What you need to know about Cloudflare Error 521:
- Error 521 means Cloudflare reached your server's IP but your web server process isn't accepting connections on port 80 or 443
- The server machine itself may be online; it's the web server software that's the problem
- Four main causes: server is offline, Cloudflare IPs blocked by your firewall, SSL/TLS misconfiguration, resource overload
- Five fixes: check server status, whitelist Cloudflare IPs, correct SSL settings, review resource usage, disable Cloudflare temporarily
- WordPress has two extra checks: deactivate conflicting plugins and review security plugin firewall rules
- Set up uptime monitoring and automate your IP allowlist to stop it coming back
Your site is showing "521 web server is down" to every visitor. Cloudflare connected to your server's IP successfully, but nothing answered back on port 80 or 443. The web server process isn't running, or it's actively refusing the connection.
Error 521 is more specific than most Cloudflare errors. Here's what's happening and how to fix it.
What Is Cloudflare Error 521?
Error 521 means Cloudflare reached your origin server's IP address but your web server software refused the connection. The "Cloudflare web server is down" message is accurate: the network path works, the machine is reachable, but nothing is accepting HTTP or HTTPS traffic.
Error 521 sits at a specific layer. The problem isn't Cloudflare's infrastructure. It's the web server process on your origin server.
What Causes Error 521 in Cloudflare?
Four things account for almost every 521 case. The origin server is reachable, but something between the incoming request and your web server process is breaking the connection.
Origin Server Is Offline or Unresponsive
The most straightforward cause: your web server process has crashed or stopped. Apache, Nginx, or whatever you're running isn't listening anymore. Cloudflare tries to reach your origin server, gets nothing back on port 80 or 443, and returns a server error 521. Always check server status first.
Firewall Blocking Cloudflare IP Addresses
Your server is running fine, but a Cloudflare firewall rule or OS-level firewall is blocking Cloudflare's IP ranges. If you've tightened rules recently, or a security plugin applied new restrictions, blocked Cloudflare IPs are very likely the culprit. You need to whitelist Cloudflare's IP ranges explicitly - the full list is at cloudflare.com/ips.
SSL/TLS Encryption Misconfiguration
A mismatch between Cloudflare's SSL/TLS encryption mode and what your origin server supports causes connection refusals at the TLS handshake stage. If Cloudflare is set to Full (Strict) but the SSL certificate on your origin is self-signed or expired, the connection gets rejected before any content is exchanged. The SSL mode in your Cloudflare dashboard needs to match what your server actually has.
Server Resource Overload: CPU and RAM
Under extreme load, the web server process can stop accepting new connections even while technically still running. A server down checker might report the machine as up, but checking at the process level shows the service becoming unresponsive. CPU pinned at 100% or exhausted RAM will do this reliably.
How to Fix Cloudflare Error 521
Five steps to fix error 521, in rough order of how often each one resolves the problem. Cloudflare error 521 almost always has a single root cause. Find it and the fix is usually quick. If you need to pause Cloudflare at step five, it gets your site back up while you keep digging.
Step 1 - Check If Your Origin Server Is Running
SSH into your server and check whether the web server process is actually running:
systemctl status nginx
# or
systemctl status apache2
If it's stopped, start it and test. If you can't SSH in at all, use a server down checker like UptimeRobot to confirm whether the origin machine is even responsive. This step alone clears a large share of 521s.
Step 2 - Whitelist Cloudflare IP Ranges
Check your Cloudflare firewall and OS firewall rules for anything blocking Cloudflare's IPs. Add Cloudflare's published IP ranges to your allowlist on ports 80 and 443:
# Allow each published Cloudflare IPv4 range on ports 80 and 443 (run as root)
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do
  ufw allow proto tcp from "$ip" to any port 80,443
done
Once you whitelist Cloudflare IP addresses, connection refusals from firewall rules stop immediately.
Step 3 - Fix SSL/TLS Encryption Settings
Open your Cloudflare dashboard and check the SSL mode under SSL/TLS. If it's set to Full (Strict), your origin needs a valid SSL certificate. Either install a proper cert on the server, or drop the SSL/TLS mode to Full (not Strict) temporarily while you sort it out.
This particular cause tends to appear after a certificate renewal or a dashboard change someone made and forgot about.
Step 4 - Inspect Server Resource Usage
If the web server process is running but still refusing connections, check server status at the resource level using ps or top.
Look for processes consuming abnormal resources. Cloudflare errors from resource overload tend to be intermittent rather than constant, which is a useful diagnostic clue. Restarting the problem process usually clears it if server resource usage is the culprit.
Step 5 - Disable Cloudflare Temporarily
If nothing above resolves it, pause Cloudflare to route traffic directly to your origin. In your dashboard, go to Overview and click "Pause Cloudflare on Site." Running a Cloudflare cache purge at the same time rules out any caching layer involvement.
Fix Error 521 on WordPress Sites
On WordPress, a Cloudflare error 521 almost always comes from a plugin interfering with connections, rather than a server-level problem. Two things to check.
Deactivate Conflicting Plugins
Some caching and performance plugins interfere with Cloudflare at the connection level and produce Cloudflare errors that look like 521s. Unlike a true Cloudflare firewall issue, the block happens at the application layer inside WordPress. Deactivate all plugins and test. If the error clears, reactivate one by one. It's tedious, but this WordPress Cloudflare error pattern is common enough that it's always the first check.
Check Security Plugin Firewall Rules
Security plugins like Wordfence manage their own firewall-style rules at the application level. If Cloudflare's IPs have been blocked through one of these plugins, Cloudflare's IP ranges won't get through regardless of your server firewall settings. Check each plugin's IP allowlist and add the full ranges from cloudflare.com/ips. Once you whitelist Cloudflare IP addresses through the plugin as well, the connection restores.
How to Prevent Error 521 from Recurring
Set Up Server Uptime Monitoring
A server down checker alerts you within minutes of your web server going offline. Set up both an HTTP monitor and a port-level TCP check on 443 so you know immediately whether the issue is at the machine or process level. Check server status automatically, not from a visitor complaint.
Automate Cloudflare IP Allowlist Updates
Cloudflare updates its IP ranges periodically. If your firewall doesn't keep up, Cloudflare's IPs can end up blocked again. A cron job pulling the current list from cloudflare.com/ips and updating your rules automatically keeps your Cloudflare IP allowlist current. Add a Cloudflare firewall review after any security plugin update and you've covered the two most common sources of recurring 521s.
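One way to build that cron job safely, as an added example that is not part of the original article: it validates the downloaded list before anything reaches ufw, also removes ranges Cloudflare has dropped, and covers the allowlisting from Step 2 for both ports. The function names, the state-file path and the MIN_RANGES threshold are assumptions.

```shell
#!/bin/sh
# Added example. State-file path and function names are assumptions.
export LC_ALL=C   # sort and comm must agree on ordering

# Keep only lines shaped like an IPv4 or IPv6 CIDR range, so an error page
# or a tampered download never reaches the firewall command line.
filter_cidrs() {
  grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$' | sort -u
}

# plan_sync CURRENT_FILE NEW_FILE prints "add <cidr>" and "del <cidr>" lines.
# It aborts when the new list is suspiciously short, so a failed fetch cannot
# delete every rule and cause the 521 it is meant to prevent.
plan_sync() {
  tmp=$(mktemp -d) || return 1
  filter_cidrs < "$1" > "$tmp/cur"
  filter_cidrs < "$2" > "$tmp/new"
  if [ $(wc -l < "$tmp/new") -lt "${MIN_RANGES:-5}" ]; then
    rm -rf "$tmp"; echo "abort: new list too short" >&2; return 1
  fi
  comm -13 "$tmp/cur" "$tmp/new" | sed 's/^/add /'
  comm -23 "$tmp/cur" "$tmp/new" | sed 's/^/del /'
  rm -rf "$tmp"
}

# Turn a plan into ufw commands for ports 80 and 443 (printed, not executed).
to_ufw() {
  while read -r op cidr; do
    case $op in
      add) echo "ufw allow proto tcp from $cidr to any port 80,443" ;;
      del) echo "ufw delete allow proto tcp from $cidr to any port 80,443" ;;
    esac
  done
}

# Cron usage (placeholder paths); review the output, then pipe it to sh as root
# and copy the filtered new list over the state file:
#   { curl -fsS https://www.cloudflare.com/ips-v4; echo;
#     curl -fsS https://www.cloudflare.com/ips-v6; } > /tmp/cf.new
#   plan_sync /etc/cf-allowed.txt /tmp/cf.new | to_ufw
```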
Error 521 vs Other Cloudflare Errors
Cloudflare Error 520 vs Error 521
Cloudflare error 520 means the connection was established but the response came back empty or malformed. A 521 means the connection was refused before any response. With Cloudflare errors in the 520 range, the web server is running but misbehaving. With a 521, it's not responding at all.
Cloudflare Error 522 vs Error 521
Cloudflare error 522 is a TCP timeout: Cloudflare tried to connect and your server never responded within the window. A 521 is an active refusal. These Cloudflare errors look identical to visitors but have different root causes - a 522 points to an unreachable server, a 521 points to one that's actively rejecting the connection.
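The refusal-versus-timeout distinction can be checked from any machine by probing the origin directly, which also works as the port-level check suggested for uptime monitoring. This is an added example, not from the original article; the hostname, origin IP and function names are placeholders.

```shell
#!/bin/sh
# Added example. Hostname, origin IP and function names are placeholders.

# Map curl's documented exit codes onto the failure modes discussed above.
# Exit 7 is "failed to connect", which in practice is usually a refusal.
classify_exit() {
  case $1 in
    0)     echo "accepting: origin answered" ;;
    7)     echo "refused: 521 pattern, check the web server process and firewall" ;;
    28)    echo "timeout: 522 pattern, check routing and silently dropping firewalls" ;;
    35|60) echo "tls: TCP connected but TLS failed, check certificate and SSL mode" ;;
    6)     echo "dns: hostname did not resolve" ;;
    *)     echo "other: curl exit $1" ;;
  esac
}

# probe_origin HOST ORIGIN_IP PORT
# --resolve pins HOST to the origin IP so the request bypasses Cloudflare
# while still sending the right Host header and SNI. --noproxy keeps a
# proxy set in the environment from answering on the origin's behalf.
probe_origin() {
  scheme=http
  if [ "$3" = 443 ]; then scheme=https; fi
  rc=0
  curl -s -o /dev/null --noproxy '*' --connect-timeout "${TIMEOUT:-5}" \
       --max-time 15 --resolve "$1:$3:$2" "$scheme://$1:$3/" || rc=$?
  classify_exit "$rc"
}

# Example run against placeholder values (203.0.113.10 is a documentation IP):
#   probe_origin example.com 203.0.113.10 80
#   probe_origin example.com 203.0.113.10 443
```

Run it from outside the server: your own IP is not in Cloudflare's ranges, so a refusal here combined with a healthy web server process points at the firewall rather than the service.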
Cloudflare Error 521 FAQ
The questions below cover the most common confusion points around Cloudflare error 521. If you're landing here from a "521 web server is down" or "Cloudflare web server is down" page and aren't sure where to start, the first two answers are the quickest path forward.
Cloudflare error 521 means your web server process isn't accepting connections on port 80 or 443. Cloudflare reached the server machine successfully, but error 521 fires because the web server software refused the connection or wasn't listening. The machine being online doesn't mean the service is running.
Start with the web server process - confirm it's actually running. Then check firewall rules, SSL/TLS mode, and server resource usage in that order. To fix error 521 for good you need the root cause, not just a workaround.
The machine being up doesn't mean the web server process is. Cloudflare error 521 shows up when firewall rules block Cloudflare's IPs, when an SSL certificate mismatch kills the TLS handshake, or when the process is running but too overloaded to accept connections.
Server issue. Cloudflare error 521 means Cloudflare is working correctly. The Cloudflare errors in the 5xx range almost always point to origin problems, and 521 is about as origin-side as it gets.
Set up a server down checker that monitors the web server process directly, and automate your Cloudflare IP allowlist to stay current with Cloudflare's published IP ranges. Those two steps cover the most common sources of repeat error 521 incidents.