What does Cloudflare offer with their paid Pro service plan – and is it worth it? I was curious to find out, so I decided to try it – and document my experience and impressions here. 🙂
The Cloudflare Pro plan includes the benefits of the Cloudflare WordPress APO (links to Cloudflare’s website), so I tested that too.
This isn’t a real review as much as my notes on everything I’ve noticed about these services – trying to figure out if they’re worth it for me.
In a separate article, I’ve explained how to configure Cloudflare’s free plan for WordPress.
Note:
See my forum’s discussion thread about “Cloudflare being shady” – and consider that before deciding whether to go with Cloudflare.
If you have any questions (or additions and corrections), please use the BikeGremlin forum:
www.bikegremlin.net
Table Of Contents (T.O.C.):
- Introduction
- How to “install” Cloudflare?
- Cloudflare dashboard overview
- Cloudflare WordPress APO
4.1. WordPress APO plugin configuration
4.2. Testing if APO Edge caching works - Cloudflare Pro
- Speed and stability testing results
- LiteSpeed Enterprise vs Cloudflare WordPress APO
- Conclusion
- Trouble(shooting)
9.1. Firewall problem (working “too well” 🙂 )
9.2. Huge CLS problem with mobile phones
1. Introduction
I’ve been using Cloudflare’s free plan since 2019 (or 2018, I’m not sure). In its free plan, Cloudflare provides extra security, makes website migrations faster and easier, and offers some performance boost. Here, I explained what Cloudflare is and how it works.
I’ll debunk a common myth: in its free version, Cloudflare isn’t a real CDN.
For static HTML websites, it can easily be configured to act as a CDN by adding a “Cache Level – Cache Everything” directive in the “Page Rules.” However, this doesn’t work well for dynamic content. For example, you don’t want webshop visitor A to see the basket contents of visitor B.
Still, you can force it to work even for dynamic stuff (like WordPress, WooCommerce etc.) by using some of these “tricks:”
- Using Cloudflare workers (link to their website docs).
This requires a lot of time, trial and error, and they charge you after 100,000 daily requests (this last item still doesn’t worry me). - Using the free WordPress plugin Super Page Cache for Cloudflare (link to wp.org).
I tested it for about a year. As with any other WordPress plugin, some updates cause hiccups, or some other plugin update causes conflicts. - Using Cloudflare WordPress APO (described in this article) – for $5 monthly per domain.
- Using a “Bypass cache on cookie” page rule that comes with the Cloudflare Business plan – $200 monthly.
The plugin mentioned above is good, and I’d recommend it as a free solution for WordPress websites. Likewise, suppose you have enough knowledge and time. In that case, you can configure Cloudflare Workers yourself (and make your own plugin/WP implementation for deleting stale Cloudflare Edge cache).
Aware of my time and technical knowledge limits, I decided to try Cloudflare WordPress APO (Automatic Platform Optimization). It comes with its own plugin to take care of the cache “refreshing” when website content is changed. I hope Cloudflare’s “official” plugin will work even more stably than its free alternative.
I also wanted to try Cloudflare Pro. It provides better security (improved firewall protection) and some extra speed options.
- Cloudflare WordPress APO costs $5 per domain monthly.
- Cloudflare Pro costs $20 per domain monthly, with WordPress APO included (“free of charge”).
I would not pay for APO without the extra Pro security, nor would I pay for Pro without the APO caching improvements.
If you’d like to know how to configure all that, what exactly it provides, and how it performs in practice (vs free Cloudflare + LiteSpeed) – read on.
2. How to “install” Cloudflare?
For a start, open a Cloudflare account. It’s free, and the procedure is more straightforward than making a Gmail account, so I won’t discuss it here (you can watch the video below for all the details).
After that, click on the “Add a Site” button to add a domain to Cloudflare. It will give you nameservers to add to your domain registrar (how to add Cloudflare nameservers).
I use and recommend Porkbun domain registrar (how to move a domain to another registrar).
