Example of a Cloudflare configuration for a website

Updated on / dernière mise à jour : 04/27/2022

If you want to protect your website, Cloudflare is an excellent tool and it also has a free plan for its users.

For those who find it a bit complicated to configure Cloudflare since it has numerous options, the following basic configuration might be helpful…


SSL/TLS Recommender: Yes
Always Use HTTPS: Yes
HSTS Status: On; Max-Age: 6 months; Preload: On
Minimum TLS Version: TLS 1.0 (default)
Opportunistic Encryption: No
TLS 1.3: Yes
Automatic HTTPS Rewrites: Yes
Certificate Transparency Monitoring: Yes
Disable Universal SSL: No
Authenticated Origin Pulls: No


WAF – Firewall rules

Rule 1: Allow

Expression Preview:
(http.request.uri contains "/ads.txt") or (cf.client.bot)

Rule 2: Managed Challenge

Expression Preview:
(cf.threat_score gt 10 and cf.threat_score lt 40 and not cf.client.bot) or (ip.geoip.country in {"CN"}) or (ip.geoip.country in {"RU"}) or (ip.geoip.country in {"BY"}) or (ip.geoip.country in {"T1"}) or (ip.geoip.country in {"BR"}) or (ip.geoip.country in {"ID"})

Rule 3: Block

Expression Preview:
(cf.threat_score ge 40) or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "Your own country") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php" and ip.geoip.country ne "Your own country") or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "www.YourWebsite.com" and not cf.client.bot) or (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "www.YourWebsite.com")


Bot Fight Mode: ON


Security Level: Medium
Challenge Passage: 1 month
Browser Integrity Check: ON
Privacy Pass Support: ON


Brotli: ON
Optimized Delivery: ON
Rocket Loader: OFF (it's better to not use it since it can affect advertising programs such as Google Adsense)


Caching Level: Standard
Browser Cache TTL: 4 hours
Crawler Hints: ON
Always Online: ON
Development Mode: OFF
Argo Tiered Cache: ON


Page Rules

URL (required): www.yourwebsite.com/wp-admin*
Security Level: High
Cache Level: Bypass
Disable Apps
Disable Performance


Normalization type: Cloudflare
Normalize incoming URLs: ON
Normalize URLs to origin: OFF


HTTP/3 (with QUIC): ON
0-RTT Connection Resumption: ON
IPv6 Compatibility: ON
WebSockets: ON
Onion Routing: ON
Pseudo IPv4: OFF
IP Geolocation: ON
Maximum Upload Size: 100 MB

Scrape Shield:

Email Address Obfuscation: ON
Server-side Excludes: ON
Hotlink Protection: OFF



Comments / Commentaires

%d bloggers like this: