Published
Updated

Our WordPress experts frequently give talks about speed optimizing WordPress, so it’s only natural that we get plenty of speed optimization related questions from WordPress users and developers alike. Cloudflare pops up occasionally in the discussion with some people and when they hear our answer they’re often surprised.

In our experience Cloudflare slows down a WordPress site more often than not. It also comes with a security risk, so we decided that we should write a blog post about our experiences.

Cloudflare sells their service with the idea that a website should route their traffic through Cloudflare’s servers instead of receiving the visitors directly to the website and the server it’s hosted on. According to Cloudflare this increases the security, performance, and reliability of the site.

In addition to these improvements they collect data that helps developers better understand what is happening on the site in question. All of these improvements are true to an extent, but the benefits are usually rather marginal and thus not worth the additional hassle. These improvements do also have a flip side that you won’t find in the marketing materials.

Performance Improvements Only for Sites Without Existing HTTP Level Caching

Cloudflare’s performance claim is based on them having servers all over the world. When a site is connected to Cloudflare, the visitors of the site are being connected to one of Cloudflare’s servers close to their location. They offer HTTP level caching from their servers, which means the visitor can load the site from the server that is closer to them than the original server where the site is hosted at is.

This benefit this provides is dependent on a couple of factors:

  • Does the site have HTTP level caching enabled already?
  • Does Cloudflare have servers that are closer to the visitors by a distance that has any significant impact, and is their server and network faster than other HTTP level caching?
  • How much of the traffic is being served from the HTTP cache?

Seravo has provided HTTP level caching as a standard feature for its customers since 2014 in every webhosting plan. These days most other providers have implemented at least some level of HTTP caching in their environments, provided they are making an effort to keep up with modern practices and technologies, such as NGINX and Varnish. Cloudflare might have a significant performance impact on a site that is hosted by a provider whose servers have no HTTP level caching, but in that case activating Cloudflare is not really solving the underlying problem.

If a WordPress page has been recorded in a HTTP level cache it can be served lightning fast by the HTTP caching server with a load time of just approximately 1-5 milliseconds. The arrival of the cached data to the visitor depends on the size of the web page, as well as the speed and latency of the network connection. Cloudflare has servers all over the world, thus the latency is always small. We made some measurements from a laptop in our Tampere office and you can see the latency measurements in the table below.

Server locationLatency
Tampere11 ms
Helsinki7 ms
Stockholm15 ms
Germany32 ms
Central USA126 ms

As you can see here, the latency significantly increases only when crossing over to another continent. For this reason Seravo customers can choose from multiple server locations. If the customer has their main market for example in the United States, they can choose for their site to be deployed to our cluster there, assuming that GDPR or any other priorities are not preventing the use of that location.

However, latency resulting from geographical distance is not a straightforward truth in itself. Latency is influenced by network settings, the speed of the “handshake” of a TCP/IP connection when forming the connection and of course the speed of the visitors internet access. Imagine the difference between a reliable fiber connection in a corporate office and that of your mobile phone in a moving car. The distance in itself is not necessarily relevant if the most important factor in mitigating high latency, the multiplication of the latency, is taken care of correctly.

Multiplying latency means that each element, image and file from the site is loaded individually instead of loading the whole page over a single connection in a compressed manner – and thus multiplying the latency with each request being made over an individual connection. Make sure to use HTTP/2 protocol to ensure a compressed single connection based data transfer, which eliminates the problem of multiplying latency. Seravo has been providing HTTP/2 as a standard feature for all our customers since 2016, and even before that we deployed a similar connection improvement technology with SPDY.

During our measurements we also discovered that while Cloudflare does redirect the traffic to their closest server from the visitors perspective and they serve the site from their HTTP cache, the load speed is still being directly related to the visitor’s distance from the original server. We measured that a site using Cloudflare had a latency of 10 milliseconds when measured from Finland and 160 milliseconds when measured from USA. Therefore, if you use Cloudflare, make sure to measure and test that you’re actually getting a low latency from all over the world, since that is the only true advantage of Cloudflare.

The last question, which incidentally might be the most important one, is how much of the site is actually stored in the HTTP cache? For example it’s typical for a WooCommerce store to not make use of HTTP level caching at all, because each customer has a cookie stored in their browser to ensure they get shown pages and content tailored specifically for them.

