App for Cloudflare®

Unlock advanced Cloudflare features without being a network administrator or developer. Works with any Cloudflare plan (including Free), no Automatic Platform Optimization (APO) subscription needed.

• Cache HTML at network edge
• Preload JavaScript and CSS
• View/set all Cloudflare settings
• Fixes Cloudflare Flexible SSL redirect loops
• Fixes situation when IPs are coming through as Cloudflare IPs rather than user IPs
• Cloudflare web analytics support
• Cloudflare analytics on dashboard
• Purge cache
• Automatic image transformations (automatically serve AVIF/WebP versions to browsers that support them)
• Turnstile CAPTCHA system for registrations, logins, password reset, comments and/or third party plugins
• View Page rules, Cache rules, Firewall rules, IP Address rules, User Agent rules
• View Zero Trust Network Access setup
• View DMARC statistics
• Included tools: HTTP request trace, IP address details, domain details, WHOIS

Directly cache HTML App for Cloudflare® can automatically cache your HTML pages at Cloudflare data centers in 330+ cities. "Standard" WordPress caching plugins can’t escape the laws of physics because information can't travel faster than the speed of light (even if the page is cached, the cache exists on your physical origin server, which can be over 20,000 km from an end user). Caching content in Cloudflare data centers makes your website faster by putting your website cache closer to end-users (95% of the world's population is within 50ms of a Cloudflare data center). This can be done without Cloudflare Workers or even a Page Rule (done with a single Cache Rule on Cloudflare's side, and custom code in the plugin). Preload JavaScript and CSS Speed your site up by using the option that instructs browsers to preload JavaScript and CSS used to render the page being viewed. Can be used on its own, or in conjunction with Cloudflare's Early Hints function. Manage all Cloudflare settings All Cloudflare settings can be changed directly within your WordPress admin area. Includes Easy config function that will optimally set your Cloudflare zone settings for WordPress. Fixes Cloudflare Flexible SSL redirect loops Automatically fixes HTTPS redirect loops when using Cloudflare's Flexible SSL option (traffic between user and Cloudflare is encrypted, but traffic between Cloudflare and origin server is not). Handles user IP addresses Automatically handles the situation where your web server is passing Cloudflare IP addresses rather than the IP address of the user making the request. Turnstile CAPTCHA Cloudflare Turnstile CAPTCHA support for registration, login, password reset, comment forms, WooCommerce, Contact Form 7, HTML Forms, MetForm and/or WPForms. Single-click setup (done transparently via API call). Network analytics View network stats for your website directly within your WordPress admin area with a dashboard widget. View rules & firewall Quickly review your site's Cloudflare rules and firewall settings from within your WordPress admin area. Includes:

• Page rules
• Cache rules
• Firewall custom rules
• IP address rules
• User agent blocking

DMARC management Track third parties that are sending email on your behalf (for example an email provider you have authorized like Gmail or Outlook). You can also see unauthorized email senders or spammers sending email on behalf of your domain. Multisite network support You can have a network-wide Cloudflare API token that can be overridden on a per site basis. In the case where a multisite network operator has the site domains in a single Cloudflare account, they can allow the site users to use Cloudflare features for their individual site without disclosing the underlying API token. Additionally, a single Pro license for the main network site allows the media from all sites in the network to be stored in the cloud, within a single Cloudflare R2 bucket. Image Transformations Supports Cloudflare's Image Transformation service, which allows Media images to automatically be served in the best format that a browser supports (AVIF, WebP, etc). Additionally, smaller images can be automatically served to users on very slow network connections. No web server configuration required. Store media in the cloud [Premium] Easily and seamlessly store your WordPress media in the cloud with Cloudflare R2. This allows you to offload resources (both bandwidth and disk space) from your server. The first 10GB is free, and only costs $0.015 per GB thereafter (ex. if you had 100GB of media, it would cost $1.35 per month to store it in the cloud). Includes the ability to migrate existing media from local filesystem to R2 (or from R2 to local filesystem). Works with individual media, or all media in bulk (includes web-based migration as well as a shell/WP-CLI option). Automatically convert uploaded images to AVIF or WebP This is done with a free companion plugin, Image Shift (includes the ability to apply watermarks). Protect admin area [Premium] Utilize Zero Trust Network Access to authenticate users before they access your WordPress admin area. Manage rules & firewall [Premium] The premium version unlocks the ability to manage (create, delete, suspend and unsuspend) Cloudflare rules and firewall definitions. In addition to defining your own rules, you can deploy useful rules with a single click:

