LearnDash + Cloudflare Settings

Do you use Cloudflare with LearnDash? If so, you might be wondering which Cloudflare settings to use so that your LearnDash site functions optimally.

Aggressive caching can cause issues with LearnDash sites, and Cloudflare uses caching as one method of improving performance. We’ve already discussed how to setup WP Rocket with LearnDash, but now let’s talk about the best Cloudflare settings for LearnDash.

Almost all of these recommendations come from what we use on ldx.training. We host that site with Kinsta & also use Cloudflare.

NOTE
Admittedly, there are some settings that I don’t fully understand. I will provide you with what is currently working for me on ldx.training, but that doesn’t mean it’s the best option for you. Any option I didn’t fully understand, I either left at the default, or did some research and followed the advice of someone smarter than me.

We only included settings for the free version of Cloudflare. We don’t use any paid options and therefore can’t comment on them.

Quick Note about Hosting + Cloudflare

Some hosts (Kinsta & SiteGround, to name a few) include Cloudflare integration as part of their offering. If you choose to use your host’s Cloudflare integration, you will be limited in the control of these settings. Your host will set up Cloudflare with its recommended settings, and you can’t change them.

However, you don’t have to use a host’s Cloudflare integration. You can set up a Cloudflare account on your own, which gives you full control over the settings. This is what I recommend.

SSL/TLS

For the SSL/TLS setting in Cloudflare, I prefer Full (strict). However, this might depend on who you’re hosting with, what type of SSL/TLS certificate your host uses, how they have implemented it, or if you’re using a third-party SSL/TLS certificate.

I encourage you to reach out to your web host, tell them you’re using Cloudflare, and ask which Cloudflare SSL/TLS setting they recommend.

If you’re having trouble choosing a host, we have an excellent article on LearnDash hosting here.

Security

There are several Cloudflare security settings to consider:

Web Application Firewall (WAF)

I don’t use Cloudflare’s WAF so I can’t make any recommendations at this time.

It could be useful if you want to block traffic from an entire country, like Russia, China, North Korea, etc. This would prevent any traffic (including bots) from those countries of ever hitting your server.

Bots

I keep Bot Fight Mode set to OFF. I would only consider enabling this if you feel like you’re getting a ton of bot traffic. This might be the case on really inexpensive hosting providers. I highly recommend investing in quality hosting, which will make this a moot point.

One valuable member of the LearnDash Facebook group uses a DigitalOcean VPS and he said he gets tons of hits from bots. He turned this feature ON and he said it has helped keep bots off his server. (see comments here)

DDoS Protection

This is the same as above. I don’t have any rules setup here, and you shouldn’t need any unless you are under attack or at an increased risk for a DDoS attack.

Settings

These are the general security settings. I believe I kept them all at the default setting, which is what Cloudflare recommends when you set up an account.

• Security Level: Medium
• Challenge Passage: 30 minutes
• Browser Integrity Check: ✅
• Privacy Pass Support: ✅

Speed > Optimization

• Auto-minify: JavaScript: ✅
• Auto-minify: CSS: ✅
• Auto-minify: HTML: ✅
• Brotli: ✅
• Early Hints: ❌
• Rocket Loader™: ❌
  I have heard anecdotal information about this causing issues with sites that use a lot of JavaScript. Most LearnDash sites would fall in this category.
• Mobile: These settings are optional and entirely up to you. They shouldn’t impact LearnDash in any way.

WP Rocket explicitly states in their documentation to disable Rocket Loader™ and enable minification (auto-minify) for all assets.

NOTE
If you use the FacetWP plugin, disable auto-minify for HTML.

Automatic Platform Optimization (APO) for WordPress

This is a premium service and we have not tested it with any of our WordPress sites, let alone a LearnDash site. It could be awesome. It could cause a lot of issues for your LearnDash site. We just don’t know.

If you decide to give it a shot, I’d love to hear your feedback in the comments. I’ll give you credit in the article and can help spread useful info to the community.

Caching

It’s important to note that Cloudflare only caches static assets. This includes CSS files, JavaScript files, images, and fonts, along with a handful of other file extensions. Cloudflare does not cache entire pages of content by default (although with page rules and other pro features, this is possible).

WP Rocket, on the other hand, does cache entire pages, thus why it’s important to exclude LearnDash pages from WP Rocket’s cache, whereas you don’t need to worry about that for Cloudflare.

Caching Configuration

WP Rocket’s documentation recommends both of these options.

• Caching Level: Standard
• Browser Cache TTL: 1 year

Crawler Hints: I currently have this set to OFF, but it sounds like it’d be a good thing to enable. It shouldn’t affect anything with LearnDash, and will likely only reduce the amount of bot/crawler traffic hitting your server, which is a good thing.

The only potential downside I see is if you update content very frequently (every day or multiple times per day) and you notice that Google isn’t crawling your changes as quickly as you’d like them to.

• Always Online™: ✅
• Development Mode: Only enable this if you are a developer and know what you are doing.

Tiered Cache

I have Argo Tiered Cache set to OFF, but this is another thing that might be worth experimenting with. Would love to hear your experience in the comments if you’ve tried it.

Rules

Page Rules

I use the following two page rules on most WordPress sites, regardless of LearnDash. These help with improved security for your admin area & login page, and make sure no performance enhancements are done in your admin area, which could break things.

yoursite.com/wp-admin*
Security Level: High
Cache Level: Bypass
Disable Performance

yoursite.com/wp-login.php
Security Level: High
Cache Level: Bypass

Settings

I believe these are all the default settings. You shouldn’t have to change any of them.

• Normalization type: Cloudflare
• Normalize incoming URLs: ✅
• Normalize URLs to origin: ❌

Network

• HTTP/2: ✅
• HTTP/3 (with QUIC): ✅
• 0-RTT Connection Resumption: ✅
• IPv6 Compatibility: ✅
• gRPC: ❌
• WebSockets: ✅
• Onion Routing: ✅
• Pseudo IPv4: Off
• IP Geolocation: ✅
• Maximum Upload Size: 100MB (but this could depend on what you’re doing on your site. You might want to adjust it for your specific needs.)

Scrape Shield

• Email Address Obfuscation: ✅
• Server-side Excludes: ✅
• Hotlink Protection: ❌ (but you could definitely turn this on if you have noticed problems with other sites using images from your server)