The 8 Best Cloudflare Page Rules For Any WordPress Site

If you are looking to add the best Cloudflare page rules for your WordPress website, then you are in the right place!

What these page rules will do are:

  • Save Bandwidth
  • Improve Security
  • Bypass WordPress Admin Caching
  • Prevent Spam Bots Collecting Email Addresses
  • and much more!

Do note, however, that Cloudflare free accounts only give you three different page rules, we will list the priority ones first in this tutorial.

As well as Page Rules though, don’t forget to configure the other settings in your Cloudflare dashboard and to use Firewalls rules to block bots from hitting your site excessively and consuming resources.

Rule 1. Secure the WordPress Admin and Bypass Cache

In your WordPress Admin Dashboard, you should have a few settings which we can combine in a single page rule. What we will do he is; set the security level to high and bypass Cloudflare’s cache (as there is no need to cache the admin area). We should also disable Cloudflare apps and performance features (such as minify, Rocket Loader, Mirage, Polish, etc…). We only want to speed these things up on the frontend, which is why we are disabling this in the admin backend.

So, for your page URL, you should use this:


yourwebsite.com/wp-admin*

Your page rules will end up looking like this:

2. Decrease Bandwidth Of WP Uploads

So, WordPress upload files do not change very often, there isn’t really a need to have to cache them as often which saves a lot of bandwidth. We can achieve this by setting Edge Cache TTL to a month. If you need to update certain files or directories before a month; you can always purge the cache for individual files within Cloudflare.

We are also going to be setting the browser cache TTL is set to a day. This sets the expiration time for resources cached in a visitor’s browser, an item often shown in GTmetrix.

So with these rules, your page URL would become:


yourwebsite.com/wp-content/uploads*

With your page rules looking something like this:

3. Stop Bots From Collecting Your Email

What this page rule will do is hide your email address from bots (so they don’t get used to spam you). The email address will still be fully visible within your website to humans though. The general rule here is enabling email obfuscation on any page that contains your email address which will, in turn, prevent your spam. You can also turn it on globally in Cloudflare’s Scrape Shield settings and then change this to be on any page.

Let’s say you only have a visible email address on the contact page, then we can simply add this page rule URL:


yourwebsite.com/contact

And your page rule settings would look as follows:

4. Don’t Cache Preview Pages

This simply will bypass Cloudflare’s cache if it’s in a preview page of a page or post. This helps especially when updating a live website, on a preview page you don’t want to see a cached version when performing updates right?

Page URL:

<code class="language-HTML">
yourwebsite.com/*preview=true*
<code>

And your page rule settings would look as follows:

5. Forward XMLRPC URLs

What this page rule will do is significantly improve the security of hackers using XMLRPC for their attacks. This forwards requests from your xmlrpc.php file to any URL on your site, i.e. your homepage.

Your Page URL will become:


yourwebsite.com/xmlrpc.php*

And your page rule settings will look as follows:

6. Make Important Pages Always Online

As it says, Always Online will keep your most important pages online if your server goes down and can be turned on for the most important pages of your website. As an example, this could be your homepage, contact page, portfolio page and so on...). So what this does is that if anything was to happen to your WordPress website, your most important pages will remain visible.

To do this, set your Page URL to:


yourwebsite.com/url-of-important-page

Then your page rules will look like this:

7. eCommerce Sites And Dynamic Content Using AJAX

eCommerce websites include dynamic content (which shouldn't be cached) but you still want to cache everything else. A good solution is to cache the entire page, but bypass the cache for dynamic (eCommerce) elements like AJAX requests. To achieve this, it requires using 2 separate page rules.

The first-page rule bypasses cache for AJAX requests:


yourwebsite.com/ajax*

This will result in something as per the below:

The second rule we will be adding caches everything else. When ordering page rules, make sure the AJAX rule is before the Cache Everything rule. In other words, this page rule should be ordered last.


yourwebsite.com/*

Which will result in the below:

8. A Rule to Force HTTPS connections

This forces all visitors to connect to your website through HTTPS. This means that all visits through HTTP will redirect to the HTTPS version.

