Affiliate Disclosure: We may be compensated if you use our links to make a purchase. We are extremely selective in who we partner with & only recommend products we believe in. Our affiliate relationships do not influence our recommendations.
Do you use Cloudflare with LearnDash? If so, you might be wondering which Cloudflare settings to use so that your LearnDash site functions optimally.
Aggressive caching can cause issues with LearnDash sites, and Cloudflare uses caching as one method of improving performance. We’ve already discussed how to setup WP Rocket with LearnDash, but now let’s talk about the best Cloudflare settings for LearnDash.
Admittedly, there are some settings that I don’t fully understand. I will provide you with what is currently working for me on ldx.training, but that doesn’t mean it’s the best option for you. Any option I didn’t fully understand, I either left at the default, or did some research and followed the advice of someone smarter than me.
We only included settings for the free version of Cloudflare. We don’t use any paid options and therefore can’t comment on them.
Quick Note about Hosting + Cloudflare
Some hosts (Kinsta & SiteGround, to name a few) include Cloudflare integration as part of their offering. If you choose to use your host’s Cloudflare integration, you will be limited in the control of these settings. Your host will set up Cloudflare with its recommended settings, and you can’t change them.
However, you don’t have to use a host’s Cloudflare integration. You can set up a Cloudflare account on your own, which gives you full control over the settings. This is what I recommend.
For the SSL/TLS setting in Cloudflare, I prefer Full (strict). However, this might depend on who you’re hosting with, what type of SSL/TLS certificate your host uses, how they have implemented it, or if you’re using a third-party SSL/TLS certificate.
I encourage you to reach out to your web host, tell them you’re using Cloudflare, and ask which Cloudflare SSL/TLS setting they recommend.
If you’re having trouble choosing a host, we have an excellent article on LearnDash hosting here.
There are several Cloudflare security settings to consider:
Web Application Firewall (WAF)
I don’t use Cloudflare’s WAF so I can’t make any recommendations at this time.
It could be useful if you want to block traffic from an entire country, like Russia, China, North Korea, etc. This would prevent any traffic (including bots) from those countries of ever hitting your server.
I keep Bot Fight Mode set to OFF. I would only consider enabling this if you feel like you’re getting a ton of bot traffic. This might be the case on really inexpensive hosting providers. I highly recommend investing in quality hosting, which will make this a moot point.
One valuable member of the LearnDash Facebook group uses a DigitalOcean VPS and he said he gets tons of hits from bots. He turned this feature ON and he said it has helped keep bots off his server. (see comments here)
This is the same as above. I don’t have any rules setup here, and you shouldn’t need any unless you are under attack or at an increased risk for a DDoS attack.
These are the general security settings. I believe I kept them all at the default setting, which is what Cloudflare recommends when you set up an account.
- Security Level: Medium
- Challenge Passage: 30 minutes
- Browser Integrity Check: ✅
- Privacy Pass Support: ✅
Speed > Optimization
- Auto-minify: CSS: ✅
- Auto-minify: HTML: ✅
- Brotli: ✅
- Early Hints: ❌
- Rocket Loader™: ❌
- Mobile: These settings are optional and entirely up to you. They shouldn’t impact LearnDash in any way.
WP Rocket explicitly states in their documentation to disable Rocket Loader™ and enable minification (auto-minify) for all assets.
If you use the FacetWP plugin, disable auto-minify for HTML.
Automatic Platform Optimization (APO) for WordPress
This is a premium service and we have not tested it with any of our WordPress sites, let alone a LearnDash site. It could be awesome. It could cause a lot of issues for your LearnDash site. We just don’t know.
If you decide to give it a shot, I’d love to hear your feedback in the comments. I’ll give you credit in the article and can help spread useful info to the community.
WP Rocket, on the other hand, does cache entire pages, thus why it’s important to exclude LearnDash pages from WP Rocket’s cache, whereas you don’t need to worry about that for Cloudflare.
WP Rocket’s documentation recommends both of these options.
- Caching Level: Standard
- Browser Cache TTL: 1 year
Crawler Hints: I currently have this set to OFF, but it sounds like it’d be a good thing to enable. It shouldn’t affect anything with LearnDash, and will likely only reduce the amount of bot/crawler traffic hitting your server, which is a good thing.
The only potential downside I see is if you update content very frequently (every day or multiple times per day) and you notice that Google isn’t crawling your changes as quickly as you’d like them to.
- Always Online™: ✅
- Development Mode: Only enable this if you are a developer and know what you are doing.
I have Argo Tiered Cache set to OFF, but this is another thing that might be worth experimenting with. Would love to hear your experience in the comments if you’ve tried it.
I use the following two page rules on most WordPress sites, regardless of LearnDash. These help with improved security for your admin area & login page, and make sure no performance enhancements are done in your admin area, which could break things.
Security Level: High
Cache Level: Bypass
Security Level: High
Cache Level: Bypass
I believe these are all the default settings. You shouldn’t have to change any of them.
- Normalization type: Cloudflare
- Normalize incoming URLs: ✅
- Normalize URLs to origin: ❌
- HTTP/2: ✅
- HTTP/3 (with QUIC): ✅
- 0-RTT Connection Resumption: ✅
- IPv6 Compatibility: ✅
- gRPC: ❌
- WebSockets: ✅
- Onion Routing: ✅
- Pseudo IPv4: Off
- IP Geolocation: ✅
- Maximum Upload Size: 100MB (but this could depend on what you’re doing on your site. You might want to adjust it for your specific needs.)
- Email Address Obfuscation: ✅
- Server-side Excludes: ✅
- Hotlink Protection: ❌ (but you could definitely turn this on if you have noticed problems with other sites using images from your server)
NEW breakthrough solution allows you to IMMEDIATELY GROW student engagement and SELL more courses by creating a state of the art mobile application in 60 MINUTES OR LESS without ANY coding knowledge!
Proven and tested by over 1,000 LearnDash customers.Learn More →