The Ideal Cloudflare Settings For WordPress (Can Be Used For Most Sites)


Here are recommended Cloudflare settings to use as a baseline. Of course, this can depend on whether your site uses WooCommerce, WPML, or whether you’re using Cloudflare free vs. paid.

Benchmark your results in KeyCDN’s Performance Test as well as with core web vitals (i.e. PageSpeed Insights). Otherwise, sign up for a Cloudflare account (or open your dashboard) and let’s start.

If you’re using Rocket.net’s Cloudflare Enterprise (what I use), Cloudways/Kinsta’s, or FlyingProxy, you don’t need to set up the dashboard since you’re using their integration.

DNS: Use Cloudflare’s DNS – Cloudflare is one of the fastest, most reliable DNS providers on dnsperf.com. Others like GoDaddy/Namecheap can be slow and cause latency. To switch your DNS to Cloudflare, sign up for Cloudflare through their website, add your website, and change the nameservers to Cloudflare’s in your domain registrar. Some hosts let you activate Cloudflare in their dashboard in one click, but this doesn’t give you access to Cloudflare’s full dashboard. Since DNS and network latency are part of TTFB, using a fast DNS is critical, and it can be tested in KeyCDN.

CDN: Change Your Website To Proxied – go to Cloudflare’s DNS settings and change your website from DNS only to “proxied”, which turns the cloud icon orange. Proxying traffic through Cloudflare is needed to use APO, Argo, load balancing, Zaraz, and other Cloudflare features. But it does not cache HTML (that’s what APO or a cache everything page rule is for). There are several benefits to the CDN: you’re offloading bandwidth to Cloudflare’s 250+ data centers (saved bandwidth is shown in your Analytics tab), it reduces the geographical distance between your server and your visitors, and it minimizes requests to your origin server. While Cloudflare is usually not the fastest CDN option on cdnperf.com, it opens up other Cloudflare features which can typically optimize your site better than other CDNs, especially if you plan on using Cloudflare’s paid plans.


SSL: Full Strict – best security of all options when using HTTPS (except on enterprise plans).

Edge Certificate: paid users can upload their own SSL certificate to Cloudflare to eliminate SSL/TLS at the edge.

Always Use HTTPS: ON – redirects all HTTP links to HTTPS which forces a secure connection.

HSTS: Enable – forces browsers to use a secure connection. Once you confirm Cloudflare’s agreement, you’ll enable HSTS, set max age header to 6 months (what Cloudflare recommends), and enable preload/no-sniff header. If you have subdomains, you can enable HSTS on those too.
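To confirm the HSTS settings above actually reach the browser, the following added example (not from the original article or from Cloudflare) audits a response's headers against this baseline. The function names and sample headers are constructed, and the one-year threshold is the hstspreload.org submission minimum rather than a value from this page; it shows that a 6-month max-age sent together with `preload` does not qualify for the browser preload list.

```python
# Added example: audit response headers against the HSTS baseline above.
SIX_MONTHS = 15552000        # 180 days in seconds, the max-age recommended above
PRELOAD_MIN_AGE = 31536000   # 1 year: hstspreload.org minimum (not from the page)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name and name not in directives:    # ignore empty parts and repeats
            directives[name] = arg.strip().strip('"') if arg else True
    return directives

def audit(headers):
    """Return finding codes for one HTTPS response's headers (a dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    raw = h.get("strict-transport-security")
    if raw is None:
        findings.append("hsts-missing")
    else:
        d = parse_hsts(raw)
        age = d.get("max-age")
        max_age = int(age) if isinstance(age, str) and age.isdecimal() else None
        if max_age is None:
            findings.append("max-age-invalid")
        elif max_age < SIX_MONTHS:
            findings.append("max-age-too-short")
        # preload only takes effect once the domain is accepted on the preload list
        if "preload" in d and (max_age is None or max_age < PRELOAD_MIN_AGE
                               or "includesubdomains" not in d):
            findings.append("preload-ineligible")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff-missing")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "article baseline": {"Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload",
                         "X-Content-Type-Options": "nosniff"},
    "preload-ready": {"strict-transport-security": 'max-age="31536000"; includeSubDomains; preload',
                      "x-content-type-options": "nosniff"},
    "short max-age": {"Strict-Transport-Security": "max-age=3600"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {audit(hdrs) or 'ok'}")
```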

TLS: Enable TLS 1.3 And Set Min. Version To 1.2 – TLS (short for Transport Layer Security) 1.3 is the newest/fastest TLS protocol, while TLS 1.0 and 1.1 have been deprecated. Your host may also have settings to set TLS versions. TLS speeds can be measured using KeyCDN.

Firewall Rules: commonly used to block bad bots, countries, XML-RPC, and wp-login. Here are a few common rules which can help block unwanted hits to your server and reduce CPU usage.
