Website owners are obsessed with speed and security—for a good reason. Kaspersky identified over 24,610,126 unique malicious objects in 2020 alone, nearly 14% more than 2018 and 12% more than 2019. Another report by the Info Security Magazine stated that online threats have increased by 600% during the pandemic. Additionally, Google has started ranking pages according to loading speed, giving SEO experts another headache to deal with.

With website security and speed both being concerns, what can website owners do?

Except hoping for the best—a lot. 😊 Website security is essential, but it should not compromise website loading time. This is why an optimized content delivery framework is critical for WordPress websites. This is why hosting providers such as Pack Web Hosting use LiteSpeed Cache and content delivery networks such as Cloudflare to boost website speeds. Cloudflare provides the extra advantage of keeping your website safe from DDoS and other attacks.

What is Cloudflare?

Cloudflare is a content delivery network and a DNS service that secures your website and speeds it up in the process. Cloudflare keeps your website safe from DDoS attacks, code injections and more. In conjunction with LiteSpeed Cache, Cloudflare also significantly boosts content delivery speed, boosting your Google SEO page ranks.

How does Cloudflare help my website?

Cloudflare performs two key functions for your website:

1. Protection from malware and malicious requests
   Cloudflare acts as a mediator between your website and the requests made to your site. Additionally, it analyses the authenticity of the request based on IP and other factors. If a requestor fails the checks set by Cloudflare, they cannot access your website.
2. Website content caching for faster delivery
   Cloudflare caches your website’s static content (images, css/js files) and delivers it straight to the requester from a server closest to their location. This makes your website appear to be faster than others.

This makes your website secure and fast—which is what most website owners are after.

Do I need to pay extra for using Cloudflare?

No. The basic plan of Cloudflare is free for everyone and has enough features to provide basic security for your website. You can use other tools such as WordFence and LiteSpeed Cache to speed up and further secure your website. To know more about these two tools, read our WordFence and LiteSpeed Cache blogs.

How do I configure Cloudflare for my website?

Cloudflare provides three ways to install and configure Cloudflare for your WordPress website. These include:

1. Through the Cloudflare cPanel plugin
   Note: Cloudflare has now deprecated this interface, and you must either use the Cloudflare web interface or the WordPress plugin. Also, we would like to let you know that the cPanel plugin has limited functionality compared to the other options.
2. Through the Cloudflare web interface
   This is the easiest option. All you need to do is visit the Cloudflare website and sign up.
3. Through the Cloudflare WordPress plugin
   This option gives you the added advantage of automatically applying WordPress-specific optimizations.

Common hosting and DNS terms

Before we continue, it is essential to understand some common terms that you will encounter while configuring Cloudflare for your website.

What is a DNS record? How many types of DNS records are there?

A DNS record is an instruction stored in an Authoritative DNS server. This record provides information about a domain, including its IP address and how to handle requests for the domain. Your website must have a DNS entry or a nameserver for it to be resolved and for services such as web browsing, FTP and others to work. You can do this using entries in various DNS record types. Some of these DNS record types include:

• A—this record specifies the IP address of your domain and its subdomain. For example, the A record of packwebhosting.com would be 139.162.47.194.
• CNAME—this record specifies all the redirects from your domain’s subdomain to other domains or subdomains. For example, the domain www.packwebhosting.com will have a CNAME entry pointing it to the root domain, packwebhosting.com. Here’s how this works:
  1. You type www.packwebhosting.com in your browser. The browser sends this request to a DNS resolver
  2. The DNS resolver checks the DNS Zone file for records with packwebhosting.com
  3. The DNS request resolves and sends the CNAME record to the client
  4. The client now creates a new DNS query for packwebhosting.com
  5. The DNS resolver checks the domain and returns the A record for packwebhosting.com with its IP
  6. The browser connects to packwebhosting.com using the IP address.
• MX—This record type specifies where the emails for your record will be delivered
• TXT—This record stores text entries with SPF data
• SPF—This is a mail validation protocol that prevents spoofing
• AAAA—This entry maps a domain to the IP address (IPV6) of the computer.
• SRV—This is a Service Record, and it provides an IP and a Port

Please note that this is not an exhaustive list that contains every single DNS entry. You may encounter these commonly used DNS entries while attempting to administer your website.

What are Reverse Proxies and Proxy Servers?

Usually, clients visit websites by entering the website’s domain in the browser, resolving the website’s IP address. The origin server of the website then sends the data directly to the client machine.

• Proxy Servers: If you’ve installed a Proxy Server (also called the forward proxy), the client will request the proxy instead of sending a request directly to the server. The proxy server then sends the request to the origin server of the website that you requested. Once the website’s origin server sends a response, the proxy will forward this response to the client.
• Reverse Proxy: A reverse proxy sits in front of web servers (websites) and intercepts requests to these sites. It then sends requests to and receives responses from the origin server.

To simplify this further, a forward proxy ensures that no website’s origin server directly interacts with a client and a reverse proxy ensures that no client directly interacts with an origin server. Reverse proxies are used for load balancing, caching and protecting websites from attacks. Cloudflare acts as a content delivery network (CDN) and a reverse proxy, helping your website become faster and more secure.

