CDN Explained: How Content Delivery Networks Work and When They Actually Help

The CDN Request Flow: From DNS to Edge to Your Visitor's Screen

Most people imagine a CDN as a simple copy service — "your files live in multiple places." That description is technically accurate but operationally useless. Understanding the actual request flow reveals where the performance gain comes from and why certain types of content cannot be cached.

Here is what happens when a visitor in London requests an image from your site, which is hosted on a US server with Cloudflare in front of it:

The critical insight is in step 3. Everything that makes a CDN valuable happens at that cache lookup. A CDN with a 95% hit ratio is transformatively different from one with a 40% hit ratio. The hit ratio depends almost entirely on what you are serving — static assets with long TTLs hit consistently; dynamically generated pages with session-specific content hit rarely or never.

The TTFB comparison table below shows what geographic distribution actually means in numbers. These are real round-trip times measured from various regions to a Dallas-based origin, versus the same request served from Cloudflare edge nodes:

The origin TTFB figures above are network latency only — they do not include server processing time. Add your typical PHP execution time (50-500ms depending on hosting quality) and the without-CDN numbers get worse. The cached CDN numbers remain unchanged regardless of origin processing time, because the origin is never involved.

CDN Cache Mechanics: HIT, MISS, TTL, and How Browser Cache Interacts

Cache behavior at the CDN layer is governed by HTTP headers your server sends with every response. Understanding these headers is the difference between a CDN that works and one that silently does nothing. I have seen sites where the CDN was "set up correctly" but every response had Cache-Control: no-store — the CDN was dutifully passing through every request to origin and caching nothing.

The states a cached resource can be in at any edge node:

• HIT — Cached copy exists and TTL has not expired. Served immediately from edge. Origin never contacted.
• MISS — No cached copy exists (first request to this edge node). Origin pull required. Copy stored after retrieval.
• EXPIRED — Cached copy exists but TTL has elapsed. Edge sends a conditional request (If-None-Match or If-Modified-Since) to origin. If unchanged, origin returns 304 Not Modified and TTL resets. If changed, new content is fetched and cached.
• BYPASS — Cache bypass rule triggered. Common causes: Set-Cookie response header, Authorization request header, explicit bypass rules in CDN configuration, or presence of WooCommerce session cookies.
• REVALIDATED — TTL expired but conditional check confirmed content unchanged. Served from cache after verification.
• DYNAMIC (Cloudflare-specific) — CDN determined content is not cacheable (HTML response without explicit cache headers, for example).

Cache-Control headers work at two distinct levels — the CDN and the browser — and you can set them independently. The s-maxage directive applies only to shared caches (CDNs, reverse proxies). The max-age directive applies to both. If you set Cache-Control: max-age=3600, s-maxage=86400, the CDN caches for 24 hours but the browser caches for 1 hour. This is useful when you want aggressive CDN caching but shorter browser caches so users get updates within an hour after you clear the CDN.

How Browser Cache and CDN Cache Interact

A request from a returning visitor hits the browser cache first. If the browser has a valid cached copy (max-age not expired), it never makes a network request at all — neither to the CDN nor to origin. If the browser's TTL has expired, it makes a request to the CDN. If the CDN has a valid cached copy, the visitor gets a fast CDN response without the origin being contacted. Only when both browser cache and CDN cache are expired or absent does the request reach origin.

This layered model means that a returning visitor who loaded your site 2 hours ago on a max-age=7200 (2 hour) cache will get all assets from browser cache instantly — zero network requests. A new visitor or one on a fresh browser gets assets from CDN cache in 10-30ms. An edge node that has never cached an asset gets it from origin in 100-600ms and caches it for all subsequent visitors in that region. These three tiers compound: once an asset is cached in the CDN, every visitor globally benefits without touching your origin.

The interaction between page cache layers (browser, CDN, page cache, object cache, OPcache) is explored in detail on the cache explainer page — understanding all four layers is necessary for diagnosing why TTFB is slow even after adding a CDN.