This can be added as follows:


http://*yourwebsite.com/*

The page rules will look as follows:

However, since there is already an option, you can simply enable this in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3-page rules which is why we mentioned this one last.

Conclusion

So there you have it, you now know which Cloudflare page rules to implement on your WordPress website. In the beginning, we said that the first three page rules were the most important. However, this depends on the type of website that you have, so essentially, not every site is going to have the same page rule settings which are quite evident when it comes to whether you have a standalone blog WordPress website or an eCommerce website.

This should give you a general idea of what you should be adding and how your website can be optimised with Cloudflare. If you've not used Cloudflare and want to know the benefits it can provide to your website, we would recommend reading this post: 4 Reasons to Use a CDN for WordPress

Remember though, in this tutorial, we have only gone through the Page Rules we can use to optimise your WordPress website, there are other rules in which we are going to list below:

Additional Cloudflare Tweaks To Improve WordPress Speed

Rocket Loader is a great additional to improve page speed. However, if you are using WP Rocket plugin, then it might not be beneficial to use this setting. What we would test this with GTMetrix and compare the statistics with both options (enabled/disabled).

If you have upgraded to Railgun, then this makes sure requests that cannot be served from Cloudflare's cache are still fast.

Hotlink Protection prevents people from copying/pasting images from your website to theirs (possibly resulting in bandwidth savings). Especially helpful for sites using high quality images or people who want to protect the images on their website.

What about if I'm using WP Rocket? What should I do then?

If you are using WP Rocket's amazing caching plugin, then you can add your Cloudflare credentials within the settings:

  • Global API key is found in your Cloudflare profile
  • Account email should be same email used in Cloudflare
  • Zone ID is found on the 'Overview' tab of your dashboard

Optimal Settings allows WP Rocket to configure your Cloudflare settings for better compatibility with their plugin. However, it also turns on email obfuscation (resulting in a GTmetrix error on every page) and disables Rocket Loader which may be useful for your site.

Fortunately, WP Rocket has recommendations for configuring Cloudflare such as:

  • Set Caching Level to 'Standard'.
  • Enable Auto Minify for JavaScript, CSS and HTML.
  • Disable Rocket Loader to prevent conflicts.
  • Set Browser Cache Expiration to '1 year'.

What do these Page Rules Terms mean?

  • Always Online - This means keeping a limited version of your site online if your server was to go down for any reason. This is usually used for your most important pages (eg. homepage, shop, contact page, etc...).
  • Browser Integrity Check - This attempts to deny spammers from accessing your website and challenges visitors with a suspicious user agent commonly used by abusive bots.
  • Browser Cache TTL - This time Cloudflare instructs a visitor's browser to cache a resource. You can increase this for pages that aren't updated frequently to save on bandwidth.
  • Disable Performance - This turns off auto minify, Rocket Loader, Mirage, and Polish. These are great to speed up pages, but they should be disabled for your WordPress Admin area.
  • Edge Cache TTL - This time Cloudflare's edge servers cache a resource before going to the origin server for a fresh copy. You can also increase this for pages not updated frequently.
  • Email Obfuscation - This prevents spam by hiding your email address to bots while remaining visible to visitors. You would only use this if your email address is publically displayed on your website
  • Enabling this on the contact page (and other pages showing your email) can help prevent spam.
  • Security Level - By using this, Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
  • Cache Level - The amount of caching done by Cloudflare ('everything' is most aggressive option for this).
  • Asterik (*) - This is used in page rule URLs to match certain parameters. For example, if I used silvawebdesigns.com/wp-admin* as my URL, then I set the security level to high, that means all URLs with that contain anything with /wp-admin/ would have a high security level.

Do you have any questions?

Here we answer some of the most commonly asked questions regarding the setup of Cloudflare.

