8 Useful Cloudflare Page Rules For WordPress Sites

Looking to add the best Cloudflare page rules for WordPress?

Many of these page rules were taken directly from Cloudflare’s Page Rule YouTube tutorial. They can help you save bandwidth, improve security, bypass Cloudflare’s caching where it’s not needed (eg. your admin area), and even prevent spam bots from collecting your email address.

You should get familiar with how asterisks work and setting definitions in case you want to add page rules of your own. Cloudflare lets you reorder page rules to give certain ones priority over others. Since free accounts only give you 3 page rules, I would add #2, #5, and #7 in most cases.

Finally, don’t forget to configure other settings in your Cloudflare dashboard and to use Firewalls rules to block bad bots from hitting your site excessively and consuming resources.




1. Always Use HTTPS

The first page rule forces all visitors to connect to your website through HTTPS.

The pattern below is the one you want to use and is recommended in Cloudflare’s page rules YouTube tutorial. The two asterisks make sure that no matter what variation of your website is entered (whether before or after), all visits through HTTP will redirect to the HTTPS version.



Alternatively, you can enable this in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3 page rules.

If your WordPress site is not using SSL, you can use the same pattern only with opportunistic encryption (instead of Always Use HTTPS). Opportunistic encyption allows users to access your website over an encrypted TLS channel. However, this shouldn’t be used a a replacement for adding SSL. So if your website is using SSL, only use the first “Always Use HTTPS” page rule.



2. Secure The WordPress Admin And Bypass Cache

Your WordPress Admin should have a few settings which are combined into 1 page rule. This sets the security level to high and bypasses Cloudflare’s cache (the admin area should never be cached). It also disables Cloudflare apps and performance features (minify, Rocket Loader, Mirage, Polish) inside the admin since these are only used to speed up the frontend of your site.




3. Don’t Cache Preview Pages

This simply bypasses Cloudflare’s cache if it’s a preview of a page/post.




4. Forward XMLRPC URLs

This page rule improves security against hackers using XMLRPC for attacks. This forwards requests from your xmlrpc.php file to any URL on your site (you can just use your homepage).



Disabling trackbacks/pingbacks in the WordPress Discussion settings also provides an additional layer of security against these attacks (and it can also saves server resources).



5. Decrease Bandwidth Of WP Uploads

Since items in your WordPress uploads file do not change frequently, you don’t have to cache them as often which saves bandwidth by setting Edge Cache TTL to a month. If you need to update certain files/directories before a month, you can purge the individual files in Cloudflare.

In this page rule and future ones in this post, the browser cache TTL is set to a day. This sets the expiration time for resources cached in a visitor’s browser, an item often shown in GTmetrix.




6. Make Important Pages Always Online

Always Online keeps your most important pages online if your server goes down and can be turned on for your most important pages (homepage, contact, terms of service, etc). So in case anything happens with your WordPress site, at least your most important pages will still be up.




7. Stop Bots From Collecting Your Email

This page rule enables email obfuscation on your contact page which hides your email address from bots (so they don’t send you spam). The email address will still be visible to humans. You should enable email obfuscation on any page that contains your email address to prevent spam, or turn it on globally in Cloudflare’s Scrape Shield settings. You can change this to be any page.



You can enable email obfuscation globally in your Cloudflare Scrape Shield settings, but this usually results in a GTmetrix error (email-decode.min.js). That’s why email obfuscation should only be enabled on pages showing your email address using Cloudflare’s page rules. The only time you should enable this globally is if you list your email address on your entire website (eg. your footer) and want to prevent spam. The GTmetrix error shouldn’t impact load times much.





8. eCommerce Sites And Dynamic Content Using AJAX

Disclaimer: I don’t personally have a WooCommerce website – these page rule recommendations are strictly from Cloudflare’s eCommerce best practices tutorial.

eCommerce websites include dynamic content (which shouldn’t be cached) but you still want to cache everything else. A good solution is to cache the entire page, but bypass the cache for dynamic (eCommerce) elements like AJAX requests. This requires using 2 separate page rules.

The first page rule bypasses cache for AJAX requests:



The second page rule caches everything else. When ordering page rules, make sure the AJAX rule is before the Cache Everything rule. In other words, this page rule should be ordered last.




