Cloudflare is one of the best CDN providers in the industry.
And their page rules are a necessity for webmasters who want to secure their sites and improve their performance 10 fold.
In this guide, you will learn about 10 crucial Cloudflare page rules for WordPress sites + how to set them up and use them correctly.
Without further ado, let’s get started!
Table of Contents
- What Are Cloudflare Page Rules? And Why Should You Bother Setting Them Up Correctly?
- Cloudflare Page Rules – Glossary of Important Terms
- How to Set up Cloudflare With WordPress Site (Quick Tutorial)?
- 8 Cloudflare Page Rules for WordPress You Need to Enable Today
- #1- Always Use HTTPS
- #2- Make Important Pages Always Online
- #3- Secure WordPress Admin and Bypass Cache
- #4- Stop Bots From Collecting Your Emails (Email Obfuscation)
- #5- Don’t Cache Preview Pages
- #6- Forward XMLRPC URL’s
- #7- Decrease Bandwidth of WP-Uploads
- #8- eCommerce Sites and Dynamic Content Using AJAX
- #9- Don’t Cache Your Login Page
- Which Cloudflare Page Rules are the Most Important (For Free Users Only)?
- Some Other Cloudflare Speed Enhancement Features Worth Exploring
- WP Hostings Comes with In-build Cloudflare Add-on
- Final Words
- Cloudflare Page Rules FAQ
What Are Cloudflare Page Rules? And Why Should You Bother Setting Them Up Correctly?
Cloudflare page rules are specific settings and values you can apply to either individual URLs, or to a specific URL pattern that references your domain.
Don’t get confused with all the tech talk, it’s actually really simple.
Use the page rules dashboard to instruct Cloudflare how it should behave on your site so you get increased performance, security, and peace of mind in knowing you’ve made your site significantly better.
Cloudflare Page Rules – Glossary of Important Terms
The article below is fairly technical, but don’t be scared!
All you need to do is read carefully this glossary of terms so you can understand what you’re reading.
- Always Online – this feature keeps a small part of your site always online and served from cache, even when the rest of your site is down. Excellent for keeping your crucial service pages always accessible.
- Browser Integrity Check – this setting looks for common HTTP headers malicious bots use, and then denies them access to your site so they can’t crawl and waste your server/hosting resources.
- Disable Performance – your wp-admin should be exempt from Cloudflare rules and other features. “Disable Performance” feature deactivates Mirage, Polish, Rocket Loader and auto minify, without disabling them for the end-users on the front-end of your website.
- Edge Cache TTL – this is the time Cloudflare’s edge servers cache your page before they go to your server to fetch a fresh copy. Feel free to increase this time interval for pages that are not updated as frequently.
- Email Obfuscation – this setting helps you obfuscate (write in gibberish) your email for spambots crawling your site, while displaying it normally to your human visitors.
- Security Level – Cloudflare gives IP addresses a threat score of 0-100. You can create page rules to give a higher security threshold to your WordPress admin area than to some other part of your site.
- Cache Level – determines how much caching is done by Cloudflare.
- Asterisk (*) – used in Cloudflare page rules URLs to match certain patterns. For instance, for technumero.com/wp-admin* as my URL, I can set the caching level to aggressive. That means all URLs with /wp-admin/ (and everything after) would be cached aggressively. Of course, I’d never do that as the wp-admin area should never be cached. You’ll learn more about it below!
How to Set up Cloudflare With WordPress Site (Quick Tutorial)?
It’s easy to connect Cloudflare with WordPress, and here are the steps:
First, go to Cloudflare.com and click on the “Sign Up” button in the menu.
Second, add in your email address and password. Click on “Create Account”
Third, pick the “Cloudflare for Infrastructure” plan.
That’s the content delivery network plan most webmasters need.
Fourth, add in your target website URL.
Fifth, pick a FREE Cloudflare plan which is located right below the 3 paid ones.
The sixth and final step, change your name servers from your current hosts’ to Cloudflare name servers.
This is a must or otherwise, Cloudflare won’t work properly.
And that’s it. Once inside the Cloudflare dashboard head on over to the “Page Rules” section and start making those bad boys.
Pro tip: Setting up Cloudflare With WP Rocket
If you’re not using WP Rocket to speed up your site, then I don’t know why? You probably haven’t heard of it, right?
If that’s the case, make sure you read this WP Rocket review for more info.
But for you WP Rocket users, did you know you can connect WP Rocket with Cloudflare Content Delivery Network directly within your WordPress dashboard?
Yes, it’s true, and here are the steps.
First, inside the WP Rocket dashboard go to “Add-ons” and enable Cloudflare.
Then click on “Modify Options”
Second, add in your Cloudflare credentials
- Global API key;
- Account email;
- Zone ID;
These settings are all to be found inside your Cloudflare dashboard.
There isn’t room for it here, so please click here for a detailed tutorial on how to connect WP Rocket and Cloudflare.
Some other things to change here:
- Development Mode – use this feature if you’re making a lot of code changes on your website.
- Optimal Settings – this activates optimal Cloudflare settings, i.e., minification and aggressive caching, while also deactivating Rocket Loader which can speed up a site, but very often ends up breaking it.
- Relative Protocol – oftentimes when users download files from your website, those turn out to have no content in them. Leave “Relative Protocol” off to prevent this from happening.
- Clear All Cloudflare Cache Files – do this only after you’ve finished configuring everything else.
8 Cloudflare Page Rules for WordPress You Need to Enable Today
Even though you can write and add up to 125-page rules, the 8 below will be beneficial and essential for 99% of all WordPress sites.
#1- Always Use HTTPS
This first Cloudflare page rule forces all your visitors to access your domain via a secure, HTTPS connection.
Here’s the pattern below you need to use on your site and one recommended by Cloudflare in this Youtube tutorial.
The two asterisks symbols before and after your domain name serve to tell Cloudflare that all variations of your site + subdomains and subfolders should be served over a secure connection to your visitors.
Forcing visitors to browse your site through a secure connection is a must for any site owner in 2022, but it needn’t be done through a page rule.
You can also enable it within the SSL/TSL settings in the Cloudflare dashboard.
That way you can preserve that one-page rule slot to use it towards something else (remember, you get limited page rules on a Cloudflare free account- more on that later)
#2- Make Important Pages Always Online
Always online page rule is very useful if you have a shaky server (a typical sign of a bad host; you should switch to something better i.e., Cloudways), your site goes down regularly, and you have pages that need to be kept online at all times.
This page rule forces Cloudflare to serve your crucial pages from the cache in the event your site blacks out for any meaningful time duration.
Recommended pages to enable this page rule on are your homepage, terms of service, contact, hire me page, about us page…
#3- Secure WordPress Admin and Bypass Cache
For your wp-admin area, you need to create a rule that’s a combo of several important settings.
First, set the security level to high.
Then, bypass cache (WordPress admin area should never be cached, as you always want to have the most current version).
Finally, disable the Cloudflare app and performance features (minification, Polish, Mirage, Rocket Loader…)
These are not needed for your wp-admin dashboard as they can only be used to speed up your website’s frontend.
#4- Stop Bots From Collecting Your Emails (Email Obfuscation)
Set this Cloudflare page rule to prevent bots from scraping your email address and excessive spam from hitting your inbox.
It works by masking/obfuscating your email address for automated bots, while still keeping it visible to regular site visitors.
This is the rule:
Note: You can enable this page rule either for specific pages where you have your email address listed (for example contact and about pages) or for the entire domain using the Scrape Shield settings.
Warning: using the Scrape Shield settings will trigger “email-decode.min.js” error in the GTmetrix website speed test tool, but you can easily not pay attention to it as it won’t slow down your site at all.
