9 Cloudflare Page Rules For WordPress Sites (But Most Sites Only Need 3 Of Them)

Cloudflare page rules wordpress

https://support.cloudflare.com/hc/en-us/articles/218411427#h_18YTlvNlZET4Poljeih3TJ

Looking to add the best Cloudflare page rules for WordPress?

Many of these page rules were taken directly from Cloudflare’s Page Rule YouTube video. They can help you save bandwidth, improve security, bypass Cloudflare’s caching where it’s not needed (eg. your admin area), and even prevent spam bots from collecting your email address.

You should get familiar with how asterisks work and setting definitions in case you want to add page rules of your own. Cloudflare lets you reorder page rules to give certain ones priority over others. Since free accounts only give you 3 page rules, I would add #2, #5, and #7 in most cases.

Finally, don’t forget to configure other settings in your Cloudflare dashboard and to use Firewalls rules to block bad bots from hitting your site excessively and consuming resources.

Cloudflare page rules for wordpress

 

1. Always Use HTTPS

The first page rule forces visitors to connect with HTTPS.

The pattern is recommended in Cloudflare’s page rules YouTube tutorial. The asterisks make sure no matter which variation is entered, all visits through HTTP will be redirected to HTTPS.

https://*yourwebsite.com/*

Cloudflare always use https page rule

Alternatively, you can enable this in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3 page rules.

If your WordPress site is not using SSL, you can use the same pattern only with opportunistic encryption (instead of Always Use HTTPS). Opportunistic encyption allows visitors to access your site over an encrypted TLS channel. However, it shouldn’t be used as an SSL replacement.

Cloudflare opportunistic encryption page rule

 

2. Secure The WordPress Admin And Bypass Cache

Your WordPress Admin should have a few settings which are combined into 1 page rule. This sets the security level to high and bypasses Cloudflare’s cache since the wp-admin area shouldn’t be cached. It also disables Cloudflare apps and performance features in the admin (minify, Rocket Loader, Mirage, Polish) since these should only used to speed up the frontend.

yourwebsite.com/wp-admin*

Cloudflare wordpress admin page rule

 

3. Don’t Cache Preview Pages

This bypasses Cloudflare’s cache on preview pages since you want to make sure you’re seeing the correct version.

yourwebsite.com/*preview=true*

Cloudflare wordpress preview page rule

 

4. Forward XMLRPC URLs

Attacks on XMLRPC are common, so this will forward requests from your xmlrpc.php file to any URL you choose (you can just use your homepage). This assumes you don’t need the Rest API and I would test your website after adding this rule, since some websites/plugins may need it.

yourwebsite.com/xmlrpc.php*

Cloudflare xmlrpc page rule

Disabling trackbacks/pingbacks in the WordPress Discussion settings also provides an additional layer of security against these attacks (and can saves server resources as well).

Disable trackbacks pingbacks wordpress

 

5. Decrease Bandwidth Of WP Uploads

Since items in your WordPress uploads file don’t change frequently, you don’t have to cache them as often which saves bandwidth by setting Edge Cache TTL to a month. If you need to update certain files/directories before a month, you can purge the individual files in Cloudflare.

In this page rule (and the next one), browser cache TTL is set to a day.

yourwebsite.com/wp-content/uploads*

Cloudflare wp uploads page rule

 

6. Make Important Pages Always Online

Always Online keeps your most important pages online if your server goes down and can be turned on for your most important pages (homepage, contact, terms of service, etc). So in case anything happens with your WordPress site, at least your most important pages will still be up.

yourwebsite.com/important-page

Cloudflare always online page rule

 

7. Enable Email Obfuscation On Contact Page Only

The problem with email obfuscation is it loads a JS file (email-decode.min.js) on every page which you may see in PageSpeed Insights. This is fine if your email appears sitewide like your footer, but isn’t ideal if you only list your email address on the contact page. In this case, you can set up a page rule to only use email obfuscation on a specific page. Email obfuscation will hide your email address from bots but it stays visible to humans, a nice feature to prevent spam.

Cloudflare email obfuscation psi

yourwebsite.com/contact

Cloudflare email obfuscation page rule

 

8. eCommerce Sites And Dynamic Content Using AJAX

Disclaimer: this page rule is from Cloudflare’s eCommerce best practices tutorial. I don’t personally run any WooCommerce sites so use the page rule at your own risk.

eCommerce sites include dynamic content which shouldn’t be cached, but you still want to cache everything else. Cloudflare recommends bypassing cache for AJAX requests then using a cache everything page rule to cache everything else. This will require the next page rule, just make sure the ordering of the AJAX rule is before the cache everything rule which will be last.

yourwebsite.com/ajax*

Cloudflare dynamic content page rule

 

9. Cache Everything

Cache everything is the most popular page rule.