CDN Benefits vs Reality: What Changes and What Does Not

CDN marketing is relentlessly positive. "Speed up your site globally." "Cut load times by 50%." These claims are true for specific assets under specific conditions. They are misleading when applied to the site as a whole — particularly for WordPress sites with significant dynamic content. Here is an honest breakdown.

CDN Types Explained: Pull, Push, Reverse Proxy, Image CDN, Video CDN

The term "CDN" covers five distinct architectures that work differently, serve different content types, and have different operational implications. Most WordPress owners only need a pull CDN or reverse proxy CDN, but understanding all five clarifies when you would reach for each one.

Pull CDN: The Default for Most Sites

A pull CDN is configured by pointing your asset URLs (or your entire domain via DNS proxy) at the CDN. When a visitor requests an asset the edge has not seen before, the edge "pulls" it from your origin, caches it, and returns it. Every subsequent request for that asset from that region is served from cache. You never manually upload anything. The cache fills automatically as real visitors request real assets. The downside: cache cold-start means the first visitor to request any new asset after a deploy or purge hits origin directly. For high-traffic sites this is negligible — the cache warms within minutes. For low-traffic sites, cold starts happen more frequently.

Push CDN: Manual Control, Best for Large Static Files

A push CDN requires you to upload files to CDN storage yourself. You control exactly what is on the CDN and when it is there. There is no origin pull because there is no origin — the CDN storage is the origin. This is the correct architecture for software download sites, large media archives, or video game asset distribution where files are gigabytes in size, change infrequently, and cannot be dynamically fetched. Push CDNs are operationally more complex — you need to manage uploads and deletions explicitly — but they give complete control and avoid any origin load. BunnyCDN storage zones are a common push CDN implementation.

Reverse Proxy CDN: Full-Site Acceleration and Protection

A reverse proxy CDN (like Cloudflare in proxy mode) sits in front of your entire domain. All HTTP traffic — static and dynamic — routes through the CDN's network. This provides static asset caching, DDoS protection, WAF filtering, SSL termination, HTTP/2 and HTTP/3 delivery, and (with APO) full-page HTML caching. Your origin IP is hidden behind the CDN's anycast addresses. This is the architecture most businesses should use because the security benefits compound with the performance benefits at no additional complexity. The tradeoff: you lose direct visibility into visitor IPs (the CDN adds a Cf-Connecting-IP header containing the real visitor IP), and CDN configuration mistakes affect your entire site.

Image CDN: Real-Time Transformation

An image CDN does more than deliver images fast — it transforms them at delivery time. Request the same source image with different URL parameters and get different sizes, formats, and quality levels. A single product.jpg source file can be delivered as 400px WebP at 80% quality for mobile, 800px AVIF at 90% quality for desktop, and 200px WebP thumbnail for a grid — all from one uploaded file, all handled at the CDN edge, not at your server. Cloudflare Polish and Mirage, imgix, and Cloudinary are image CDN services. For sites with hundreds of product images or editorial photography, image CDNs eliminate the need for WordPress to generate and store multiple image sizes.

Dynamic vs Static Content: The WooCommerce Problem Most Guides Ignore

Static content is any response that is identical for every visitor. An image is the clearest example — every visitor gets the same bytes. A CDN can cache it perfectly. Dynamic content is any response generated specifically for the requesting user — a cart page showing items you added, an account dashboard, a checkout flow. A CDN cannot cache these because the response differs per visitor.

The practical breakdown for a typical WordPress site:

• Cacheable by CDN without any special configuration: Images (JPEG, WebP, PNG, GIF), CSS files, JavaScript files, web fonts (WOFF2, WOFF), PDFs, static video files, sitemap.xml, robots.txt.
• Cacheable by CDN with full-page cache enabled (APO or plugin): Blog post pages, static pages (About, Contact), product pages (WooCommerce) for unauthenticated visitors with no cart.
• Not cacheable by CDN under any configuration: Cart page, checkout page, account pages, order confirmation, any page showing session-specific content, admin area, REST API responses with authentication.

The WooCommerce Cache Bypass Reality

WooCommerce sets cookies as soon as a visitor interacts with the store. The standard session cookie (woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session) signals to CDNs that the user has session state. Most CDNs, including Cloudflare, automatically bypass cache for requests that contain these cookies. The result: a visitor who has added a product to their cart gets no CDN caching on any subsequent page load until the session cookie expires.