What do asterisks do in page rules?
Asterisks serve as a wild card when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk. If you use *yourwebsite.com* as an example, this would include anything before or after, in this scenario, it would also include sub-domains.

What is best Page Rule for the WP Admin?
The WordPress Admin should have a page rule that enforces a high-security level, bypasses Cloudflare's cache, and disables apps + performance features in the admin area. Since WordPress security isn't the greatest since it's so commonly used these days, this would be one of the main priorities of our website.

How can page rules improve speed?
What Page Rules will do is help with decreasing the bandwidth used by the WP Upload area, set a higher Edge Cache TTL and it will cache any dynamic content with the right page rules. On the other hand, if you are looking to simply improve your page speed results (i.e. GTMetrix), configuring Cloudflare's speed tab in the options dashboard is the way forward.

How can page rules improve security?
With Page Rules, this can force SSL, forward XMLRPC URL requests, and lets you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.

How many page rules can I have?
You can add up to 3-page rules on Cloudflare's free plan, it will then cost you $5/month for 5 more rules. You can find out more about Cloudflare's pricing if you do wish to upgrade here.


And that finally wraps everything up! If you have any questions about these page rules then don't hesitate to get in touch, we'd love to help you. If you have any better implementations, then we are all ears, let us know.

Drop us a comment below if this has helped and as always; thanks for reading! 🙂

 

Nathan da Silva - Profile

Posted by: Nathan da Silva

Nathan is the Founder of Silva Web Designs. He is passionate about web development, website design and basically anything digital related. His main expertise is with WordPress, Magento, Shopify as well as many other frameworks. Whether you need responsive design, SEO, speed optimisation or anything else in the world of digital then get in touch. If you would like to work with Nathan, simply drop him an email at [email protected]

It’s good to share

4 Reasons to Use a CDN for WordPress

The Internet and any client has a need for speed; that much everyone already knows. But why is this so important for your WordPress site, and why should you use a CDN for WordPress to help with your site’s loading times?

You’ve probably seen the 3 second loading time chart many times. It, and countless charts just like it, are everywhere.

There’s a reason for that though – page loading time can massively affect conversions; it’s as simple as that. And what are most WordPress sites aimed at, ultimately? I know that my sites are all focused on somehow making money. Whether they’re affiliate sites or service-based websites, they’re all aimed at converting!

If loading times affect conversions, then fixing issues with speed is a good thing to do.

Here are four reasons that you may want to use a CDN for WordPress sites that you build or manage.

1. Your Site Will Load Faster with a CDN

This is one of the strongest selling points of setting up a CDN for WordPress.

One of the biggest speed killers for your website is distance. Specifically, the distance between your hosting server and the visitor’s browser. Whilst the size of your page makes a real difference, the distance the content has to travel can definitely be the largest bottleneck in website loading speeds.

Ideally, your visitor needs to be as physically close to the hosting server as possible.

Unfortunately, setting up a hosting server at a location which is physically close to any one particular visitor is all but impossible — unless you are setting up a CDN, that is.

The very idea of a Content Delivery Network (CDN) is exactly that. A CDN’s primary purpose is to set up as many servers as possible in different geographical locations, such that anybody who hits the service is as physically close as possible to one of the locations.

Have a look at the following image from CloudFlare which explains the concept perfectly, this shows the Cloudflare network powered by 165 data centers around the world:-

You can see that there are many CDN server points. In this manner, all visitors, in any location in the world, are always served content from a location which is (relatively speaking) near to them.

Hosting static content on a CDN network is the closest you can get to creating a global hosting setup for your website.

2. Your Website Will be Safer with a CDN

The next reason why a CDN is essential for your website is security.

Did you know that more than 51% of the web’s traffic actually comes from bots rather than humans?

The worst thing about it is that above 29% of web traffic comes from malicious bots.

That means your website is constantly under a deluge of bad bot traffic. If you’ve ever taken a look at analytics data, or used a security plugin like WordFence, you’re already aware of this fact.

