Looking to add the best Cloudflare page rules for WordPress?
Many of these page rules were taken directly from Cloudflare’s Page Rule YouTube video. They can help you save bandwidth, improve security, bypass Cloudflare’s caching where it’s not needed (e.g. your admin area), and even prevent spam bots from collecting your email address.
You should get familiar with how asterisks work and with the setting definitions in case you want to add page rules of your own. Cloudflare lets you reorder page rules to give certain ones priority over others. Since free accounts only give you 3 page rules, I would add #2, #5, and #7 in most cases.
1. Always Use HTTPS
The first page rule forces visitors to connect with HTTPS.
The pattern is recommended in Cloudflare’s page rules YouTube tutorial. The asterisks make sure no matter which variation is entered, all visits through HTTP will be redirected to HTTPS.
Alternatively, you can enable this in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3 page rules.
If your WordPress site is not using SSL, you can use the same pattern with Opportunistic Encryption (instead of Always Use HTTPS). Opportunistic Encryption allows visitors to access your site over an encrypted TLS channel. However, it shouldn’t be used as an SSL replacement.
2. Secure The WordPress Admin And Bypass Cache
Your WordPress Admin should have a few settings, which are combined into 1 page rule. This sets the security level to high and bypasses Cloudflare’s cache, since the wp-admin area shouldn’t be cached. It also disables Cloudflare apps and performance features in the admin (minify, Rocket Loader, Mirage, Polish), since these should only be used to speed up the frontend.
3. Don’t Cache Preview Pages
This bypasses Cloudflare’s cache on preview pages since you want to make sure you’re seeing the correct version.
4. Forward XMLRPC URLs
Attacks on XMLRPC are common, so this will forward requests for your xmlrpc.php file to any URL you choose (you can just use your homepage). This assumes you don’t need the REST API. I would test your website after adding this rule, since some websites/plugins may need it.
Disabling trackbacks/pingbacks in the WordPress Discussion settings also provides an additional layer of security against these attacks (and can save server resources as well).
5. Decrease Bandwidth Of WP Uploads
Since items in your WordPress uploads folder don’t change frequently, Cloudflare doesn’t need to fetch fresh copies of them as often. Setting Edge Cache TTL to a month saves bandwidth. If you need to update certain files/directories before the month is up, you can purge the individual files in Cloudflare.
In this page rule (and the next one), browser cache TTL is set to a day.
6. Make Important Pages Always Online
Always Online keeps pages online if your server goes down, and it can be turned on for your most important pages (homepage, contact, terms of service, etc). So in case anything happens with your WordPress site, at least those pages will still be up.
7. Enable Email Obfuscation On Contact Page Only
The problem with email obfuscation is that it loads a JS file (email-decode.min.js) on every page, which you may see in PageSpeed Insights. This is fine if your email appears sitewide (in your footer, for example), but isn’t ideal if you only list your email address on the contact page. In this case, you can set up a page rule to only use email obfuscation on a specific page. Email obfuscation hides your email address from bots while it stays visible to humans, a nice feature to prevent spam.
8. eCommerce Sites And Dynamic Content Using AJAX
Disclaimer: this page rule is from Cloudflare’s eCommerce best practices tutorial. I don’t personally run any WooCommerce sites so use the page rule at your own risk.
eCommerce sites include dynamic content which shouldn’t be cached, but you still want to cache everything else. Cloudflare recommends bypassing cache for AJAX requests, then using a cache everything page rule to cache everything else. This requires the next page rule. Just make sure the AJAX rule is ordered before the cache everything rule, which should be last.
9. Cache Everything
Cache everything is the most popular page rule.
But you should understand how it’s different from APO (purging, use of Workers KV storage, etc). I would rather spend the extra $5/mo on APO. If you don’t want to, you may want to use the Super Page Cache for Cloudflare plugin. Cache everything lets Cloudflare cache HTML, which can make a large improvement when testing your site in tools like KeyCDN’s performance test.
Some articles suggest the cache everything page rule is a bad idea, so test it yourself and benchmark results in KeyCDN.
Page Rule Terms
- Browser Integrity Check – Cloudflare will try to deny spammers from accessing your website and challenges visitors with suspicious user agents often used by abusive bots.
- Browser Cache TTL – amount of time Cloudflare instructs a visitor’s browser to cache a resource. You can increase it for pages that aren’t updated frequently to save bandwidth.
- Disable Performance – disables auto minify, Rocket Loader, Mirage, and Polish. These are all great to speed up the frontend, but they should be disabled for your WordPress admin.
- Edge Cache TTL – time Cloudflare’s edge servers cache a resource before going to the origin server for a fresh copy. You can also increase this for pages not updated frequently.
- Email Obfuscation – prevents spam by hiding your email address from bots while remaining visible to visitors (only applies if you list your email address on your website). Enabling this on the contact page (and other pages showing your email) can help prevent spam.
- Security Level – Cloudflare assigns IP addresses a threat score of 0-100. Your page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
- Cache Level – amount of caching done by Cloudflare (‘everything’ is most aggressive).
- Asterisk (*) – used in page rule URLs as a wildcard that matches any characters at that position. For example, if I used https://onlinemediamasters.com/wp-admin* as my URL and set the security level to high, that means all URLs with /wp-admin/ (and anything after) would have high security levels.
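To make the asterisk matching defined above and the ordering requirement from rules 8 and 9 concrete, here is an added example (not from Cloudflare or the original article) that models first-match rule evaluation and flags URLs that would receive the wrong cache level. The example.com patterns, the probe URLs, and the function names are assumptions, and the matcher is a simplified model of how page rule patterns are evaluated.

```python
import re

# Constructed rules for the hypothetical site example.com, highest priority
# first. Settings follow rules 2, 8 and 9 above; the URL patterns are assumed.
RULES = [
    ("example.com/wp-admin*", "bypass"),
    ("example.com/*ajax*", "bypass"),
    ("example.com/*", "cache_everything"),
]

# Constructed probe URLs mapped to the cache level each one should receive.
PROBES = {
    "https://example.com/wp-admin/post.php?post=7&action=edit": "bypass",
    "https://example.com/?wc-ajax=get_refreshed_fragments": "bypass",
    "https://example.com/blog/hello-world/": "cache_everything",
}


def pattern_to_regex(pattern):
    """'*' matches any run of characters; every other character is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def effective_cache_level(url, rules):
    """Return the cache level of the first matching rule, or None."""
    # Simplification: patterns here omit the scheme, so drop it from the URL.
    target = re.sub(r"^https?://", "", url)
    for pattern, cache_level in rules:
        if pattern_to_regex(pattern).match(target):
            return cache_level  # only one page rule applies per URL
    return None


def misrouted(rules, probes):
    """List probe URLs whose effective cache level differs from the expected one."""
    return sorted(url for url, want in probes.items()
                  if effective_cache_level(url, rules) != want)


if __name__ == "__main__":
    print("correct order  :", misrouted(RULES, PROBES))
    # Moving the catch-all rule to the top shadows both bypass rules.
    print("catch-all first:", misrouted(RULES[::-1], PROBES))
```

With the catch-all rule first, both the admin URL and the AJAX URL fall under cache everything, which is why the cache everything rule has to be last.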
Ensure Cloudflare Compatibility With Your Cache Plugin
In most cases, you will:
- Turn off Rocket Loader
- Set the Caching Level to Standard
- Set Browser Cache Expiration to 1 year
- Enable minify CSS/JS, but not always HTML
Cloudflare’s Page Rules YouTube Tutorial
I covered everything in here (except forwarding URLs), but you can watch the video:
Frequently Asked Questions
Which Cloudflare page rules are best for WordPress?
Caching everything and bypassing cache in wp-admin (as well as preview pages) are common page rules for WordPress. You can also use them to disable XML-RPC, use email obfuscation on specific pages, and keep important pages always online.
What do asterisks mean in Cloudflare page rules?
Asterisks serve as a wild card when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk.
Which Cloudflare page rule should I use for wp-admin?
The WordPress Admin should have a page rule that enforces a high security level, bypasses Cloudflare's cache, and disables apps + performance features in the admin area.
How do Cloudflare page rules improve security?
Page rules can force SSL, forward XMLRPC URL requests, and let you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.
How many Cloudflare page rules can I have?
You can add up to 3 page rules on Cloudflare's free plan, then $5/month for 5 more rules.