This has real implications for cache hit ratio calculations. A WooCommerce store with active shoppers might measure an overall 35-50% CDN hit ratio — the first visit to product pages hits cache, but return visits with cart cookies bypass cache completely. Compare this to a blog with no user state, which routinely achieves 90-97% hit ratios. The CDN still delivers static assets (images, CSS) fast for these bypass requests — the HTML response just bypasses cache and hits origin.

Logged-In WordPress Users

When a WordPress user is logged in, WordPress sets a wordpress_logged_in_* cookie. Standard CDN configurations bypass cache for all requests carrying this cookie. This means: your logged-in editors, administrators, and registered users never benefit from HTML page caching. For most content sites, this is acceptable because editors are a small fraction of traffic. For membership sites or course platforms where most users are logged in, CDN HTML caching provides almost no benefit. The solution is serving personalized content via JavaScript after page load (edge-side includes or client-side personalization), allowing the HTML shell to be cached while dynamic elements load asynchronously.

Cloudflare Deep Dive: Proxy Mode, DNS-Only, APO, and WAF Integration

Cloudflare dominates CDN search traffic for a reason: it is the only provider with a genuinely useful free tier that includes not just CDN but also DDoS protection, WAF, and (with APO) full-page WordPress caching. Google associates Cloudflare heavily with CDN queries because it is the de facto starting point for anyone looking to add CDN to a WordPress site without spending money. This section covers what Cloudflare actually does under the hood.

Proxy Mode vs DNS-Only Mode

Cloudflare offers two modes for any DNS record, controlled by the orange/grey cloud toggle in the DNS dashboard:

SSL/TLS Encryption Modes

Cloudflare's SSL/TLS mode controls how the Cloudflare-to-origin connection is secured. Never leave this at "Flexible" in production:

• Off: No HTTPS to origin. HTTP only. Never use this.
• Flexible: HTTPS from visitor to Cloudflare; HTTP from Cloudflare to origin. Your origin does not need a certificate, but the origin connection is unencrypted. This is how phishing sites bypass the "I installed Cloudflare for free SSL" misconception. Avoid.
• Full: HTTPS end-to-end. Cloudflare validates that a certificate exists on your origin, but does not validate it is trusted. A self-signed certificate works. Use this if you cannot install a valid cert on your origin.
• Full (strict): HTTPS end-to-end. Cloudflare validates that your origin has a valid, trusted certificate — either from a public CA or from a Cloudflare Origin Certificate (free, 15-year validity). Use this always when possible.

APO: How Cloudflare Caches WordPress HTML Pages

Automatic Platform Optimization is a Cloudflare Worker that intercepts WordPress page requests and serves them from edge cache. The Worker detects WordPress via cookies and URL patterns, applies bypass rules for authenticated users and WooCommerce cart pages, and caches the HTML response at the edge with a 30-minute TTL. When you publish or update content in WordPress, a WordPress plugin (the Cloudflare plugin) triggers an immediate cache purge for that specific URL. The result: visitors get sub-50ms HTML responses from the nearest Cloudflare PoP rather than waiting for PHP to execute at your origin.

WAF Integration and How It Combines with CDN

Cloudflare's WAF runs at the edge, before traffic reaches your origin. Requests matching WAF rules (SQL injection patterns, XSS payloads, known bot signatures, vulnerability scanners) are blocked or challenged at the CDN layer. This means your origin server never processes malicious requests — they are dropped before they reach your server's network stack. On the free plan, Cloudflare provides managed rulesets from the OWASP Top 10. On Pro and above, you get the Cloudflare Managed Ruleset with thousands of signatures updated automatically. The WAF and CDN use the same edge infrastructure — adding WAF protection does not add latency because requests are already terminating at the edge for CDN purposes.

For most WordPress sites, the free plan is sufficient. The Pro plan makes sense if you need custom WAF rules, Cloudflare image optimization (Polish + Mirage), or want APO included without paying the add-on fee. Business tier is primarily relevant for compliance-sensitive sites needing custom SSL certificates or enterprise-level support SLAs. The SSL certificates guide covers Cloudflare's origin certificate setup in detail.

