Kinsta includes a free Cloudflare integration on all plans. Rather than running a separate Cloudflare account, Kinsta proxies every domain through Cloudflare’s enterprise network automatically - so once enabled, your site benefits from CDN caching, DDoS protection, and free SSL at no additional cost. Here is how to enable it on a domain that already exists in your account, verify the setup is working, and fix common issues that come up during activation.
What Does Kinsta’s Cloudflare Integration Include?
Before going through the steps, it helps to know what you are enabling. Kinsta’s built-in Cloudflare integration includes: For the broader account, security, and domain context, the Kinsta account and domain management guide covers how this Cloudflare integration fits with the rest of MyKinsta.
- Enterprise-tier CDN - Static assets are cached across Cloudflare’s global network and served from the nearest location to each visitor.
- Free SSL certificates - Cloudflare automatically issues and renews SSL for every domain, including wildcard subdomains.
- DDoS protection - Cloudflare filters and absorbs volumetric attacks before they reach your Kinsta server.
- HTTP/2 and HTTP/3 support - Both protocols are enabled automatically, which improves load times for visitors on modern browsers.
- Argo Smart Routing - Traffic is routed through Cloudflare’s optimised network paths rather than the public internet, reducing latency for visitors who are geographically far from Kinsta’s data centers.
All of this is included in every Kinsta plan at no extra cost.
Step 1 - Start Cloudflare Domain Configuration in MyKinsta
.png)
Log into your MyKinsta account and navigate to Sites > Your Site > Domains. You will see each domain currently attached to that site. Next to the domain you want to configure, click the Get Cloudflare button. This opens the Cloudflare domain configuration modal, which walks you through the remaining steps.
If the domain is already pointing to your Kinsta site IP, verification is skipped and you can move straight to Step 3. If not, proceed to Step 2.
Step 2 - Verify Domain Ownership
If your domain is not yet pointing to Kinsta, you need to verify that you own it before Kinsta adds it to Cloudflare’s network. Kinsta provides you with two DNS TXT records. Log into your domain registrar or DNS provider and add both records exactly as shown.
The records are typically formatted as:
Type: TXT
Hostname: the value provided by Kinsta (usually a Cloudflare custom-hostname string)
Value: a unique verification string provided in the modal
Once added, return to MyKinsta and click OK, I’ve Done It. Kinsta and Cloudflare check for the records in the background. DNS propagation can take anywhere from a few minutes up to 24 hours depending on your provider’s TTL settings. You do not need to wait on the page.
Note: the verification hostname will include a string like kinstavalidation or a Cloudflare custom-hostname UUID. This is normal - it is the token Cloudflare uses to confirm your domain is authorised for the custom hostname system Kinsta uses internally.
Step 3 - Point Your Domain to Kinsta
Once domain ownership is verified, MyKinsta displays the Point Your Domain to Kinsta modal with a Site IP Address. This is the Cloudflare edge IP assigned to your Kinsta site - not a bare server IP. All traffic routed to this address passes through the Cloudflare network before reaching your Kinsta server.
Go to your DNS provider and update the A record for your root domain to point to that IP address. If you want the www subdomain to go through Cloudflare as well - which is recommended - update the A record for www to the same IP.
Once your DNS change propagates, return to MyKinsta and click OK, I’ve Done It. Kinsta confirms when the domain is successfully using the Cloudflare integration.
What Happens to Your SSL Certificate
This is the question most site owners have before enabling the integration, especially when a Let’s Encrypt certificate is already in place. Here is what actually happens:
Once the Kinsta Cloudflare integration is active, Cloudflare issues a new SSL certificate for your domain at the edge level. Visitors connect to Cloudflare over HTTPS, and Cloudflare connects to your Kinsta origin server using a separate Kinsta-issued origin certificate. Your existing Let’s Encrypt certificate is no longer the one visitors see - the Cloudflare-issued certificate replaces it at the browser level.
The transition happens automatically. You do not need to delete your existing certificate or take any action. The padlock in the browser will show a certificate issued by Cloudflare, Inc. after the integration is live - this is expected and correct.
One edge case: if your domain’s Let’s Encrypt certificate was issued through Kinsta’s own SSL provisioning and has an upcoming renewal date, Kinsta will not renew it after the Cloudflare integration takes over. The Cloudflare certificate renews automatically instead. You can verify the current certificate type in the Domains tab in MyKinsta.
Kinsta Cloudflare and Full (Strict) SSL Mode
Kinsta’s Cloudflare integration uses Cloudflare’s Full (Strict) SSL mode by default. This means Cloudflare validates the origin certificate on your Kinsta server - not just any certificate, but one with a valid CA signature. Kinsta provisions a valid origin certificate automatically, so Full (Strict) works out of the box without any manual configuration.
