Optimizing Drupal CMS with Page Rules

Drupal's enterprise-class CMS powers over 1 million websites including Weather.com, The Economist, Lady Gaga’s Official Website, and many more.

Learn how Page Rules allows you to optimize Drupal to enhance performance, increase scalability and harden security.

To purchase Page Rules, visit the Cloudflare dashboard.


In the above video you will learn how to:

  • Increase security and performance by enforcing secure domain connections
  • Protect your SEO by defining a canonical version of your domain
  • Ensure operational excellence in critical admin areas
  • Reduce bandwidth utilization and server load with advanced caching capabilities
  • Harden security to protect your users and site administrators from attack
  • Extend caching capabilities to serve more content from the cloud
  • Optimize performance with HTTP/2 and aggressive caching strategies
  • Enhance the reliability of critical domain assets with Always Online functionality

Video Transcript

Drupal's enterprise-class CMS powers over 1 million websites including The Economist, Weather.com, Lady Gaga’s Official Website, and many more. With Page Rules you can optimize Cloudflare for Drupal to increase response times, enhance scalability and harden security.

Increase Security & Performance

By enabling SSL for your Drupal website you will enhance the security through encryption, optimize performance with HTTP/2 and Server Push, potentially boost your SEO ranking in search results, and increase customer confidence through a little green lock.

While setting the SSL option within the Crypto section of Cloudflare enables your Drupal website to take advantage of SSL, Page Rules allows you to enforce all visitors to connect to your domain securely.

To accomplish this, once you’ve enabled any mode of SSL, create a Page Rule for HTTP that includes a asterisk before and after your domain, and select “Add a Setting” > Always Use HTTPS.

This URL pattern that includes HTTP, with an asterisk before and after your domain ensures that any subdomains, directories or query strings referencing your domain will be forced over HTTPS.

Once you click Save and Deploy, new and returning visitors attempting to connect to your domain over HTTP will be redirected to HTTPS. Keep in mind that this option should generally be the first rule you set in Page Rules. Unless you have a special case, be sure to reorder this rule to appear at the top of your set.

Standardize URL & Protect Your SEO

To maintain consistency when linking internally as well as avoid duplicate content penalties that can dilute your search ranking, Page Rules allows you to define the canonical version of your domain with 301 Forwarding.

If you want to define the root as the canonical version of your domain, create a Page Rule that includes the following:

Add your domain excluding the protocol scheme, which will cover both HTTP and HTTPS.

The Forwarding URL setting is selected with 301 - Permanent Redirect option. From an SEO standpoint, 301 redirects will pass the ranking power to the redirected page.

You’ll notice that my destination URL includes a secure protocol scheme and I’m using a $1 for the directory to match the asterisk in the URL pattern. 1 corresponds to the first asterisk in the URL string from left to right. If I had an asterisk before the domain and wanted to match it, I would use $2 instead of one.

Once I hit Save and Deploy, my URL will be redirecting accordingly.

User-Friendly URLs

With Page Rules, you can redirect URLs in a number of ways both internally and externally. In the following example I’m using 302 - Temporary Redirect to create a URL that may be more obvious to potential visitors. And in the following 3 examples I’m using my domain to redirect to various social media properties.

Ensure Proper Operations & Harden Security

Certain sections of Drupal, like the login and admin area, have different security and performance requirements than your public facing pages. Page Rules allows you to target these areas with very specific settings:

To protect my login area, I’m targeting the user directory with an asterisk without the forward slash. This pattern not only targets the user directory, but it also includes any subdirectories and query strings as well. To increase security, I’ve set the Security Level to High. Security Level controls how high a client Threat Score must be for a client will encounter a challenge page. Threat Scores are derived from our IP Reputation database and assigned to clients that attempt to connect to a resource on your domain.

In the next examples I’m targeting the admin and editing areas of Drupal. To increase security, I set the Security Level to High. To ensure smooth operations within my admin area I’ve set the Cache Level to Bypass so Cloudflare will not cache any of the content within this section. I’ve also disabled any Apps and Performance settings that may conflict with some of the unique functionality within this area.

Finally, to ensure that my cron tasks run properly, I’ve set Cache Level to Bypass for the cron directory.

Increasing Performance While Decreasing Bandwidth Usage

By default, Cloudflare caches the most popular types of static assets. With PageRulesyoucan access advanced caching options that allow you to significantly reduce how much bandwidth your server uses. In this example I’m targeting all of the contents of my sites/default/files* area.

Edge Cache TTL instructs Cloudflare on how often to request new content from your server. Since items in my sites/default/files* folder will rarely change, I’ve set a very long Edge Cache TTL of a month. This means Cloudflare will only request a fresh copy of the assets from my server after an entire month as passed.

If a resource were to change in this area and I wanted to force a refresh before the set TTL time, the Purge Cache feature in the Caching section of the dashboard gives me the ability to force the refresh of a specific file or directory.

Browser Cache TTL instructs the user’s browser how often it should attempt to request new content from Cloudflare’s edge. Browser Cache TTL can be used in conjunction with aggressive cache settings to make sure your visitors are getting the content you intended on delivering. In general, 4 hours is a good default setting. In this example I’ve set the TTL for an entire day since I’m not worried about the contents changing frequently.

Enhancing the Reliability of Important Pages

There may be certain areas on your domain that rarely change and are critical to your organization. For these types of pages I want to make sure they’re always available, regardless of what is going on with my server. For these sort of pages, I’ve applied the following rules:

By enabling Always Online, Cloudflare will serve pages from cache so visitors still see the content regardless if my origin server were to go down.

Browser Cache TTL has been set to 1 day. Since my pages are heavily reliant on static content, the Cache Level is set to Cache Everything to make sure that all of the content, including the HTML is preserved in cache. Finally, I set an aggressive Edge Cache TTL to a week, which instructs Cloudflare to only request new versions of the content from my origin server after a month.

To avoid email harvesters and bots from adding my address their spam lists, I’ve enabled Email Obfuscation on public facing pages that include an email address. Email Obfuscation will encrypt email addresses on your web page from bots while keeping them visible to humans, resulting in no visible changes to your website for visitors.

Once enabled, while I can see the email address as a human visitor, when I view the source code I can see that the email is obfuscated, protected from malicious crawlers.


In this video you learned how Page Rules allows you to leverage Cloudflare’s powerful performance and security features to optimize your Drupal website.

The number of Page Rules available to your domain is limited by plan type. If you need more Page Rules, Cloudflare now offers you the ability to purchase more Page Rules a la carte. Be sure to visitor our plans page for more information at: www.cloudflare.com/plans