CDN and SEO: How Edge Delivery Affects Core Web Vitals and Crawl Efficiency

A CDN affects SEO in three distinct ways: it directly improves Core Web Vitals metrics (which are Google ranking signals), it reduces TTFB (which is a component of LCP), and it can improve crawl efficiency by reducing origin server load during Googlebot crawls. The effect varies significantly depending on your content type and where Google's crawlers originate.

Core Web Vitals Impact

Cloudflare's global network is not just close to your visitors — it is also close to Google's web crawlers. Googlebot crawls from US-based IP addresses (primarily Mountain View, CA). For a US-hosted site, a CDN does not change Googlebot's experience much. For a European-hosted site, Cloudflare's US PoPs may serve Googlebot faster than the European origin could. But more importantly, the field data Google uses for Core Web Vitals (via Chrome User Experience Report / CrUX) reflects real user experiences — and real users are geographically distributed. If your audience is international, CDN improvements to their experience directly improve your CrUX scores.

The metric-level breakdown:

• LCP (Largest Contentful Paint): Usually the hero image or header image. CDN delivery dramatically reduces image fetch time for distant visitors. A London visitor waiting 600ms for a Dallas-hosted hero image versus 20ms from a CDN edge sees their LCP drop by ~580ms. This is where CDN has the largest SEO impact on a typical blog or product page.
• TTFB (indirect LCP component): TTFB is not directly a Core Web Vitals metric, but it is one of the LCP subparts. A CDN with full-page caching (APO) reduces TTFB from 200-600ms (PHP execution) to 20-40ms (cached HTML from edge). This compresses into a meaningfully faster LCP.
• INP (Interaction to Next Paint): CDN delivery does not affect INP. INP measures main thread responsiveness to user interaction — that is a JavaScript execution problem, not a delivery problem. Delivering your JavaScript from a CDN 20ms faster does not change how long the main thread takes to process it.
• CLS (Cumulative Layout Shift): CDN delivery does not affect CLS. CLS measures visual stability — elements shifting after load. That is a CSS, image dimension, and font loading problem, not a delivery problem.

Crawl Efficiency

Googlebot respects server-side Cache-Control headers. A response with Cache-Control: max-age=86400 tells Googlebot it may cache that resource for 24 hours without re-fetching. When Googlebot re-crawls the page, it can skip fetching already-cached resources. CDN delivery means Googlebot's resource requests (images, CSS, JS) are served from edge cache without loading your origin, which is particularly relevant if your origin is on shared hosting with CPU limits. A CDN-accelerated site under Googlebot crawl is a site that handles the crawl budget more efficiently — the crawl completes faster, and origin CPU limits are less likely to cause 429 or 503 errors that pause Googlebot's crawl.

How to Set Up a CDN for WordPress: Cloudflare Free Setup, WP Rocket, and W3TC

WordPress CDN setup has three distinct approaches with different capability levels. The right choice depends on what you are trying to achieve and what plugins you already use.

Option 1: Cloudflare DNS Proxy (Free, Recommended Starting Point)

This covers the basics: static asset CDN, DDoS protection, basic WAF, SSL at edge. It does not cache WordPress HTML pages without APO.

1. Create a free Cloudflare account and add your domain.
2. Cloudflare scans your existing DNS records. Review and confirm they are correct.
3. Update your domain's nameservers at your registrar to Cloudflare's nameservers (e.g., ada.ns.cloudflare.com and cole.ns.cloudflare.com).
4. Wait for nameserver propagation — typically 30 minutes, up to 24 hours.
5. In Cloudflare > SSL/TLS > Overview, set encryption mode to Full (strict). If your origin has no SSL certificate, install one first (cPanel AutoSSL or Certbot on VPS).
6. Enable Always Use HTTPS under SSL/TLS > Edge Certificates.
7. Enable Automatic HTTPS Rewrites — this fixes mixed content warnings caused by hardcoded HTTP asset URLs.
8. Under Speed > Optimization, enable Auto Minify (JS, CSS, HTML) and Brotli compression.

