This post was originally published on Techucation, my blog at malcolmlow.com. Cross-posted here for the dev.to community.
My WordPress.com domain renewal notice came in at £16/year, with auto-renew switched off and the expiry only a couple of days away. That is a fine price for convenience, but the same name sits on Cloudflare Registrar at wholesale cost with no markup. This post walks through the move end to end, including the one step that quietly breaks things if you rush it, and lays out the real cost difference.
The short version: you do not "renew at Cloudflare". You transfer the domain to Cloudflare, which extends the registration by a year in the process. The saving is real, but the order of operations matters.
1. The cost case
Cloudflare Registrar charges exactly what the registry charges them, with zero markup, and bundles WHOIS privacy for free. Retail registrars add a margin on top. For a .net the difference looks like this:
| Item | WordPress.com | Cloudflare Registrar |
|---|---|---|
| .net renewal (1 yr) | £16 (approx US$20) | approx US$10.44 (at cost) |
| Markup | Retail margin | None (wholesale pass-through) |
| WHOIS privacy | Included | Included, free |
| Approx 5-year cost | approx US$100 | approx US$52 |
Figures are indicative for mid-2026. Because Cloudflare is at cost, your renewal tracks the registry wholesale rate, so it moves up if the registry (Verisign for
.net) raises prices. The trade-off: Cloudflare requires the domain to run on Cloudflare DNS.
2. The gotcha: transfer, not renew, and DNS moves first
Two things trip people up:
You cannot renew a domain at a registrar where it is not registered. To get Cloudflare pricing you transfer the domain in. A gTLD transfer (.com, .net, .org) automatically adds one year, so it replaces the renewal rather than stacking on top of it.
Cloudflare will not let you transfer the registration until the domain is already running on Cloudflare DNS. So the real sequence is DNS first, registrar second, with any redirect rebuilt in the middle so the site never goes dark.
Mind the expiry window. Do not start this within a few days of expiry and then walk away. A transfer left to auto-complete can take up to 5 days. If you are close to the date, expedite it (see step 6) rather than waiting out the clock.
3. Step by step
The full order of operations:
1 Unlock the domain at WordPress.com, get the EPP / auth code
2 Add the domain as a Free zone in Cloudflare
3 Stage the redirect in Cloudflare (before flipping nameservers)
4 Change nameservers at WordPress.com to Cloudflare's pair
5 Wait for the Cloudflare zone to go Active
6 Initiate the transfer in Cloudflare, paste the EPP code, pay
7 Approve / expedite the transfer on the WordPress.com side
8 Verify: registrar, new expiry, redirect, DNSSEC
Step 1. In WordPress.com under Upgrades > Domains, open the domain, turn off Transfer lock, then start the transfer-out flow far enough to reveal the EPP / auth code. Copy it. Do not let WordPress walk you all the way through its own wizard, you only want the code.
Step 2. In the Cloudflare dashboard, Add a domain, choose the Free plan. Cloudflare scans existing DNS and assigns you two nameservers like name.ns.cloudflare.com. Note them.
Step 3. If the domain is a redirect (common when it just points at another site of yours), rebuild that redirect in Cloudflare now while it sits idle. See section 4.
Step 4. Back at WordPress.com, switch the nameservers from WordPress to the two Cloudflare nameservers.
Step 5. Cloudflare flips the zone to Active once it sees the nameserver change, usually under an hour. The transfer option stays greyed out until then.
Step 6. Once Active, go to Domain Registration > Transfer Domains, select the domain, paste the EPP code, and pay the at-cost fee. This payment includes the added year.
Step 7. Watch for the confirmation from the losing registrar. WordPress.com surfaces a Transfer Management page with an Accept Transfer button. Clicking it skips the 5-day wait and completes the transfer in minutes.
Done: the registry should now show the registrar as Cloudflare, status Active, and the expiry rolled forward by a year.
4. The redirect-only trap
If your domain only exists to redirect to another site, the imported records (the host's A records and a couple of CNAMEs) become redundant once you build a Cloudflare Redirect Rule. Tempting to delete them all for a tidy zone. Here is the trap:
A Cloudflare Redirect Rule only fires on traffic that reaches Cloudflare's edge. Traffic only reaches the edge if the hostname resolves to a proxied record (orange cloud). Delete every record and the name resolves to nothing, so the redirect goes dark.
The fix is to keep one proxied placeholder for the rule to attach to:
| Type | Name | Value | Proxy |
|---|---|---|---|
| A | @ | 192.0.2.1 | Proxied |
| CNAME | www | @ | Proxied (only if you want www) |
| TXT | @ | "google-site-verification=..." | DNS only |
192.0.2.1 is a reserved TEST-NET address that never routes anywhere, which is exactly what you want: the proxy intercepts the request before that IP is ever used. Then a single Redirect Rule (Rules > Redirect Rules) handles the rest:
| Field | Setting |
|---|---|
| When (match) | hostname ends with example.net |
| Then (action) | 301 to https://example.com + path |
| Preserve query string | On |
Keep the TXT verification record as DNS only. It does not need to resolve to anything, it just needs to exist.
5. After the transfer
Three things to settle once the registrar shows Cloudflare:
Auto-renew. Optional, but turning it on (Domain Registration > your domain) means you never repeat the two-days-from-expiry scramble. If you leave it off, set yourself a reminder a few weeks before the date.
DNSSEC. Worth enabling for the added integrity protection. Because Cloudflare is now both your DNS and your registrar, the DS record is published to the registry automatically, so it activates without you touching the registrar by hand. Give it from a few minutes up to a couple of hours to show as signed at the registry.
Registrar lock. On by default at Cloudflare, so that one is already handled.
One caution with DNSSEC: once the DS record is published, do not move nameservers away from Cloudflare or disable DNSSEC out of order. Breaking the signature chain is the classic way to make a domain go dark, because validating resolvers will reject it. As long as DNS stays on Cloudflare, you are fine.
Net result
Same domain, half the renewal cost, a year added, and the registrar consolidated with your DNS. The only part that needs care is the DNS-first ordering and not over-deleting the redirect records. Everything else is a few clicks and a short wait.
Top comments (0)