How to Set Up Cloudflare Correctly for a WordPress Site

Cloudflare is one of the best free tools available for a small WordPress site. It sits between your visitors and your hosting server, handling caching, security, and DNS — all at once. But having Cloudflare installed is not the same as having it configured correctly. When I used Claude to audit kindoflost.com, we found that Cloudflare was active but had several misconfigurations that were silently causing problems — a duplicate DNS record, services being proxied that shouldn’t be, SSL running in a weaker mode than necessary, and no real caching rules in place.

This post walks through exactly what we fixed and how, so you can run the same checklist on your own Cloudflare setup. You don’t need technical expertise — just access to your Cloudflare dashboard and about an hour.

Step 1: Clean Up Your DNS Records

The DNS tab in Cloudflare is where most problems hide. Go to your Cloudflare dashboard, select your domain, and click DNS → Records. Look carefully at what’s there.

Three things to check:

  • Duplicate records. We had two TXT records for the same DKIM key — one from an older email setup that was never cleaned up. Duplicate DNS records can cause email delivery failures. Delete any duplicates you find.
  • FTP, cPanel, WHM, and webdisk records should be DNS only — not proxied. In Cloudflare, records can be either proxied (orange cloud) or DNS only (grey cloud). FTP and cPanel connections break when proxied through Cloudflare because Cloudflare only proxies HTTP/HTTPS traffic. Find any records for ftp., cpanel., whm., and webdisk. and make sure they’re set to grey cloud (DNS only).
  • Add a DMARC record if you don’t have one. DMARC is an email authentication policy that tells receiving servers what to do with emails that fail your domain’s checks. Without it, your domain is easier to spoof. Add a TXT record: Name = _dmarc, Value = v=DMARC1; p=none; rua=mailto:[email protected]. The rua address is the mailbox that receives the aggregate reports that receiving servers send back about mail using your domain. The p=none policy is a safe starting point — it monitors without blocking anything.
[Screenshot: kindoflost DNS records]
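The three checks above can be run as a script rather than by eye. This is an added example, not code from the post: it audits a list of records shaped like the objects Cloudflare's DNS records API returns (type, name, content, proxied), and the zone and records it contains are constructed samples that reproduce the three problems described.

```python
"""Audit a Cloudflare DNS record list for the three Step 1 problems.
Records follow the shape of Cloudflare's dns_records API objects
(keys: type, name, content, proxied); all data below is constructed."""
from collections import defaultdict

ZONE = "example.com"                                  # constructed stand-in for your zone
NON_WEB_HOSTS = ("ftp", "cpanel", "whm", "webdisk")  # must stay DNS only (grey cloud)
DMARC_POLICIES = ("none", "quarantine", "reject")

def audit_dns(records, zone):
    """Return human-readable findings; an empty list means the zone is clean."""
    findings = []
    # 1. More than one DKIM key under the same selector name: a leftover key
    #    from an old mail setup makes verification unreliable.
    dkim = defaultdict(list)
    for r in records:
        if r["type"] == "TXT" and r["content"].strip('"').startswith("v=DKIM1"):
            dkim[r["name"]].append(r["content"])
    for name, keys in dkim.items():
        if len(keys) > 1:
            findings.append(f"{len(keys)} DKIM records at {name}; remove the stale one")
    # 2. Non-web service hostnames proxied through Cloudflare (orange cloud).
    for r in records:
        name = r["name"]
        label = name[: -len(zone) - 1] if name.endswith("." + zone) else name
        if label in NON_WEB_HOSTS and r.get("proxied"):
            findings.append(f"{name} is proxied; set it to DNS only")
    # 3. A DMARC record at _dmarc.<zone> with a valid version and policy tag.
    dmarc = [r for r in records if r["type"] == "TXT" and r["name"] == f"_dmarc.{zone}"]
    if not dmarc:
        findings.append(f"no DMARC record at _dmarc.{zone}")
    else:
        tags = dict(part.strip().split("=", 1)
                    for part in dmarc[0]["content"].strip('"').split(";") if "=" in part)
        if tags.get("v") != "DMARC1" or tags.get("p") not in DMARC_POLICIES:
            findings.append("DMARC record is malformed (needs v=DMARC1 and a p= policy)")
    return findings

# Constructed sample zone reproducing all three problems from the post.
SAMPLE_RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "cpanel.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "TXT", "name": "mail._domainkey.example.com", "content": "v=DKIM1; k=rsa; p=OLDKEY", "proxied": False},
    {"type": "TXT", "name": "mail._domainkey.example.com", "content": "v=DKIM1; k=rsa; p=NEWKEY", "proxied": False},
]
if __name__ == "__main__":
    for line in audit_dns(SAMPLE_RECORDS, ZONE) or ["no problems found"]:
        print(line)
```

To run it against your own zone, replace SAMPLE_RECORDS with the list returned by the Cloudflare API (or a hand-typed copy of what the DNS tab shows) and ZONE with your domain.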

Step 2: Set SSL to Full (Strict)

Go to SSL/TLS → Overview in Cloudflare. You’ll see four options: Off, Flexible, Full, and Full (Strict). Many sites are left on Flexible or Full without realizing the difference matters.

Here’s what each mode means:

  • Flexible: Cloudflare connects to your visitors over HTTPS, but connects to your origin server over plain HTTP. Your data is unencrypted between Cloudflare and HostGator. Avoid this.
  • Full: Cloudflare connects to your origin over HTTPS but does not validate the certificate. Slightly better, still not ideal.
  • Full (Strict): Cloudflare connects to your origin over HTTPS and validates that the certificate is legitimate. This is what you want. HostGator provides a valid SSL certificate by default, so this mode works out of the box.

Select Full (Strict) and save. If your site was previously on Flexible and you have any hardcoded HTTP links, you might see some mixed content warnings — but for most sites this change is instant and seamless.

Step 3: Set Up Cache Rules (This Is the Big One)

Out of the box, Cloudflare caches static files like images, CSS, and JavaScript — but it does not cache HTML pages. That means every visitor to every page of your site hits your origin server directly. On shared hosting like HostGator, this is a real performance problem under any meaningful traffic.

Go to Caching → Cache Rules and set up three rules in this exact order — order matters because Cloudflare processes rules top to bottom and stops at the first match.

Rule 1: Bypass cache for dynamic pages (must be first)

Set the condition to match any of these:

  • Cookie contains: wordpress_logged_in
  • URI Path contains: /wp-admin
  • URI Path contains: /wp-login.php
  • URI Path contains: /checkout
  • URI Path contains: /cart
  • URI Path contains: /my-account

Set the action to: Bypass cache. This ensures logged-in users, admin, and WooCommerce pages never get served stale cached content.

Rule 2: Cache WordPress HTML (second)

Condition: Hostname equals yourdomain.com. Action: Eligible for cache + set Edge TTL to your preferred duration (I use 2 hours). This tells Cloudflare to cache all HTML pages that weren’t caught by Rule 1.

Rule 3: Cache static file extensions (third)

Cloudflare has a built-in template for this called “Cache default file extensions.” Use it. It covers images, CSS, JS, fonts, PDFs, and more. This rule makes sure all your static assets are cached at the edge regardless of where they’re served from.

After saving all three rules, go to Caching → Configuration and hit Purge Everything to start fresh. Your cache hit rate will build up over the next 24 hours as visitors warm the cache.

[Screenshot: kindoflost Cloudflare cache rules]

Step 4: Enable Security Features

Cloudflare’s free plan includes several security features that are worth enabling. Here’s what we turned on for kindoflost.com:

  • Bot Fight Mode: Go to Security → Bots and enable Bot Fight Mode. This challenges known bot traffic — scrapers, crawlers, and automated scanners — before they reach your server. Free and effective.
  • Smart Tiered Cache: Go to Speed → Smart Shield and enable Smart Tiered Cache. This adds a middle layer between Cloudflare’s edge servers and your origin — if one edge server doesn’t have a cached page, it asks another Cloudflare server before going all the way back to HostGator. Reduces origin load significantly. Free on all plans.
  • X-Frame-Options security header: If you have a plugin handling this header (like the HTTP Headers plugin), replace it with a Cloudflare Transform Rule instead. Go to Rules → Transform Rules → Modify Response Headers, add a rule for all requests, set Header name: X-Frame-Options, Value: SAMEORIGIN. Then delete the plugin. One less potential vulnerability.

A Note on What Not to Proxy

One of the most common Cloudflare mistakes is leaving everything set to proxied (orange cloud) by default. Cloudflare’s proxy only works for HTTP and HTTPS traffic on standard ports. Anything else — FTP transfers, cPanel logins, WHM, webdisk — will silently fail or behave unpredictably when proxied.

The rule of thumb is simple: if it’s not a web page that your visitors load in a browser, it probably shouldn’t be proxied. Set those records to DNS only and save yourself the troubleshooting later.

How to Check If It’s Working

After making these changes, give it 24 hours and then check Caching → Cache Analytics in your Cloudflare dashboard. You’ll see a hit/miss ratio. A well-configured site with decent traffic typically reaches 60–80% cache hit rates on static assets. HTML page caching varies more depending on how often your pages change and how much traffic you get.

For security headers, you can verify them at securityheaders.com — type in your domain and it will show you exactly which headers are present and which are missing. After moving X-Frame-Options to Cloudflare, kindoflost.com went from a partial pass to a clean green result on that check.

[Screenshot: kindoflost securityheaders.com grade]
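Besides Cache Analytics and securityheaders.com, the response headers Cloudflare attaches to a single page tell you whether the Step 3 cache rules and the Step 4 Transform Rule are actually in effect. This is an added example, not code from the post: it interprets a response's headers (cf-ray, cf-cache-status, X-Frame-Options), and the sample responses in it are constructed.

```python
"""Report what Cloudflare is doing for one response: proxy on, Step 3 cache
rules in effect, Step 4 X-Frame-Options header present. Samples are constructed."""
import sys
import urllib.request

EXPECTED_HEADERS = {"x-frame-options": "SAMEORIGIN"}   # set by the Transform Rule in Step 4

def classify(headers, logged_in=False):
    """Interpret one response's headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    status = h.get("cf-cache-status", "none").upper()
    if logged_in:
        # Rule 1 must fire for a request carrying the wordpress_logged_in cookie.
        cache_ok = status == "BYPASS"
    else:
        # Rule 2 makes anonymous HTML eligible; HIT/MISS/EXPIRED come from a cache rule,
        # while DYNAMIC means no rule made the page eligible and it went to the origin.
        cache_ok = status in ("HIT", "MISS", "EXPIRED", "REVALIDATED", "STALE")
    return {
        "proxied": "cf-ray" in h,   # Cloudflare adds cf-ray to every proxied response
        "cache_status": status,
        "cache_rules_ok": cache_ok,
        "missing_headers": [k for k in EXPECTED_HEADERS if k not in h],
        "wrong_headers": {k: h[k] for k, v in EXPECTED_HEADERS.items()
                          if k in h and h[k].upper() != v},
    }

def fetch_headers(url, cookie=None):
    """HEAD a live URL and return its response headers (only used when a URL is given)."""
    req = urllib.request.Request(url, method="HEAD")
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())

# Constructed sample responses: before the changes, after them, and for a logged-in user.
SAMPLE_BEFORE = {"Server": "cloudflare", "CF-RAY": "0000000000000000-SJC", "CF-Cache-Status": "DYNAMIC"}
SAMPLE_AFTER = {"Server": "cloudflare", "CF-RAY": "0000000000000000-SJC", "CF-Cache-Status": "HIT",
                "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_LOGGED_IN = {**SAMPLE_AFTER, "CF-Cache-Status": "BYPASS"}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AFTER
    for key, value in classify(headers).items():
        print(f"{key}: {value}")
```

Run it with a page URL as the argument to check a live response; to confirm Rule 1, call fetch_headers with your browser's wordpress_logged_in cookie and classify the result with logged_in=True, which should report BYPASS.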

Quick Recap: The Cloudflare Checklist

Here’s the full list of what we changed, in order:

  1. Remove duplicate DNS records
  2. Set FTP, cPanel, WHM, webdisk to DNS only (grey cloud)
  3. Add a DMARC TXT record
  4. Set SSL/TLS to Full (Strict)
  5. Create three cache rules in order: bypass dynamic pages → cache HTML → cache static extensions
  6. Enable Bot Fight Mode
  7. Enable Smart Tiered Cache
  8. Move X-Frame-Options header to a Cloudflare Transform Rule and delete the plugin
  9. Purge Everything from Caching → Configuration
  10. Check Cache Analytics in 24 hours

None of this requires paid Cloudflare features. Everything above is available on the free plan. The whole process took about two hours spread across a few sessions — mostly because we were investigating and discovering problems rather than just executing a known checklist.

→ Continue to Post 3: WordPress Security Hardening Without Touching Code

← Back to Post 1: My WordPress Site Was a Mess. Here’s How I Found Out.