#5- Don’t Cache Preview Pages
This page rule simply bypasses Cloudflare’s cache for post/page previews. Page previews should not be cached as they’re not live on your website.
#6- Forward XMLRPC URL’s
This simple page rule instructs Cloudflare to forward requests from your xmlrpc.php file to any URL on your site (pick whichever you want, your site’s homepage is a good choice).
That way you’re protected against hackers using XMLRPC for brute-force DDoS attacks on websites.
#7- Decrease Bandwidth of WP-Uploads
Because items in your WordPress upload file don’t change as often, they don’t need to be cached as often.
So you need to set Edge Cache TL to empty, once per month, thus saving precious bandwidth.
However, you also need to take precautions so your site’s visitors don’t see stale info that takes a whole month to refresh.
That’s why you need to set Browser Cache TTL to a day.
This sets a 24-h expiration timeframe for resources stored in visitors browsers (note: it sounds complicated, but it’s really not. Just look at the image below)
#8- eCommerce Sites and Dynamic Content Using AJAX
eCommerce sites are replete with dynamic content that should never be cached.
However, you still want and need to cache other parts of the site.
The optimal solution is to cache all static elements while bypassing dynamic elements served over AJAX.
You can set this up easily using a combination of 2 Cloudflare page rules.
The first one bypasses the cache for AJAX:
The second rule instructs Cloudflare to cache everything else on your site.
#9- Don’t Cache Your Login Page
This is an important Cloudflare page rule, which will prevent CF to cache your login URL i.e. wp-login.php. Similar to the previous rule, you have to setup the Cache level setting to Bypass.
Which Cloudflare Page Rules are the Most Important (For Free Users Only)?
The max number of Cloudflare page rules you can have is 125. Way more than you’ll ever need unless you run an enterprise-level site with millions of pages.
But, free Cloudflare users are severely handicapped because they can only use 3-page rules without paying a dime for them.
So, out of these 8-page rules listed here, which ones’ are the most important?
- Secure The WordPress Admin And Bypass Cache- Protect wp-admin from hacker, make your wp-admin run smoothly, and prevent outdated cache versions from confusing you in your work.
- Decrease Bandwidth of WP Uploads – improve site speed and performance with this simple page rule.
- Stop Bots From Collecting Your Email (Email Obfuscation) – make your life easier by preventing those spammers from getting a hold of your email address.
Forcing users to connect via HTTPS is also a very important page rule, but it can be achieved within the SSL/TLS settings, thus sparing you of having to use a page rule on it.
Note: these 3 rules are great and all, but using all 8 Cloudflare page rules listed here can make your site more successful in the SERPs, and your life as a webmaster way easier.
I strongly suggest you buy the additional 5 Cloudflare page rules (costs $5) so you have a full set of 8.
Some Other Cloudflare Speed Enhancement Features Worth Exploring
Cloudflare has some other exciting features that can help you get record-breaking speeds for your site.
Let’s quickly explore them below, shall we?
Cloudflare DNS is an enterprise-grade DNS service that offers advanced security with built-in DNSSEC and DDoS mitigation, unmatched response time, and supreme redundancy.
Don’t be confused with all the tech talk. It simply means hooking up your site with Cloudflare DNS will give you a secure and fast website that is always online with zero downtime. The free DNS from Cloudflare service is the fastest DNS hosting service in the world.
The best of all?
It’s FREE! And you can enable it right within the Cloudflare dashboard.
#2- Auto Minify
Minification reduces the size of your:
This makes every page only our site load faster. Here is our detailed guide on the minification of JS and CSS resources.
However, if you use WP Rocket on your site, you can use it to minify your code instead of Cloudflare.
According to Cloudflare:
“Brotli is a state of the art lossless compression format, supported by all major browsers. It is capable of achieving considerably better compression ratios than the ubiquitous gzip, and is rapidly gaining in popularity.”