You cannot change the SSL mode from Full (Strict) to Flexible or Full within the Kinsta Cloudflare integration. The setting is locked. This is intentional - Flexible SSL mode would allow an unencrypted connection between Cloudflare and your origin server, which is a security risk Kinsta does not support.
If you see a 525 (SSL Handshake Failed) or 526 (Invalid SSL Certificate) error after enabling the integration, it usually means the origin certificate on your Kinsta server has expired or was not provisioned correctly. Go to Sites > Your Site > Tools in MyKinsta and use the Force HTTPS Renewal option to regenerate it.
After Setup: What to Expect
Once enabled, a Cloudflare badge appears next to the domain in your MyKinsta Domains section. SSL is issued automatically by Cloudflare - no manual certificate configuration is needed.
Visitors to your site are now served through Cloudflare’s edge network. Static content is cached globally, dynamic WordPress pages are served from your Kinsta server, and the Cloudflare layer handles DDoS filtering and SSL termination upstream.
Purging Cache from the Kinsta Cloudflare Panel
Once the integration is active, Cloudflare caches static assets (images, CSS, JavaScript, fonts) at the edge. If you update a static asset - a new logo image, a revised CSS file - you may need to purge the cache so visitors see the updated version rather than the cached copy.
In MyKinsta, go to Sites > Your Site > Tools and click Clear Kinsta Cache. This clears both Kinsta’s server-side cache and triggers a Cloudflare edge cache purge for your domain. You do not need to log into a Cloudflare account to do this - the entire cache management for the Kinsta integration runs through MyKinsta.
Note that full-page HTML is not cached by Cloudflare in the default Kinsta configuration - only static assets are. This means dynamic WordPress pages (posts, pages, WooCommerce products) are always served fresh from your Kinsta server, with only the static files delivered from Cloudflare’s edge.
How to Verify the Integration Is Working
Once you have clicked OK, I’ve Done It and DNS has propagated, check these three things to confirm the integration is active:
- MyKinsta badge - A Cloudflare icon appears next to the domain in Sites > Domains. If it is still showing a warning, DNS has not fully propagated yet.
- Response headers - In your browser DevTools (Network tab), load your site and look for the
cf-rayheader in the response. Its presence confirms traffic is passing through Cloudflare. - SSL certificate issuer - Click the padlock in your browser and check the certificate. It should be issued by Cloudflare, Inc., not Let’s Encrypt or another authority.
Troubleshooting Common Issues
A few problems come up regularly when enabling the Kinsta Cloudflare integration on an existing domain.
The “Get Cloudflare” button is not visible: This usually means the domain was added to your Kinsta site but was not set as the primary domain. Check that the domain appears correctly in the Domains tab. If you recently added it, wait a minute and refresh the page.
Verification is stuck or keeps failing: The TXT records may not have propagated yet, or they may have been entered with extra spaces or incorrect formatting. Use a DNS lookup tool such as dnschecker.org to confirm the TXT record is visible globally before clicking OK, I’ve Done It again.
SSL errors after enabling Cloudflare: If you see an SSL error on your site immediately after enabling the integration, check whether your origin server has a valid SSL certificate installed. Kinsta provisions origin certificates automatically, but if the domain was previously using a Let’s Encrypt certificate that has now expired, you may need to force an SSL renewal in MyKinsta under Sites > Your Site > Tools.
You already have this domain in a personal Cloudflare account: If the domain is currently proxied through a personal or agency Cloudflare account, you must remove it from that account first. Go to your Cloudflare dashboard, find the domain, and either delete it or set the DNS records to DNS-only (grey cloud). Two Cloudflare proxy layers on the same domain will cause a DNS loop and the integration will not work. After removing the domain from your personal account, restart the setup process in MyKinsta.
Final Word: How to Enable Kinsta’s Cloudflare Integration
Enabling the Cloudflare integration on an existing domain in Kinsta takes three steps and typically completes within a few minutes once DNS propagates. The integration brings enterprise CDN, DDoS protection, and automatic SSL at no additional cost - making it one of the most straightforward performance improvements available within the MyKinsta dashboard. If your domain uses multiple wildcard A records, there are additional DNS steps to complete before verification can proceed. If this is part of a client handover, see our guide on transferring the Kinsta account to your client once the configuration is complete. To measure the server-side impact of the integration, use the Kinsta APM tool to compare PHP transaction times before and after enabling Cloudflare.