Cloudflare should import all your existing DNS settings. In case you are starting from scratch, or have any problems, here’s how to configure Cloudflare DNS.
Finally, you should configure all of Cloudflare’s basic, free options. I wrote a general tutorial for that, with an emphasis on WordPress: “How to configure Cloudflare for WordPress?“
In the rest of this article, I’ll only deal with the extra options that become available with Cloudflare Pro and WordPress APO.
I’ve made a detailed, complete video tutorial on how to create, secure and configure a Cloudflare account – and how to connect it to your website:
3. Cloudflare dashboard overview
My guide for configuring (free) Cloudflare for WordPress used the old Cloudflare dashboard design. I prefer it. It’s nicer and easier to use:
Unfortunately, they’ve removed the old design, so now we all have to use this one:
In this article, I’ll refer to the options’ (and sub-options) layout and structure as shown in picture 2.
4. Cloudflare WordPress APO
Let’s begin with WordPress APO and see what it offers. In theory, it should create copies of your site’s contents on all its Edge cache servers spread worldwide. Then it should serve your site’s contents from the Edge server closest to the visitor – for each visitor. Chapters 6 and 7 show my tests of this system’s performance.
For a start, you should backup everything, just in case. Then, deactivate (and uninstall) any other caching plugins (like LiteSpeed cache). Now install the official Cloudflare WordPress plugin.
The plugin offers automatic Cloudflare configuration for WordPress. Still, chapter 2 gives you a link to a manual setting tutorial, which I prefer for more control.
Before we dive into the plugin configuration, let’s see what WP APO options need configuring on Cloudflare’s dashboard:
8. Speed -> 8.2. Optimization
Automatic Platform Optimization for WordPress
Even if your website is mobile-friendly (or mobile-first), check the “Cache By Device Type” checkbox.
4.1. WordPress APO plugin configuration
If you haven’t already created (and configured) a Cloudflare account, I suggest you do that first. Then, use the activated plugin to log into the account:
Next, enter your email and API credentials:
If you’ve configured it all manually, all you have to do is activate WordPress APO: 🙂
Instructions on manual configuration using Cloudflare’s dashboard are given in chapters 4 (this one) and 5 (next one) of this article, and in the article about configuring Cloudflare for WordPress (for the free-options configuration).
The plugin allows you to click on one button and have all the options configured to what Cloudflare considers to be the best setup for WordPress. Here’s a list of Cloudflare’s recommended settings for WordPress (CF website link).
4.2. Testing if APO Edge caching works
To confirm WordPress APO cache works, we should test it. Here’s how to do that:
- Open Chrome browser’s “New incognito window” (CTRL + SHIFT + N).
- Press the F12 button.
- Go to the “Network” tab.
- Uncheck the “Disable cache” option.
- Open a page on your website.
- Click on the first item in the list.
- Go to the “Headers” tab.
5. Cloudflare Pro
A brief overview of the Pro service options.
I marked the options I don’t use with an asterisk ( * ).
Two asterisks ( ** ) mark the options that sometimes need to be disabled.
6. Security -> 6.2. WAF -> 6.2.3. Managed rules
Better firewall protection compared to the free package.
Cloudflare Managed Ruleset – Enable the following:
Miscellaneous, PHP, ** Specials, WordPress
Package: OWASP ModSecurity Core Rule Set
Sensitivity: ** Low
Action: Legacy CAPTCHA
Disable the following:
OWASP Slr Et Joomla Attacks, OWASP Slr Et PhpBB Attacks
** If you have problems updating WordPress widgets, temporarily disable the “Specials” ruleset, and set “OWASP Sensitivity” to “Off”.
6. Security -> 6.2. WAF -> 6.2.4. Tools
The Zone Lockdown option lets you allow only listed IP addresses to access a specified URL. This is useful to protect an admin or protected area from non-listed IP addresses.
6. Security -> 6.3. Page Shield
Enabling this protects your visitors from Magecart-style supply chain attacks that steal credit card information and sensitive data through malicious third-party dependencies (good for webshops).