Enable Brotli in Cloudflare speed settings to maximally compass your web pages so they can be served much faster than with normal gzip compression.
#4- Rocket Loader
This makes the page load time significantly shorter as once the HTML is loaded the page is immediately usable and Java loads in the background unobserved by web users.
#5- HTTP 3 (With Quick Technology)
Use this newest protocol to speed up HTTP requests and load your website even faster than when using HTTP2, which used to be the best and fastest.
Note: enabling this feature will only affect those clients that connect with your site using HTTP 3, and will not affect adversely those connecting with HTTP 1.1 and HTTP 2.
Enable this feature to prevent other websites from embedding your images. This will save you bandwidth but at the cost of backlinking opportunities.
What do I mean?
I mean that if you have excellent images on your site and someone takes them, you could send them a gentle email remainder asking for attribution with a link back to your site.
With Cloudflare Hotlink enabled, they won’t be able to take your images, and you won’t have an excuse to ask them for a link.
#7- Automatic Platform Optimization for WordPress
Automatic Platform Optimization for WordPress caches third-party fonts and delivers your website from Cloudflare’s edge network.
That way you get the benefits of a static site without any changes to how you run your website.
This makes your website load significantly faster with TTFB performance largely improved.
Learn more about it here!
WP Hostings Comes with In-build Cloudflare Add-on
Because of the immense popularity of Cloudflare and the significant impact, it makes on your website even as a free service nowadays many dominant hosting provides integrate Cloudflare as a free/paid add-on with their hosting.
Most of them offer a one-click Cloudflare page rules setup right from the hosting dashboard. It is so integrated that you do not have to have an account with Cloudflare.
Here is the list of WordPress Hosting providers that offers Cloudflare as a free Add-on
- Bluehost WordPress Hosting – try it on 65% discount or read out full Bluehost review.
- A2Hosting – avail 66% discount
- HostArmada – upto 75% discount – Our In-deptn HostArmada reivew.
Do you now know why Cloudflare page rules are important for your website?
Yes, it’s not enough to just enable a free CDN and call it a day.
Cloudflare page rules help a ton.
They make your site:
- More secure;
- Faster on the backend;
- Faster on the frontend for Google and the end users.
Having Cloudflare page rules for your WordPress blog strategically deployed will over time turn to an SEO advantage for you.
Because, as your visitors get better service on your blog, they’ll be happier, spread the word, and send you word-of-mouth traffic which is so valuable nowadays with the insane competition we’re all facing in the SERPS.
In SEO, every little bit helps, and Cloudflare page rules help a ton.
You may also like to read…
- 7 Best Free CDN Providers for WordPress Website
- Fastest CDN Services for WordPress – Reviewed & Compared
- 11 Best Free DNS Hosting Services – (Updated Edition)
Cloudflare Page Rules FAQ
What is Cloudflare Page Rule Block?
Setting a page rule instructs Cloudflare to do X whenever a certain URL pattern triggers the rule. You can block desired pages that match that pattern by adding them in the “bypass section” of said page rule. Bottom line– first you set the rule, and then you define the exceptions.
What is Cloudflare Page Rules Wildcard?
Cloudflare Page rule Wildcard are the asterisk (*), that can be used as a wildcard. Page rules with an asterisk will match any URL beginning/ending with.
For example, yoursite.com/wp-* will match with,
yoursite.com/wp-include or any other URL contains yoursite.com/wp- in the beginning.
What are the Best Cloudflare Rules for Speeding up WordPress Sites?
Not caching wp-admin area; (page rule #3);
Not caching preview pages; (page rule #5);
Decreasing bandwidth of content uploads (page rule #7).
Read more details in the article.
What is Cloudflare WordPress HTML Caching?
Customers of all Cloudflare plans can cache the HTML elements of their sites.
But those who purchase Business and Premium plans also have the option to cache HTML on Cloudflare Edge, further increasing the speed the page loads.