Yes, WP Ghost works seamlessly with Cloudflare, and the two are a strong combination. Cloudflare protects your site at the DNS and network edge (CDN, DDoS mitigation, cloud WAF, SSL, IP masking), while WP Ghost protects at the application level (hide WordPress paths, 7G/8G firewall, brute force protection, 2FA, security headers). There are no conflicts, you get Cloudflare’s edge filtering plus WP Ghost’s server-level hack prevention, a layered defense that is hard to beat. Because Cloudflare proxies your entire domain under your own URL, you usually do not need to configure CDN Mapping in WP Ghost, your path changes already cover Cloudflare-served URLs automatically.
Why Cloudflare Plus WP Ghost Works So Well
Cloudflare and WP Ghost operate at different layers of the request lifecycle. Cloudflare sits between the public internet and your hosting server, filtering traffic at the DNS and network level before it ever reaches your origin. WP Ghost sits inside your WordPress site, adding path security, firewall rules, and authentication hardening at the server and application level. The two plugins see different attack surfaces, so they protect against different threats without stepping on each other.
When a malicious request hits your site, Cloudflare’s WAF filters first, blocking obvious attacks (DDoS floods, SQL injection signatures, known bot IPs) at the edge. Whatever passes Cloudflare then hits WP Ghost’s server-level rewrite rules, where another layer of filtering happens, bot scans for default WordPress paths return 404, firewall rules reject injection payloads, and brute force protection rate-limits login attempts. Legitimate traffic passes through both layers with minimal overhead.
What Each Tool Handles
| Layer | Cloudflare | WP Ghost |
|---|---|---|
| CDN (static file delivery) | Yes (built-in, whole domain) | CDN Mapping (for third-party CDNs) |
| DDoS mitigation | Yes (free and paid tiers) | No (relies on Cloudflare or host) |
| Web Application Firewall | Yes (cloud-based, DNS level) | No (but has 7G/8G server-level firewall) |
| SSL / HTTPS | Yes (free universal SSL) | No (relies on hosting or Cloudflare) |
| Origin IP masking | Yes | No |
| Path security (hide wp-admin, wp-login, wp-content, etc.) | No | Yes |
| 7G/8G Firewall (server-level) | No | Yes |
| Brute force protection with reCAPTCHA | Basic (bot management rules) | Yes (4 reCAPTCHA types, 5 forms) |
| 2FA and Passkeys | No | Yes |
| Security Headers (HSTS, CSP, X-Frame-Options) | Via Transform Rules | Yes (one toggle, all 7 headers) |
| Country Blocking | Yes (paid tier) | Yes (Premium) |
Notice how little overlap there is, Cloudflare covers network-level protection, WP Ghost covers application-level hack prevention. The few overlapping features (country blocking, some security headers) can be handled by either tool.
Do You Need CDN Mapping for Cloudflare?
Usually no. Cloudflare is different from traditional CDNs like BunnyCDN, KeyCDN, or StackPath. Instead of serving assets from a separate subdomain (cdn.yourdomain.com), Cloudflare proxies your entire domain, so all traffic, including static assets, appears to come from yourdomain.com itself. This means WP Ghost’s standard path changes already apply to Cloudflare-served URLs without any extra configuration.
The exception is if your Cloudflare setup uses a dedicated CDN subdomain (for example, if you set up a custom asset domain or use Cloudflare’s Enterprise image resizing with a separate hostname). In that case, add the subdomain at WP Ghost > Mapping > CDN. For the default Cloudflare proxy setup, skip CDN Mapping. Details in the CDN URL Mapping guide.
Cloudflare Configuration Notes for WP Ghost
Use “Full (Strict)” SSL Mode
In your Cloudflare dashboard, go to SSL/TLS and set the encryption mode to Full (Strict). This ensures traffic is encrypted end to end, from the visitor to Cloudflare, and from Cloudflare to your origin server. Flexible SSL mode can cause redirect loops with WP Ghost’s path changes and is not recommended for any WordPress site.