8. Speed -> 8.2. Optimization
* Image Resizing – Allows image resizing (in pixels) and even conversion to WebP format on the Edge servers that serve cached contents.
* Polish – Translates your website to this beautiful Slavic language… I’m joking. 🙂 It compresses your images if you hadn’t done your homework before uploading them to your website.
Enhanced HTTP/2 Prioritization – Optimizes the order of resource delivery.
TCP Turbo – TCP (Transmission Control Protocol) optimization for reducing latency.
* Mirage (BETA!) – Faster image loading for mobile phone visitors.
* Automatic Signed Exchanges (SXGs) (BETA) – Speeds up LCP (Largest Contentful Paint) for Chrome-like browsers by letting them prefetch content from Google’s search results page.
9. Caching -> 9.1. Overview -> Cache Analytics
Cache-related statistics. Available with the Pro plan.
* 13. Traffic -> 13.5. Health Checks
Get feedback on latency, uptime, and see any errors – for various global locations (as you configure it). I use the free HetrixTools for this (affiliate link).
14. Custom Pages
* IP/Country Block – Let’s you display your own page with an explanation of why you are an idiot who blocks visitor access from entire countries based on their IP address.
* WAF Block – Custom page explaining whatever you think is wise to explain when a visitor is blocked by a firewall rule.
* 500 Class Errors – Same, but for 500 errors
* 1000 Class Errors – Same, again.
* Always Online™ Error – Same, for the case when Alway Online hasn’t got a cached page copy to show in case the site has crashed.
* Legacy CAPTCHA Challenge -Serve your own CAPTCHA page if you like.
* Managed Challenge – Same, for the managed challenge rules.
* Country Challenge – Same, for Country challenge rules.
* I’m Under Attack Mode™ / JavaScript Challenge – Same, again, for those rules.
* 429 errors – Show your custom page to visitors who’ve hit a rate limit.
6. Speed and stability testing results
My websites ran on a LiteSpeed Enterprise server, using the free LiteSpeed WordPress plugin, and with Cloudflare Railgun enabled.
In 2022, on July 15th, I activated Cloudflare Pro and WordPress APO. Here is my test setup by websites:
- A – bicikl.bikegremlin.com – left it with LiteSpeed cache plugin, as before, but added the Cloudflare Pro boost options.
(cycling website in Serbocroatian) - B – bike.bikegremlin.com – uninstalled the LiteSpeed cache and installed the Cloudflare plugin (so, Cloudflare Pro + WordPress APO).
(cycling website in English) - C – io.bikegremlin.com – let two plugins work in parallel: LiteSpeed and Cloudflare plugin (Cloudflare Pro + WordPress APO + LiteSpeed).
(IT-themed website) - D – blog.bikegremlin.com – control website, LiteSpeed uninstalled, Cloudflare plugin installed.
(my blog that no sane person reads 🙂 )
The first three websites see visitors from all around the world. Generic tests show the best results with option B and the worst results with option A. The C setup is closer to B (i.e. faster performing) than A.
My concerns:
Regarding setup C, will the cache be updated adequately for edited pages or pages where a comment is added? Because with setup C, I am using two caching plugins/setups in parallel.
During the initial testing, my concerns were confirmed. LiteSpeed combined with WordPress APO resulted in cache not being correctly invalidated (refreshed). That’s why I immediately stopped testing setup C.
After having deleted the LiteSpeed plugin, I’m using the Advanced Database Cleaner Pro plugin (link to its website) for database optimization – and it’s stellar.
One of the setup B advantages over setup A is that it correctly refreshes only changed pages. Or only a part of a page, like the “latest comments” widget. Configuring LiteSpeed to do this (refresh only the edited widget on a page) is quite complex (at least for me).
I have also tested WordPress APO with the BikeGremlin webshop. All the updates were correctly shown on the frontend, as well as any cart updates and changes. Looks good.
Here are some speed test results for Australian visitors:
Note 1:
See chapter 9.2. Huge CLS problem with mobile phones.
