Jason Chen · Lead Reviewer & Founder

Testing hosting since 2009. 60+ accounts across major providers. Former web dev turned full-time reviewer.

Cloudflare Free Plan Guide: Everything You Get for $0

I moved all my sites to Cloudflare's free plan in 2021 and haven't paid them a cent since. The free tier is absurdly generous — but there are real gotchas that bit me early on. Here's my honest breakdown after 4+ years of daily use.

Cloudflare's free plan gives you DNS, CDN, SSL, DDoS protection, basic WAF, and email routing — all free, no trial, no credit card. Here's exactly what you get, how to set it up right, and the mistakes that'll cost you if you skip them.

Why Every Site Should Use Cloudflare

Even if your host includes SSL and has decent speed, Cloudflare adds a global CDN, DDoS protection, and a WAF on top — for free. There's almost no downside. Setup takes 15 minutes and the worst case is your site loads at the same speed. The typical case is it loads faster and becomes significantly harder to attack.

I have 7 sites on Cloudflare's free plan. The one time I got hit with what looked like a small DDoS (about 50K requests in 20 minutes from rotating IPs), Cloudflare absorbed all of it without my server even noticing. My $6/month VPS stayed up. That kind of protection used to cost real money.

What You'll Need

  • Time: 15–30 minutes
  • Skill level: Beginner-friendly (you just need access to your domain registrar)
  • Cost: Free (you only pay if you upgrade to Pro later)

Follow the steps in order. Don't skip the DNS verification step — missing an MX record will break your email.

What's Included (and What's Not)

Quick reference: each feature below is labeled FREE or PAID (paid upgrade required).

FREE

DNS Hosting

Fastest public DNS in the world (1.1.1.1 backbone). Unlimited records, no cost. This alone is worth switching to Cloudflare even if you use nothing else.

FREE

CDN (Content Delivery Network)

Caches your static files across 300+ data centers globally. Visitors load your site from the nearest edge server. Typical speed improvement: 30–60% for international visitors.

FREE

Universal SSL

Free SSL certificate, auto-renewed. Covers your root domain and one level of subdomains. No configuration needed — it just works.

FREE

DDoS Protection

Unlimited, unmetered DDoS mitigation. Cloudflare absorbs attacks at the edge before they reach your server. This protection alone costs $200+/mo from other providers.

FREE

Web Application Firewall (WAF)

Basic managed ruleset included on free plan since 2022. Blocks common attacks like SQL injection and XSS. Not as thorough as Pro ($20/mo) but covers the essentials.

FREE

Page Rules (3 free)

URL-based rules for redirects, caching behavior, and security settings. 3 rules on free plan. Enough for most sites — use them for forcing HTTPS, caching everything on static pages, or forwarding URLs.

FREE

Bot Fight Mode

Blocks obvious bots automatically. Simple but effective — stops most scrapers, vulnerability scanners, and credential stuffing bots without any configuration.

FREE

Cloudflare Workers

100K requests/day free. Serverless functions at the edge — overkill for most sites, but powerful if you need custom logic (A/B testing, redirects, header manipulation).

FREE

Analytics

Basic traffic analytics without JavaScript — server-side, so it catches visitors that block scripts. Not a Google Analytics replacement, but useful as a secondary data source.

FREE

Email Routing

Forward emails from your domain to any inbox. Up to 200 destination addresses. A free alternative to paying for email hosting if you just need forwarding.

PAID

Image Optimization (Polish)

Lossless/lossy compression and WebP conversion require Pro ($20/mo). Use ShortPixel or Imagify on your server instead — they're free or cheap and work just as well.

PAID

Argo Smart Routing

Routes traffic through Cloudflare's fastest paths. Typically 30% faster TTFB. Pay-per-use (~$5/mo for small sites). Worth it if speed is critical.

PAID

Advanced Bot Management

Scoring and analytics for bot traffic require Enterprise. Free Bot Fight Mode covers the basics for most sites.

Setup in 15 Minutes

I've done this setup probably 20 times across different sites and hosts. These are the exact steps, including the things that trip people up.

  1. Create a Cloudflare account

    Go to cloudflare.com, sign up with email. Free, no credit card required. They'll ask for one later if you upgrade — but not for the free plan.

  2. Add your domain

    Enter your domain name. Cloudflare scans your existing DNS records automatically. This usually takes 30–60 seconds and imports most records correctly.

  3. Select the Free plan

    It'll try to upsell you on Pro ($20/mo). Click "Free" and continue. You can always upgrade later — but start free and see if you actually need the extras.

  4. Verify DNS records carefully

    Cloudflare imports your existing records, but check them. Specifically: confirm your A record points to your server IP, and that your MX records are there and set to DNS-only (gray cloud, not orange). Missing MX records = broken email.

  5. Change nameservers at your registrar

    Cloudflare gives you two nameservers (like ada.ns.cloudflare.com). Log into your domain registrar (Namecheap, GoDaddy, Porkbun, etc.) and replace the existing nameservers with Cloudflare's. DNS propagation takes 1–24 hours — usually under 2 hours in practice.

  6. Configure SSL mode

    In Cloudflare dashboard → SSL/TLS → set to "Full (strict)" if your host has its own SSL certificate. Set to "Full" (not strict) if your host uses a self-signed cert. Set to "Flexible" ONLY if your host doesn't support SSL at all — which is rare in 2026. Wrong SSL mode = mixed content errors or redirect loops.

  7. Enable "Always Use HTTPS"

    SSL/TLS → Edge Certificates → toggle "Always Use HTTPS" on. This forces all HTTP traffic to redirect to HTTPS at the Cloudflare edge, before it even hits your server.

5 Settings to Change Right After Setup

Default Cloudflare settings are conservative. These five tweaks take about 5 minutes and make a real difference.

1. Enable Auto Minify (Speed → Optimization)

Check all three boxes: JavaScript, CSS, HTML. Cloudflare strips whitespace and comments from your code before serving it. Not a huge win on its own, but it's free and takes one click.

2. Set Browser Cache TTL to 4 hours (Caching → Configuration)

Default is "Respect Existing Headers" which often means short cache times. Setting 4 hours means repeat visitors load your static files from their browser cache — much faster. For sites you update frequently, keep it at 1–2 hours.

3. Enable Brotli compression (Speed → Optimization)

Brotli compresses text content better than gzip — typically 15–25% smaller files. Cloudflare handles this at the edge so there's no CPU overhead on your server. Just toggle it on.

4. Set Security Level to Medium (Security → Settings)

Default is "Medium" but worth confirming. "High" starts challenging more visitors with CAPTCHAs and can hurt conversion rates for legitimate users. "Medium" is the right balance for most sites.

5. Enable Email Obfuscation (Scrape Shield)

If you have email addresses on your site, this rewrites them in a way that scraper bots can't read. Visitors see the address normally. One less source of spam.

Gotchas Nobody Talks About

These are the things that bit me personally or that I've seen bite other people repeatedly.

The WordPress double-caching conflict

If you use a WordPress caching plugin (WP Rocket, W3 Total Cache, LiteSpeed Cache) AND have Cloudflare caching enabled, you can end up with stale content that's impossible to clear — because you clear WordPress cache but Cloudflare still serves the old version, or vice versa. Fix: Either use the Cloudflare plugin for WordPress (it coordinates cache purging), or configure your caching plugin to set short cache-control headers that Cloudflare respects.

The "my real IP is exposed" problem

Cloudflare hides your server's IP by routing traffic through their network. But if you've ever sent email from your server, hosted anything at a subdomain, or have an old DNS record pointing to your IP, that IP is already public. Cloudflare can't retroactively hide it. If server IP privacy matters to you, get a new IP from your host after enabling Cloudflare — then it's actually hidden.

Orange-cloud vs gray-cloud confusion

In Cloudflare's DNS panel, each record has either an orange cloud (proxied through Cloudflare) or a gray cloud (DNS-only, bypasses Cloudflare). Your main A record should be orange. But: mail-related records (MX, mail.yourdomain.com), FTP records, and some specialty services need to be gray — otherwise their traffic gets routed through Cloudflare and breaks. When in doubt, gray cloud it.

Cloudflare doesn't cache HTML by default

This surprises a lot of people. Cloudflare only caches static assets (images, CSS, JS) by default — not your HTML pages. Your server still has to generate each page. To cache HTML, you need to create a Cache Everything Page Rule. For most dynamic sites (WordPress, etc.) you don't want full HTML caching anyway. But for static sites, enabling it can dramatically reduce your server load.

The SSL redirect loop trap

If you set Cloudflare SSL to "Full (strict)" but your host's SSL certificate has expired or was never set up, you'll get an infinite redirect loop. Visitors see an ERR_TOO_MANY_REDIRECTS error. Fix: Set SSL to "Full" (not strict) temporarily, or ensure your host has a valid SSL cert. This is the #1 reason people think Cloudflare broke their site.

Common Mistakes

Using "Flexible" SSL when your host supports SSL

This creates an unencrypted connection between Cloudflare and your server — visitors see the padlock but your traffic is insecure between CF and your host. Always use "Full (strict)" if your host has a valid SSL cert.

Proxying (orange-clouding) MX records

Email records must be DNS-only (gray cloud). Proxying MX records routes email through Cloudflare's HTTP proxy, which breaks email delivery entirely. Your registrar may not warn you about this.
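The DNS checks from the setup steps and the two cloud-related gotchas (orange vs gray, and the exposed origin IP) can be run as one audit over a list of zone records. This is an added example, not code from the guide or from Cloudflare; the record field names, the `NON_HTTP_LABELS` list and the sample zone are assumptions constructed for illustration.

```python
# Constructed sample zone; field names (type, name, content, proxied) are an
# assumed export format, and the addresses are documentation-range values.
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
]

# Hostname labels assumed to carry non-HTTP traffic (hypothetical list, extend as needed).
NON_HTTP_LABELS = {"mail", "smtp", "imap", "pop", "ftp"}


def audit_zone(records, zone):
    """Return (finding, hostname) tuples for the DNS mistakes this guide describes."""
    findings = []
    hosts = [r for r in records if r["type"] in ("A", "AAAA", "CNAME")]
    mx_targets = {r["content"].rstrip(".").lower() for r in records if r["type"] == "MX"}

    # Step 4 of the setup: a zone imported without MX records means broken email.
    if not mx_targets:
        findings.append(("missing-mx", zone))

    # The main A record should be orange (proxied).
    if any(r["name"] == zone and not r["proxied"] for r in hosts):
        findings.append(("apex-not-proxied", zone))

    # Mail and FTP hosts must be gray: the proxy only carries HTTP/HTTPS.
    for r in hosts:
        label = r["name"].split(".")[0].lower()
        if r["proxied"] and (r["name"].lower() in mx_targets or label in NON_HTTP_LABELS):
            findings.append(("proxied-non-http", r["name"]))

    # A gray record that resolves to the same address as a proxied one
    # publishes the origin IP that the proxy is supposed to hide.
    hidden = {r["content"] for r in hosts if r["proxied"] and r["type"] != "CNAME"}
    for r in hosts:
        if not r["proxied"] and r["content"] in hidden:
            findings.append(("origin-ip-exposed", r["name"]))
    return findings


if __name__ == "__main__":
    for finding, host in audit_zone(RECORDS, "example.com"):
        print(f"{finding}: {host}")
```

On the sample zone the audit reports the proxied FTP host and the gray mail host that shares the web server's address, which is the case where moving mail to a different IP (or getting a new origin IP) is the actual fix.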

Not purging cache after site updates

If you update your site and don't see changes, Cloudflare is serving the old cached version. Dashboard → Caching → Purge Everything. Or for WordPress, the Cloudflare plugin can auto-purge on publish.

Enabling Rocket Loader without testing

Rocket Loader defers JavaScript loading to improve page speed scores. But it can break some WordPress plugins and theme scripts. If your site looks wrong after enabling it, turn Rocket Loader off first — it's often the culprit.

When NOT to Use Cloudflare

Cloudflare is right for almost every site, but there are real exceptions:

You're on WP Engine, Kinsta, or another premium managed host

These hosts already run their own CDN and proxy layer. Adding Cloudflare on top creates a double-proxy situation that can cause conflicts and actually slow things down. In this case, use Cloudflare DNS-only mode (gray cloud) to get the DNS benefits without the proxy.

Your site requires accurate visitor IP addresses

When proxied through Cloudflare, your server sees Cloudflare's IP, not the visitor's real IP. This breaks IP-based access control, some login security plugins, and certain analytics. Cloudflare sends the real IP in a header (CF-Connecting-IP) — make sure your application reads that header instead.
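Reading CF-Connecting-IP is only safe when the connection really came from Cloudflare: if the origin is reachable directly, any client can set that header and pick its own "real IP". The sketch below is an added example, not code from the guide or from Cloudflare; `client_ip`, `is_cloudflare` and the plain-dict header shape are hypothetical, and the range list is an illustrative subset that must be replaced with the current list published at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Illustrative subset of Cloudflare's published edge ranges. In production load
# the full, current list from https://www.cloudflare.com/ips/ and refresh it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32",
)]


def is_cloudflare(peer_addr):
    """True when the socket-level peer address belongs to a listed edge range."""
    peer = ipaddress.ip_address(peer_addr)
    return any(peer in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_addr, headers):
    """Pick the address to use for access control, rate limits and logs.

    peer_addr is the socket-level remote address; headers is the request
    header mapping (hypothetical shape: plain dict of str to str).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    # A request that reached the origin directly can carry any header value,
    # so the header is ignored unless the TCP peer is a Cloudflare edge.
    if claimed is None or not is_cloudflare(peer_addr):
        return str(ipaddress.ip_address(peer_addr))
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        # Malformed header value: fall back to the peer address.
        return str(ipaddress.ip_address(peer_addr))


if __name__ == "__main__":
    # Constructed requests: (socket peer, headers).
    samples = [
        ("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}),   # via Cloudflare
        ("203.0.113.50", {"CF-Connecting-IP": "10.0.0.1"}),     # direct, spoofed
        ("172.64.0.9", {"cf-connecting-ip": "not-an-ip"}),      # malformed value
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_ip(peer, hdrs))
```

Pairing this with an origin firewall that only accepts ports 80 and 443 from the same ranges closes the direct path entirely.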

You need non-HTTP/HTTPS traffic on your domain

Cloudflare's free proxy only supports HTTP/HTTPS (ports 80, 443, and a few others). If you run a mail server, game server, or custom TCP service on the same domain, those records need to be DNS-only.

Note: I am not affiliated with Cloudflare. This guide covers their free plan because it genuinely improves any website at zero cost.

Affiliate Disclosure: Some links on this page are affiliate links. I may earn a commission at no extra cost to you. I only recommend services I have personally tested.

Last updated: 2026-01-08