At this point, all static assets serve from Cloudflare edge. WordPress HTML pages bypass CDN and go to origin. TTFB is unchanged; image/CSS/JS delivery is significantly faster for distant visitors.

Option 2: Cloudflare APO (Full-Page WordPress Caching)

APO is the upgrade that makes Cloudflare genuinely transformative for WordPress. Enable it from the Cloudflare dashboard under Speed > Optimization > Automatic Platform Optimization. It requires installing the official Cloudflare WordPress plugin, which handles cache purge on publish.

# Install and configure Cloudflare plugin
wp plugin install cloudflare --activate

# Verify APO is active
wp cloudflare status

# Manually purge cache (useful after bulk updates)
wp cloudflare purge-cache

Option 3: WP Rocket + Any CDN (Pull Zone)

WP Rocket is the most reliable WordPress caching plugin and integrates with any CDN that supports pull zones (BunnyCDN, KeyCDN, Cloudflare, RocketCDN). The CDN integration works via URL rewriting: WP Rocket rewrites your static asset URLs from https://yourdomain.com/wp-content/uploads/image.jpg to https://cdn.yourdomain.com/wp-content/uploads/image.jpg. The CDN subdomain serves assets from its edge cache. WP Rocket's page cache generates static HTML files; the CDN delivers your other assets.

# Check cache status header
curl -sI https://cdn.yourdomain.com/wp-content/themes/yourtheme/style.css \
  | grep -i "cf-cache-status\|x-cache\|cdn-cache"

# Expected output for Cloudflare:
# cf-cache-status: HIT

# Expected output for BunnyCDN:
# cdn-cache: HIT

Cache Purge Verification After Deploy

After any site update, verify your CDN cache cleared correctly. The most common failure mode I have encountered is a deploy that updates JavaScript or CSS but the CDN continues serving the cached old version because the purge failed silently.

# 1. Check CSS version header (look for Last-Modified or ETag change)
curl -sI https://yourdomain.com/wp-content/themes/yourtheme/style.css

# 2. Force cache bypass to compare origin vs CDN responses
curl -sI https://yourdomain.com/page-url/ \
  -H "Cache-Control: no-cache" \
  -H "Pragma: no-cache"

# 3. Verify CF-Cache-Status after purge (should be MISS, then HIT on next request)
curl -sI https://yourdomain.com/wp-content/uploads/hero.webp \
  | grep cf-cache-status
# First request after purge: MISS
# Second request: HIT

CDN Provider Comparison: Cloudflare, BunnyCDN, KeyCDN, Fastly, AWS CloudFront

The CDN market is dominated by Cloudflare for WordPress users and AWS CloudFront for enterprise workloads. Between those extremes, BunnyCDN and KeyCDN offer compelling pricing for pure asset delivery without the full reverse-proxy feature set. Here is a practical comparison based on what WordPress site operators actually care about:

Cloudflare: The Right Choice for Most WordPress Sites

Cloudflare wins on the zero-friction factor. Add your domain, change nameservers, get CDN, DDoS protection, WAF, and free SSL in one step at zero cost. No credit card. No CDN subdomain configuration. No URL rewriting in your WordPress settings. The reverse proxy architecture means every asset automatically routes through CDN without any plugin configuration. The free tier is not a stripped-down trial — it is production-quality infrastructure that handles enterprise-scale traffic. I recommend starting with Cloudflare free for any new WordPress site, then evaluating whether Pro features are worth the upgrade after seeing your analytics.

BunnyCDN: Best Value for High-Volume Static Asset Delivery

If you are running a site with thousands of product images or user-generated content where you need pure asset delivery without the full reverse-proxy overhead, BunnyCDN at $0.005-0.01/GB is the cheapest quality option. Their Bunny Optimizer applies real-time image optimization similar to Cloudflare Polish. BunnyCDN is not a reverse proxy — you use it with URL rewriting (point your CDN subdomain at a BunnyCDN pull zone). It integrates cleanly with WP Rocket and LiteSpeed Cache. For a site serving 500GB/month of images, the cost difference between Cloudflare Pro and BunnyCDN is significant.