But you should understand how it’s different than APO (purging, use of Workers KV storage, etc). I would rather spend the extra $5/mo on APO or if you don’t want to, you may want to use the Super Page Cache for Cloudflare plugin. Cache everything lets Cloudflare cache HTML which can make a large improvement when testing your site in tools like KeyCDN’s performance test.

Some articles suggest the cache everything page rule is a bad idea, so test it yourself and benchmark results in KeyCDN.

yourwebsite.com/*

Cloudflare cache everything page rule

Keycdn-performance-test
Caching HTML can significantly improve TTFB in multiple global locations

 

Page Rule Terms

  • Always Online – keeps a limited version of your site online if your server goes down. Usually used for your most important pages (eg. terms of service, privacy policy, etc).
  • Browser Integrity Check – Cloudflare will try to deny spammers from accessing your website and challenges visitors with suspicious user agents often used by abusive bots.
  • Browser Cache TTL – amount of time Cloudflare instructs a visitor’s browser to cache a resource. You can increase it for pages that aren’t updated frequently to save bandwidth.
  • Disable Performance – disables auto minify, Rocket Loader, Mirage, and Polish. These are all great to speed up the frontend, but they should be disabled for your WordPress admin.
  • Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to the origin server for a fresh copy. You can also increase this for pages not updated frequently.
  • Email Obfuscation – prevents spam by hiding your email address to bots while remaining visible to visitors (only applies if you list your email address on your website). Enabling this on the contact page (and other pages showing your email) can help prevent spam.
  • Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Your page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
  • Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
  • Asterik (*) – used in page rule URLs to match certain parameters. For example, if I used https://onlinemediamasters.com/wp-admin* as my URL and set the security level to high, that means all URLs with /wp-admin/ (and anything after) would have high security levels.

 

Ensure Cloudflare Compatibility With Your Cache Plugin

WP Rocket, FlyingPress, LiteSpeed Cache and most other cache plugins have documentation to ensure compatibility as well as their recommended Cloudflare settings. Make sure you check it!

In most cases, you will:

  • Turn off Rocket Loader
  • Set the Caching Level to Standard
  • Set Browser Cache Expiration to 1 year
  • Enable minify CSS/JS, but not always HTML

Wp rocket cloudflare settings

 

Cloudflare’s Page Rules YouTube Tutorial

I covered everything in here (except forwarding URLs), but you can watch the video:

 

Frequently Asked Questions

Which Cloudflare page rules are best for WordPress?

Caching everything and bypassing cache in wp-admin (as well as preview pages) are common page rules for WordPress. You can also use them to disable XML-RPC, use email obfuscation on specific pages, and keep important pages always online.

What do asterisks mean in Cloudflare page rules?

Asterisks serve as a wild card when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk.

Which Cloudflare page rule should I use for wp-admin?

The WordPress Admin should have a page rule that enforces a high security level, bypasses Cloudflare's cache, and disables apps + performance features in the admin area.

How do Cloudflare page rules improve security?

Page rules can force SSL, forward XMLRPC URL requests, and lets you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.

How many Cloudflare page rules can I have?

You can add up to 3 page rules on Cloudflare's free plan, then $5/month for 5 more rules.

Have questions? Leave a comment and I’ll get back to you as soon as I can. Thanks for reading!

Cheers,
Tom

You Might Also Like:

11 thoughts on “9 Cloudflare Page Rules For WordPress Sites (But Most Sites Only Need 3 Of Them)”

  1. Thanks for the article. Just a note, I keep seeing Railgun mentioned. That is only available for Business and Enterprise plans.

    Reply
    • Yes, it matters. If you use https://mysite.com/ the rule only applies to that exact URL. But if you use *https://mysite.com* you have an asterisk before and after the URL, so it would apply to the entire site.

      The only reason you would use a * before the URL is to make sure the rule applies to all www/non-www and http/https versions so you would use *mysite.com to do this. The 2nd * makes sure all URLs after the * are included which would include your entire site, since all content on your site includes that URL.

      Hope that helps. They’re basically used to apply rules to your full site, or certain sections of your site.

      Reply

Leave a Comment