Step 4: Recommended First Steps for all Cloudflare users

Welcome to Cloudflare! You’re well on your way to a faster and more secure site. This article covers the initial configurations required to ensure that you get the most out of Cloudflare.


Step 1: Whitelist Cloudflare’s IP addresses
Step 2: Review your Performance settings
Step 3: Review your Security settings
Step 4: Choose an SSL mode


Step 5: Preserve your visitors’ IP information
Step 6: Allow the IPs of the services you use to access your website
Step 7: Customize your Error Pages (paid plan only)
Step 8: Troubleshooting common issues



Step 1: Whitelist Cloudflare’s IP addresses

Once you’ve changed your name servers to Cloudflare, web traffic will be routed through Cloudflare’s network. Hooray! This means that your webserver will see a lot of traffic proxied through Cloudflare, and in order to allow all this traffic to access it, you will need to make sure that Cloudflare IPs are whitelisted and not rate-limited in any way on your server (you can ask about this at your host). We have a page with all the CloudFlare IPs.


Step 2: Review your Performance settings

Once you’ve created your account and added your website, you can customize your performance settings in your Cloudflare Dashboard under the Speed and Caching apps along the top navigation menu. There, you can manage your settings, according to your performance needs.

To learn more, check out the Speed and Caching sections within the Cloudflare Help Center for more information.

If after enabling Cloudflare you see parts of your website displaced or disappearing, try disabling RocketLoader and Auto-Minify.


Step 3: Review your Security settings

The Security Level you choose will determine which visitors will be presented with a Challenge Page. When a Challenge Page is presented, the visitor is prompted with a CAPTCHA. Once the visitor enters the correct CAPTCHA, they will resume to the appropriate page. By default, your security settings are set to Medium. To change your security settings, click the Firewall app in your Cloudflare Dashboard.

The table below describes each level.

Security Level



Available only with the Enterprise plan.

Essentially Off

Challenges only the most grievous offenders.


Challenges only the most threatening visitors.


Challenges both moderate threat visitors and the most threatening visitors.


Challenges all visitors that have exhibited threatening behavior within the last 14 days.

I’m Under Attack!

Should only be used if your website is under a DDoS attack. Visitors will receive an interstitial page while we analyze their traffic and behavior to make sure they are a legitimate human visitor trying to access your website.

Note: I'm Under Attack! may affect some actions on your domain. For example, it may block access to your API. You can set a custom security level for any part of your domain using Page Rules.


Step 4: Choose an SSL mode


Choosing an SSL mode defines the https connections between your visitors, Cloudflare, and your server. Flexible can be used regardless of whether you already own a certificate, Full should be used if you have a self-signed certificate, and Full(Strict) is for users who own a certificate signed by a valid CA. For a full description of the various SSL modes, see What do the SSL modes mean?.

If you want to use HTTPS only on your website, we have a guide that explains how to redirect all visitors to HTTPS.

We also provide other options in terms of SSL, including the ability to upload a custom SSL certificate (business plan feature) and Keyless SSL (for Enterprise customers).



Step 5: Preserve your visitors’ IP information

Because Cloudflare acts as a reverse proxy, Cloudflare IP addresses will now show up in your server logs, instead of the visitor IP address. If seeing the original visitor IP addresses is important to you, see Restoring visitor IP addresses.

If you are experiencing issues with GeoIP or .htaccess blocks not working properly on your site, installing mod_cloudflare will resolve the problem. Download the mod_cloudflare package at:

Note: This is not required if you signed up your site with Cloudflare through a Cloudflare Certified Partner.

Step 6: Allow the IPs of the services you use to access your website

We also recommend that you whitelist IP addresses of certain services (APIs, crawlers, payment providers, etc.) to access your site on a regular basis by creating an Access Rule.
To create an Access Rule, follow these steps:

  1. Log into your Cloudflare Dashboard.
  2. Click the Firewall app in the top menu.
  3. Under Access Rules, enter the IP, IP range, or two-letter country code of the service you wish to whitelist.
  4. Select Whitelist in the drop down, add a label (i.e. Payment Gateway), and then click Add.

Step 7: Customizing Error Pages (paid plans only)

One of the perks of being on a paid plan is that you can customize your Error Pages. What this means is that, if and when somethings goes wrong, your visitors will see an error page designed by you, instead of a generic Cloudflare message. The error page will still display essential debugging information, but you can improve your users’ experience by integrating the error page within your website’s general theme and design. 

Step 8: Troubleshooting common issues

Experiencing performance issues? Seeing an error page when visiting your website?  Is your website under attack? We have an article for that!

The Troubleshooting section of the Cloudflare Help Center contains a vast library of troubleshooting articles on the most common issues customers encounter.

Related Resources


Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk