How to Publish a Site with Cloudflare

—>Download this Guide

About this guideThis document walks complete beginners through publishing a free website using Cloudflare Pages, from creating an account to going live. It also includes a dedicated security section covering passwords, multi-factor authentication, and protecting your site from unauthorised access.

Part 1

Getting Set Up

Cloudflare Pages is a free hosting service that publishes your website files to Cloudflare’s global network. It connects to GitHub (where your files are stored) and automatically updates your live site whenever you make a change.

What you will need

  • A free GitHub account — github.com (this stores your website files)
  • A free Cloudflare account — cloudflare.com (this publishes your site)
  • A web browser — no other software is needed
  • About 15 minutes

Why GitHub?Cloudflare Pages reads your files from GitHub and publishes them. You edit files on GitHub; Cloudflare handles the rest. Both are free.

1

Create a GitHub account

Go to github.com and click Sign up. Choose a username and verify your email. GitHub is where your website files will live.

2

Create your first repository

A repository is a folder that holds your website files. Click the green New button on your dashboard (or visit github.com/new). Give it any name you like, such as my-website. Set it to Public and click Create repository.

3

Add your homepage file

Inside your new repository, click creating a new file. Name it exactly:

index.html

Paste the following starter code into the editor:

<!DOCTYPE html>
<html>
  <head>
    <title>My Website</title>
  </head>
  <body>
    <h1>Hello from Cloudflare!</h1>
    <p>Welcome to my website.</p>
  </body>
</html>

Scroll down and click Commit changes to save the file.

4

Create a Cloudflare account

Go to cloudflare.com and click Sign up. Create a free account and verify your email. No credit card is required for Cloudflare Pages.

5

Go to Cloudflare Pages

Once logged in to the Cloudflare dashboard, click Workers & Pages in the left sidebar. Click the Pages tab at the top, then click Create a project.

6

Connect to GitHub

Choose Connect to Git. Cloudflare will ask permission to access your GitHub account. Click Authorize Cloudflare Pages. A browser pop-up may appear — make sure pop-ups are not blocked in your browser.

Note: You only need to authorise this connection once. After that, all your GitHub repositories are available to Cloudflare Pages.
7

Select your repository

You will see a list of your GitHub repositories. Find the one you created (e.g. my-website) and click Begin setup.

8

Configure build settings

On the setup screen you will see fields for Build command and Build output directory. Leave both of these completely blank — they are only needed for advanced frameworks like React. Scroll down and click Save and Deploy.

Important: For a plain HTML website you do not need any build settings. Leaving them blank tells Cloudflare to publish your files exactly as they are.
9

Wait for deployment

Cloudflare shows a progress screen while your site is being deployed. It usually takes under 30 seconds. A green checkmark confirms your site is live.

10

Visit your live site

Your site is now live at a free address that looks like:

https://my-website.pages.dev

The exact address is shown on the success screen. Click it to view your site. Share this link with anyone — it works like any other website on the internet.

11

Making updates

To edit your site, go back to GitHub, click your index.html file, then click the pencil icon to edit. Commit your changes and Cloudflare automatically detects the update and re-deploys your site within seconds. No further action is needed.

12

Add a custom domain (optional)

If you own or purchase a domain name (for example, myname.com), you can connect it to your site for free. In your Cloudflare Pages project, click Custom domains, then Set up a custom domain and follow the on-screen instructions. Cloudflare handles the security certificate automatically.

Cost: Domain registration typically costs £8–12 per year from providers such as Namecheap or Google Domains. Cloudflare Pages hosting itself remains free.

Part 2

Security

Your Cloudflare and GitHub accounts are the keys to your website. If someone gains access, they can alter or delete your site. The steps below protect your accounts and, where needed, the content of the site itself.

2.1 — Strong Passwords

Your password is your first line of defence. A weak password can be guessed or cracked in seconds by automated tools.

What makes a strong password:

  • At least 16 characters long
  • A mix of uppercase letters, lowercase letters, numbers, and symbols
  • Not based on personal information such as your name, birthday, or pet’s name
  • Unique to each account — never reused across different websites

Use a password manager:

A password manager creates and stores long, random passwords for every account. You only need to remember one master password. Recommended free options:

  • Bitwarden (bitwarden.com) — free, open-source, works on all devices. Recommended for beginners.
  • 1Password — paid but polished, popular with professionals
  • KeePass — free, stores passwords locally on your device

Recommendation: Use Bitwarden. It is free, installs as a browser extension, and will generate strong unique passwords for both your GitHub and Cloudflare accounts automatically.

2.2 — Multi-Factor Authentication (MFA)

Multi-factor authentication — also called two-factor authentication or 2FA — adds a second check when you log in. Even if someone steals your password, they still cannot access your account without this second factor.

How MFA works:

After entering your password you are asked for a second piece of proof. This is usually one of:

  • An authenticator app code — a 6-digit number that changes every 30 seconds (most secure and recommended)
  • A text message code sent to your phone — less secure but better than no MFA
  • A hardware security key plugged into your device — the most secure option

Setting up MFA on Cloudflare:

  • Log in to Cloudflare and click your profile icon in the top-right corner
  • Go to My Profile, then click the Authentication tab
  • Under Two-Factor Authentication, click Manage
  • Choose Mobile app authentication and scan the QR code with your authenticator app
  • Enter the 6-digit code shown in the app to confirm, then click Next to complete setup

Tip: Store your recovery codes (shown during setup) in a safe place — they are the only way back in if you lose access to your phone. See section 2.5 for more on this.

Setting up MFA on GitHub:

  • Log in to GitHub and click your profile photo in the top-right corner
  • Go to Settings, then Password and authentication
  • Under Two-factor authentication, click Enable
  • Choose Authenticator app (recommended) or SMS
  • Scan the QR code with your authenticator app, then enter the 6-digit code to confirm
  • Save your recovery codes somewhere safe before finishing

Note: GitHub now requires two-factor authentication for all accounts that push code. You may be prompted to set this up automatically the next time you log in.

Recommended authenticator apps:

  • Aegis Authenticator (Android) — free, open-source, supports encrypted backups
  • Raivo OTP (iOS) — free, clean interface, iCloud backup
  • Google Authenticator — free, widely supported, available on both platforms
  • Authy — free, syncs across devices, good for beginners

2.3 — Password Protecting Your Website

By default, your published website is visible to everyone on the internet. If you want to restrict access — for example, for a private portfolio, internal tool, or work-in-progress site — Cloudflare provides a built-in way to add a password requirement.

Using Cloudflare Access (free):

Cloudflare Access is a feature built into your free Cloudflare account that lets you control who can view your site. Visitors must authenticate before they can see any content.

  • Go to your Cloudflare Pages project in the dashboard
  • Click Settings, then scroll to the Access section
  • Under Enable access policy, click Manage
  • You will be taken to Cloudflare Access. Click Add an application, then choose Self-hosted
  • Give it a name and enter your website domain or .pages.dev address
  • Set the policy to One-time PIN or Email — visitors enter their email address and receive a login code
  • Save and enable — visitors will now see an authentication prompt before reaching your site

Simple alternative: For very light, informal privacy (not true security), some beginners add a JavaScript password prompt directly in their HTML. This is easy to bypass and should not be used for sensitive content, but it works fine for keeping casual visitors out.

2.4 — HTTPS and SSL Certificates

HTTPS encrypts the connection between your visitor’s browser and your website. It prevents others from intercepting or tampering with data in transit. Without it, browsers display security warnings that discourage visitors.

Cloudflare Pages enables HTTPS automatically on every site it hosts, including both your .pages.dev address and any custom domain you connect. You do not need to configure anything.

What to check: When visiting your site, look for a padlock icon in the browser address bar. This confirms HTTPS is active. If you see a warning instead, check that your domain DNS settings are correctly pointed to Cloudflare.

2.5 — Recovery Codes and Account Recovery

Recovery codes are emergency backup codes generated when you set up MFA. If you lose your phone or authenticator app, these codes are the only way back into your account.

Best practices for recovery codes:

  • Download or copy your recovery codes immediately when MFA is set up on each platform
  • Store them in at least two separate places — for example, a printed copy in a drawer and a copy in your password manager
  • Do not store them only on your phone — if you lose the phone, you lose both the MFA codes and the recovery codes
  • Both GitHub and Cloudflare let you regenerate recovery codes in your security settings — do this if you believe your codes have been seen by someone else

2.6 — General Security Habits

  • Keep your operating system and browser up to date — security patches are released regularly
  • Never share your login credentials with anyone, even someone claiming to be from Cloudflare or GitHub support. Neither company will ever ask for your password.
  • Be cautious of phishing emails that look like they come from Cloudflare or GitHub but ask you to log in via a link. Always navigate directly to the website instead of clicking email links.
  • Review connected apps in both your GitHub and Cloudflare settings periodically and remove any you no longer use
  • Log out of your accounts when using a shared or public computer
  • Check that the URL in your browser bar is cloudflare.com or github.com before entering your password — phishing sites often use very similar-looking addresses

Quick Reference: Security Checklist

Security action GitHub Cloudflare
Use a strong, unique password
Enable MFA (two-factor authentication) Required Recommended
Save recovery codes somewhere safe
HTTPS on published site Automatic Automatic
Password-protect your website content Not built-in Built-in (free)
Review connected third-party apps Periodic Periodic

Cloudflare Pages Guide · For Beginners