Cloudflare Recommended Settings and Caveats

Introduction
DNS
1. DNSSEC -> Enabled
SSL/TLS
1. Overview
  1. SSL/TLS Recommender -> Enable
Edge Certificates
Security
Changelog

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Introduction

The following article stemmed from a Facebook post in which Alexander van Aken posted his recommendations for Cloudflare settings. I’ve updated those to define where the settings are located correctly and any caveats you might run into.

DNS

DNSSEC -> Enabled

No caveats at this time.

SSL/TLS

Overview

SSL/TLS Recommender -> Enable

No caveats at this time.

Edge Certificates

SSL/TLS encryption mode-> Full (Strict) (Read More)

The option “Full (Strict)” will be fine for most WordPress installations. However, you may face the following error if your origin host doesn’t have a certificate that is signed by a valid root SSL signing authority.

Invalid SSL Certficate: Error Code 526

Bypass Full Strict for Specific URL

You can bypass this by setting a page rule for specific hosts to set SSL to “Full” versus “Full Strict.”

HTTP Strict Transport Security (HSTS) -> Enable

Enable HSTS (Strict-Transport-Security) -> Enable
Max Age Header (max-age): 6 months
Apply HSTS policy to subdomains (includeSubDomains) -> Enable
Preload -> Enable
No-Sniff Header -> Disabled

Minimum TLS Version -> 1.2

This will provide a better SSL Score at https://www.ssllabs.com/ssltest/ but might cause issues with older devices.

Always Use HTTPS -> Enabled

In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.

Automatic HTTPS Rewrites -> Enabled

In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.

Security

WAF

See my article on Locking down and Securing WordPress with Cloudflare

Bots -> Read More

This should only be used when required; use at your own risk.

Settings

Security Level -> Medium
Challenge Passage -> (Recommended: 4 Hours) If using Managing WP Cloudflare rules, then set to a number that would be enough so you’re not bothered by Cloudflare challenges when working on your site.

Changelog

09-19-2023 – Initial post

Author

Jordan Trask

With 20 years experience in technology spanning from Linux, Data Center Infrastructure and related services and applications. Jordan consults with small, medium and large organizations tackling problems and technology needs. With 10 years experience in WordPress, he’s created Managing WP as a means to dump his brain on the web.

Jordan operates LMT Solutions providing Technology Consulting Services and We Power WP for WordPress Care Plans and Support.

Table of Contents

Introduction