• Block traffic from certain countries (or Tor exit nodes widely used by spammers and hackers)
• Block AI scrapers & crawlers (block bots from scraping your content for AI applications like model training)
• Force a challenge before users can register (bot/spammer mitigation)
• Cache static content
• Automatically block the IP address(es) of spammers for a period of time

Backup & restore [Premium] You can backup and restore some of your most important Cloudflare configuration settings:

• Zero Trust Access Policies
• Firewall Rules
• Firewall IP Access Rules
• Firewall User Agent Blocking
• Page Rules
• Cache Rules

Backups can be restored to different zones (for example if you had extensive configuration for a zone, you could give another zone the same configuration through a backup restore). Other features

• API calls are done exclusively through API Tokens (with the minimum required permissions) and not a Global API Key. Global API Keys are an incredibly bad idea from a security standpoint.
• Ability to purge Cloudflare cache from WordPress admin (or via WP-CLI).
• Ability to copy Cloudflare zone settings from a different zone on the same Cloudflare account.
• Cached pages are automatically purged when a post/page is edited (just the necessary pages, not all pages). Stale content is not served to users.
• Ability to designate an individual admin user to manage settings (maybe you don't want all admins to have the ability to change things in Cloudflare).
• Ability to use WordPress filters to add your own logic to things (for example, maybe you don't want to cache a certain page or post for whatever reason).
• All JavaScript is native (no dependencies on jQuery or anything else).
• No third-party PHP libraries used (no dependencies on other libs).

From your WordPress dashboard

1. Navigate to "Plugins" -> Add New
2. Search for App for Cloudflare
3. Activate App for Cloudflare® from your Plugins area

Manual upload

1. Download App for Cloudflare®
2. Upload the app-for-cf directory to your /wp-content/plugins/ directory
3. Activate App for Cloudflare® from your Plugins area

1.9.9 (2026-02-17)

• Fixed issue where an admin of a site within a multisite network couldn't add a user manually when using Turnstile for registrations
• Added additional extensions to the Cache Rule for caching static content
• Added new Cloudflare setting (under Speed): Markdown for Agents
• Added app_for_cf_cache_times filter to change the default cache times for guest page caching

1.9.8 (2025-12-22)

• Added internal framework support for streaming R2 objects when copying from/to the local filesystem
• Added app_for_cf_purge_cache filter to control (or piggyback) cache purging
• Internal inet_pton() usage change (compatibility with a change in PHP 8.5.1, 8.4.16, 8.3.29, 8.2.30, 8.1.34)

1.9.7 (2025-12-09)

• Added the ability to copy Cloudflare zone settings from a different zone on the same Cloudflare account
• Fixed issue where ability to set multisite, network-wide API token was not visible
• Added the ability to see existing API token permissions in network admin (for multisite networks)

1.9.6.2 (2025-11-19)

• Added app_for_cf_guest_page_cacheable filter to allow third-party plugins to control page eligibility for guest page caching
• Added the ability to optionally add WordPress filters directly to wp-config.php file (for those that don't want to use a plugin or other mechanism to do add filters), this is done by adding a Closure object to $GLOBALS['filter_name'] within wp-config.php
• Updated charting library (Chart.js) to 4.5.1

1.9.6.1 (2025-10-17)

• Replaced JavaScript fade animations with CSS transitions
• Fixed issue with a missing method used to create a Turnstile widget

1.9.6 (2025-09-23)

• Added support for Cloudflare web analytics (requires two additional API permissions for your token (Account.Account Settings: Read & Account.Account Settings: Edit), for those upgrading from a previous version)
• Token permissions are automatically checked (requires an additional API permissions for your token (User.API Token: Read), for those upgrading from a previous version)
• Reworked admin navigation to have subsections
• Removed option: Speed -> Other -> Signed Exchanges (deprecated as of Oct 20, 2025)
• Removed option: Speed -> Other -> AMP Real URL (deprecated as of Oct 20, 2025)

1.9.5 (2025-09-08)

• Added the ability to purge cache via WP-CLI: wp app-for-cf purge-cache
• Added Turnstile support for WooCommerce
• Added Turnstile support for Contact Form 7
• Added Turnstile support for HTML Forms
• Added Turnstile support for MetForm
• Added Turnstile support for WPForms
• Enabling the Image Transformations option will automatically enable Image Transformations in Cloudflare for your zone
• Site URL can be overridden with the CLOUDFLARE_SITE_URL PHP named constant: define('CLOUDFLARE_SITE_URL', 'https://example.com');
• Fixed an issue with Image Transforms for sites that use subdirectories for WordPress installation (rather than root of the domain)
• Guest page caching works better with WooCommerce (checking for woocommerce_* cookies now)
• Removed option: Speed -> Image Optimization -> Mirage (deprecated as of Sept 15, 2025)

