Setting up Cloudflare with cPanel: the right way

Cloudflare is a free CDN and DDoS-protection service that sits in front of your ipxcore cPanel account. Used right, it makes your site faster and harder to attack. Used wrong, it breaks email, fights with AutoSSL, and hides legitimate visitors behind a CAPTCHA. This article walks through the correct setup and the gotchas to avoid.

Decide: full mode or partial mode

Cloudflare offers two integration patterns. Pick one based on what matters most.

  • Full mode (change nameservers): Cloudflare hosts your DNS. They proxy traffic to ipxcore for any record you mark with the orange cloud. Best for: sites that want maximum performance and bot-protection. Drawback: Cloudflare's DNS panel becomes the source of truth, not cPanel's Zone Editor.
  • Partial mode / "CNAME setup" (Business plan and up): keep DNS at your registrar, point a CNAME at Cloudflare for individual hostnames. Best for: enterprise customers who need to keep DNS authoritative on their own infrastructure. Most ipxcore customers don't need this.

For 99% of customers, the right answer is full mode.

Setting up full mode (recommended)

  1. Sign up at cloudflare.com and add your domain. Cloudflare scans your existing DNS and imports it.
  2. Verify the imported DNS records. Make sure you see all your important records: A record for the apex domain, A or CNAME for www, MX records for email (these are critical — if Cloudflare missed them, your mail will break), TXT records for SPF/DKIM/DMARC.
  3. Set proxy status carefully. Cloudflare lets you choose orange-cloud (proxied) or grey-cloud (DNS only) for each record. Use:
    • Orange cloud (proxied) for: apex (@), www, any subdomain that serves web pages.
    • Grey cloud (DNS only) for: mail, ftp, cpanel, MX records, and anything that isn't HTTP/HTTPS. Cloudflare can't proxy non-web traffic.
  4. Update your nameservers at your domain registrar to the two Cloudflare nameservers shown in the dashboard (something like kirk.ns.cloudflare.com and uhura.ns.cloudflare.com). DNS propagation takes 5-60 minutes typically.
  5. Wait for the dashboard to show "Active" — usually within an hour. You're live.
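A check for steps 2 and 3, as an added example (not ipxcore's or Cloudflare's own code): it audits a record list for missing mail and web records and for non-web hostnames left on orange cloud. It assumes records shaped like Cloudflare API DNS record objects (type, name, content, proxied); the zone example.com, the addresses and the function name audit_zone are constructed for illustration.

```python
# Added example: audit a zone's records against steps 2 and 3 above.
# RECORDS is constructed sample data for the placeholder zone example.com.
NON_WEB_LABELS = {"mail", "ftp", "cpanel"}  # grey-cloud hostnames named in step 3
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 +a +mx ~all", "proxied": False},
]


def audit_zone(zone, records):
    """Return sorted findings; an empty list means the zone passes."""
    zone = zone.lower().rstrip(".")
    findings, by_name = [], {}
    for rec in records:
        by_name.setdefault(rec["name"].lower().rstrip("."), []).append(rec)

    def has(rtype, name, prefix=""):
        return any(r["type"] == rtype and r["content"].strip('"').lower().startswith(prefix)
                   for r in by_name.get(name, []))

    # Step 2: records that must have survived the import.
    if not has("A", zone):
        findings.append(f"missing A record for {zone}")
    if not (has("A", f"www.{zone}") or has("CNAME", f"www.{zone}")):
        findings.append(f"missing A/CNAME for www.{zone}")
    if not has("TXT", zone, "v=spf1"):
        findings.append("missing SPF TXT record")
    if not any(n.endswith(f"._domainkey.{zone}") for n in by_name):
        findings.append("missing DKIM record")
    if not has("TXT", f"_dmarc.{zone}", "v=dmarc1"):
        findings.append("missing DMARC TXT record")
    mx_targets = {r["content"].lower().rstrip(".") for r in records if r["type"] == "MX"}
    if not mx_targets:
        findings.append("missing MX records")

    # Step 3: non-web hostnames and MX targets must be DNS only (grey cloud).
    for name, recs in by_name.items():
        label = name[: -len(zone) - 1] if name.endswith("." + zone) else ""
        if any(r.get("proxied") for r in recs) and (label in NON_WEB_LABELS or name in mx_targets):
            findings.append(f"{name} is proxied but carries non-web traffic")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit_zone("example.com", RECORDS)) or "zone passes")
```

Run it before changing nameservers in step 4, while a missing or mis-proxied record can still be fixed without affecting live mail.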

Critical: fix the AutoSSL conflict

cPanel's AutoSSL validates domain ownership by serving a token at http://yourdomain.com/.well-known/pki-validation/. When Cloudflare proxies the request, the validation traffic hits Cloudflare instead of your ipxcore server, and AutoSSL fails.

The fix:

  1. Before AutoSSL runs (every few hours, scheduled by cPanel), temporarily set the proxy status of @ and www to grey-cloud (DNS only).
  2. Wait 5 minutes, then run AutoSSL manually from cPanel's SSL/TLS Status page.
  3. Once the certificate issues, set them back to orange-cloud.

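An easier permanent fix: turn on Cloudflare's SSL/TLS → Edge Certificates → Always Use HTTPS, set SSL/TLS → Overview → Encryption mode to Full (strict), and use Cloudflare's own free Origin Certificate (15-year validity) on the cPanel side instead of AutoSSL. The Origin Certificate is trusted only by Cloudflare, not by browsers, so it suits hostnames that stay orange-cloud; a hostname served grey-cloud with it will show a certificate warning. We can install the Origin Certificate for you — open a ticket.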

Recommended Cloudflare settings

  • SSL/TLS → Edge Certificates → Always Use HTTPS: ON
  • SSL/TLS → Edge Certificates → Automatic HTTPS Rewrites: ON
  • Speed → Optimization → Auto Minify: CSS and JS only (HTML can break some plugins)
  • Speed → Optimization → Brotli: ON
  • Caching → Configuration → Caching Level: Standard
  • Caching → Configuration → Browser Cache TTL: 1 month
  • Network → HTTP/3 (with QUIC): ON
  • Network → 0-RTT Connection Resumption: ON

See real visitor IPs in your logs

By default, every request in your access logs shows Cloudflare's IP, not the real visitor's. To restore real IPs, enable mod_cloudflare on your account — open a ticket and we'll turn it on. After that, your logs and any IP-based plugins (Wordfence, security plugins) will see real visitor IPs again.
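The rule behind real-IP restoration, as an added example (a sketch of the idea, not mod_cloudflare's code): the visitor address is taken from Cloudflare's CF-Connecting-IP request header only when the connection really comes from a Cloudflare edge address, otherwise the header is ignored. The range list is a subset of what Cloudflare publishes at https://www.cloudflare.com/ips/ and must be refreshed from there; the sample requests and the function name real_client_ip are constructed.

```python
import ipaddress

# Subset of the edge ranges Cloudflare publishes at https://www.cloudflare.com/ips/.
# Assumption: load the full, current list from that page in real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2606:4700::/32",
)]


def real_client_ip(peer_ip, headers):
    """Return the visitor IP to log for a request that arrived from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    claimed = {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip")
    # Honour the header only when the TCP peer really is a Cloudflare edge;
    # anyone connecting straight to the origin can send any header value.
    if claimed is None or not any(peer in net for net in CLOUDFLARE_RANGES):
        return str(peer)
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return str(peer)  # malformed header: fall back to the peer address


# Constructed requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("172.68.10.5", {"CF-Connecting-IP": "198.51.100.23"}),   # via Cloudflare
    ("203.0.113.77", {"CF-Connecting-IP": "198.51.100.23"}),  # direct, forged header
    ("162.158.1.1", {"CF-Connecting-IP": "not-an-ip"}),       # via Cloudflare, bad header
    ("203.0.113.77", {}),                                     # direct, no header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(f"{peer:>15} -> {real_client_ip(peer, hdrs)}")
```

IP-based plugins such as Wordfence should make the same distinction: a header value accepted from a non-Cloudflare peer lets a direct visitor pick the address that ends up in the logs and block lists.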

Common pitfalls

  • "Too many redirects" error: happens when Cloudflare's SSL mode is set to Flexible while your origin redirects HTTP to HTTPS. Set Cloudflare SSL to Full or Full (strict).
  • Email broken after switching: your MX records were marked orange-cloud (Cloudflare can't proxy mail). Set them grey-cloud.
  • Visitors getting CAPTCHAs constantly: Cloudflare's security level is too aggressive. Lower it from "I'm Under Attack" to "Medium" or "Low" in Security → Settings.
  • Stale content after publishing: Cloudflare caches HTML aggressively. Use the Purge Everything button after big content updates, or install a Cloudflare WordPress plugin to auto-purge on publish.