Note 2:
When you activate APO plugin on a website, Railgun for that website will no longer work. That’s good – because with APO you are using the Edge caching servers. Railgun makes sense when you can’t effectively cache dynamic content on the Edge servers.
I tracked real-user page load statistics with Google Analytics.
These stats align with the generic test results from various geo-locations. My subjective impression is that with Cloudflare Pro configured, website A (that uses LiteSpeed cache) works just as fast. Only when I’m using a VPN from a location far away from the hosting server (like Hong Kong) do I see a slight speed difference in favour of site B (WordPress APO). Even then, both websites still load very quickly, but B is slightly quicker.
7. LiteSpeed Enterprise vs Cloudflare WordPress APO
High-quality shared (and reseller) hosting providers usually have LiteSpeed Enterprise servers. So, as far as you as a customer are concerned, LiteSpeed is free. You just install and configure the LiteSpeed plugin.
Cloudflare WordPress APO costs $5 monthly per domain (if you have several websites on different subdomains, they are all covered by that one subscription).
Cloudflare Pro costs $20 monthly and comes with the WordPress APO included (free of any extra charge).
If we disregard the WordPress APO, LiteSpeed is the best solution for caching WordPress websites. You can easily integrate it with its own CDN – QUIC.cloud (link to their site) if you wish. QUIC.cloud’s downside is that it requires you to use their DNS for it to work **. This prevents you from using Cloudflare’s DNS and firewall protection. It’s fair to add that QUIC.cloud offers some of its security solutions, and it isn’t free (additional CDN locations and bandwidth are charged).
** See my comment below for more details on this. Thanks to Ivan Arnaudov and Fabian Kastner from WordPress for Business Facebook group for the feedback.
So far, I have used the “ordinary” LiteSpeed (i.e. no QUIC.cloud) combined with Cloudflare (that does speed things up even with its free service). For this test, I compared that setup against Cloudflare Pro and WordPress APO.
I’d say that LiteSpeed is a bit slower, especially for remote locations with a slow Internet connection. For example, my websites are hosted in the USA. When I access them from Serbia (Central Europe) using a slow Internet connection, I notice that the LiteSpeed version is a bit slower. It’s still fast, but APO is a bit faster.
A difference I think is important:
Even as an experienced, advanced WordPress user (almost a decade now), I find it too complicated to configure LiteSpeed to update only changes. That is: to not have to purge all the cache when a comment is added or an article published (i.e. to update only the “latest comments” widget). Cloudflare WordPress APO does this automatically, without a glitch.
Oh, and since this April, LiteSpeed’s Memcached object cache is not working. About once a year, on average, LiteSpeed update messes something up. Nothing major, LiteSpeed is still great, but that’s still a bit frustrating. Redis object caching works, and it’s better, but it’s not secure for shared/reseller hosting environments.
Now let’s take a look at the load tests. I tested from Australia and from the USA, with the hosting server in the USA:
As you can see, page load times for visitors near the hosting server are a bit longer (slower) with Cloudflare Pro + WordPress APO, compared to LiteSpeed. But, they are a lot better (faster) for visitors who are far away from the hosting server (on another continent).
For the bike.bikegremlin.com website, it is important to provide good performance for visitors from all around the world:
Note 1:
See chapter 9.2. Huge CLS problem with mobile phones.
I believe a person’s place of birth and residence shouldn’t be a limiting factor, and I try to make my websites reflect this philosophy.
8. Conclusion
Note:
Before accepting any statements in this “Conclusion,” see chapter 9.2. Huge CLS problem with mobile phones.
- Cloudflare WordPress APO provides a real CDN service (unlike Cloudflare’s free plan).
- Cloudflare Pro provides additional security and speed.
- The biggest improvement is seen by visitors on a different continent from the hosting server’s location.
- Cache invalidation (refreshing upon content changes) works flawlessly, unlike LiteSpeed.
Is it worth it? Should you buy only the $5 WordPress APO or dish out $20 for the Pro?
In my opinion, LiteSpeed works wonderfully. Put it behind the free Cloudflare service and configure it.
