How I use CloudFlare for my WordPress website

During the last 2 years I had some problems with this blog because of massive comment spam. I tried different ways to handle this unwanted traffic, but at the end I needed to host my website on a stronger VPS to handle all the requests. Something I don’t want because I have almost zero income with this web development blog.

Placing my website behind a proxy

Using a cache plugin for a WordPress website is in my opinion a required action, but for this website was this not enough and I decided to “hide” my online property behind a proxy or firewall. Sure you can power-charge your web host to a maximum, but I think it’s much better to keep the bad website traffic outside.

Cloudflare illustration
Image credits: CloudFlare 

Protecting and optimizing a website with CloudFlare

CloudFlare logoThere are several ways to optimize your website, one option is the CDN service provided by CloudFlare. They offer a free plan with basic functionality and premium plans for professional, business and enterprise type of websites. All CloudFlare plans come with these main features:

  • Website protection against online threats
  • A CDN that serves your static files from huge a worldwide network
  • Website optimizations that makes your website load faster
  • Web analytics for your website traffic including details about threats and robots
  • Plenty of apps which you can use right in your website

Installing CloudFlare for WordPress

The CloudFlare setup was very easy, there was only thing I need to do: Changing the name servers for my website’s domain name. To protect my WordPress application I decided earlier to restrict the access for the wp-admin directory and the wp-login.php file to a small selection of IP addresses. Because my site is now behind the CloudFlare proxy I need to update my rules inside the .htaccess files.

SetEnvIf X-FORWARDED-FOR 195.97.xx.xx allowedip
order deny,allow
deny from all
allow from env=allowedip

These modified rules are used by the web server to recognize my IP address while all site access is identified by one of the CloudFlare IP addresses. It’s also possible to create page rules from the CloudFlare interface, but these are limited to 3 rules in the free version.

CloudFlare offers also a plugin that identifies the user’s IP address inside a WordPress website. This is useful for the comment section. The same plugin reports also (new) spammers to the CloudFlare database.

Apache Log files

Since all visitors using the CloudFlare proxy to access your website, this visitor’s IP address isn’t stored in your Apache Log files. To translate the IP addresses to the original number in your log files it’s necessary to install the Apache module mod_cloudflare. If this is not possible you should look for a cPanel server or use one of the hosting providers offering CloudFlare as part of their hosting plan. Check the list of hosting providers on the CloudFlare website.

Performance settings

I customized my CDN + Basic settings a bit:

  1. The cache level is set to “Simplified”
  2. To keep my website’s HTML code unmodified I disabled the minify settings for the HTML files.

Cloudflare for WordPress

In the past I used the Bad Behavior plugin to keep most of the bad visitors away from my website. I disabled this plugin because CloudFlare’s blacklist should be strong enough.

Published in: Web Hosting


  1. After several weeks I’ve decided to remove this blog from the Cloudflare network. I’m still satisfied about the service provided by Cloudflare, but it’s time to try something else. :) This time it’s the NinjaFirewall which looks amazing to me. Even the free version offers a lot of features and according to some reviews I’ve read before, this firewall should help me to keep the bad traffic from my website.

    1. Hi, most of the static files are served by a CDN. Sure Nginx is often a better choice than Apache but in my case I need to stuck with Apache :(

    1. I found this tutorial on the Digital Ocean. Looks great and I’m sure I will try this setup once. I tried also a setup using Varnish (and Nginx), but this wasn’t so easy to setup.

  2. If your WordPress website becomes bigger, busy and older there is a bigger chance that your site needs a better host. I’ve learned that a “simple” VPS isn’t enough, or better sometimes a valuable shared host might even better. Cloudflare is great option but you can’t do anything if your website is down because of some bigger DDOS attach on the cloudflare network.

  3. Thanks for sharing your ideas on how to use Cloudflare on WordPress. The part about protecting the wp-admin directory is something I need to solve for my current website.

    1. Hello Leaner,

      how do you customize the database for WordPress and how does it help to raise the performance for your WP website?

  4. Hi Olaf Lederer,
    I am using cloudflare but w3 total cache plugin seems not working with cloudflare setting, I have downloaded cloudflare plugin for WordPress and configured it, it’s working perfectly. I have been using cloudflare on almost all of my blogs, it’s really prevent spam and bad bots attack to blogs.

    Thanks for the great post.

  5. Hi Bhavesh,
    W3 Total cache has it’s own Cloudflare extension, I suggest to use that on instead. I think Cloudflare is the great if nothing else works and of course it’s much easier to use Cloudflare instead of tweaking your site with hacks and plugins.
    I’m glad you like my post, keep in touch I will post an article this week about how to block bad bots using hacks and plugins :)

  6. I love the CF W3 combo it has worked wonders for a lot of my sites. Using it on my primary business site now.

    My only difficulty seems to be asynchronously loading css properly. I would love to minimize the number of request any advice would be greatly appreciated

    1. Hi Vincent,
      Right Cloudflare very powerful for default configurations and there are often a few limits if you try to tweak your site. What if you try to combine CSS/JS using W3TC or the CloudFlare Optimizer? Does it work better?

Comments are closed.