Cloudflare sits between the visitor and your server. Static files are cached on 300+ data centers around the world. DDoS attacks are filtered before reaching your server. And the basic plan is free.
Setup
Create an account on cloudflare.com, add your domain, change nameservers at your registrar. Cloudflare scans your DNS records automatically. The whole process takes maybe ten minutes, plus the wait for DNS propagation.
What you get for free
CDN for static files (images, CSS, JS). SSL certificate. DDoS protection that handles most attacks. Basic firewall rules. Analytics. That's generous for a free service.
Page Rules
Three free page rules. Use one to cache everything on wp-content/uploads (Cache Everything with Edge Cache TTL). This reduces the load on your server significantly. Use another to exclude wp-admin from cache (bypass).
APO: Automatic Platform Optimization
5 USD per month. Caching specifically optimized for WordPress. Entire HTML pages are cached at the edge, not just static files. We've seen TTFB go from 800 ms to under 50 ms with APO enabled. It's the best single performance investment you can make for five dollars.
Pitfalls
Caching logged-in users' pages can produce odd results (one user sees another's dashboard). Make sure wp-admin and pages with cookies are excluded. Rocket Loader (which is sometimes on by default) can conflict with inline JavaScript. Turn it off if the site behaves strangely.
For the vast majority of WordPress sites, Cloudflare is a no-brainer. Free, quick to set up, noticeable difference.