Once (if ever) your website starts making enough money to justify the $20 monthly cost, go straight for the Cloudflare Pro. Yes, APO does speed things up, but you can achieve 90% of that by using LiteSpeed and the free Cloudflare service. Once you need extra speed and extra security, go with the Pro. 🙂
In other words: maybe my websites are super-optimized, but I haven’t seen any huge gains with Cloudflare Pro and APO compared to LiteSpeed, yet I’d be lying if I said they aren’t a bit better.
Of course, always use high-quality web hosting that enables Cloudflare Railgun integration.
9. Trouble(shooting)
9.1. Firewall problem (working “too well” 🙂 )
I ran into a problem when updating custom HTML WordPress widgets. Cloudflare Pro WordPress websites are the only ones affected.
I solved the problem (explained in the link below) and updated this tutorial to prevent myself or anyone else reading this from running into the same problem.
Update:
Solving the WordPress widget update problem with Cloudflare Pro
9.2. Huge CLS problem with mobile phones
Desktop results were very good, but mobile results were bad. The biggest problem was huge CLS (Content Layout Shift) while loading pages:
As you can see, LiteSpeed sorts this out a lot better. I couldn’t solve this problem in a few weeks. That’s why I decided to cancel the Cloudflare paid subscription. I saw no use for paying the Cloudflare Pro fee – those extra $20 are not justified for my use case. Not without a well-functioning CDN that APO delivers (but, apparently, doesn’t handle the page load optimizations properly).
So I went back to using the free LiteSpeed + free Cloudflare Railgun. Yes, the LiteSpeed plugin has problems with every 3rd update or so. Yes, it is annoying, and I have to test every functionality I can think of. Still, I can make that one work – unlike Cloudflare’s WordPress APO.
Guess I should give LiteSpeed QUIC.cloud a test after all. 🙂
If you have any questions (or additions and corrections), please use the BikeGremlin forum:
www.bikegremlin.net
Last updated:
Originally published:
“Serbia (Central Europe)”
To quote (from memory) someone, “How do you know you are in Central Europe? People get mad when you call them Eastern Europeans” 😉 (for the record, as a fellow Central/Eastern European, so do I XD)
“Even as an experienced, advanced WordPress user (almost a decade now), I find it too complicated to configure LiteSpeed to update only changes. That is: to not have to purge all the cache when a comment is added or an article published (i.e. to update only the “latest comments” widget). Cloudflare WordPress APO does this automatically, without a glitch.”
I am a bit confused here, could you please help me understand..
If there is an update on the website, the Litespeed cache plugin behavior is such that all cache is purged, implying.. what exactly? Cache being recreated for all pages, leading to a spike in CPU/IO resources, and a potential warning/ban from your hosting provider?
Also, based on this article and https://io.bikegremlin.com/7303/wordpress-caching/ were I using Cloudflare Free, am I correct to think that you would still recommend the LS cache plugin as long as the hosting providers uses LS?
Assuming the hosting wouldn’t be LS though, what would you recommend instead? My personal priorities being ease of setup / use and speed (a healthy balance of the two, I
d rather forego setting it up for like 30h just to get that extra 0,1 sec speed boost lol).
Specifically I’m wondering Super Page Cache for Cloudflare – can you share a bit more thoughts on how it compared to others? I tried searching on your blog but haven’t found anything else mentioning it other than this very article.. From what you mentioned in 7303 I guess I should try WP Fastest?
BTW, you mentioned https://wordpress.org/plugins/hyper-cache-extended/ but it seems it had no updates for 4 years, so that’s a no I guess..
===
Finally, a totally unrelated question, but have bike/parts prices in Serbia gone through the roof within the last 2 years as well? My friend is nagging me to get a road bike for years now, but apparently due to COVID? it’s already too late to get one on the cheap and it costs almost double of what it used to in early 2022.. :O (both bikes and parts)
Hi,
Love the joke. 🙂
Regarding LiteSpeed:
It often requires purging the entire cache to update changes on all the cached pages containing last-published-articles widgets for example.
