Ultimate Cloudflare Configuration: Speed, Security & Settings Guide

Slow-loading websites are the bane of a marketer’s existence. Everyone knows speed matters, but with Cloudflare, it doesn’t have to be difficult to find that sweet spot between fast and stable. Whether you’re looking for a quick optimization or want to geek out on all the details, we’ve got everything you need to know about your Cloudflare settings in this guide! With easy-to-follow instructions, step-by-step visuals, and recommended settings along the way – get ready for maximum browser speeds from start to finish.

Let’s dig in!

Cloudflare Network Settings Page

Head over to the ‘Network’ tab and make sure you have both the latest version of HTTP/3 (QUIC) as well as 0-RTT switched on. By utilizing the new version 0-RTT, WordPress users who’ve connected with your site before will experience enhanced performance.

Note: I currently have them turned off only because I am running tests on our system. I do recommend having them on to increase performance.

Cloudflare Argo Smart Routing (Optional)

This step is entirely optional, yet highly beneficial. If you navigate to the “Traffic” tab and click on the “Argo” screen, you can enable Argo which decreases network latency, thus resulting in a faster connection with your origin server. The minimum cost for utilizing this tool is $5/month; any data transfer exceeding 1GB will be charged at an additional rate of $0.10 per GB – meaning that if your average monthly data transfer equals 50GB then it would only amount to $7.50/month.

Cloudflare Scrape Shield Settings Page

In the “Scrape” tab, it’s suggested that you disable the “Email Address Obfuscation”. Supposedly this could be used to hide email addresses from your website. Nevertheless, we would advise against displaying any kind of contact information on a public site – there are plenty of loopholes for spammers and malicious actors to exploit.

We recommend disabling this feature because a JavaScript file (email-decode.min.js) is added to your WordPress site when. This has been the source of multiple Core Web Vitals warnings such as: chaining critical requests; long main thread tasks and inefficient caching policies for static assets. We currently have it live and have seen a slow done in our Core Web Vitals

Cloudflare SSL/TLS Settings Page

By navigating to the “SSL/TLS” tab and selecting “Edge Certificates,” ensure that TLS 1.3 support is enabled for maximum performance and security. Also enable Opportunistic Encryption.

Security Settings Page

To ensure the best user experience and performance on your website, click over to the “Settings” page. We recommend selecting from one of these options for security: Essentially Off, Low or Medium; anything else could start to hamper your site’s capabilities.

Enable Browser Integrity check and Privacy Pass Support while you’re in there.

Security Settings Page > Fight Bots

Under Security, there is an option for Bots and fighting bots. I really recommend clicking under Defineteily automated and select “Allow”. Then under Verified Bots select “Allow”. I allow Definitely Automated option only because I have under Rules strict security rules. If you don’t have strict rules setup, I would recommend selecting “block”.

Speed Settings Page

Go to the “Speed” tab and click into the “Optimization” screen. The most crucial step is enabling “Auto Minify.” Some plugins may do this, yet Cloudflare will take care of it for you much more effectively at a CDN-level which comes with several advantages: your web server does not expend resources; minified files are sent directly from the CDN; and they’re minified with no delays in first-time requests.

With many theme and plugin developers already minifying their code, .min.js or .min.css files signify the code has been compressed for faster performance. Although it may not significantly improve your speed compared to before, every little bit does count! As an additional measure of optimization, you should also enable Brotli compression- which is a newer form that outdoes GZIP in terms of swiftness.

Automatic Platform Optimization (APO)

What’s even better is you don’t have to leave the free Cloudflare plan in order to use Automatic Platform Optimization. This adds an additional $5 fee per month, but it makes all the difference – this feature has been essential for us on our WordPress websites! APO offers more improvements than anything else that Cloudflare provides.

What makes APO so remarkable? It caches the entirety of your website, from HTML to assets. Normally, a request would need to go through the hosting provider’s server for downloading HTML and CDN for obtaining assets such as images, CSS and JS. However, with APO in place, all requests (until their expiration) are redirected straightaway toward the Cloudflare edge server which is closest to the user’s location, including not only assets but also HTML.

Say goodbye to slow load times and those pesky “Reduce initial server response time” warnings in PageSpeed Insights – this solution is lightning-fast! No more waiting around for websites that take forever to load. This eliminates the TTFB issue with ease, so you can experience ultra-fast loading speeds on your website today.

With APO, you don’t have to worry about preloading cache per edge server like with a traditional CDN – utilized for storage and quickly distributes across all their edge servers. This allows your website to be instantly hosted in several areas around the world without having to manually change page rules.

In other words, it’s a breeze!

Cloudflare Rocket Loader

We advise that Rocket Loader remain off in most cases, as it has a tendency to slow WordPress sites and oftentimes leads to compatibility issues with plugins and themes. For this reason, we don’t employ the use of Rocket Loader on any of our websites here at Ignite Digital. To ensure your website is running optimally, turn off Rocket Loader!

Automatic Signed Exchanges

Automatic Signed Exchanges (SXGs) is an innovative feature that allows Chromium-based browsers to fetch your website even before it appears on Google’s search results pages, drastically reducing the time taken for Largest Contentful Paint (LCP). To use this amazing tool, you will need either a Cloudflare Pro or higher subscription or APO.

Warning: This feature is currently bugged when used with preloads, causing Google’s Mobile-Friendly Test Tool to fail and display the error message “Something went wrong. If the issue persists, try again in a few hours.” We highly advise against enabling this feature until they have rectified the problem.

Cloudflare Caching Settings Page

To address the PageSpeed Insights’ warning about serving static assets with an efficient cache policy, open the Caching tab and navigate to Configuration. We suggest setting your Browser Cache TTL to a minimum of one month; Google demands that caching headers are no less than 24 days in length.

If your cache expiration time is extended, the HIT cache proportion will be improved. This means that more users are able to access our website quickly with Cloudflare’s edge servers’ ultra-fast caches!

Crawler Hints

By utilizing the IndexNow protocol, search engines such as Bing, Yandex and DuckDuckGo can stay informed of any new content. Cloudflare Hints further boosts this efficiency while also guaranteeing that crawlers are not unnecessarily accessing information that has remained unchanged. For maximum origin server load reduction, we highly suggest enabling this feature!

Always Online

Cloudflare’s Always Online service, which adds your website to the Internet Archive’s Wayback Machine, may seem like a great idea; however, it is not really beneficial for e-commerce websites. These would not function properly with crawlers anyway and thus we prefer in such cases to keep them at a minimum level wherever possible. We suggest that you do not activate Always Online since fewer things hitting/crawling your site can actually provide better performance results. While here change the Caching level to standard if it’s not already.