1.9.4.3 (2025-08-25)

• Purging non-pretty post URLs even if pretty URLs are setup (handles permalinks being different based on the post status)
• Prioritize resources to be preloaded appropriately if third-party plugins use the wp_preload_resources hook to call specific resources out for preloading
• Fixed an issue that would prevent scheduled events from working in certain versions of PHP
• The backend mechanism for purging URLs from cache is more efficient

1.9.4.2 (2025-08-06)

• Made verbiage on button to create new API token a little more clear
• Automatically purge old URL for a post if the slug or date was edited on an existing post
• When purging the cache for attachments, don't assume the attachment URL is known (don't try to purge an invalid URL)
• Don't try to schedule a cron task to purge URLs if the URLs are unknown
• Delete any pending cron tasks for purging page caches if plugin is being deativated
• Set cache control policy for JSON endpoints so guest page caching doesn't cache those requests

1.9.4.1 (2025-07-03)

• Handle a situation where a third-party plugin is using a filter and turning a script or CSS URL into something unusable (not a string)
• Limit preloaded resources to a maximum of 10

1.9.4 (2025-07-01)

• Updated charting library (Chart.js) to 4.5.0
• Simplified internal function for converting IPs to/from binary representations
• Fixed issue where Purge Cache button in admin bar wouldn't work
• New option (Preload resources): automatically adds Link header that includes JavaScript and CSS URLs for the page (tells browsers to preload resources used by the page)

1.9.3.1 (2025-06-05)

• Fixed issue where guest page caching could by disabled, but not enabled
• Added support for Cache Rules that contain browser bypass TTL

1.9.3 (2025-06-02)

• All JavaScript rewritten to be native (no dependency on jQuery)
• Added support for Turnstile CAPTCHA for use on Registration, Login, Password Reset and/or Comment forms
• Purge cache option in admin bar displays icon, but not text when displayed on thin screens (for example, cell phones)
• Fixed cosmetic wrap issue on Settings page when site is within a multisite network

1.9.2 (2025-05-12)

• Cloudflare Image Transformation support for WordPress Media
• Updated charting library (Chart.js) to 4.4.9

1.9.1 (2025-03-26)

• Added new Cloudflare setting (under Security): AI Labyrinth

1.9.0 (2025-01-28)

• Updated charting library (Chart.js) to 4.4.7
• Added new Cloudflare setting (under Security): AI Bots
• Fixed issue where you couldn't uncheck the Only your user account option

1.8.8.1 (2024-11-07)

• When using guest page caching, decouple the purge cache mechanism from the HTTP request (the purge cache action is sent to WordPress' cron system)
• Updated charting library (Chart.js) to 4.4.6

1.8.8 (2024-09-30)

• Added new Cloudflare setting (under Speed): Speed Brain
• Easy Config enables Speed Brain
• Added support for setting SSL/TLS Encryption Mode to Strict (SSL-only origin pull) (for Enterprise zones)
• Added new Cloudflare setting (under SSL/TLS): Encrypted Client Hello
• Added new Cloudflare setting (under Security): Leaked credentials

1.8.7 (2024-08-28)

• Fixed issue with deleting a Page Cache rule (change to Cloudflare API)
• Updated charting library (Chart.js) to 4.4.4

1.8.6 (2024-08-02)

• Added new Cloudflare setting (under Security): Replace insecure JavaScript libraries
• New option: Purge cache button in admin bar
• Fixed issue where "Block IP address on spam flag in comment queue" option couldn't be unchecked
• New option: Convert uploaded media to WebP [Premium]

1.8.5 (2024-06-25)

• Removed Brotli compression setting (it's now always on in Cloudflare)
• Removed Minify settings (they have been deprecated and will be removed from Cloudflare soon)
• Removed Server-side Exclude setting (it has been deprecated and will be removed from Cloudflare soon)
• Added framework for new option to create Firewall Rule to block AI scrapers & crawlers
• Updated charting library (Chart.js) to 4.4.3

1.8.4 (2024-05-29)

• Added deprecation notice for Auto-Minify setting

1.8.3 (2024-03-12)

• When installing Pro plugin, replace the default activate plugin link with a link to enter license key (the plugin isn't "activated" in the traditional sense)
• Updated charting library (Chart.js) to 4.4.2