Enable “Restore Visitor IP” for Brute Force Protection
When traffic comes through Cloudflare, your origin server sees Cloudflare’s IPs, not the real visitor IP. WP Ghost handles this automatically by reading the CF-Connecting-IP header, so brute force protection, IP blacklisting, and Geo Security all work correctly with real visitor IPs. No manual configuration needed in most cases.
Cloudflare Cache and WP Ghost Path Changes
After changing paths in WP Ghost, purge Cloudflare cache so edge servers fetch fresh copies. Go to Cloudflare Dashboard > Caching > Configuration, and click Purge Everything. Without a cache purge, visitors may still see the old paths until Cloudflare’s TTL expires. This is a one-time step per path change.
Page Rules and Custom Paths
If you use Cloudflare Page Rules for caching or redirects, review them after changing WP Ghost paths. Rules that match /wp-admin/* or /wp-login.php won’t match your custom paths after WP Ghost is configured. Update the rules to match your custom path, or remove them if they are no longer needed.
Do You Still Need WP Ghost If You Have Cloudflare Pro?
Yes. Cloudflare’s cloud WAF catches known attack patterns at the network edge, but it does not hide your WordPress fingerprints. Bots scanning for /wp-login.php, /wp-admin, or /wp-content/plugins/ still get valid responses because Cloudflare does not know these URLs should be hidden. WP Ghost makes those paths invisible, so attacks never identify your site as WordPress in the first place. Cloudflare Pro filters known attacks, WP Ghost removes the target from view.
WP Ghost’s 115+ free features and 150+ premium features include path security, 2FA with passkeys, and application-level brute force protection that Cloudflare does not offer, even on paid tiers.
Frequently Asked Questions
Will WP Ghost and Cloudflare conflict with each other?
No. They operate at completely different layers (edge/DNS for Cloudflare, application/server for WP Ghost) and there is almost no feature overlap. Both run with default settings, no adjustments needed for basic compatibility.
Will brute force protection work correctly behind Cloudflare?
Yes. WP Ghost automatically detects the real visitor IP from Cloudflare’s CF-Connecting-IP header, so attempt counters, IP blocks, and Geo Security all work with the actual visitor IP rather than Cloudflare’s proxy IP. This means brute force attacks are tracked per real attacker, not per Cloudflare server.
Do I need Cloudflare’s WAF if I have WP Ghost’s firewall?
They complement each other. Cloudflare’s WAF runs at the DNS level and blocks attacks before they reach your server (useful for high-volume DDoS and obvious signatures). WP Ghost’s 7G/8G firewall runs at the server level and catches attacks that pass Cloudflare (deeper pattern matching, path-specific rules). Running both is defense in depth.
Does WP Ghost work with Cloudflare Page Rules?
Yes, with one caveat: update any Page Rules that match default WordPress paths (/wp-admin/*, /wp-login.php) to match your new custom paths after WP Ghost is configured. Otherwise the rules will not fire for logged-in traffic.
Should I use Cloudflare’s free plan or paid plan with WP Ghost?
Cloudflare’s free plan (CDN, free SSL, basic DDoS protection) is enough for most WordPress sites paired with WP Ghost. Paid plans add advanced WAF rules, bot management, image optimization, and analytics that are useful for high-traffic or high-risk sites. WP Ghost handles the prevention layer regardless of your Cloudflare tier.
Does WP Ghost work with Cloudflare Turnstile for bot mitigation?
WP Ghost uses Google reCAPTCHA (Math, V2, V3, Enterprise) for brute force protection on login, signup, and password forms. Turnstile is Cloudflare’s CAPTCHA alternative, and it runs at a different layer (Cloudflare’s edge, not in WP Ghost). Both can coexist, Turnstile filters at the network level, WP Ghost’s reCAPTCHA handles form submissions after they pass Cloudflare.
Does WP Ghost modify WordPress core files?
No. WP Ghost works through server rewrite rules (.htaccess on Apache, hidemywp.conf on Nginx) and WordPress hooks. No core files are modified, so Cloudflare’s integrity checks and Page Rules operate normally. Deactivating WP Ghost restores every default path instantly.