If you are looking to add the best Cloudflare page rules for your WordPress website, then you are in the right place!
What these page rules will do:
- Save Bandwidth
- Improve Security
- Bypass WordPress Admin Caching
- Prevent Spam Bots Collecting Email Addresses
- and much more!
Do note, however, that Cloudflare free accounts only give you three page rules, so we will list the priority ones first in this tutorial.
As well as Page Rules, don’t forget to configure the other settings in your Cloudflare dashboard and to use Firewall rules to block bots from hitting your site excessively and consuming resources.
1. Secure the WordPress Admin and Bypass Cache
For your WordPress Admin Dashboard, there are a few settings which we can combine in a single page rule. What we will do here is set the security level to high and bypass Cloudflare’s cache (as there is no need to cache the admin area). We should also disable Cloudflare apps and performance features (such as minify, Rocket Loader, Mirage, Polish, etc.). We only want these speed-ups on the frontend, which is why we are disabling them in the admin backend.
So, for your page URL, you should use this:
Your page rules will end up looking like this:
2. Decrease Bandwidth Of WP Uploads
WordPress upload files do not change very often, so Cloudflare does not need to fetch fresh copies of them from your server very often, which saves a lot of bandwidth. We can achieve this by setting Edge Cache TTL to a month. If you need to update certain files or directories before the month is up, you can always purge the cache for individual files within Cloudflare.
So with these rules, your page URL would become:
With your page rules looking something like this:
3. Stop Bots From Collecting Your Email
What this page rule will do is hide your email address from bots (so it doesn’t get used to spam you). The email address will still be fully visible to humans on your website. The general rule here is to enable email obfuscation on any page that contains your email address, which will, in turn, help prevent spam. You can also turn it on globally in Cloudflare’s Scrape Shield settings and then change this on any page.
Let’s say you only have a visible email address on the contact page, then we can simply add this page rule URL:
And your page rule settings would look as follows:
4. Don’t Cache Preview Pages
This will simply bypass Cloudflare’s cache when the request is for a preview of a page or post. This helps especially when updating a live website: on a preview page you don’t want to see a cached version while making changes, right?
yourwebsite.com/*preview=true*
And your page rule settings would look as follows:
5. Forward XMLRPC URLs
What this page rule will do is significantly improve your security against hackers who use XMLRPC for their attacks. It forwards requests for your xmlrpc.php file to another URL on your site, e.g. your homepage.
Your Page URL will become:
And your page rule settings will look as follows:
6. Make Important Pages Always Online
As the name says, Always Online will keep your most important pages online if your server goes down, and it can be turned on for just those pages (for example, your homepage, contact page, portfolio page and so on). This means that if anything were to happen to your WordPress website, your most important pages would remain visible.
To do this, set your Page URL to:
Then your page rules will look like this:
7. eCommerce Sites And Dynamic Content Using AJAX
eCommerce websites include dynamic content (which shouldn't be cached), but you still want to cache everything else. A good solution is to cache the entire page but bypass the cache for dynamic (eCommerce) elements like AJAX requests. Achieving this requires 2 separate page rules.
The first page rule bypasses cache for AJAX requests:
This will result in something as per the below:
The second rule we will be adding caches everything else. When ordering page rules, make sure the AJAX rule is before the Cache Everything rule. In other words, the Cache Everything rule should be ordered last.
Which will result in the below:
8. A Rule to Force HTTPS connections
This forces all visitors to connect to your website through HTTPS. This means that all visits through HTTP will redirect to the HTTPS version.
This can be added as follows:
The page rules will look as follows:
However, since there is already an option for this, you can simply enable it in your Cloudflare dashboard under SSL/TLS → Edge Certificates → Always Use HTTPS. This saves you from having to use one of your 3 page rules, which is why we mentioned this one last.
So there you have it, you now know which Cloudflare page rules to implement on your WordPress website. In the beginning, we said that the first three page rules were the most important. However, this depends on the type of website that you have, so not every site is going to have the same page rule settings, which is quite evident when you compare a standalone WordPress blog with an eCommerce website.
This should give you a general idea of what you should be adding and how your website can be optimised with Cloudflare. If you've not used Cloudflare and want to know the benefits it can provide to your website, we would recommend reading this post: 4 Reasons to Use a CDN for WordPress
Remember though, in this tutorial we have only gone through the Page Rules we can use to optimise your WordPress website. There are other settings, which we list below:
Additional Cloudflare Tweaks To Improve WordPress Speed
Rocket Loader is a great addition to improve page speed. However, if you are using the WP Rocket plugin, then it might not be beneficial to use this setting. We would test this with GTmetrix and compare the statistics with both options (enabled/disabled).
If you have upgraded to Railgun, then this makes sure requests that cannot be served from Cloudflare's cache are still fast.
Hotlink Protection prevents people from embedding images from your website directly on theirs (possibly resulting in bandwidth savings). This is especially helpful for sites using high-quality images or for people who want to protect the images on their website.
What about if I'm using WP Rocket? What should I do then?
If you are using WP Rocket's amazing caching plugin, then you can add your Cloudflare credentials within the settings:
- Global API key is found in your Cloudflare profile
- Account email should be the same email used in Cloudflare
- Zone ID is found on the 'Overview' tab of your dashboard
Optimal Settings allows WP Rocket to configure your Cloudflare settings for better compatibility with their plugin. However, it also turns on email obfuscation (resulting in a GTmetrix error on every page) and disables Rocket Loader which may be useful for your site.
Fortunately, WP Rocket has recommendations for configuring Cloudflare such as:
- Set Caching Level to 'Standard'.
- Disable Rocket Loader to prevent conflicts.
- Set Browser Cache Expiration to '1 year'.
What do these Page Rules Terms mean?
- Always Online - This means keeping a limited version of your site online if your server were to go down for any reason. This is usually used for your most important pages (e.g. homepage, shop, contact page, etc.).
- Browser Integrity Check - This attempts to deny spammers from accessing your website and challenges visitors with a suspicious user agent commonly used by abusive bots.
- Browser Cache TTL - This is the length of time Cloudflare instructs a visitor's browser to cache a resource. You can increase this for pages that aren't updated frequently to save on bandwidth.
- Disable Performance - This turns off auto minify, Rocket Loader, Mirage, and Polish. These are great to speed up pages, but they should be disabled for your WordPress Admin area.
- Edge Cache TTL - This is the length of time Cloudflare's edge servers cache a resource before going to the origin server for a fresh copy. You can also increase this for pages not updated frequently.
- Email Obfuscation - This prevents spam by hiding your email address from bots while it remains visible to visitors. You would only use this if your email address is publicly displayed on your website.
- Enabling this on the contact page (and other pages showing your email) can help prevent spam.
- Security Level - By using this, Cloudflare assigns IP addresses a threat score of 0-100. Page rules can be created to assign high security to WordPress admin and sensitive areas of your site.
- Cache Level - The amount of caching done by Cloudflare ('everything' is the most aggressive option for this).
- Asterisk (*) - This is used in page rule URLs as a wildcard to match certain parameters. For example, if I used silvawebdesigns.com/wp-admin* as my URL and set the security level to high, all URLs that start with silvawebdesigns.com/wp-admin would have a high security level.
Do you have any questions?
Here we answer some of the most commonly asked questions regarding the setup of Cloudflare.
What do asterisks do in page rules?
Asterisks serve as a wildcard when using a URL in the page rule. For example, yourwebsite.com* would include any URL variation that comes after the asterisk. If you use *yourwebsite.com* as an example, this would include anything before or after; in this scenario, it would also include sub-domains.
What is the best Page Rule for the WP Admin?
The WordPress Admin should have a page rule that enforces a high security level, bypasses Cloudflare's cache, and disables apps and performance features in the admin area. Since WordPress is so commonly used these days and its security isn't the greatest, this would be one of the main priorities of our website.
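The wildcard behaviour described above, together with the rule-ordering point from the eCommerce section, modelled as a short Python script. This is an added example, not code from the original post or from Cloudflare: the matcher is a simplified model, and the rule names, sample URLs and the `yourwebsite.com/*ajax*` pattern are constructed for illustration.

```python
import re

def compile_pattern(pattern):
    """Simplified model of a page rule URL pattern: '*' matches any run of
    characters (including none); everything else is matched literally."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if "://" not in pattern:
        # A pattern written without a scheme applies to both http and https.
        body = r"https?://" + body
    return re.compile(body)

def matches(pattern, url):
    return compile_pattern(pattern).fullmatch(url) is not None

def first_match(rules, url):
    """Rules are listed in priority order; only the first match applies."""
    for name, pattern in rules:
        if matches(pattern, url):
            return name
    return None

def uncovered(pattern, urls):
    """Return the URLs that a rule pattern does NOT cover."""
    return [u for u in urls if not matches(pattern, u)]

# Constructed sample URLs and rule names (assumptions for illustration).
ADMIN_URLS = [
    "https://yourwebsite.com/wp-admin/",
    "https://yourwebsite.com/wp-admin/post.php?post=1&action=edit",
    "https://yourwebsite.com/wp-login.php",
]
AJAX_URL = "https://yourwebsite.com/?wc-ajax=get_refreshed_fragments"
AJAX_FIRST = [("bypass-ajax", "yourwebsite.com/*ajax*"),
              ("cache-everything", "yourwebsite.com/*")]
CACHE_FIRST = list(reversed(AJAX_FIRST))

if __name__ == "__main__":
    print("not covered by wp-admin*:",
          uncovered("yourwebsite.com/wp-admin*", ADMIN_URLS))
    sub = "https://shop.yourwebsite.com/"
    print("sub-domain vs yourwebsite.com*  :", matches("yourwebsite.com*", sub))
    print("sub-domain vs *yourwebsite.com* :", matches("*yourwebsite.com*", sub))
    print("AJAX rule first  ->", first_match(AJAX_FIRST, AJAX_URL))
    print("cache rule first ->", first_match(CACHE_FIRST, AJAX_URL))
```

In this model the login form at wp-login.php falls outside a wp-admin* pattern, so it does not pick up the admin rule's settings, and placing the Cache Everything rule first means the AJAX bypass rule is never reached.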
How can page rules improve speed?
Page Rules help decrease the bandwidth used by the WP Upload area, let you set a higher Edge Cache TTL and, with the right page rules, cache any dynamic content. On the other hand, if you are simply looking to improve your page speed results (e.g. GTmetrix), configuring Cloudflare's speed tab in the options dashboard is the way forward.
How can page rules improve security?
Page Rules can force SSL, forward XMLRPC URL requests, and let you use email obfuscation (to prevent spam bots from collecting your email) on single pages without having to worry about an email-decode error showing up in GTmetrix for your entire site.
How many page rules can I have?
You can add up to 3 page rules on Cloudflare's free plan; it will then cost you $5/month for 5 more rules. You can find out more about Cloudflare's pricing if you do wish to upgrade here.
And that finally wraps everything up! If you have any questions about these page rules then don't hesitate to get in touch, we'd love to help you. If you have any better implementations, then we are all ears, let us know.
Drop us a comment below if this has helped and as always; thanks for reading! 🙂