Introduction
The following article stemmed from a Facebook post in which Alexander van Aken posted his recommendations for Cloudflare settings. I’ve updated them to state correctly where each setting is located and to note any caveats you might run into.
DNS
DNSSEC -> Enabled
- No caveats at this time.
SSL/TLS
Overview
SSL/TLS Recommender -> Enable
- No caveats at this time.
Edge Certificates
SSL/TLS encryption mode -> Full (Strict)
The option “Full (Strict)” will be fine for most WordPress installations. However, you may face the following error if your origin host doesn’t have a certificate that is signed by a valid root SSL signing authority.
Invalid SSL Certificate: Error Code 526
Bypass Full Strict for Specific URL
You can bypass this by setting a page rule for specific hosts to set SSL to “Full” versus “Full Strict.”
HTTP Strict Transport Security (HSTS) -> Enable
- Enable HSTS (Strict-Transport-Security) -> Enable
- Max Age Header (max-age): 6 months
- Apply HSTS policy to subdomains (includeSubDomains) -> Enable
- Preload -> Enable
- No-Sniff Header -> Disabled
Minimum TLS Version -> 1.2
This will provide a better SSL Score at https://www.ssllabs.com/ssltest/ but might cause issues with older devices.
Always Use HTTPS -> Enabled
In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.
Automatic HTTPS Rewrites -> Enabled
In some circumstances, this option might cause redirection loops; see the following article about debugging redirection loops in WordPress.
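A quick way to confirm that the HSTS and Always Use HTTPS settings above are actually reaching visitors is to inspect the response headers a site returns. The checker below is an added example, not code from the original post or from Cloudflare; it assumes the "6 months" max-age option corresponds to 180 days (15552000 seconds) and that the sample headers it is given were captured with any HTTP client.

```python
SIX_MONTHS = 180 * 24 * 3600  # 15552000; assumed value of Cloudflare's "6 months" option

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value-or-None}.
    Directive names are case-insensitive (RFC 6797) and must not repeat."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"') if val else None
    return directives

def check_hsts(value, min_max_age=SIX_MONTHS):
    """Return a list of findings; an empty list means the header matches the
    recommended settings (max-age >= 6 months, includeSubDomains, preload).
    Note: submission to hstspreload.org additionally requires max-age >= 31536000."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [f"malformed header: {e}"]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    if "preload" not in d:
        findings.append("preload not set")
    return findings

def check_https_redirect(status, headers):
    """Always Use HTTPS: a plain http:// request should be redirected to https://."""
    location = headers.get("Location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return [f"http:// request not redirected to https:// (status {status})"]
```

Feed `check_hsts` the Strict-Transport-Security value from an HTTPS response and `check_https_redirect` the status and headers from a plain HTTP request to the same host; an empty list from both means the settings are in effect.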
Security
WAF
See my article on Locking down and Securing WordPress with Cloudflare
Bots
This should only be used when required; use at your own risk.
Settings
- Security Level -> Medium
- Challenge Passage -> (Recommended: 4 Hours) If you are using the Managing WP Cloudflare rules, set this to a value large enough that you are not bothered by Cloudflare challenges while working on your site.
Changelog
- 09-19-2023 – Initial post