If you use Cloudflare on a site that functions this way, you’re doubling the latency, because when the visitor is connected to Cloudflare, their server needs to fetch it from the original server to be able to server it to the visitor. That visitor then needs to wait while Cloudflare’s server and the site’s original server discuss and transfer data, instead of receiving the content they want directly and much faster from the original server.

WebPageTest Results

WebPageTest.org is an independent service for website speed and performance measurement that offers a variety of information about how your website loads and behaves, which is why we recommend it. Below you can find two different sets of measurements for a fast loading and slow loading website, one set is measured with Cloudflare activated and the other when it’s deactivated.

We set WebPageTest to measure the load times from their Amsterdam server, which should favour Cloudflare, as the sites are located in our servers in Finland. If measured directly from Finland we would have gotten an even faster result, so we decided to use Amsterdam as a neutral location to even out the playing field.

Despite the Amsterdam location for the measurements, you can see that the effect of Cloudflare on the load time was nonexistent or even negative. Especially on the slower site, a WooCommerce site with HTTP caching disabled, the extra routing by Cloudflare increased the load time. This kind of a site should focus on improving and optimizing the database and the code of the site. Cloudflare alone does not provide any additional benefits for them.

Fast site with Cloudflare
Fast site without Cloudflare
Slow site with Cloudflare
Slow site without Cloudflare

A Middleman Weakens Security

With Cloudflare activated on a site, the browser connects to Cloudflare’s servers when visitor types the URL into the address bar. The connection between them is protected by Cloudflare’s HTTPS encryption. Cloudflare’s server then decrypts the request and connects to the actual server where the website is located. The end user has not way to confirm whether their data is encrypted when that second connection is made to the origin server. The site owner must trust Cloudflare can keep their systems secure and to prevent data breaches. So far they’ve only had a single major incident, Cloudbleed.

Some organizations have restrictions on where unencrypted data can be exported to, in which case Cloudflare is not an option. They might decrypt the information in any of their server locations, resulting in unencrypted data being possibly handled in a country where it should not be handled.

As a middleman Cloudflare also potentially hides underlying faults and prevents useful information being logged. From an end user’s point of view the traffic might be HTTP/2 enabled and encrypted, but it might not actually be encrypted between Cloudflare and the origin server. It’s difficult to detect whether or not the traffic is encrypted in the end. Because all the traffic is routed through Cloudflare, it can also be far more difficult to investigate a security breach, as the logs are filled with Cloudflare’s IP addresses instead of the actual visitor’s IP address.

In their marketing materials Cloudflare explains how they filter traffic and protect websites from security threats and denial-of-service attacks. We haven’t been able to find any WordPress specific aspects from their filtering, which means that it probably does not protect against attacks on the software being used on the site.

On a network level the protection works, but network level denial-of-service attack prevention is in any case a standard feature these days with most networking equipment and data centre operators.

Who Uses Cloudflare?

Out of our customers only five are using Cloudflare. If your site is hosted with us and you want to use Cloudflare there are no technical obstacles preventing the traffic being routed through Cloudflare. In some cases it might even prove beneficial, but the benefit needs to be measured and proven, instead of relying on a gut feeling and marketing materials, as we’ve shown here.

When Vierityspalkki, a popular Finnish blog covering web technologies, trends and the industry in general, pitted 33 different Finnish digital agencies against each other in the load speed of their own sites, none of the top 10 agencies were using Cloudflare. If the goal is a website that loads as fast as possible you should focus your efforts on the website and its host, not Cloudflare.

What Should You Focus On?

Generally a WordPress site’s performance bottleneck is either the database or bad code. Neither of these will become a bottleneck if you hire a quality web development agency and premium hosting with a provider such as Seravo.

We have ditched marketing jargon and focus on developing a service that truly, based on data and facts, benefits the customers using our WordPress optimized hosting platform. Our feature set was designed and is constantly improved with the focus of giving developers and site owners the easiest and most reliable experience when it comes to hosting and upkeep. WordPress isn’t without its quirks and problems, but with Seravo you can get the best out of your WordPress. We also provide sustainable, carbon negative Green Hosting.

As a Seravo customer you also support WordPress and open source communities and development. One of the best places to get advice and insight into WordPress and speed optimizing websites is the WordPress community. Come say hello if you see us at a WordCamp or any other open source event, and don’t forget to sign up for our developer newsletter to get articles just like this directly to your inbox!

Do you want to receive articles just like this directly to your inbox? Subscribe to our developer newsletter and stay ahead of the competition with the latest and greatest WordPress development tricks, tools and techniques.