Cloudflare Recommended Settings and Caveats

Last Updated on September 21, 2023 EDT by Jordan


Introduction

The following article stemmed from a Facebook post in which Alexander van Aken posted his recommendations for Cloudflare settings. I’ve updated those to correctly identify where the settings are located and to note any caveats you might run into.

DNS

DNSSEC -> Enabled

  • No caveats at this time.

SSL/TLS

Overview

SSL/TLS Recommender -> Enable

  • No caveats at this time.

Edge Certificates

SSL/TLS encryption mode -> Full (Strict)

The option “Full (Strict)” will be fine for most WordPress installations. However, you may face the following error if your origin host doesn’t have a certificate that is signed by a valid root SSL signing authority.

Invalid SSL Certificate: Error Code 526

Bypass Full Strict for Specific URL

You can bypass this by setting a page rule for specific hosts that sets SSL to “Full” instead of “Full (Strict).”

HTTP Strict Transport Security (HSTS) -> Enable

  • Enable HSTS (Strict-Transport-Security) -> Enable
  • Max Age Header (max-age): 6 months
  • Apply HSTS policy to subdomains (includeSubDomains) -> Enable
  • Preload -> Enable
  • No-Sniff Header -> Disabled
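
One way to check that the Strict-Transport-Security header a site actually returns matches the settings above, as an added example (not code from the original article or from Cloudflare). It assumes “6 months” means 180 days (15552000 seconds) and also flags the 1 year max-age that the browser preload list at hstspreload.org requires for submission; the function names and sample headers are constructed.

```python
SIX_MONTHS = 180 * 24 * 3600   # assumption: "6 months" taken as 180 days (15552000 s)
PRELOAD_LIST_MIN = 31536000    # hstspreload.org submission minimum (1 year)


def parse_hsts(value):
    """Parse an HSTS header value per RFC 6797; return None if browsers must ignore it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')   # max-age may be a quoted string
    if not directives.get("max-age", "").isdecimal():  # max-age is required
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_hsts(value):
    """Return a list of findings for one header value; an empty list means none."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header malformed or missing max-age; browsers ignore it"]
    findings = []
    if policy["max_age"] < SIX_MONTHS:
        findings.append("max-age below 6 months")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if not policy["preload"]:
        findings.append("preload not set")
    elif policy["max_age"] < PRELOAD_LIST_MIN:
        findings.append("preload set, but max-age is under the 1 year the preload list requires")
    return findings

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    for header in (
        "max-age=15552000; includeSubDomains; preload",
        "max-age=31536000; includeSubDomains; preload",
        'Max-Age="300"; includeSubDomains',
    ):
        print(header, "->", audit_hsts(header) or "OK")
```

To audit a live site, pass in the header value shown by `curl -sI https://example.com` (placeholder hostname).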

Minimum TLS Version -> 1.2

This will provide a better SSL Score at https://www.ssllabs.com/ssltest/ but might cause issues with older devices.

Always Use HTTPS -> Enabled

In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.

Troubleshooting Redirection Loops in WordPress (managingwp.io)

Automatic HTTPS Rewrites -> Enabled

In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.

Troubleshooting Redirection Loops in WordPress (managingwp.io)

Security

WAF

See my article on Locking down and Securing WordPress with Cloudflare

Secure, Protect and Lock Down your WordPress site with Cloudflare Custom WAF Rules (was Firewall Rules) (managingwp.io)

Bots -> Read More

This should only be used when required; use at your own risk.

Settings

  • Security Level -> Medium
  • Challenge Passage -> (Recommended: 4 Hours) If using Managing WP Cloudflare rules, set this to a duration long enough that you’re not bothered by Cloudflare challenges when working on your site.

Changelog

  • 09-19-2023 – Initial post