These bots are constantly probing your site for vulnerabilities. If you slip slightly in your security efforts, if you have not chosen a good WordPress host, or if you miss a WordPress security update or a plugin update, rest assured your site will soon be suffering the consequences.

Most CDNs are able to identify and block bad bots rapidly, making your site safer when plugged into a CDN. The collective knowledge gained by the network can be used to prevent attacks on your own sites.

3. Your Site is Protected Against Traffic Based Attacks with a CDN

I’m sure you’ve been stuck in traffic at least a few times in your life. I know I have. Getting stuck in traffic is a waste of productive time and money.

The same concept applies to your website.

However, it’s even worse when somebody purposely sends an overwhelming amount of traffic to your website.

In a Distributed Denial of Service (DDoS) attack, an army of compromised web servers or computers (or even IoT devices) are recruited to send so much traffic to your website, that your legitimate users unable to access it.

If your website is the lifeline of your business, a DDoS attack can literally bring your business to a standstill. Regardless of whether you’re on a shared hosting server or a dedicated server, your website won’t be able to keep up with the flood of traffic.

The same concept used by a CDN to make your website fast, can also work in your favour by absorbing malicious traffic over a global network of servers fronting your website.

Most CDN implementations use the concept of reverse proxy to serve your website. The reverse proxy will be the CDN server network.

This means that your website’s visitors will hit the CDN server closest to them before they hit your site’s actual server.

In this manner, any malicious traffic is intercepted before it actually gets to your server. CDNs have intelligent algorithms which are able to identify malicious DDoS traffic and kill it.

Incapsula, MaxCDN, KeyCDN, CloudFlare and most of the top players all have support for mitigating traffic-based attacks.

4. Faster Web Design and Development

When you’re creating a WordPress site which is meant to be fully optimised for performance, you’re going to have to perform a number of additional implementation steps.

You’ll be looking for an image optimisation plugin, a content minification and combination plugin, a static and dynamic content caching plugin, and other tools to fully optimise the WordPress website. While it may be possible that one or two plugins are able to actually serve most of your optimisation needs, you’ll still need to perform additional testing to ensure the plugins are able to operate correctly.

Personally, I’ve found that optimising with various plugins is a nightmare of epic proportions.

CDNs are actually able to perform all of the above mentioned optimisations in one fell swoop. Image optimisation, dynamic file compression, static and dynamic content caching are all built-in into the CDN.

Coupled with that, there are other optimisations such as Custom Content caching rules to fix any problems with specific plugins on your site.

Most of these performance optimisations are going to be hard to achieve with your typical WordPress plugin.

Such stuff as session reuse optimisation (particularly for HTTPS websites), TCP Connection pre-pooling and rapid purging all improve the optimisation.

Other improvements such as improving the SSL/TLS handshake process would not be something which the typical developer would be capable of optimising by themselves. Having this completely handled by the CDN gives a significant boost, particularly to HTTPS websites, which unfortunately take a hit in performance when enabling HTTPS.

All of these above optimisations decrease the design and development time with the website whilst pushing the performance envelope as far as it can get.

A CDN catering for all of the above will drastically reduce the time spent on optimisation.

Conclusion

Speed is typically the most obvious benefit of using a CDN that people will mention over and over again.

While the website loading speed is a critical component, and an essential justification for setting up a CDN, this should not be the only selling point.

The other points mentioned, particularly performance, security, protection and better optimisation are just as important as website loading speed.

At the moment, we use CloudFlare CDN for our web sites. We customise the settings for our clients to give their web sites the best possible results in terms on SEO and Site Speed.

 

Nathan da Silva - Profile

Posted by: Nathan da Silva

Nathan is the Founder of Silva Web Designs. He is passionate about web development, website design and basically anything digital related. His main expertise is with WordPress, Magento, Shopify as well as many other frameworks. Whether you need responsive design, SEO, speed optimisation or anything else in the world of digital then get in touch. If you would like to work with Nathan, simply drop him an email at [email protected]

It’s good to share