Configuring Cloudflare for your WordPress website

Below are the instructions w.r.t. configuring Cloudflare for a WordPress website. If you do not have a WordPress based website, you can still easily configure it by creating your account directly on cloudflare.com

1. Open and log in to the WordPress administrative interface for your website. If you’re do not know how to log in to your WordPress admin interface, contact your web hosting provider.
2. Click on Dashboard > Plugins
3. Click on Add New and search for Cloudflare
4. Install and activate the plugin
5. Once the plugin is activated, click on Cloudflare > Settings
   The Cloudflare welcome screen displays. If you’ve already created a Cloudflare account, sign in. Else, click on Create your Free Account to sign up.

6. Once you’ve signed up and logged in, you will see the following screen in a pop-up dialog. Click Add Site to add your website to Cloudflare.

7. Enter your website URL. Now choose the free tier plan and click Continue.

8. Once you click Continue, Cloudflare will automatically scan and import your DNS entries. You can see those entries in the import screen.

Note: You may see some entries flagged as DNS Only, marked with a grey “cloud” icon. Click the cloud to set these entries to Proxied. DNS only means that Cloudflare will not proxy these records, but only provide DNS response w.r.t. those records. Additionally, some entries do not have a cloud icon. These entries cannot be proxied. Also very importantly ensure that the main A record for your domain shows up in the above list. If this does not show up, then please manually add it.

Important: Please ensure that you check all these entries carefully. Cloudflare may sometimes not import ALL the entries defined in the Zone in cPanel. If you see missing DKIM, SPF and MX entries, add them through the Add Record functionality on this screen. Failing to add them can cause services such as email to break. Contact your web host or your website administrator if you do not know what to do with these entries.

Note: You will see the same settings from the web or the WordPress Cloudflare plugin interface. The way to access them differs. To revisit settings it is best to log in to the Cloudflare website. If you want to change these settings from within WordPress, go to Dashboard > Settings > Cloudflare. Add your email ID and Global API Key Or API Token. If you do not have your API key, you can get it by clicking Get your API Key from here.

9. The next step is critical. You now need to swap your existing nameserver entries with Cloudflare’s nameservers. To do this, log on to your hosting provider’s account and make the changes to the nameserver. If you do not know how to make these changes, contact your web host.
10. Once you’ve changed the nameserver entry of your domain name, it may take up to 24 hours for the changes to reflect in Cloudflare. Usually, this takes around 20 minutes. Once done, click Complete, check nameservers.
11. The Quick start guide displays. Click Get started to continue

12. Now change the settings you want to. Here, I chose to minify JavaScript, CSS and HTML. You may either change these settings or leave them as is if you do not know what you’re doing.

13. Once your nameservers are active, you will receive the following email from Cloudflare:

That’s it! You will see the following screen once your nameservers are pointing to Cloudflare. Some of the sections in the Cloudflare configuration are important and can break your website or functionality if not configured correctly. 

Configuring SSL encryption mode in Cloudflare

Configuring SSL in Cloudflare is easy. It is best to use the recommended option (Full). Only change this option if you have a reason to or know what you’re doing. Cloudflare allows you to use a self-signed certificate in the “Full” setting without displaying the “Not Trusted” warning. Additionally, to avoid those pesky 525 errors configure your origin webserver to allow HTTPS connections on port 443 with a self-signed SSL certificate, a Cloudflare Origin CA certificate, or a valid certificate purchased from a Certificate Authority before enabling the Full SSL option.

Note: You will require a valid certificate purchased from a certificate authority if you choose the Full (strict) option.

Using Firewall Rules in Cloudflare

Cloudflare also provides a robust firewall that allows you to create up to 5 active firewall rules to protect your website. If, for instance, your host reports that you are receiving a lot of traffic or malicious hits from a specific country—say China, you can easily create a firewall rule to block traffic from that country altogether. This option can help prevent DDoS attacks from a particular region and reduce excessive bandwidth usage for you and your hosting provider.

You can also create agent blocking rules to prevent attackers from using older, unpatched systems to launch attacks. You can also use blocking rules to block specific client types. For example, if you do not wish to honour requests from Internet Explorer 6, you can choose to block or challenge it. As always, do not tinker with these settings unless you know what you’re doing.

Configuring caching on Cloudflare

Caching is an important functionality in Cloudflare, and it can significantly speed up your website. Do not change the settings in the caching tab unless you know what you’re doing. Some important options include:

Purge cache: This will force Cloudflare to fetch a new version of the cached web assets (images/CSS/JS files). You can either purge specific files or purge everything. Purging will increase the load on your server.

Removing or disabling Cloudflare

Removing or disabling Cloudflare is easy and can be done from the Overview tab. If you wish to turn off Cloudflare temporarily, it is best to use the Development Mode. Switch on the Under Attack Mode If you believe that hackers or bots are attacking your website.

However, if you wish to remove your website from Cloudflare or pause using Cloudflare, you can do so from the Advanced Actions tab.

Final Thoughts

Cloudflare is a very powerful tool. If configured and used right, it can make a substantial difference in the load time of your website, significantly boosting your Google SEO rankings. Additionally, Cloudflare can also enhance the security of your website by shielding it from malicious entities and external attacks. Cloudflare has helped millions of websites stay safe from hackers, service attacks and other malicious attempts.