Despite of not knowing the capabilities of the origin host/server of ecwid provider, in terms of a W3TC, and despite this might be a question for StackExchange forums, but from my experience with, you would have to make sure and enable:
- configure web server (Apache or Nginx or some other) → PHP tuning + PHP-OPCache (Zend)
- Page Cache: Disk
- Browser cache (configure per need)
- Database cache: Memcached
- Object cache: Redis
- exclude cookie cache and pages like cart/account/checkout at W3TC due to the WooCommerce (if not by default)
Despite all of that, there is an option to use Page Rules and set Cache Level: Cache Everything and Origin Cache Control: On.
But, you still might end-up having cached webpage of a logged-in “admin user” and other normal visitors could end up seeing exactly that HTML webpage cached → this is not good.
Even the cached logged-in user (on some product/category?) and registered customers who might end-up having the same products - different than which they selected - in their cart, etc.
To solve this at Cloudflare end, the only thing which comes to my mind right now would be to use the feature called Bypass Cache on Cookie on a Page Rule (which requires at least a Business plan).
More about it here:
Otherwise, but again Business plan, using APO for WordPress:
Bypass Cache on Cookie (Business and Enterprise plans only) — APO applies custom bypass cookies in addition to the default list.
Or, I might be wrong about this, and if you purchase a Pro plan and enable APO, this is obviously working? → I haven’t tested it yet, but as far as I see wp/wordpress/woocommerce at the list from below link:
Reference topic:
But, if so, Pro plan + APO and without W3TC plugin → you cannot use W3TC with APO in combination as far as I know from my question back a year ago? - maybe something has been done?:
Otherwise, if your client’s website/webshop has got a lot of “normal web traffic”, think about getting a better origin host/server which could handle all that (cpu, ram, nvme ssd, dedicated 1gbps link, bandwidth).
Use tips how to block bad bots and bad ASNs, or even requests from specific countries at Cloudflare using Firewall Rules/IP Access Rules, configure security options, enable WAF and Managed Rules (requires Pro plan), have captcha at checkout/registration page and I believe you are good to go.
Enable optimizations like Polish and Mirage → requires Pro plan.
- including available options like Brotli, HTTP/2, HTTP/3, 0-RTT, Rocket Loader, Auto Minfiy …