Cloudflare settings are the DNS, SSL/TLS, WAF, security rules, bot filtering, and caching configurations that help make a website faster, safer, and more resilient against DDoS attacks. For a secure baseline setup, you should add your domain to Cloudflare, migrate DNS records accurately, choose Full (Strict) SSL mode whenever possible, enable WAF managed rules, apply challenges or rate limits for suspicious requests, and use protections such as “Under Attack Mode” carefully during active attacks.
Cloudflare works like a CDN and security layer that sits between your website and your visitors. When someone visits your site, the request first reaches Cloudflare’s global network. At that point, malicious traffic can be filtered, static files can be served from cache, and legitimate requests are forwarded to your origin server. This setup is especially valuable for WordPress, WooCommerce, business websites, SaaS dashboards, and high-traffic content sites. However, poorly configured Cloudflare settings can also create problems such as SSL errors, endless redirect loops, admin panel access issues, pages not updating because of cache, and even security gaps.
In this guide, we will walk through how to set up Cloudflare from scratch, enable the key options for website security, use DDoS protection in the right scenarios, and optimize performance settings without weakening security. If you want a fast, secure, and compatible infrastructure for your site, it is important to build a solid foundation on the domain, hosting, and SSL side as well: Domain registration, Web hosting packages, SSL certificate.
What Is Cloudflare and How Does It Help with Website Security?
Cloudflare is a cloud-based security and performance platform that provides DNS management, CDN, DDoS protection, web application firewall, bot mitigation, SSL/TLS management, and traffic analytics. In a traditional setup, visitors connect directly to your hosting server. When Cloudflare is used, visitors connect first to Cloudflare edge servers. This allows malicious traffic to be filtered before it reaches your origin server.
For example, a small WordPress site might normally receive 2,000 visitors per day and 20–30 requests per minute. During a basic HTTP flood attack, that number can jump to 20,000 requests per minute. Your server may become unable to respond because of CPU, RAM, or connection limits. Cloudflare helps separate legitimate visitors from harmful traffic using IP reputation, behavior analysis, rate limiting, challenges, and DDoS signatures so that real users can still reach your website.
Cloudflare is not a magic tool that “fixes everything” by itself. It becomes effective when used together with reliable hosting infrastructure, updated software, strong passwords, backups, SSL, and proper server configuration. If you use WordPress, theme and plugin updates, admin panel security, and a strong password policy remain critical: WordPress hosting, WordPress security.
Preparation Checklist Before Setting Up Cloudflare
Before moving to Cloudflare, a few basic checks can reduce access and SSL issues after the setup. DNS changes should be planned carefully, especially for websites that already receive live traffic.
- Export or document your current DNS records: Make a note of A, AAAA, CNAME, MX, TXT, SPF, DKIM, DMARC records and all subdomains.
- Verify your hosting IP address: An incorrect A record can send your site to the wrong server.
- Check SSL status: If your origin server has a valid SSL certificate, you can use Full (Strict) in Cloudflare.
- Pay attention to email records: MX records and mail-related CNAME/A records should usually remain unproxied, meaning DNS only.
- Take backups: DNS and website backups make it easier to roll back quickly if something goes wrong.
- Choose a maintenance window: Nameserver changes often appear within minutes, but global propagation can take up to 24 hours.
For business websites, a practical approach is this: first, migrate the DNS records exactly as they are; then enable the proxy only for the root domain and www records that carry web traffic. For services such as mail, FTP, cPanel, and webmail, you should proceed carefully depending on how they are used. For example, if you use a separate subdomain for cPanel access, leaving that record as DNS only may create fewer issues: cPanel hosting management.
How to Configure Cloudflare DNS Settings
Cloudflare setup begins by adding your domain to the dashboard. Cloudflare scans your existing DNS records and presents you with a list. At this stage, the automatic scan may not find every record perfectly, so manual verification is essential.
1. Add Your Domain to Cloudflare
After logging in to your Cloudflare account, add your domain through the “Add a site” step. Once you choose a plan, review the DNS records. For the root domain, there is usually an A record; for www, there is usually a CNAME record. A sample structure may look like this:
- A record: example.com → 192.0.2.10
- CNAME record: www → example.com
- MX record: example.com → your email provider
- TXT records: SPF, DKIM, and DMARC verification records
The important point here is deciding which records should pass through the Cloudflare proxy. For A and CNAME records used for web traffic, the orange cloud can be enabled. For mail traffic, FTP, and services that require direct server access, the gray cloud, meaning DNS only, is usually the better choice.
2. Change the Nameservers
Cloudflare gives you two nameservers. You replace the current nameservers at your domain registrar with these values. If your domains are registered with Hostragons, you can manage nameservers from the domain panel: Domain management. After the change, the status in the Cloudflare dashboard should become “Active”.
3. Choose the Correct Proxy Status
When the orange cloud is enabled, HTTP/HTTPS traffic passes through Cloudflare and security features are applied. When the gray cloud is used, Cloudflare only provides DNS resolution. The proxy should be enabled for your website; however, for mail.example.com, ftp.example.com, or server management subdomains, it should generally remain disabled.
SSL/TLS Settings: The Most Secure Configuration
Cloudflare SSL/TLS settings determine how traffic is encrypted between the visitor and Cloudflare, and between Cloudflare and your origin server. The wrong SSL mode is one of the most common causes of Cloudflare-related errors.
The Difference Between Flexible, Full, and Full (Strict)
| SSL Mode | Cloudflare - Visitor | Cloudflare - Server | Recommendation |
|---|---|---|---|
| Flexible | HTTPS | HTTP | Not recommended except for temporary use; it can create redirect loops and security risks. |
| Full | HTTPS | HTTPS | SSL exists on the server, but certificate validation is not strict. |
| Full (Strict) | HTTPS | HTTPS, valid certificate | The most secure standard option; use it whenever possible. |
For professional use, your target should be Full (Strict). To use this mode, the origin server must have a valid SSL certificate. You can use Let’s Encrypt, a commercial SSL certificate, or a Cloudflare Origin Certificate. With Hostragons hosting plans, you can use this mode safely by configuring SSL installation and renewal correctly: SSL certificate installation.
Always Use HTTPS and Automatic HTTPS Rewrites
The “Always Use HTTPS” option redirects HTTP requests to HTTPS. “Automatic HTTPS Rewrites” helps convert some HTTP resources inside a page to HTTPS. However, if your website has mixed content issues, the real solution is to permanently update HTTP links in the database and theme files to HTTPS.
Be Careful When Using HSTS
HSTS tells browsers to connect to your site only over HTTPS. It is a strong security measure, but if SSL is misconfigured, visitors may be unable to access your site. Before enabling HSTS, make sure Full (Strict), valid SSL, subdomains, and redirects all work correctly. In the first stage, testing with a short max-age value is safer.
Website Application Security with Cloudflare WAF Settings
WAF, or Web Application Firewall, filters requests related to SQL injection, XSS, file inclusion, malicious bot behavior, and known application vulnerabilities. Cloudflare WAF settings are especially important for WordPress, Joomla, Laravel, custom software panels, and e-commerce websites.
Enable Managed Rules
Managed Rules are ready-made security rule sets maintained by Cloudflare. If you use WordPress, WordPress-specific rules, general OWASP rules, and known CVE signatures can reduce your attack surface. A healthy first setup is to monitor rules in “Log” mode or with low-impact actions, check for false positives, and then apply “Block” or “Managed Challenge” where appropriate.
Protect Critical Areas with Custom Rules
Custom rules provide targeted security based on your site’s structure. For example, you can allow access to login pages such as wp-login.php or /admin only from certain countries, or send suspicious user agents on specific URIs to a challenge. However, when writing rules, be careful not to block real users. On an e-commerce site, accidentally challenging the checkout page can cause a drop in conversions.
Example use case: On a business website targeting Turkey, Managed Challenge can be applied to non-local access attempts for the /wp-admin path. However, if you have remote team members or overseas offices, you should define an IP allowlist. This approach significantly reduces brute force attacks while preserving access for authorized users.
How to Set Up DDoS Protection
A DDoS attack aims to make your website or server unavailable by overwhelming it with excessive traffic. Cloudflare’s main advantage is that it can absorb this traffic across its global network and forward only cleaned requests to your origin server. For the best results, however, DDoS protection should not be treated as a passive feature waiting in the background. Think of it as a defense plan configured according to real scenarios.
1. Keep the Proxy Enabled for Web Traffic
Cloudflare DDoS protection works for proxied records. If your root domain and www record are not behind the orange cloud, web traffic goes directly to your server and Cloudflare cannot filter it. It is also important that your origin IP address is not publicly exposed. Old DNS records, mail headers, or direct IP access can allow attackers to bypass Cloudflare.
2. Use Security Level and Challenge Settings
Security Level determines whether visitors see a challenge based on their risk score. During normal periods, “Medium” is enough for most sites. During an attack or suspicious traffic spike, “High” or temporarily “I’m Under Attack Mode” can be used. Under Attack Mode shows visitors a short verification page, so it can affect the normal user experience and should not be left on permanently.
3. Limit Request Volume with Rate Limiting
Rate limiting is used to restrict how many requests can come from the same IP or client within a certain period. For example, applying a challenge to a user who sends more than 20 requests to a login page within 1 minute can reduce brute force attacks. For API endpoints, you should be more careful. If you have a mobile app or integrations, setting aggressive limits before measuring real usage volume can cause incorrect blocks: API and integration security.
4. Restrict the Origin Server Based on Cloudflare
For advanced security, you can configure your server firewall to allow HTTP/HTTPS traffic only from Cloudflare IP ranges. This way, even if an attacker knows your origin IP address, they cannot reach the server directly. This step requires care; the Cloudflare IP list must be kept up to date, and access for SSH, control panels, backup services, and other management tools should be evaluated separately.
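The two origin-side checks above, as an added example that is not part of the original article or of any Cloudflare tooling: a request is treated as proxied only when the TCP peer is in the proxy IP ranges, and the CF-Connecting-IP header is trusted only in that case; the same range list is turned into allow-then-drop firewall lines for the web ports. The CIDR list is a constructed stand-in, and the firewall output is an assumed iptables layout.

```python
"""Added example (not from the article or Cloudflare): decide whether a
connection reached the origin through Cloudflare, and only then trust the
CF-Connecting-IP header. Also emits firewall rules from a CIDR list.
The CIDR list here is constructed for the demo; in production load it from
https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6."""
import ipaddress

# Constructed sample ranges standing in for Cloudflare's published list.
SAMPLE_CLOUDFLARE_CIDRS = ["198.51.100.0/24", "2001:db8:cf::/48"]


def load_ranges(cidrs):
    """Parse CIDR strings once so membership checks are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare_peer(peer_ip, networks):
    """True if the TCP peer address belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)


def classify_request(peer_ip, headers, networks):
    """Return (client_ip, via_cloudflare).

    If the peer is a Cloudflare edge, the visitor address is in the
    CF-Connecting-IP header. If the peer is anyone else, the header is
    untrusted (anyone can send it) and the request bypassed the proxy:
    report the peer itself as the client and flag the bypass."""
    hdr = {k.lower(): v for k, v in headers.items()}
    if is_cloudflare_peer(peer_ip, networks) and "cf-connecting-ip" in hdr:
        return hdr["cf-connecting-ip"], True
    return peer_ip, False


def firewall_rules(cidrs, ports=(80, 443)):
    """Emit iptables-style allow lines for the proxy ranges followed by a
    default drop for the web ports, matching the 'allow only Cloudflare'
    step. SSH and control panel ports are deliberately not touched here."""
    rules = []
    for c in cidrs:
        tool = "ip6tables" if ":" in c else "iptables"
        for p in ports:
            rules.append(f"{tool} -A INPUT -p tcp -s {c} --dport {p} -j ACCEPT")
    for p in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {p} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {p} -j DROP")
    return rules


if __name__ == "__main__":
    nets = load_ranges(SAMPLE_CLOUDFLARE_CIDRS)
    # Proxied request: the peer is an edge, the header carries the visitor.
    print(classify_request("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, nets))
    # Direct-to-origin request with a forged header: the header is ignored.
    print(classify_request("203.0.113.99", {"CF-Connecting-IP": "10.0.0.1"}, nets))
    print("\n".join(firewall_rules(SAMPLE_CLOUDFLARE_CIDRS)))
```

Logging the `via_cloudflare=False` case on the origin is a cheap way to notice that the origin IP has leaked, since such requests should not exist once the firewall step is in place.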
Bot Protection and Brute Force Prevention
Bot traffic is not always bad. Search engine bots such as Googlebot are necessary for your site to be indexed. The real problem is spam bots, scraping tools, fake login attempts, and automated traffic that consumes resources. Cloudflare bot protection helps distinguish this traffic using behavioral signals.
- Bot Fight Mode: Can be used to reduce basic bot traffic, but it should be tested with some integrations.
- Turnstile: Provides a more user-friendly verification method for forms as an alternative to CAPTCHA.
- Login page protection: wp-login.php, xmlrpc.php, and admin paths can be restricted with custom rules.
- XML-RPC control: If it is not used in WordPress, blocking it reduces brute force risk.
- Form spam reduction: Turnstile and rate limiting can be used together on contact forms.
As a concrete example, if a WordPress site receives thousands of POST requests per minute through xmlrpc.php, CPU usage can increase rapidly. Blocking xmlrpc.php requests with a Cloudflare Custom Rule, or allowing only the IP addresses of required services such as Jetpack, can significantly reduce server load.
Cache and Performance Settings: Speed Without Breaking Security
Cloudflare is powerful not only for security but also for performance. It can reduce page load time by serving static files from the edge location closest to the visitor. However, caching everything is not the right approach. Logged-in user pages, cart, checkout, membership dashboards, and personalized content should be excluded from cache.
Recommended Cache Settings
- Caching Level: Standard mode is suitable for most websites.
- Browser Cache TTL: For static files, 1 week or longer can be preferred.
- Cache Rules: Areas such as /wp-admin, /cart, /checkout, and /my-account should be bypassed.
- Always Online: Provides limited help during temporary outages; expectations should be realistic for dynamic sites.
- Purge Cache: After design or content updates, purging the relevant URL is more controlled than clearing the entire cache.
The hosting layer also matters in performance optimization. LiteSpeed, NVMe storage, an up-to-date PHP version, and a properly configured cache plugin produce better results when combined with Cloudflare: LiteSpeed hosting, website speed optimization.
Recommended Starter Profile for Cloudflare Security Settings
The table below provides a secure starting profile for most small and medium-sized websites. Because every website has different traffic, software, and business requirements, you should monitor these settings using live data.
| Setting | Recommended Value | Why It Matters |
|---|---|---|
| SSL/TLS | Full (Strict) | Provides verified end-to-end HTTPS. |
| Always Use HTTPS | On | Redirects HTTP traffic to a secure connection. |
| WAF Managed Rules | On | Automatically filters known web attacks. |
| Security Level | Medium | Provides balanced protection for daily use. |
| Under Attack Mode | Only during an attack | Applies additional verification during heavy DDoS periods. |
| Rate Limiting | Controlled for login and API | Reduces brute force attempts and abuse. |
| Cache Rules | Bypass on dynamic pages | Prevents cart, checkout, and dashboard errors. |
| DNSSEC | On if suitable | Adds extra protection against DNS spoofing. |
Common Cloudflare Mistakes and How to Fix Them
Endless Redirect Loop
This issue usually occurs when Cloudflare SSL mode is set to Flexible while the origin server also has an HTTPS redirect. The solution is to install a valid SSL certificate on the server and set Cloudflare SSL mode to Full or preferably Full (Strict).
521, 522, and 525 Errors
A 521 error means the server refused the connection, 522 indicates a timeout, and 525 points to an SSL handshake problem. Check that your firewall is not blocking Cloudflare IPs, that the hosting server is running, that the SSL certificate is valid, and that DNS records point to the correct IP address.
Updates Not Appearing in the Admin Panel
This is usually caused by an overly aggressive cache rule. Exclude admin, cart, checkout, and user account pages from cache. On WordPress, using an integration between your cache plugin and Cloudflare cache purge makes management easier.
Email Problems
Cloudflare’s web proxy does not carry email traffic. MX records must be correct, and records pointing to the mail server should remain DNS only. If SPF, DKIM, and DMARC TXT records are missing, you may experience email delivery problems.
Step-by-Step Secure Cloudflare Setup Checklist
The following order of implementation gives beginners a secure and practical roadmap:
1. Add your domain to Cloudflare and compare DNS records with your current provider.
2. Enable the proxy for the root domain and www record used for web traffic.
3. Evaluate DNS only usage for mail, FTP, and management services.
4. Change the nameservers from your domain panel.
5. Install a valid SSL certificate on the origin server and choose Full (Strict) in Cloudflare.
6. Enable Always Use HTTPS and Automatic HTTPS Rewrites.
7. Turn on WAF Managed Rules; monitor logs and false positives during the first few days.
8. Define rate limiting or managed challenge for login pages.
9. Bypass dynamic areas with Cache Rules.
10. During an attack, increase Security Level and temporarily enable Under Attack Mode if needed.
11. Plan to tighten your server firewall based on Cloudflare IP ranges.
12. Review Security Events, Analytics, and DNS records weekly.
This checklist reduces mistakes, especially during the first setup. On higher-traffic e-commerce or membership sites, it is safer to apply changes during low-traffic hours and monitor conversion metrics afterward.
Monitoring Cloudflare Analytics and Security Events
After Cloudflare is installed, the work is not finished. The real value comes from monitoring and continuous improvement. In the Security Events section, you can see which rules blocked how many requests, which countries or IP ranges attacks came from, and which URLs were targeted. This data helps you write custom rules based on evidence rather than guesswork.
For example, if logs show 18,000 failed requests to /wp-login.php within 24 hours, it is better to create a rate limit and challenge specifically for that endpoint instead of simply increasing the overall security level for the entire site. Similarly, if your API endpoint is heavily used, you can target only the abused method, country, or user-agent combination instead of applying strict rules across the whole website.
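The evidence-based approach above, and the earlier rule of thumb of "more than 20 requests to a login page within 1 minute", as an added example that is not part of the original article: a sliding-window count over web server log lines that names the clients exceeding the limit on login endpoints, plus per-path totals of the kind read from Security Events. The log lines and their simplified format are constructed for the demo.

```python
"""Added example, not from the article: a sliding-window check over web
server log lines that reproduces the article's rule of thumb, "more than
20 requests to the login page within 1 minute from one client". Log lines
are constructed for the demo in a simplified
'<epoch> <client_ip> <method> <path> <status>' format."""
from collections import defaultdict, deque

LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
LIMIT = 20          # requests allowed per window before flagging
WINDOW = 60         # window length in seconds

# Constructed sample: one client hammers the login page, one browses normally.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 203.0.113.10 POST /wp-login.php 200" for i in range(25)]
    + [f"{1700000000 + i * 10} 198.51.100.20 GET /wp-login.php 200" for i in range(5)]
    + ["1700000030 198.51.100.20 GET /index.php 200"]
)


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return int(ts), ip, method, path, int(status)


def find_offenders(log_text, limit=LIMIT, window=WINDOW, paths=LOGIN_PATHS):
    """Return {client_ip: timestamp_when_limit_was_first_exceeded} for clients
    that sent more than `limit` requests to `paths` within any `window`
    seconds. Entries are sorted by time so log order does not matter."""
    entries = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _method, path, _status in entries:
        if path not in paths:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:   # evict requests older than the window
            q.popleft()
        if len(q) > limit and ip not in offenders:
            offenders[ip] = ts
    return offenders


def requests_per_path(log_text):
    """Totals per path, the figure used to decide which endpoint to target."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            counts[parse_line(line)[3]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))      # {'203.0.113.10': 1700000020}
    print(requests_per_path(SAMPLE_LOG))   # {'/wp-login.php': 30, '/index.php': 1}
```

The flagged address and the endpoint total together justify a rate limit scoped to /wp-login.php rather than a site-wide Security Level change, which is the distinction the paragraph above draws.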
Is Cloudflare Enough on Its Own?
Cloudflare is a powerful layer, but security should be approached in multiple layers. If your hosting server is outdated, your software has vulnerabilities, your admin password is weak, or you do not have a backup policy, Cloudflare will not eliminate every risk. A solid approach includes secure hosting, an up-to-date PHP version, regular backups, SSL, security plugins, file permissions, and access control together.
Choosing the right hosting plan for your website on Hostragons infrastructure can help you build a more stable security and performance architecture together with Cloudflare. As traffic grows, moving from shared hosting to a VPS or cloud server can be evaluated in terms of resource limits and attack resilience: VPS server, enterprise hosting solutions.
Conclusion: A Balanced Approach to Secure Cloudflare Settings
Correct Cloudflare settings are built through accurate DNS migration, Full (Strict) SSL, WAF rules, controlled bot protection, rate limiting, proper cache exclusions, and DDoS modes used specifically during attacks. For the best results, do not treat these settings as a one-time task. Think of them as a security process that should be improved regularly based on traffic data.
In short: route your web traffic through the proxy, protect your origin server, use strict SSL mode, and configure WAF and rate limit rules according to real usage patterns. If you want to create a secure foundation on the domain, hosting, or SSL side, you can explore Hostragons solutions and plan the right infrastructure for your website’s needs: Hostragons hosting packages.
Frequently Asked Questions
Which SSL mode is the most secure for Cloudflare settings?
In general, the most secure SSL mode is Full (Strict). In this mode, HTTPS is used between the visitor and Cloudflare, and also between Cloudflare and the origin server, while the origin certificate is validated. A valid SSL certificate must be installed on the server for this to work.
Does Cloudflare DDoS protection work on the free plan?
Cloudflare also provides basic DDoS protection on the free plan. However, paid plans offer more options for advanced WAF, more detailed rate limiting, bot management, and enterprise-level controls. For small and medium-sized websites, even a properly configured free plan can provide meaningful protection.
Should Under Attack Mode be left on all the time?
No. Under Attack Mode should be used temporarily during an active attack. If it stays enabled all the time, real visitors may see an extra verification screen and the user experience can suffer. During normal periods, WAF, rate limiting, and an appropriate Security Level are more balanced solutions.
Do I still need hosting if I use Cloudflare?
Yes. Cloudflare provides a security and performance layer in front of your website; your website files, database, and application still live on a hosting account or server. That is why reliable hosting infrastructure remains a core requirement even when using Cloudflare.
Can Cloudflare cache settings cause problems on e-commerce websites?
Yes, if configured incorrectly. Dynamic pages such as cart, checkout, user account, and admin panel pages should be excluded from cache. If static files are cached while personalized content is bypassed, Cloudflare can be used safely on e-commerce websites.