Increase WordPress security with CloudFlare; block hackers & spammers

Since we started using the CloudFlare (free plan) on a few sites a few months ago, it's greatly reduced comment spam and contact form spam. According to our CloudFlare dashboard, it's also blocked many botnet zombies and other threats, reducing the risk of sites being hacked. It also serves as a CDN (content delivery network), but sites were fast enough before, so there wasn't a noticeable speed improvement.

Here's how we set up CloudFlare for a WordPress site. The steps you need to follow may differ.

  1. Create or sign into your CloudFlare account.
  2. Add your website. CloudFlare imports the DNS records.
  3. Review the DNS records. Enable CloudFlare for the root domain (example: and the www A record. Click the cloud icons to enable (orange) or disable (gray).
  4. Choose settings.
    1. Plan: Free
    2. Performance: CDN + Basic Optimizations
    3. Security: Medium
  5. Change your name servers with your DNS provider.
  6. Log into your WordPress site and install the CloudFlare plugin.
  7. In your WordPress admin menu, click Plugins > CloudFlare. Enter your API key and email address.

The Dashboard in your CloudFlare account displays analytics and threats.

CloudFlare analytics
CloudFlare analytics
CloudFlare threats
CloudFlare threats. Notice that you can block IP addresses or entire countries (bottom).

Because the CloudFlare CDN provides caching, you may notice that some changes (such as CSS changes) don't immediately take effect. You can put CloudFlare in Development Mode to temporarily disable caching (for up to 3 hours). In the WordPress plugin (Plugins > CloudFlare), set Development Mode to On. Alternatively, log into CloudFlare and on the Websites page, use the Development Mode button there, or use the Pause CloudFlare button to deactivate CloudFlare indefinitely.

Many hosts allow you to enable CloudFlare from within cPanel. We tried this, but found that it only works if your domain begins with "www". To leave "www" off and use your root domain (like, you need to go directly to CloudFlare rather than going through the host. Reference: CloudFlare blog (comments).

If your site uses SSL, you won't be able to use the free plan. You'll need to upgrade to one of the paid plans.

One cool feature of CloudFlare is that it uses JavaScript to obfuscate email addresses, protecting them from many email address harvesters.

Have you used CloudFlare? What are your thoughts? Do you need help adding CloudFlare to your WordPress site? Contact us!

Filed Under: 

Want tips to rocket-boost your website?

Simply sign up.

15 comments on “Increase WordPress security with CloudFlare; block hackers & spammers”

  1. 9 out of 10 of the last spam I received originated from CloudFlare. I want nothing to do with CloudFlare and is looking for ways to exclude CloudFlare from all communication with my sites. Legitimate e-mail from CloudFlare will have to suffer, it is better than getting hordes of spam from CloudFlare.

    1. Gerard, what do you mean that the spam you received originated from CloudFlare and that you're getting hordes of spam from CloudFlare? Cloudflare is in the business of stopping spam and other Internet threats, not causing it. Have you sent samples to Cloudflare to ask them to analyze the messages? It's fairly easy to spoof emails and other messages so they look like they're coming from somewhere else. It would be worth asking Cloudflare for their input on the problem.

  2. Cloudflare is referenced in the body of 9 out of 10 spam I receive. Is it not the same thing as sending spam? Lately the sender is usually and and Cloudflare would do well not to extend services to those two accounts. To put it bluntly, it is common knowledge what CloudFlare is doing and it does not sit well with the majority of service providers. If you carry on not responding to spam reports, it is just a matter of time until CloudFlare is shut down.

    The support pages on CloudFlare is extremely user unfriendly. Contacting CloudFlare is almost not worth it.

    1. I haven't received such spam, and I haven't researched the issue, but I'll share my thoughts. It sounds like the spam is being sent from spammers who are using Cloudflare services, not from Cloudflare itself. Cloudflare is known to support free speech rights and provide services to controversial web properties and organizations. If Cloudflare's support pages haven't worked for you, you can try contacting CloudflareHelp on Twitter.

      You mention that it is common knowledge what CloudFlare is doing and it does not sit well with the majority of service providers. I'm interested to learn more about this. Are you able to share any links that I can reference?

    1. Thank you for the info. Those posts confirm what I suspected: the spam is being sent from spammers who are using Cloudflare services, not from Cloudflare itself. Unfortunately, because of Cloudflare's stance on free speech, many nefarious individuals and organizations use their services. However, that doesn't undermine the fact that legitimate website owners can also benefit from Cloudflare's services.

      1. I have just received another spam from and which was 'relayed' by CloudFlare. This has been going on for almost a month and before that it was and that was 'relayed' by CloudFlare. How long does it take for CloudFlare to respond? Every instance of spam was reported to CloudFlare together with the site that is actually sending the spam.
        [spam message details removed]
        No wonder that this is the talk that is going on:

        We know that CloudFlare does not send the spam originally but 'relays' the spam. It is no use repeating it. The fact is that CloudFlare extends services to spammers and, when the spammers are reported to CloudFlare, CloudFlare does nothing about it.

        CloudFlare must change its operation or CloudFlare is going to be shut down.

    1. Gerard, what is your reason for posting these reports here? I'm sure Cloudflare doesn't read this blog, and I don't have any affiliation with Cloudflare, so there's nothing I can do. Please help me understand what you hope to accomplish.

  3. Forgive me Chad, because the article above is so heavily in favor of Cloudflare, I mistakenly thought that it was written by someone who was associated with Cloudflare.

    Do not sell yourself short, Cloudflare probably has a person or panel of persons whose only job it is to report any and all negative comment about Cloudflare.

    What do I hope to accomplish? I want to add my voice to the people who are sick and tired of spam and those organizations who support spammers. Unfortunately my view is that Cloudflare is among those organisations who support spammers.

    On Thursday 12/20/18 I received another lot of spam from and that was 'forwarded' by Cloudflare. Until they react faster or change their model, they must expect the negatives to continue.

Ready to Blast Off?

Let's talk.

Contact OptimWise