Cloudflare WordPress configuration

bikegremlinbikegremlin ModeratorOGContent Writer

Nothing special, "nothing to write home about" as the Americans say, but I put all of my Cloudflare settings in an article. With some notes on what's worked well, and what hasn't (and why):

How to configure Cloudflare for WordPress

I needed something like this to make it easy when configuring any new websites/accounts for friends and acquaintantces. 1000 times better than logging into my account to see "now what were those settings that should be disabled, but aren't noticeable to cause problems right away..."

As always - any improvements, especially corrections are very welcome. :)

Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews

Thanked by (3)rthwakel level6 Marry

Comments

  • johnkjohnk Hosting Provider

    Set the first option to “Full (strict)“

    I'd generally go with Full. cPanel doesn't always properly renew certs with Cloudflare active, which could cause some issues

    HSTS
    Simply put: it is listing your website for using https only, (practically) permanently. In case of any certificate problems, or a need to access the website using a protocol without encryption, your website will simply be inaccessible through non encrypted http.

    I wouldn't preload HSTS, but you can still turn it off, clear your HSTS domains, and access your site over HTTP. So, if something gets borked, there still is a fix.

    Everything else looks good!

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @johnk said:

    Set the first option to “Full (strict)“

    I'd generally go with Full. cPanel doesn't always properly renew certs with Cloudflare active, which could cause some issues

    Noted.
    Though, I haven't had these problems since mid-2019, tested with several different providers.
    I did have them on occasion before that.

    Thinking out loud:
    On the upside - "Full (strict)" will show an error if an untrusted cert is installed on the hosting server. I think that's good for the visitor's security (not fooling them that I have a proper cert by the CF's "front end," while CF connects to the server using who-knows-which cert).

    HSTS
    Simply put: it is listing your website for using https only, (practically) permanently. In case of any certificate problems, or a need to access the website using a protocol without encryption, your website will simply be inaccessible through non encrypted http.

    I wouldn't preload HSTS, but you can still turn it off, clear your HSTS domains, and access your site over HTTP. So, if something gets borked, there still is a fix.

    On a rate from 1 to 10, how complicated you suppose this is for an average Joe?
    I.e. how likely are they to require professional assistance if something goes wrong, in order to "remove" HSTS?

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • johnkjohnk Hosting Provider

    HSTS
    Simply put: it is listing your website for using https only, (practically) permanently. In case of any certificate problems, or a need to access the website using a protocol without encryption, your website will simply be inaccessible through non encrypted http.

    I wouldn't preload HSTS, but you can still turn it off, clear your HSTS domains, and access your site over HTTP. So, if something gets borked, there still is a fix.

    On a rate from 1 to 10, how complicated you suppose this is for an average Joe?
    I.e. how likely are they to require professional assistance if something goes wrong, in order to "remove" HSTS?

    Probably 5-6, and the menu to remove HSTS is a bit obscure

    Thanked by (1)bikegremlin
  • @bikegremlin this is one of your best articles, actually a definitive guide to get the best of Cloudflare with or without Wordpress.

    I think the possibility to also caching html pages should not be overlooked. There is a free alternative to paid plans including APO that I've been using for a while and it works much better than the "tricks" you refer to: it's WP Cloudflare Super Page Cache plugin. Try it, you will not regret! :)

    Thanked by (1)bikegremlin
  • Excellent article, one of your best!

    Thank you!

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @rthwakel said:
    @bikegremlin this is one of your best articles, actually a definitive guide to get the best of Cloudflare with or without Wordpress.

    I think the possibility to also caching html pages should not be overlooked. There is a free alternative to paid plans including APO that I've been using for a while and it works much better than the "tricks" you refer to: it's WP Cloudflare Super Page Cache plugin. Try it, you will not regret! :)

    Thanks.

    I have tried that plugin. It had some hiccups. Fine most of the time, but not all the time.
    Didn't write down the exact problems (sorry), but I know for sure that I removed that plugin eventually.

    To be fair: It did work perfectly fine for about a whole year. And the problems could have been caused by some other plugin updates (LiteSpeed is excellent but some updates do mess some things up, for example).

    It's worth giving a try though, probably. I did think about mentioning it in the article, but decided to play it safe - sticking to what I'm currently using.

    Thanked by (1)rthwakel

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said: the problems could have been caused by some other plugin updates

    Most of time problems are because of that:

    Anyway is still fully compatible with LiteSpeed plugin:

    Thanked by (1)bikegremlin
Sign In or Register to comment.