
Cloudflare + WordPress on DirectAdmin: Correct Setup Without Breaking Admin


Series: WordPress Performance on DirectAdmin (Rocky Linux 9)

Phase 6: Caching & CDN Strategy — Part 22 of 30


Integrating Cloudflare with WordPress on DirectAdmin (Rocky Linux 9) offers significant performance and security benefits. However, improper configuration—especially with aggressive caching or proxy settings—can cause issues such as broken WordPress admin access, login problems, or missing client IP addresses in logs. This article provides a reliable, stepwise method for implementing Cloudflare in a DirectAdmin-managed environment without disrupting administrative functionality.

Preparation and Prerequisites

  • Ensure you have root or sudo access to your Rocky Linux 9 server.
  • DirectAdmin is installed and managing your WordPress site.
  • DNS for your domain is (or will be) pointed to Cloudflare’s nameservers.
  • Familiarity with your site’s stack (Apache or NGINX, with PHP-FPM).

Checklist: Before You Switch DNS to Cloudflare

  • Backup your WordPress site and database (no downtime required):
sudo -u <user> wp db export ~/wp-backup.sql
sudo tar czf ~/wp-files-backup.tar.gz /home/<user>/domains/<domain>/public_html
  • Check for hardcoded IPs or domain names in wp-config.php and .htaccess.
  • Update WordPress, plugins, and themes to current versions.
  • Ensure you have direct server access (not just via the FQDN or panel domain).

Step 1: Add Your Domain to Cloudflare

  1. Log in to Cloudflare and add your domain.
  2. Let Cloudflare scan DNS records; verify all A, AAAA, MX, and CNAME records are correct.
  3. Set the main A record for your domain to “Proxied” (orange cloud).
  4. Switch your registrar’s nameservers to those provided by Cloudflare.
  5. Wait for DNS propagation (use dig or nslookup to confirm):
dig +short NS yourdomain.tld

Step 2: Fix Client IP Detection in DirectAdmin

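When a record is proxied, every request reaches your server from a Cloudflare edge address, so logs and application logic see Cloudflare instead of the visitor. Apache/NGINX and PHP-FPM must be configured to take the real IP from CF-Connecting-IP or X-Forwarded-For, and to accept that header only from trusted proxy addresses (Cloudflare’s ranges), because a client that reaches the origin directly can set either header to any value.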

Apache (mod_remoteip)

  1. Confirm mod_remoteip is loaded (it ships with Apache and is usually present, but verify):
sudo httpd -M | grep -i remoteip
  2. Edit the DirectAdmin Apache template used for your site. For per-domain tuning, copy and edit:
sudo cp /usr/local/directadmin/data/templates/custom/httpd-php-fpm.conf /usr/local/directadmin/data/templates/custom/httpd-php-fpm.conf.custom
  3. Add before CustomLog lines in the template:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 127.0.0.1 ::1 <your_server_ip> 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22

(Update these IP blocks regularly from Cloudflare’s official list.)

  4. Rebuild web server configs and reload Apache:
sudo /usr/local/directadmin/custombuild/build rewrite_confs
sudo systemctl reload httpd

NGINX (set_real_ip_from)

  1. Edit the NGINX custom template for your domain:
sudo cp /usr/local/directadmin/data/templates/nginx_server.conf /usr/local/directadmin/data/templates/custom/nginx_server.conf
  2. Add inside the http or server block:
set_real_ip_from 127.0.0.1;
set_real_ip_from ::1;
# Repeat for each Cloudflare IP range
set_real_ip_from 173.245.48.0/20;
# ...
real_ip_header CF-Connecting-IP;
real_ip_recursive on;
  3. Rebuild configs and reload NGINX:
sudo /usr/local/directadmin/custombuild/build rewrite_confs
sudo systemctl reload nginx
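
Keeping the trusted-proxy list current is easier when the directives are generated rather than hand-edited. The script below is an added example, not part of the original article or of DirectAdmin: it validates a list of IPv4 ranges and renders either the NGINX or the Apache directives shown above. The function names and the sample list are assumptions made for illustration, and it handles IPv4 only.

```shell
#!/bin/sh
# Added example: render real-IP trust directives from a list of IPv4 ranges.
# SAMPLE_RANGES is constructed for the demo (three ranges from the article plus
# deliberately bad lines); in real use, feed render() the current published list.
SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22
# comments and blank lines are ignored

not-a-cidr
104.16.0.0/13
10.0.0.0/33'

# valid_cidr4 CIDR: succeed only for a well-formed IPv4 network in CIDR form.
valid_cidr4() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
      for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1
      if ($5 + 0 > 32) exit 1 }'
}

# render nginx|apache: read ranges on stdin, print directives on stdout.
# Prints nothing and returns 1 when no valid range was read, so an empty or
# failed download can never replace a working trust list.
render() {
  fmt=$1; ranges=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    if valid_cidr4 "$line"; then
      ranges="$ranges $line"
    else
      echo "skipping invalid range: $line" >&2
    fi
  done
  [ -n "$ranges" ] || return 1
  case $fmt in
    nginx)
      for r in $ranges; do printf 'set_real_ip_from %s;\n' "$r"; done
      printf 'real_ip_header CF-Connecting-IP;\n' ;;
    apache)
      printf 'RemoteIPHeader CF-Connecting-IP\nRemoteIPTrustedProxy%s\n' "$ranges" ;;
    *) return 2 ;;
  esac
}

printf '%s\n' "$SAMPLE_RANGES" | render nginx
```

Write the output to a temporary file and move it into place only when render succeeds, then rebuild and reload as in the steps above.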

Step 3: Secure the WordPress Admin (wp-admin/wp-login)

Cloudflare’s default caching and “Always Online” can break WordPress admin. To prevent this, create a Cloudflare “Page Rule” or “Cache Rule” to:

  • Disable caching for example.com/wp-admin/* and example.com/wp-login.php.
  • Optionally, restrict countries or IPs able to access /wp-login.php using Cloudflare Firewall Rules.

Cloudflare Steps:

  1. Go to Rules > Page Rules (or Cache Rules if available).
  2. Add rule: *yourdomain.tld/wp-admin/* —> Cache Level: Bypass
  3. Add rule: *yourdomain.tld/wp-login.php* —> Cache Level: Bypass
  4. Test by logging into /wp-admin and confirming no assets are cached (check response headers).

Step 4: Configure SSL and HTTPS Redirects

Cloudflare acts as a reverse proxy. It’s recommended to:

  • Set SSL/TLS mode in Cloudflare to “Full (strict)” if you have a valid certificate on the server.
  • Ensure your DirectAdmin user/domain has a valid certificate (Let’s Encrypt is typical):
sudo /usr/local/directadmin/scripts/letsencrypt.sh request_single <domain> 4096
  • In DirectAdmin, enable “Force SSL with https redirect” for the domain.
  • Avoid redirect loops: do not set up additional HTTP->HTTPS redirects in .htaccess or web server configs unless necessary; Cloudflare can handle this at the edge.

Step 5: Test Everything End-to-End

  • Check client IP detection in PHP:
    sudo -u <user> wp eval 'echo $_SERVER["REMOTE_ADDR"];'

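    Over a proxied web request this should be your actual IP, not Cloudflare’s. WP-CLI runs from the command line rather than through the web server, so treat the access-log check below as the real confirmation.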

  • Test admin login and navigation:
    • Login at /wp-login.php and browse /wp-admin/. No caching or stale content should appear.
  • Test front-end cache:
    • Use curl -I https://yourdomain.tld/ to inspect cf-cache-status headers.
    • Use k6 or wrk to load test and profile latency:
    wrk -t2 -c20 -d30s https://yourdomain.tld/
  • Monitor logs for errors:
    • sudo tail -f /var/log/httpd/access_log (or /var/log/nginx/access.log)
    • Check for correct client IPs and error codes.
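
The header checks from Step 3 and the front-end cache test above can be scripted. This is an added example, not part of the original article: the function names and the three sample responses are constructed for illustration, and it treats any cache-eligible status on an admin or login path as a failure.

```shell
#!/bin/sh
# Added example: check Cloudflare cache behaviour from response headers.
# The three responses below are constructed samples, not captured traffic.
LOGIN_OK='HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: no-cache, must-revalidate, max-age=0
cf-cache-status: BYPASS'
ADMIN_BAD='HTTP/2 200
content-type: text/html; charset=UTF-8
CF-Cache-Status: MISS'
FRONT='HTTP/2 200
cf-cache-status: HIT
age: 42'

# cache_status: headers on stdin -> upper-cased cf-cache-status, or NONE.
cache_status() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "cf-cache-status" { print toupper($2); found = 1; exit }
    END { if (!found) print "NONE" }'
}

# classify PATH: headers on stdin. Admin and login paths must never be
# cache-eligible, so MISS or EXPIRED there is as much a failure as HIT:
# it means a later request could be answered from the edge.
classify() {
  status=$(cache_status)
  case $1 in
    /wp-admin/*|/wp-login.php*)
      case $status in
        BYPASS|DYNAMIC|NONE) echo "ok $1 $status" ;;
        *) echo "FAIL $1 $status"; return 1 ;;
      esac ;;
    *) echo "info $1 $status" ;;
  esac
}

printf '%s\n' "$LOGIN_OK"  | classify /wp-login.php
printf '%s\n' "$ADMIN_BAD" | classify /wp-admin/index.php || true
printf '%s\n' "$FRONT"     | classify /
```

Against a live site, pipe real headers in, for example `curl -sI https://yourdomain.tld/wp-login.php | classify /wp-login.php`.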

Step 6: Optimize for Performance and Compatibility

  • Cloudflare Cache Settings:
    • Set cache level to “Standard” for the main site; use custom rules for exceptions.
    • Enable “Automatic Platform Optimization (APO)” for WordPress if on a paid plan.
  • DirectAdmin/PHP-FPM:
    • Review per-domain PHP-FPM pool tuning in /usr/local/directadmin/data/users/<user>/php-fpm73.conf (or php-fpmXX.conf):
    sudo nano /usr/local/directadmin/data/users/<user>/php-fpmXX.conf
    # Tune pm.max_children, pm.max_requests, etc. as needed
  • Plugin Compatibility:
    • Disable any WordPress caching plugins (e.g., W3TC, WP Super Cache) if Cloudflare is the primary cache; avoid double-caching.

Troubleshooting

  • WordPress admin is blank or login fails:
    • Check for Cloudflare caching of admin URLs; ensure bypass rules are active.
  • Incorrect IP addresses in logs:
    • Review mod_remoteip/set_real_ip_from configuration and ensure Cloudflare IPs are current.
  • Redirect loops:
    • Check for duplicate HTTP->HTTPS redirects at the server and Cloudflare levels.

Summary Checklist

  • DNS: Proxy A record via Cloudflare.
  • Configure Apache or NGINX for real client IPs (mod_remoteip/set_real_ip_from).
  • Set Cloudflare rules to bypass cache for /wp-admin/* and /wp-login.php.
  • Enable HTTPS with “Full (strict)” SSL in Cloudflare and valid cert on DirectAdmin.
  • Test admin, front-end, and logs for correct behaviour.
  • Monitor and maintain Cloudflare IP lists and adjust caching as usage evolves.

Note: This article offers general technical guidance. Validate all configurations in a safe environment before applying them to production.

Previous: WordPress Caching Layers Explained: OPcache vs Redis vs Page Cache

Next: Why Page Cache Alone Is Not Enough for Logged-In Users