Page Rule Terms

  • Always Online – keeps a limited version of your site online if your server goes down. Usually used for your most important pages (eg. terms of service, privacy policy, etc).
  • Browser Integrity Check – attempts to deny spammers from accessing your website and challenges visitors with a suspicious user agents commonly used by abusive bots.
  • Browser Cache TTL – time Cloudflare instructs a visitor’s browser to cache a resource. You can increase this for pages that aren’t updated frequently to save on bandwidth.
  • Disable Performance – turns off auto minify, Rocket Loader, Mirage, and Polish. These are great to speed up pages, but they should be disabled for your WordPress admin.
  • Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to origin server for a fresh copy. You can also increase this for pages not updated frequently.
  • Email Obfuscation – prevents spam by hiding your email address to bots while remaining visible to visitors (only applies if you list your email address on your website). Enabling this on the contact page (and other pages showing your email) can help prevent spam.
  • Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
  • Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
  • Asterik (*) – used in page rule URLs to match certain parameters. For example, if I used onlinemediamasters.com/wp-admin* as my URL, then I set the security level to high, that means all URLs with /wp-admin/ (and anything after) would have a high security level.


Additional Cloudflare Tweaks To Improve WordPress Speed

Rocket Loader – even though WP Rocket recommends leaving this off for better compatibility, I would still test it out since it can speed up JavaScript files. Just be sure to check your website for errors and measure the impact on the JavaScript speeds in your GTmetrix waterfall report.


Railgun – makes sure requests that cannot be served from Cloudflare’s cache are still fast.


Hotlink Protection – prevents people from copying/pasting images from your website to theirs (possibly resulting in bandwidth savings). Especially helpful for sites using high quality images.



Enabling Cloudflare Compatibility In WP Rocket

If you’re using WP Rocket, add your Cloudflare credentials in the settings:

  • Global API key is found in your Cloudflare profile
  • Account email should be same email used in Cloudflare
  • Zone ID is found on the “Overview” tab of your dashboard

Optimal Settings allows WP Rocket to configure your Cloudflare settings for better compatibility with their plugin. However, it also turns on email obfuscation (resulting in a GTmetrix error on every page) and disables Rocket Loader which may be useful for your site.

WP Rocket also has recommendations for configuring Cloudflare:

  • Set Caching Level to Standard”.
  • Enable Auto Minify for JavaScript, CSS and HTML.
  • Disable Rocket Loader to prevent conflicts.
  • Set Browser Cache Expiration to 1 year”.


Remember to activate the Cloudflare add-on:


I personally don’t use Cloudflare’s WordPress plugin since it has horrible reviews.


Cloudflare’s Page Rules YouTube Tutorial

I covered everything in here (except forwarding URLs), but you can watch the video:



Frequently Asked Questions

What do asterisks do in page rules?

Asterisks serve as a wild card when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk.

hich page rule is best for the WP Admin?

The WordPress Admin should have a page rule that enforces a high security level, bypasses Cloudflare's cache, and disables apps + performance features in the admin area.

How can page rules improve speed?

Page rules can help with decreasing bandwidth used by the WP Uploads area, setting a higher Edge Cache TTL, and caching dynamic content. However, if you're looking to improve GTmetrix, configuring Cloudflare's speed tab in the dashboard is the best way.

How can page rules improve security?

Page rules can force SSL, forward XMLRPC URL requests, and lets you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.

How many page rules can I have?

You can add up to 3 page rules on Cloudflare's free plan, then $5/month for 5 more rules.

Have questions about these Cloudflare page rules, or have ideas of your own? Leave a comment below and I will get back to you as soon as I can. Otherwise, thanks for reading!

See Also: How I Got 100% GTmetrix Scores


About Tom Dupuis

Tom Dupuis writes WordPress speed and SEO tutorials out of his apartment in Denver, Colorado. In his spare time, he plays Rocket League and watches murder documentaries. Read his bio to learn 50 random and disturbing things about him.

13 thoughts on “8 Useful Cloudflare Page Rules For WordPress Sites

  1. Thanks for the article. Just a note, I keep seeing Railgun mentioned. That is only available for Business and Enterprise plans.

    1. Yes, it matters. If you use https://mysite.com/ the rule only applies to that exact URL. But if you use *https://mysite.com* you have an asterisk before and after the URL, so it would apply to the entire site.

      The only reason you would use a * before the URL is to make sure the rule applies to all www/non-www and http/https versions so you would use *mysite.com to do this. The 2nd * makes sure all URLs after the * are included which would include your entire site, since all content on your site includes that URL.

      Hope that helps. They’re basically used to apply rules to your full site, or certain sections of your site.

Leave a Reply

Your email address will not be published.