seen the old version? Or logged in but didn’t see your Admin Bar? That’s because Cloudflare is caching the page for “guests” and showing that same cached version to you.

We need to tell Cloudflare: “If I am logged in, show me the live site.”

  1. Create another Cache Rule.
  2. Name: Bypass for Logged-In Users.
  3. Field: Cookie contains wordpress_logged_in_
    • Note: This detects the standard WordPress authentication cookie.
  4. Cache Eligibility: Select Bypass cache.
  5. Deploy.

Now, your visitors get the super-fast cached version, but you see the live version instantly.

Step 5: Security Hardening (The WAF)

The Free Plan includes a powerful firewall. Let’s use it to stop hackers from brute-forcing your login page.

  1. Go to Security > WAF > Custom Rules.
  2. Click Create Rule.
  3. Name: Protect Login.
  4. If incoming request matches:
    • URI Path contains wp-login.php
    • AND
    • IP Source Address does not equal [Your Home IP Address]
  5. Action: Managed Challenge (This forces a captcha).
  6. Deploy.

Now, if a bot tries to guess your password, it gets stuck at a captcha. You (on your home IP) won’t even see it.
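
To confirm that the rules from Steps 3 to 5 behave as intended, the response headers can be checked. The following is an added example, not part of the original guide: it reads `curl -sI` style output and flags responses that were cached when they should have bypassed the cache, or that were not challenged. CF-Cache-Status and cf-mitigated are headers Cloudflare sets; the probe names, hostname and header dumps are constructed sample data.

```python
# CF-Cache-Status values meaning the response was not served from or stored in cache.
NOT_CACHED = {"BYPASS", "DYNAMIC"}

# Constructed probes: (name, expectation, raw response headers as from `curl -sI`).
PROBES = [
    ("wp-admin", "bypass",
     "HTTP/2 302\nlocation: https://example.com/wp-login.php\ncf-cache-status: DYNAMIC"),
    ("post with logged-in cookie", "bypass",
     "HTTP/2 200\ncf-cache-status: HIT\nage: 120"),   # rule missing or not matching
    ("wp-login.php from a non-home IP", "challenge",
     "HTTP/2 403\ncf-mitigated: challenge"),
]

def parse_headers(raw):
    """Parse `curl -sI` output into a dict with lower-cased header names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(probes):
    """Return (probe name, problem) for every expectation that fails."""
    problems = []
    for name, expect, raw in probes:
        h = parse_headers(raw)
        cache = h.get("cf-cache-status", "").upper()
        if expect == "bypass" and cache not in NOT_CACHED:
            problems.append((name, f"expected cache bypass, got {cache or 'no header'}"))
        if expect == "challenge" and h.get("cf-mitigated") != "challenge":
            problems.append((name, "login request was not challenged"))
    return problems

if __name__ == "__main__":
    for name, problem in audit(PROBES):
        print(f"{name}: {problem}")
```

A HIT on a request that carries the wordpress_logged_in_ cookie is the case to fix first, since it means logged-in views can be stored and replayed to other visitors.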

Step 6: Speed Settings (The Final Polish)

Go to Speed > Optimization and check these toggles:

  • Early Hints: ON (Helps browsers load resources faster).
  • Brotli: ON (Better compression than GZIP).
  • Rocket Loader: OFF.
    • Warning: Rocket Loader sounds great, but it breaks Elementor, Divi, and Gutenberg more often than not. Keep it off unless you know how to debug JavaScript errors.

Final Thoughts

Cloudflare is not just a CDN; it is a shield and a turbocharger. By setting up these specific rules, you aren’t just caching static files—you are building a smarter, safer environment for your WordPress site.

Double-check your SSL setting right now. If it’s not on Full (Strict), fix it today.


Disclaimer: This guide assumes a standard WordPress setup. If you use complex caching plugins like LiteSpeed Cache, ensure you disable their “CDN” features to avoid conflicts.
