Step 4: Recommended First Steps for all Cloudflare users

Welcome to Cloudflare! You’re well on your way to a faster and more secure site. This article covers the initial configurations required to help you get the most out of Cloudflare.

Task 1: Whitelist Cloudflare IP addresses

Once you’ve changed your name servers to Cloudflare, web traffic is routed through Cloudflare’s network. Hooray! This means that your web server will see a lot of traffic proxied through Cloudflare. To allow all of this traffic to reach it, make sure that Cloudflare IPs are whitelisted and not rate-limited in any way on your origin web server (you can ask your host about this). We have a page with all the Cloudflare IPs.

Task 2: Review your Performance settings

Once you’ve created your account and added your website, you can customize your performance settings in your Cloudflare Dashboard under the Speed and Caching apps along the top navigation menu. There, you can manage your settings according to your performance needs.

To learn more, check out the Speed and Caching sections in the Cloudflare Help Center.

If, after enabling Cloudflare, you see parts of your website displaced or disappearing, try disabling Rocket Loader and Auto-Minify.

Task 3: Review your Security settings

The Security Level you choose determines which visitors will see a Challenge Page. When a Challenge Page is presented, the visitor is prompted with a CAPTCHA. Once the visitor enters the correct CAPTCHA, they continue to the page they requested. By default, your security settings are set to Medium. To change your security settings, click the Firewall app in your Cloudflare Dashboard.

The table below describes each level.

Security Level



Available only with the Enterprise plan

Essentially Off

Challenges only the most grievous offenders


Challenges only the most threatening visitors


Challenges both moderate threat visitors and the most threatening visitors


Challenges all visitors that have exhibited threatening behavior within the last 14 days

I’m Under Attack!

Use only when your website is under a DDoS attack. Visitors see a transitional page while Cloudflare analyzes their traffic and behavior to make sure they are a legitimate human visitor trying to access your website.

Note: I'm Under Attack! may affect some actions on your domain. For example, it may block access to your API. You can set a custom security level for any part of your domain using Page Rules.

Task 4: Choose an SSL mode 

The SSL mode you choose defines the HTTPS connections between your visitors, Cloudflare, and your server. Flexible can be used regardless of whether you already own a certificate on the server. Full should be used if you have a self-signed server certificate. Full (Strict) is for customers who own a server certificate signed by a valid Certificate Authority (CA). For a full description of the various SSL modes, see What do the SSL modes mean?

If you want to only use HTTPS on your website, see how to redirect all visitors to HTTPS.

Cloudflare also offers other SSL options, including the ability to upload a custom SSL certificate (Business plan feature) and Keyless SSL (for Enterprise customers).

Task 5: Preserve your visitors' IP information

Because Cloudflare acts as a reverse proxy, Cloudflare IP addresses show up in your server logs, instead of the visitor IP address. If seeing the original visitor IP addresses is important to you, see Restoring visitor IP addresses.

If you are experiencing issues with GeoIP or .htaccess blocks not working properly on your site, installing mod_cloudflare will resolve the problem. Download the mod_cloudflare package at:

Note: This is not required if you signed up your site with Cloudflare through a Cloudflare Certified Partner.
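
Tasks 1 and 5 meet at the origin: once traffic arrives from proxy addresses, logging, rate limiting and IP blocks need the visitor address rather than the proxy address. The following is an added example, not Cloudflare's code or mod_cloudflare: it accepts the CF-Connecting-IP request header only when the TCP peer is inside a trusted proxy range. The ranges are constructed placeholders and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (documentation address space). Assumption:
# replace them with the ranges published on Cloudflare's IP list page.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(c)
    for c in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")
]

# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}),
    ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.8"}),
    ("192.0.2.11", {"cf-connecting-ip": "203.0.113.7"}),
    ("203.0.113.99", {"CF-Connecting-IP": "10.0.0.1"}),  # direct, forged header
    ("198.51.100.5", {"CF-Connecting-IP": "not-an-ip"}),  # malformed header
]


def is_trusted_proxy(peer_ip):
    """True when the TCP peer address belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def visitor_ip(peer_ip, headers):
    """Return (ip, source) to use for logs, rate limits and IP blocks.

    The header is honoured only for connections from a trusted proxy;
    a client connecting directly to the origin could set it to anything.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, "peer"
    claimed = next(
        (v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), ""
    )
    try:
        return str(ipaddress.ip_address(claimed.strip())), "header"
    except ValueError:
        # Missing or malformed header: fall back to the peer address.
        return peer_ip, "peer"


def requests_per_visitor(requests):
    """Count requests per resolved visitor address (a rate-limit key)."""
    counts = Counter()
    for peer, headers in requests:
        counts[visitor_ip(peer, headers)[0]] += 1
    return dict(counts)
```

Keyed on the peer address alone, the first two sample requests would count against a single proxy address even though they come from two different visitors.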

Task 6: Allow the IPs of the services you use to access your website

We also recommend that you create an Access Rule to whitelist the IP addresses of services (APIs, crawlers, payment providers, etc.) that access your site on a regular basis.

To create an Access Rule, follow these steps:

  1. Log into your Cloudflare Dashboard.
  2. Click the Firewall app in the top menu.
  3. Click on the Tools tab.
  4. Under IP Access Rules, enter the IP, IP range, or two-letter country code of the service you wish to whitelist.
  5. Select Whitelist in the drop-down, add a label (e.g., Payment Gateway), and then click Add.

Task 7: Customizing Error Pages (paid plans only)

One of the advantages of being on a paid plan is that you can customize your Error Pages. What this means is that, if and when something goes wrong, your visitors will see an error page designed by you, instead of a generic Cloudflare message. The error page will still display essential debugging information, but you can improve user experience by integrating the error page within your website’s general theme and design. 

Task 8: Troubleshooting common issues

Experiencing performance issues? Seeing an error page when visiting your website? Is your website under attack? We have an article for that!

The Troubleshooting section of the Cloudflare Help Center contains a library of articles on the most common issues customers encounter.
