Cloudflare’s free tier protects millions of websites, but it has specific gaps that site owners should understand. This is not an argument against using it — for most small sites, Cloudflare Free is the best security upgrade available for zero cost. But it is important to know where the free tier stops.
What the free tier includes
| Feature | Free tier | What it does |
|---|---|---|
| DDoS protection | ✓ (unmetered) | Absorbs volumetric and protocol attacks |
| Universal SSL | ✓ | Free SSL certificate for your domain |
| DNS management | ✓ | Fast, reliable DNS hosting |
| CDN / caching | ✓ | Caches static assets at 330+ edge locations |
| Basic bot mitigation | ✓ | Blocks some automated threats |
| DNSSEC | ✓ | Protects against DNS spoofing |
| Page Rules (3) | ✓ | Basic URL-based rules for redirects/caching |
| Email obfuscation | ✓ | Obfuscates email addresses from scrapers |
| Hotlink protection | ✓ | Prevents other sites from hotlinking images |
| I’m Under Attack mode | ✓ | JavaScript challenge for all visitors |
| Analytics | ✓ (24h delay) | Basic traffic and security analytics |
What the free tier does NOT include
| Feature | Available on | Why it matters |
|---|---|---|
| Web Application Firewall (WAF) managed rules | Pro ($20/mo) | The biggest gap. Blocks SQL injection, XSS, and common WordPress attacks |
| Custom WAF rules | Pro+ | Only 5 free rules, limited complexity |
| Rate limiting | Pro+ | Prevents brute-force login and API abuse |
| Advanced bot management | Pro+ | Distinguishes good bots from bad bots |
| Image optimisation (Polish) | Pro | Automatic image compression and WebP conversion |
| Argo Smart Routing | Paid add-on | Faster routing through Cloudflare’s network |
| Load balancing | Paid add-on | Distributes traffic across origin servers |
| Real-time analytics | Pro | See traffic and threats immediately |
| Lossless image compression | Pro | Better image optimisation |
The WAF gap is the biggest one
The free tier’s biggest limitation for WordPress sites is the lack of managed WAF rules. Without them, Cloudflare does not inspect requests for application-layer attacks such as:
- SQL injection attempts against WordPress plugins
- Cross-site scripting via comment forms or search
- Known WordPress plugin vulnerability exploits
- XML-RPC brute-force attacks (blocked partially, not fully)
What the free tier does block at the application layer
- Known malicious IPs (Cloudflare’s threat intelligence)
- Some common attack patterns (basic signature matching)
- Requests that match known bot fingerprints
What you need Pro for
The Pro plan ($20/month) adds OWASP-based managed rules that catch most WordPress-specific attacks. For a business-critical WordPress site, the Pro plan is worth it for the WAF alone. The rate limiting on Pro also helps with brute-force login attempts, which are common on WordPress.
Free tier with complementary protections
You can layer free protections to strengthen the free tier:
Cloudflare + Wordfence (free)
- Cloudflare handles DDoS, DNS, SSL, and basic edge filtering
- Wordfence (free) handles WordPress-specific WAF rules at the application level
- The combination covers most of what Cloudflare Pro provides for WAF
Cloudflare + fail2ban on the origin
- Cloudflare blocks volume attacks
- fail2ban on the origin server blocks repeated failed login attempts
- Works well for SSH and WordPress login protection
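The fail2ban pairing above depends on two things that are easy to get wrong behind Cloudflare: the origin must log the visitor's real address (restored from Cloudflare's CF-Connecting-IP header) rather than the edge address it actually connects from, and the "failed login" signal has to be read from the log. The script below is an added example, not part of the original post and not fail2ban's own code; it reproduces fail2ban's sliding-window logic (`maxretry` failures within `findtime` seconds) over constructed WordPress access-log lines whose first field is assumed to already hold the restored client IP. It keys on WordPress's default behaviour, where a failed `wp-login.php` POST re-renders the form with a 200 and a successful one redirects with a 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined-log style). Assumption: the origin
# logs the visitor address restored from CF-Connecting-IP in the first field. A
# stock log behind Cloudflare shows only edge addresses there, and banning those
# blocks legitimate visitors. A failed wp-login.php POST returns 200 (form shown
# again); a successful login returns a 302 redirect.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.9 - - [10/Oct/2024:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2024:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.9 - - [10/Oct/2024:13:55:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:14:25:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:14:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:14:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.44 - - [10/Oct/2024:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """A failed wp-login.php POST comes back as 200 (form re-rendered); success is a 302."""
    return method == "POST" and path.split("?", 1)[0] == "/wp-login.php" and status == 200


def find_offenders(lines, maxretry=5, findtime=600):
    """Mirror fail2ban's window: ban an IP once it reaches `maxretry` failures
    within `findtime` seconds. Returns {ip: timestamp of the failure that triggered the ban}."""
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_failed_login(method, path, status):
            continue
        window = windows[ip]
        window.append(ts)
        # Drop failures that have aged out of the window (the slow attacker below never bans).
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

On the sample, only 203.0.113.7 is banned (five failures in 61 seconds); 198.51.100.9 fails once and then logs in, and 192.0.2.44 spreads its attempts 15 minutes apart, so no five ever sit inside one 600-second window. One more design point for the origin-side pairing: fail2ban enforces bans with a firewall action, and packets arrive at the origin from Cloudflare's edge addresses, so a firewall rule keyed on the visitor's IP has no effect there. The ban has to be applied where the visitor address is visible, in the web server using the restored client IP or at the edge through Cloudflare's API, for which fail2ban ships a Cloudflare action.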
Cloudflare + security headers
Add security headers at the Cloudflare level (via Transform Rules, even on Free):

```
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
```
Note: Transform Rules are replacing Page Rules. Many security header configurations can be set via the new Rules engine.
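Two things are worth scripting around the header list above: producing the Transform Rule consistently, and checking that the headers actually arrive at the browser after the rule is saved. The script below is an added example, not code from the original post or from Cloudflare. `build_transform_rule` emits the request body for a response-header Transform Rule in the shape I recall from Cloudflare's Rulesets API documentation (a `rewrite` action with `set` operations, sent with `PUT` to the `http_response_headers_transform` entrypoint of the zone); treat that shape as an assumption and confirm it against the current docs. `audit_headers` compares a response's headers, case-insensitively and ignoring spacing, against the four values on this page. The sample responses are constructed.

```python
import json
import sys
import urllib.request

# The four headers recommended above, with the values from the page.
RECOMMENDED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

# Values accepted by the audit. DENY is stricter than SAMEORIGIN and also passes.
ACCEPTED = {
    "X-Frame-Options": {"SAMEORIGIN", "DENY"},
    "X-Content-Type-Options": {"nosniff"},
    "Referrer-Policy": {"strict-origin-when-cross-origin"},
    "Permissions-Policy": {"geolocation=(),microphone=(),camera=()"},
}


def build_transform_rule(headers, description="Security headers (Transform Rule)"):
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_response_headers_transform/entrypoint.
    Assumption: this mirrors the Rulesets API request shape; verify before use."""
    return {
        "rules": [
            {
                "expression": "true",  # apply to every response in the zone
                "description": description,
                "action": "rewrite",
                "action_parameters": {
                    "headers": {
                        name: {"operation": "set", "value": value}
                        for name, value in headers.items()
                    }
                },
            }
        ]
    }


def _norm(value):
    return value.replace(" ", "")


def audit_headers(response_headers):
    """Return a list of findings for a mapping of response headers.
    Header names are matched case-insensitively; an empty list means all four are correct."""
    seen = {k.lower(): _norm(v) for k, v in response_headers.items()}
    findings = []
    for name, accepted in ACCEPTED.items():
        value = seen.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif value not in accepted:
            findings.append(f"unexpected value: {name}: {value}")
    return findings


def fetch_headers(url):
    """HEAD request returning the response headers as a plain dict (network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed responses: one from an origin with no rule yet, one after the rule is live.
BEFORE_RULE = {"Content-Type": "text/html", "x-content-type-options": "nosniff"}
AFTER_RULE = {
    "content-type": "text/html",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}

if __name__ == "__main__":
    print(json.dumps(build_transform_rule(RECOMMENDED), indent=2))
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE_RULE
    print(audit_headers(headers) or ["all recommended headers present"])
```

Run it with a URL as the first argument to audit a live site; with no argument it audits the constructed "before" response, which reports three of the four headers missing. A useful habit is to run the audit both before and after saving the rule, since a rule scoped by a too-narrow expression silently leaves part of the site without headers.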
SSL configuration
Cloudflare Free provides SSL, but the configuration matters:
| SSL mode | Risk |
|---|---|
| Off | No encryption — do not use |
| Flexible | Encrypts visitor→Cloudflare, but Cloudflare→origin is HTTP. Avoid for anything with logins |
| Full | Encrypts both legs, but does not validate the origin certificate (self-signed is accepted) |
| Full (Strict) | Encrypts both legs, validates origin certificate. Recommended |
For any WordPress site, set SSL to Full (Strict). Flexible SSL gives a false sense of security — the lock icon appears in the browser, but traffic between Cloudflare and your server is unencrypted.
DNS security
Cloudflare Free includes DNSSEC, which prevents DNS spoofing. It also hides your origin IP if all DNS records are proxied (orange cloud). To check if your origin IP is exposed:

```shell
dig A example.com +short
# If it returns a Cloudflare IP, your origin is hidden
# If it returns your server IP, the record is not proxied
```
Unproxied records (grey cloud) expose your origin server IP. Only leave records unproxied if you have a specific reason (custom mail server, non-HTTP services).
Practical recommendation
For small WordPress sites:
- Cloudflare Free + Wordfence Free + SSH hardening + daily backups
- Total monthly cost: $0
- Effective against 90% of automated attacks
For business WordPress sites:
- Cloudflare Pro ($20/month) + backups + monitoring
- WAF managed rules cover plugin vulnerability exploits
- Rate limiting blocks brute-force attacks before they reach WordPress
- Worth the premium if downtime costs more than $20
Cloudflare Free is excellent, but call it what it is: a strong perimeter with a blind spot at the application layer. Fill that gap with a WordPress security plugin or upgrade to Pro.