Enhancing the Security and Performance of WordPress

WordPress accounts for approximately 25% of all websites online today. Learn how Page Rules can optimize the user experience of your WordPress site with enhanced performance, security and reliability.

To purchase Page Rules, visit the Cloudflare dashboard.


In the above video you will learn how to:

  • Increase security and performance by enforcing secure domain connections
  • Protect your SEO by defining a canonical version of your domain
  • Ensure operational excellence in critical admin areas
  • Reduce bandwidth utilization and server load with advanced caching capabilities
  • Harden security to protect your users and site administrators from attack
  • Extend caching capabilities to serve more content from the cloud
  • Optimize performance with HTTP/2 and aggressive caching strategies
  • Enhance the reliability of critical domain assets with Always Online functionality

Video Transcript

WordPress is estimated to account for roughly 25% of all websites online today. With Page Rules you can customize Cloudflare to take the performance, security and reliability of your WordPress website to the next level.

Increase Security & Performance

With SSL your WordPress website not only benefits from increased security, but you also get the performance benefits of HTTP/2 and Server Push, potential SEO ranking boosts, and increased customer confidence through a little green lock.

While setting the SSL option within the Crypto section of Cloudflare enables your WordPress website to take advantage of SSL, Page Rules lets you require all visitors to connect to your domain securely.

With SSL enabled, create a Page Rule for HTTP that includes an asterisk before and after your domain, and select “Add a Setting” > Always Use HTTPS.

This URL pattern, which includes HTTP with an asterisk before and after your domain, ensures that any subdomains, directories or query strings referencing your domain will be forced over HTTPS.

Once you click Save and Deploy, new and returning visitors attempting to connect to your domain over HTTP will be redirected to HTTPS. Keep in mind that this option should generally be the first rule you set in Page Rules. Unless you have a special case, be sure to reorder this rule to appear at the top of your set.

Standardize URL & Protect Your SEO

To maintain consistency when linking internally as well as avoid duplicate content penalties that can dilute your search ranking, Page Rules allows you to define the canonical version of your domain with 301 Forwarding.

If you want to define the root as the canonical version of your domain, create a Page Rule that includes the following:

Add your domain excluding the protocol scheme, which will cover both HTTP and HTTPS.

The Forwarding URL setting is selected with 301 - Permanent Redirect option. From an SEO standpoint, 301 redirects will pass the ranking power to the redirected page.

You’ll notice that my destination URL includes a secure protocol scheme and I’m using $1 for the directory to match the asterisk in the URL pattern. $1 corresponds to the first asterisk in the URL string from left to right. If I had an asterisk before the domain and wanted to match it, I would use $2 instead of $1.

Once I hit Save and Deploy, my URL will be redirecting accordingly.

User-Friendly URLs/URLs for Category Pages

With Page Rules, you can redirect URLs in a number of ways both internally and externally. In these 2 examples, I’m using 301 - Permanent Redirects to create user-friendly URLs for a page that shows search results for a blog post category.

Using a 302 - Temporary Redirect, in the following 3 examples, I’m using my domain to redirect to various social media properties.

Ensure Proper Operations & Harden Security

Certain sections of WordPress, like the wp-login page and the wp-admin section, have different security and performance requirements than your public facing pages. Page Rules allows you to target these areas with very specific settings:

To properly target my login page, I’m using an asterisk at the end of the URL pattern to make sure this rule is triggered even when a query string is appended at the end of the URL. To increase security, I’ve set the Security Level to High. Security Level controls how high a client Threat Score must be before the client encounters a challenge page. Threat Scores are derived from our IP Reputation database and assigned to clients that attempt to connect to a resource on your domain.

In the next example I’m using an asterisk without the forward slash for the wp-admin area. This means I am not only targeting the wp-admin, but I’m also including any subdirectories and query strings as well. To increase security, I set the Security Level to High. To ensure smooth operations within my admin area I’ve set the Cache Level to Bypass so Cloudflare will not cache any of the content within this section. I’ve also disabled any Apps and Performance settings that may conflict with some of the unique functionality within this area.

Hackers have been known to use the XML-RPC function in WordPress for DDoS botnet and brute force attacks. A layered defense strategy against this vulnerability includes disabling trackbacks and pingbacks within the Discussion options and modifying your .htaccess file to block access to your xmlrpc.php file.

A 301 Forwarding rule with Page Rules allows you to apply an additional layer of protection by forwarding any requests to xmlrpc.php to a destination of your choice.
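The pattern behaviour described so far (a scheme-less pattern covering both HTTP and HTTPS, a trailing asterisk catching query strings and subdirectories, $1/$2 substitution, and rule order) can be checked offline with a small model. This is an added example, not Cloudflare's implementation and not from the video; the domain example.com, the rule set and the helper names are assumptions, and it assumes only the first matching rule in priority order applies.

```python
import re

def compile_pattern(pattern):
    """Each * becomes a capture group; a pattern without a scheme covers http and https."""
    body = "(.*?)".join(re.escape(part) for part in pattern.split("*"))
    if "://" not in pattern:
        body = "https?://" + body
    return re.compile("^" + body + "$")

def expand(destination, match):
    """Replace $1, $2, ... with what the 1st, 2nd, ... asterisk matched (left to right)."""
    def sub(ref):
        n = int(ref.group(1))
        return match.group(n) if 1 <= n <= match.re.groups else ref.group(0)
    return re.sub(r"\$(\d+)", sub, destination)

# Constructed rule set for the placeholder domain example.com, listed in priority order.
RULES = [
    ("http://*example.com/*", {"always_use_https": True}),
    ("www.example.com/*", {"forward": (301, "https://example.com/$1")}),
    ("example.com/xmlrpc.php*", {"forward": (301, "https://example.com/")}),
    ("example.com/wp-login.php*", {"security_level": "high"}),
    ("example.com/wp-admin*", {"security_level": "high", "cache_level": "bypass"}),
]

def resolve(url, rules=RULES):
    """Return (pattern, outcome) for the first rule that matches; later rules are ignored."""
    for pattern, action in rules:
        match = compile_pattern(pattern).match(url)
        if match is None:
            continue
        if action.get("always_use_https"):
            return pattern, "https://" + url.split("://", 1)[1]
        if "forward" in action:
            status, destination = action["forward"]
            return pattern, (status, expand(destination, match))
        return pattern, action  # settings applied to the request, no redirect
    return None, {}  # no rule matched: zone-wide defaults apply

if __name__ == "__main__":
    for u in ("http://www.example.com/blog/?p=1",
              "https://www.example.com/blog/?p=1",
              "https://example.com/wp-login.php?redirect_to=%2Fwp-admin%2F"):
        print(u, "->", resolve(u))
```

Running a planned rule set through a model like this before deploying it shows which rule a sensitive URL such as the login page actually lands on, and whether a broader rule placed higher in the list shadows it.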

Increasing Performance While Decreasing Bandwidth Usage

By default, Cloudflare caches the most popular types of static assets. With Page Rules you can access advanced caching options that allow you to significantly reduce how much bandwidth your server uses. In this example I’m targeting all of the contents of my uploads area.

Edge Cache TTL instructs Cloudflare on how often to request new content from your server. Since items in my uploads folder will rarely change, I’ve set a very long Edge Cache TTL of a month. This means Cloudflare will only request a fresh copy of the assets from my server after an entire month has passed.

If a resource were to change in this area and I wanted to force a refresh before the set TTL time, the Purge Cache feature in the Caching section of the dashboard gives me the ability to force the refresh of a specific file or directory.

Browser Cache TTL instructs the user’s browser how often it should attempt to request new content from Cloudflare’s edge. Browser Cache TTL can be used in conjunction with aggressive cache settings to make sure your visitors are getting the content you intended on delivering. In general, 4 hours is a good default setting. In this example, I’ve set the TTL for an entire day since I’m not worried about the contents changing frequently.

Enhancing the Reliability of Important Pages

There may be certain areas on your domain that rarely change and are critical to your organization. For these types of pages I want to make sure they’re always available, regardless of what is going on with my server. For these sorts of pages, I’ve applied the following rules:

By enabling Always Online, Cloudflare will serve pages from cache so visitors still see the content even if the origin server goes down.

Browser Cache TTL has been set to 1 day. Since my pages are heavily reliant on static content, the Cache Level is set to Cache Everything to make sure that all of the content, including the HTML, is preserved in cache. Finally, I set an aggressive Edge Cache TTL to a week, which instructs Cloudflare to only request new versions of the content from my origin server after a month.

To prevent email harvesters and bots from adding my address to their spam lists, I’ve enabled Email Obfuscation on public facing pages that include an email address. Email Obfuscation will encrypt email addresses on your web page from bots while keeping them visible to humans, resulting in no visible changes to your website for visitors.

Once enabled, while I can see the email address as a human visitor, when I view the source code I can see that the email is obfuscated, protected from malicious crawlers.


In this video you learned how Page Rules allows you to leverage Cloudflare’s powerful performance and security features to optimize your WordPress website.

The number of Page Rules available to your domain is limited by plan type. If you need more Page Rules, Cloudflare now offers you the ability to purchase more Page Rules a la carte. Be sure to visit our plans page for more information at: www.cloudflare.com/plans