1.8.2 (2024-01-21)

• Fixed typo when installation is the primary site in a multisite network
• If API token can't be verified, present an error about it being an invalid API token immediately
• Changed wording of the "API tokens & keys" button
• Updated charting library (Chart.js) to 4.4.1
• A few custom actions are intended to execute last, so PHP_INT_MAX was used as the priority, however it was causing issues on certain servers so the priority was lowered (but still very high)

1.8.1 (2023-12-01)

• Cloudflare statistics charts on dashboard dynamically resize properly when resizing window
• Added ability for individual API calls to ignore multiple error codes instead of just one
• Existing media can be moved to/from R2 individually or in bulk [Premium]

1.8.0 (2023-11-13)

• The API calls necessary to build the Cloudflare settings page are now run in parallel (it's currently 10 API calls that were previously made sequentially). Viewing (and editing) settings is significantly faster now (it's as fast as the single slowest API call, rather than as slow as all 10 API calls added together).
• Raised timeout for Cloudflare API calls from 5 seconds to 15 seconds
• For multisite/network installations, there is a new settings page that allows you to set some network-side settings (for example the API token to use) across all sites without specifically setting it for each site. See Network Admin -> Settings -> Cloudflare
• If there's a multisite network API token set, an individual site can still override that API token (allows a situation where most sites are on a single Cloudflare account can use the network-side API token, but the ones that aren't can still specify a different one)
• Added info page about using R2 in a multisite setup (using a single bucket for all sites)
• Added sanity check (make sure it exists) when attempting to display an actioned template
• Added more sanity checks for unexpected Cloudflare API results
• The intel tools (IP address details, Domain details, WHOIS) can't be used (and are removed from the navigation) if a site doesn't have their own API token (in a scenario where they are using a default multisite network API token). This is because there is a very small monthly quota for API calls for the entire Cloudflare account/API token (around 100 per month).
• Fixed issue with HTTP Request Trace tool

1.7.7 (2023-11-03)

• Added link for info about why each Cloudflare token permission is needed
• Increased the number of URLs being purged per API call from 8 to 30
• Suppress API rate limit error message when using guest page caching and the backend is purging individual URLs from Cloudflare's cache (if there are a ton of posts being added at once, or edited quickly over and over, a site might hit rate limits after about 40 new posts/edits/comments in a single minute). Since it's not catastrophic if a cache purge didn't successfully run, we are just going to ignore the failure and let the cache expire on its own.
• Better handling of situation where Cloudflare API is down/unavailable
• Changed how menus are built (old method was deprecated in PHP 8.x)
• Removed "Security -> Privacy Pass Support" setting (it's been deprecated by Cloudflare and is no longer used)

1.7.6.1 (2023-10-25)

• Clean up some layout anomalies when using a right-to-left language
• The Cloudflare Fonts option ID has changed. This addresses that (it's what I get for giving the ability to toggle options that Cloudflare has deemed "beta"... they are subject to change).
• Added a sanity check so if future option IDs change, it won't throw an error (along with not being able to change them). Instead, that option won't change until the ID is updated.

1.7.6 (2023-10-22)

• Fixed issue where boolean settings wouldn't always be parsed to boolean values
• Fixed issue where HTTP Strict Transport Security (HSTS) settings wouldn't always be changeable
• Added support for Super Bot Fight Mode settings: Likely Automated, Definitely Automated, Verified Bots, Static Resource Protection, Optimize For WordPress, JavaScript Detections

1.7.5.1 (2023-10-21)

• Better handling of unexpected Cloudflare API changes

1.7.5 (2023-10-19)

• Fixed issue with modal confirmation dialog not scrolling when it goes off the screen (mainly an issue when enabling R2 for media from a mobile devices)
• Cloudflare made a change to the bot management API (but only for paid plans), this version addresses that.

1.7.4 (2023-10-12)

• Fixed issue where a settings page redirect would fail because WordPress had already output HTML in some cases
• Cosmetic clean-up here and there
• Notice in Media section about using/setting up R2 is dismissible
• Added support for new Cloudflare setting: Speed -> Optimization -> Content Optimization -> Cloudflare Fonts
• "Easy config" enables Cloudflare Fonts
• Settings that are deemed beta by Cloudflare, are shown with a beta label
• Better handling of cases where there's an error when making an API request

1.7.3 (2023-10-05)

• Initial release of App for Cloudflare® for WordPress. The WordPress version is kept in feature parity with the XenForo version. You can find the update changelog for older versions (if you are curious), over here.