How To Create Cloudflare Page Rules For WordPress

by Sunny Hoi

By using Cloudflare’s Page Rules, you can improve the security and performance of your WordPress site. This guide teaches you how to achieve this by presenting eight beneficial Page Rules that I personally use on my WordPress site.

1. Consistent Enforcement of HTTPS

To ensure that your site visitors always connect securely via HTTPS, create a Page Rule in Cloudflare’s dashboard:


Add the setting: ‘Always Use HTTPS’

Hit ‘Save and Deploy’

The asterisk before and after your domain ensures anything referring to your URL will be forced over HTTPS.

Make sure that this rule is at the top of your Page Rules list (Number 1). Reorder if needed.

An image depicting a Cloudflare Page Rule which enables consistent enforcement of HTTPS on a site.


2. Canonical header

Avoid duplicate content issues that could hurt your search page ranking by defining a canonical version of your domain utilizing 301 redirects.

If you would like to set the root as the canonical version, utilize a Page Rule that includes:*

Add the setting: ‘Forwarding URL’ and ‘301 Permanent Redirect’

Add your URL in the below box: ‘$1

Hit ‘Save and Deploy’

301 redirects will pass the ranking power to the redirected pages.

An image illustrating a Cloudflare Page Rule which enables the canonical header for the root.

If the domain has an asterisk (*) before the domain: ** and you would like to match it, use $2 instead of $1.

An image illustrating a Cloudflare Page Rule which enables the canonical header for an asterisk (*) before the domain.
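How the asterisks map to $1 and $2, and why rule order matters, shown as an added example that is not part of the original post: a simplified Python model of Page Rule matching. The domain example.com, the rule list and the setting labels are constructed for illustration, and the model relies on Cloudflare applying only the first matching Page Rule to a request.

```python
import re

def compile_pattern(pattern):
    """Translate a Page Rule URL pattern into a regex; every * becomes a capture group."""
    body = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    # Assumption of this model: a pattern written without a scheme matches http and https.
    if not pattern.startswith(("http://", "https://")):
        body = r"https?://" + body
    return re.compile("^" + body + "$")

def evaluate(url, rules):
    """Return (position, setting, value) of the first rule matching url, or None."""
    for position, (pattern, setting, value) in enumerate(rules, start=1):
        match = compile_pattern(pattern).match(url)
        if match is None:
            continue
        if setting == "forwarding_url":
            # $1, $2, ... are replaced by what the 1st, 2nd, ... asterisk matched.
            value = re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))), value)
        return position, setting, value  # first match wins; later rules are ignored
    return None

def shadowed(rules, sample_urls):
    """List positions of rules that never fire for any of the sample URLs."""
    fired = {hit[0] for hit in (evaluate(u, rules) for u in sample_urls) if hit}
    return [pos for pos in range(1, len(rules) + 1) if pos not in fired]

# Constructed rule list for the placeholder domain example.com.
RULES = [
    ("http://*example.com/*", "always_use_https", "on"),
    ("www.example.com/*", "forwarding_url", "https://example.com/$1"),
    ("*example.com/wp-admin*", "security_level", "high"),
]
SAMPLE_URLS = [
    "http://example.com/about/",
    "https://www.example.com/blog/post-1/",
    "https://example.com/wp-admin/options.php",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", evaluate(url, RULES))
    print("never fire:", shadowed(RULES, SAMPLE_URLS))
```

Replacing the first pattern with a scheme-less catch-all such as `*example.com/*` makes `shadowed` report rules 2 and 3, because every sample URL then stops at rule 1.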

3. URL redirect to another page

You can also use your domain to refer to WordPress blog categories or numerous social media pages.

For example, create a Page Rule that consists of the following: ‘‘, add the setting ‘Forwarding URL’, ‘302 Temporary Redirect’, and ‘‘ Remember to hit ‘Save and Deploy’.

An image indicating a Cloudflare Page Rule which allows a site URL to serve as a forwarding URL.

4. Protecting the wp-login and wp-admin pages

The WordPress wp-login and wp-admin pages have different security and performance needs than your publicly exposed pages. It is therefore a good idea to create dedicated Page Rules for them.

To target your login page, use an asterisk (*) at the end of your domain’s URL:*

Set the security level to ‘High’.

Hit ‘Save and Deploy’. This will increase your WordPress site’s security.

Security level determines how high a user’s threat score has to be prior to the user facing a challenge page.

An image pointing to a Cloudflare Page Rule which enhances the security of the site’s wp-login page.

Also, don’t forget the WordPress wp-admin section: yourdomain/wp-admin*

Add in the following settings:

‘Security Level’ and ‘High’. This, of course, enhances the WordPress site’s security.

To make sure that the admin area works flawlessly, set ‘Cache Level’ to ‘Bypass’. Cloudflare will then not cache any of the content within the targeted WordPress area.

Also add ‘Disable Apps’ and ‘Disable Performance’, since these features could cause issues with the wp-admin area.

An image showing a Cloudflare Page Rule improving the security of the site’s wp-admin section.

5. Apply an additional layer of protection to the WordPress xmlrpc.php file

A 301 permanent redirect also lets you apply another layer of protection by forwarding all requests for the vulnerable WordPress xmlrpc.php file to a URL of your choice.

An image exemplifying a Cloudflare Page Rule which adds an additional layer of protection for the vulnerable WordPress xmlrpc.php file.

6. Decrease the amount of bandwidth the server uses

Cloudflare Page Rules can also decrease the amount of bandwidth your server uses. For example, you can target all of your WordPress site’s content in the uploads area:*

Add in the following settings:

‘Edge Cache TTL’ to ‘a month’

Edge Cache TTL tells Cloudflare how often it has to request fresh content from your server. Since items in the uploads folder do not change often, you can afford to set an Edge Cache TTL of one month. This means that Cloudflare will only request a fresh copy from your site after one month has passed. If something were to change, the purge feature located in the Caching section of Cloudflare’s dashboard lets you trigger a refresh.

‘Browser Cache TTL’ to ‘a day’

Browser Cache TTL tells your visitor’s browser how often it ought to try to request new content from Cloudflare. Generally, 4 hours is sufficient.

‘Cache Level’ to ‘Cache Everything’

Hit ‘Save and Deploy’

An image epitomizing a Cloudflare Page Rule which decreases the amount of bandwidth a server uses.
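A check for the HTTPS, wp-admin and uploads rules once they are deployed, as an added example that is not part of the original post: it parses response headers captured with `curl -sI` and flags a login or admin response that Cloudflare treats as cacheable, an upload that bypasses the edge cache, and plain HTTP that is not redirected. The domain example.com, the `/wp-content/uploads/` path and the captured responses are assumptions constructed for illustration; `CF-Cache-Status` is the header Cloudflare adds to report how it handled the response.

```python
CACHEABLE = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}
PRIVATE_PATHS = ("/wp-admin", "/wp-login.php")   # rule 4: must bypass the cache
STATIC_PATHS = ("/wp-content/uploads/",)         # rule 6: assumed default uploads path

def parse_head(raw):
    """Split one `curl -sI` response into (status code, lower-cased header dict)."""
    lines = [line.strip() for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(url, raw):
    """Return a list of findings for one URL and its captured response headers."""
    status, headers = parse_head(raw)
    scheme, _, rest = url.partition("://")
    path = "/" + rest.partition("/")[2]
    cache = headers.get("cf-cache-status", "").upper()
    findings = []
    if scheme == "http":
        redirected = 300 <= status < 400 and headers.get("location", "").startswith("https://")
        if not redirected:
            findings.append("plain HTTP is not redirected to HTTPS")
    # MISS counts too: it means the response was eligible and will be stored.
    if path.startswith(PRIVATE_PATHS) and cache in CACHEABLE:
        findings.append("login/admin response is eligible for edge caching")
    if path.startswith(STATIC_PATHS) and cache not in CACHEABLE:
        findings.append("upload is not served through the edge cache")
    return findings

# Constructed captures for the placeholder domain example.com.
SAMPLES = {
    "http://example.com/": "HTTP/1.1 301 Moved Permanently\nLocation: https://example.com/\n",
    "https://example.com/wp-admin/": "HTTP/2 200\ncf-cache-status: MISS\ncache-control: no-cache\n",
    "https://example.com/wp-content/uploads/logo.png": "HTTP/2 200\ncf-cache-status: HIT\nage: 512\n",
}

if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        print(url, audit(url, raw) or "ok")
```

A finding on the wp-admin sample means a ‘Cache Everything’ rule is matching the admin area ahead of the ‘Bypass’ rule, which risks serving one user’s authenticated page to another visitor.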

7. Making sure that critical sections of your WordPress site remain available if the server were to go down

There may be particular areas of your site that are critical to your enterprise. Such pages include a disclaimer policy, a privacy policy, a terms of service section, an about us page, and a contact us page. For these kinds of pages, you should make sure that they are always available regardless of the server’s status.

As for these pages, you should apply the following rules:

Set ‘Browser Cache TTL’ to ‘a day’.

Set ‘Always Online’ and click ‘On’.

With these settings, Cloudflare will serve pages from the cache, so your WordPress site’s visitors will always see your content regardless of whether the webpage is down.

The ‘Cache Level’ should be set to ‘Cache Everything’.

Set ‘Edge Cache TTL’ to ‘a month’.

An image displaying a Cloudflare Page Rule which ensures that a critical section of a site remains available regardless of the server’s status.

8. Block malicious harvesters and bots from obtaining your site’s emails by enabling Email Obfuscation

You should hinder malicious bots from adding your email to their spam list by enabling ‘Email Obfuscation’ on publicly exposed pages that contain an email address.

Email Obfuscation makes email addresses unreadable to bots while keeping them visible to your real visitors.

An image presenting a Cloudflare Page Rule using the Email Obfuscation feature which prevents malicious bots from obtaining an email address from a specific page of a WordPress site.