My websites are reasonably optimized, so no huge load on the server when that happens, but still, it’s a total wipe to get it all working, for each comment.
Cloudflare seems to be able to do that better. Updating only the updated code parts. Though I’m yet to thoroughly test it all (6 months is a reasonable time for real-life testing).
With the free Cloudflare package, LiteSpeed is probably the best caching solution and I use it (and recommend it).
If LiteSpeed is not available – my first though is: it’s 2022, why use a setup without LiteSpeed for WordPress? 🙂
However, if that’s not possible for whichever reason, my first choice is WP Super Cache.
I had stopped using the Hyper Cache Extended – as noted in the article. Hadn’t worked well even while it was still being updated, for the latest WP version of the time.
Super Page Cache for Cloudflare practically emulates what CF WP APO does, but the plugin takes care of cache invalidation and all. I’ve had some minor hiccups – but who knows, maybe WP’s official plugin will also cause hiccups over the following months, years. If it works fine on your site, it’s probably the fastest option, with the simplest setup. It’s better than LiteSpeed actually.
Bikes, parts and service prices in Serbia have practically doubled since before “the flu.” And there’s been an ongoing parts shortage ever since. It’s bad. Globally as far as I can tell.
Thank you for your answer!
“it’s 2022, why use a setup without LiteSpeed for WordPress?”
I can think of the following reasons/situations:
-People (incl. me XD) are too cheap to use your recommended (or other premium) hostings, and so they use cheap or even free hosting that are usually powered by nginx.. (at least in Poland) – there are quite a few hosts doing LS here too but they tend not to be the cheapest
-A blog / woocommerce store becomes really popular (even with all the caching etc. it outgrows a single digit US dollar / mo. shared hosting), and people feel like they would like to have their blog on a VPS instead of paying more to their shared hosting provider (assuming there is a higher plan to choose to begin with, and they are not forcefully being kicked out) – without expert system administration skills, they would like to have an easy to setup and manage environment, so they use popular solutions like Webinoly, SlickStack or WordOps, all of which use nginx
I fail to see how a VPS is better or cheaper than a shared hosting plan. It’s a common myth/misconception.
Especially for those without system administration skills (meaning they’d have to pay for the VPS management).
I wrote about that here:
Is VPS better and faster than shared hosting?
For the sake of being technically correct:
In section 7 of this article I wrote:
“QUIC.cloud’s downside is that it requires you to use their DNS for it to work.”
Ivan Arnaudov (link to his website) was correct to point out this incorrectness. I sometimes use this “teaching method” of being (technically) incorrect deliberately, in order to better convey the essence. Besides, the article is too long already, and the main focus of it is Cloudflare Pro, not QUIC.cloud. That’s why I decided to address this “technicality” in a comment, instead of making the article even longer. So here it is:
Technically, you can use QUIC.cloud with Cloudflare’s DNS. However:
* You won’t be able to benefit from Cloudflare’s firewall (WAF) and DDoS protection – because to use QUIC.cloud with Cloudflare’s DNS, Cloudflare must be configured to work as a DNS only.
* It will still not work if you use a naked domain (i.e. no “www.”), which is very popular nowadays. You see, QUIC.cloud requires your DNS (if you don’t use their DNS) to use CNAME records – and one of the disadvantages of using a naked domain is that you can’t configure it using a CNAME record.
Correction – thank you Ivan: Cloudflare enables root (naked) domain CNAME flattening.
To be fair, QUIC.cloud offers some of its own firewall protection, but I’m not convinced it’s as good as Cloudflare’s (haven’t tested it personally, so take this with a grain of salt).
Also to add: LiteSpeed is very good (though every 3-4 months they publish a buggy update, that they patch a day or a week later – really annoying). So is QUIC.cloud. I’ll just go as far as to say that with the current service situation and prices, I prefer Cloudflare, with all the pros and cons of each solution taken into consideration. Your preference may differ and you won’t be too wrong if you choose LiteSpeed and QUIC.cloud.