Fastly: Instant Purge Matters for News and eCommerce

Fastly's instant purge (sub-150ms globally via surrogate keys) is genuinely best-in-class. For a news site that publishes dozens of articles per day or a WooCommerce store that updates product availability in real time, the ability to purge a specific page from every edge node in 150ms is operationally important. Fastly is expensive for small sites ($0.12/GB) and requires configuration via VCL (Varnish Configuration Language), which has a higher operational complexity than Cloudflare's UI-driven setup. It is the right choice for development teams building on top of the CDN as infrastructure.

CDN Troubleshooting: Stale Cache, Header Inspection, Cache Poisoning

CDN problems fall into four categories: stale content being served after updates, cache bypass not working when it should, cache not working when it should be caching, and cache poisoning. Here is how to diagnose each.

Diagnosing Stale Content

Symptom: you deployed an update but visitors (or you) still see old CSS or JavaScript. The CDN is serving a cached copy that TTL has not expired on yet.

# Step 1: Check the cache status header
curl -sI https://yourdomain.com/path/to/asset.js | grep -i "cf-cache\|age\|last-modified"

# 'Age: 14400' means this response has been cached for 14400 seconds (4 hours)
# 'cf-cache-status: HIT' confirms it is coming from CDN cache, not origin

# Step 2: Check what the origin is serving (bypass CDN with direct IP)
# First find your origin IP from hosting panel, then:
curl -sI --resolve "yourdomain.com:443:ORIGIN.IP.HERE" \
  https://yourdomain.com/path/to/asset.js | grep "last-modified\|etag"

# If origin etag differs from CDN etag, CDN is serving stale content

# Step 3: Purge and verify
# Via Cloudflare API:
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/purge_cache" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files":["https://yourdomain.com/path/to/asset.js"]}'

Diagnosing Cache Bypass (CDN Not Caching When It Should)

Symptom: every request shows CF-Cache-Status: BYPASS or MISS even for static assets. Common causes and diagnostics:

# Check response headers for bypass reasons
curl -sI https://yourdomain.com/image.webp

# Common bypass indicators:
# Set-Cookie: [anything] — response is setting a cookie
# Cache-Control: no-store — origin is explicitly forbidding caching
# Authorization: [in request] — authenticated request bypasses cache
# CF-Cache-Status: BYPASS — Cloudflare cache rule or cookie bypass active

# Check if WooCommerce session cookies are present in your test
# browser (they cause Cloudflare to bypass cache for authenticated sessions)
curl -sI https://yourdomain.com/product/sample/ \
  --cookie "woocommerce_cart_hash=ANYTHING"
# If this shows BYPASS but without the cookie shows HIT, WooCommerce bypass is working correctly

Cache Poisoning: What It Is and How to Prevent It

Cache poisoning is when an attacker manipulates a CDN into caching a malicious response and serving it to all subsequent visitors. It happens when CDNs cache responses that differ based on request headers but do not vary on those headers. For example: a CDN caches GET /search?q=normal and returns it to a visitor who requested GET /search?q=, because the CDN treated both URLs as the same cache key. Prevention: ensure your origin sends Vary: Accept-Encoding for compressed content, never cache user-input-reflected responses, and configure CDN cache key rules to include any query parameters that affect page content.

CDN Myths Debunked

These are the most persistent CDN misconceptions I encounter when reviewing hosting setups:

Where to Go Next

Understanding CDN naturally leads to two adjacent topics. The caching layers guide covers how browser cache, CDN cache, page cache (WP Rocket, LiteSpeed), object cache (Redis), and PHP OPcache work together — and how to diagnose which layer is the bottleneck when performance is still slow despite a CDN. The TTFB guide explains the full request lifecycle including the server processing phases that a CDN cannot shorten for uncached dynamic requests — understanding these phases explains exactly why a CDN alone does not fix a slow origin server. For security, web hosting security threats covers what Cloudflare's WAF blocks and what it cannot help with at the application layer. If you are evaluating which managed VPS hosting option to pair with Cloudflare for the best overall performance, the managed VPS guide covers origin server quality in depth.