Looking to add the best Cloudflare page rules for WordPress?
Many of these page rules were taken directly from Cloudflare’s Page Rule YouTube tutorial. They can help you save bandwidth, improve security, bypass Cloudflare’s caching where it’s not needed (eg. your admin area), and even prevent spam bots from collecting your email address.
You should get familiar with how asterisks work and setting definitions in case you want to add page rules of your own. Cloudflare lets you reorder page rules to give certain ones priority over others. Since free accounts only give you 3 page rules, I would add #2, #5, and #7 in most cases.
Here are the recommended page rules for WordPress:
1. Always Use HTTPS
The first page rule forces all visitors to connect to your website through HTTPS.
The pattern below is the one you want to use and is recommended in Cloudflare’s page rules YouTube tutorial. The two asterisks make sure that no matter what variation of your website is entered (whether before or after), all visits through HTTP will redirect to the HTTPS version.
Alternatively, you can enable this in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3 page rules.
If your WordPress site is not using SSL, you can use the same pattern, only with Opportunistic Encryption (instead of Always Use HTTPS). Opportunistic Encryption allows users to access your website over an encrypted TLS channel. However, this shouldn’t be used as a replacement for adding SSL. So if your website is using SSL, only use the first “Always Use HTTPS” page rule.
2. Secure The WordPress Admin And Bypass Cache
Your WordPress Admin should have a few settings which are combined into 1 page rule. This sets the security level to high and bypasses Cloudflare’s cache (the admin area should never be cached). It also disables Cloudflare apps and performance features (minify, Rocket Loader, Mirage, Polish) inside the admin since these are only used to speed up the frontend of your site.
3. Don’t Cache Preview Pages
This simply bypasses Cloudflare’s cache if it’s a preview of a page/post.
4. Forward XMLRPC URLs
This page rule improves security against hackers using XMLRPC for attacks. It forwards requests for your xmlrpc.php file to any URL on your site (you can just use your homepage).
Disabling trackbacks/pingbacks in the WordPress Discussion settings also provides an additional layer of security against these attacks (and it can also save server resources).
5. Decrease Bandwidth Of WP Uploads
Since items in your WordPress uploads folder do not change frequently, Cloudflare doesn’t need to fetch fresh copies of them as often. Setting Edge Cache TTL to a month saves bandwidth. If you need to update certain files/directories before a month, you can purge the individual files in Cloudflare.
In this page rule and future ones in this post, the browser cache TTL is set to a day. This sets the expiration time for resources cached in a visitor’s browser, an item often shown in GTmetrix.
6. Make Important Pages Always Online
Always Online keeps your most important pages online if your server goes down and can be turned on for your most important pages (homepage, contact, terms of service, etc). So in case anything happens with your WordPress site, at least your most important pages will still be up.
7. Stop Bots From Collecting Your Email
This page rule enables email obfuscation on your contact page which hides your email address from bots (so they don’t send you spam). The email address will still be visible to humans. You should enable email obfuscation on any page that contains your email address to prevent spam, or turn it on globally in Cloudflare’s Scrape Shield settings. You can change this to be any page.
You can enable email obfuscation globally in your Cloudflare Scrape Shield settings, but this usually results in a GTmetrix error (email-decode.min.js). That’s why email obfuscation should only be enabled on pages showing your email address using Cloudflare’s page rules. The only time you should enable this globally is if you list your email address on your entire website (eg. your footer) and want to prevent spam. The GTmetrix error shouldn’t impact load times much.
8. eCommerce Sites And Dynamic Content Using AJAX
eCommerce websites include dynamic content (which shouldn’t be cached) but you still want to cache everything else. A good solution is to cache the entire page, but bypass the cache for dynamic (eCommerce) elements like AJAX requests. This requires using 2 separate page rules.
The first page rule bypasses cache for AJAX requests:
The second page rule caches everything else. When ordering page rules, make sure the AJAX rule is before the Cache Everything rule. In other words, this page rule should be ordered last.
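The ordering requirement above can be checked offline before you touch the dashboard. This is an added example, not code from the original post or from Cloudflare: it models page rules as "first matching rule wins" with `*` as a wildcard, and the `example.com` patterns, the `wc-ajax=` pattern, and the sample URLs are constructed assumptions.

```python
import re

def compile_pattern(pattern):
    """Translate a page-rule URL pattern: '*' matches any run of characters."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def first_match(rules, url):
    """Return the first rule, in priority order, whose pattern matches the whole URL."""
    for rule in rules:
        if compile_pattern(rule["pattern"]).fullmatch(url):
            return rule
    return None

# Constructed rules (assumed patterns; substitute your own domain and paths).
ADMIN = {"name": "admin", "pattern": "*example.com/wp-admin*",
         "cache_level": "bypass", "security_level": "high"}
AJAX = {"name": "ajax", "pattern": "*example.com/*wc-ajax=*",
        "cache_level": "bypass"}
CACHE_ALL = {"name": "cache-all", "pattern": "*example.com/*",
             "cache_level": "cache_everything"}

GOOD_ORDER = [ADMIN, AJAX, CACHE_ALL]   # Cache Everything ordered last
BAD_ORDER = [CACHE_ALL, ADMIN, AJAX]    # Cache Everything shadows the bypass rules

# Constructed URLs that must never be served from the edge cache.
MUST_BYPASS = [
    "https://www.example.com/wp-admin/post.php?post=12&action=edit",
    "https://example.com/?wc-ajax=get_refreshed_fragments",
]

def cached_by_mistake(rules, urls):
    """List (url, rule name) pairs where a sensitive URL resolves to Cache Everything."""
    flagged = []
    for url in urls:
        rule = first_match(rules, url)
        if rule is not None and rule["cache_level"] == "cache_everything":
            flagged.append((url, rule["name"]))
    return flagged

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, "->", cached_by_mistake(rules, MUST_BYPASS) or "no sensitive URL cached")
```

With the Cache Everything rule first, both the admin edit screen and the AJAX request resolve to it, which is how logged-in or per-user responses end up in a shared cache.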
Page Rule Terms
- Browser Integrity Check – attempts to deny spammers from accessing your website and challenges visitors with suspicious user agents commonly used by abusive bots.
- Browser Cache TTL – time Cloudflare instructs a visitor’s browser to cache a resource. You can increase this for pages that aren’t updated frequently to save on bandwidth.
- Disable Performance – turns off auto minify, Rocket Loader, Mirage, and Polish. These are great to speed up pages, but they should be disabled for your WordPress admin.
- Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to origin server for a fresh copy. You can also increase this for pages not updated frequently.
- Email Obfuscation – prevents spam by hiding your email address to bots while remaining visible to visitors (only applies if you list your email address on your website). Enabling this on the contact page (and other pages showing your email) can help prevent spam.
- Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
- Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
- Asterisk (*) – used in page rule URLs to match certain parameters. For example, if I used onlinemediamasters.com/wp-admin* as my URL and set the security level to high, all URLs with /wp-admin/ (and anything after) would have a high security level.
Additional Cloudflare Tweaks To Improve WordPress Speed
Railgun – makes sure requests that cannot be served from Cloudflare’s cache are still fast.
Hotlink Protection – prevents people from copying/pasting images from your website to theirs (possibly resulting in bandwidth savings). Especially helpful for sites using high quality images.
Enabling Cloudflare Compatibility In WP Rocket
If you’re using WP Rocket, add your Cloudflare credentials in the settings:
- Global API key is found in your Cloudflare profile
- Account email should be same email used in Cloudflare
- Zone ID is found on the “Overview” tab of your dashboard
Optimal Settings allows WP Rocket to configure your Cloudflare settings for better compatibility with their plugin. However, it also turns on email obfuscation (resulting in a GTmetrix error on every page) and disables Rocket Loader which may be useful for your site.
WP Rocket also has recommendations for configuring Cloudflare:
- Set Caching Level to “Standard”.
- Disable Rocket Loader to prevent conflicts.
- Set Browser Cache Expiration to “1 year”.
Remember to activate the Cloudflare add-on:
I personally don’t use Cloudflare’s WordPress plugin since it has horrible reviews.
Cloudflare’s Page Rules YouTube Tutorial
I covered everything in here (except forwarding URLs), but you can watch the video:
Frequently Asked Questions
🔶 What do asterisks do in page rules?
Asterisks serve as a wild card when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk.
🔶 Which page rule is best for the WP Admin?
The WordPress Admin should have a page rule that enforces a high security level, bypasses Cloudflare's cache, and disables apps + performance features in the admin area.
🔶 How can page rules improve speed?
Page rules can help with decreasing bandwidth used by the WP Uploads area, setting a higher Edge Cache TTL, and caching dynamic content. However, if you're looking to improve GTmetrix, configuring Cloudflare's speed tab in the dashboard is the best way.
🔶 How can page rules improve security?
Page rules can force SSL, forward XMLRPC URL requests, and let you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.
🔶 How many page rules can I have?
You can add up to 3 page rules on Cloudflare's free plan, then $5/month for 5 more rules.
Have questions about these Cloudflare page rules, or have ideas of your own? Leave a comment below and I will get back to you as soon as I can. Otherwise, thanks for reading!