Blog

Cloudflare + WordPress: Page Rules, APO, and WAF Best Practices

September 4, 2025 Jonathan Turner No comments yet

a computer monitor sitting on top of a desk cloudflare dashboard page rules settings wordpress backend - AI Bud

WordPress is one of the most widely used content management systems (CMS) in the world, powering more than 40% of all websites. While its flexibility and extensibility provide a strong foundation for online content, it lacks in performance and security features out of the box. That’s where Cloudflare comes in. Combining WordPress with Cloudflare’s tools such as Page Rules, Automatic Platform Optimization (APO), and the Web Application Firewall (WAF) can vastly improve site speed, reliability, and safety. This article covers best practices in configuring Cloudflare with WordPress to maximize both performance and security.

Why Use Cloudflare with WordPress?

Cloudflare acts as a content delivery network (CDN) and reverse proxy that sits between your WordPress site and its visitors. With its global network, it can cache static assets near your visitors and protect against malicious traffic before it ever reaches your server. The benefits include:

Reduced Server Load: Static content is served from Cloudflare’s edge servers instead of PHP rendering pages repeatedly.
DDoS Protection: Cloudflare’s WAF helps mitigate brute force attempts and volumetric attacks.
Faster Load Times: By reducing latency and leveraging caching, pages load quicker across the globe.

1. Page Rules Best Practices

Page Rules are among the most powerful yet underutilized features in Cloudflare. They allow you to tailor Cloudflare’s behavior on a per-URL basis. Here are recommended Page Rules to implement for a WordPress site:

Secure the Admin Area
Set a rule for example.com/wp-admin/* to turn off caching and enable security features like Browser Integrity Check and Always Use HTTPS.
- Settings: Cache Level: Bypass; Security Level: High; Always Use HTTPS: On
Improve Performance on Static Content
Set a rule for example.com/wp-content/uploads/* to cache everything longer and use Edge Cache TTL.
- Settings: Cache Level: Cache Everything; Edge Cache TTL: A month
Redirect www to non-www or vice versa
Consistent URLs improve SEO. For example, redirect www.example.com/* to example.com/$1.
- Settings: Forwarding URL (301 Redirect)

It is important to keep in mind that Cloudflare only allows three free Page Rules. Prioritize the most impactful ones or consider upgrading your plan for more flexibility.

turned on MacBook Air on desk developer toolswordpress backendsite building - AI Bud

2. Automatic Platform Optimization (APO)

Launched in October 2020, Cloudflare’s Automatic Platform Optimization for WordPress (APO) is a game-changer. Traditional CDNs focus on static content, but APO goes a step further by caching the HTML of dynamic pages.

Key Benefits of APO:

Full HTML Caching: Unlike regular Cloudflare caching, APO caches your full WordPress pages at the edge.
Smart Purging: When your content updates via WordPress admin, APO can automatically clear the cache for only the modified URLs.
Mobile Optimization: Separate caching for mobile and desktop devices delivers optimal rendering experiences.

Enabling APO is straightforward. After connecting your WordPress site to Cloudflare using the official Cloudflare plugin, you can activate APO in the dashboard with a single click. Make sure that the plugin is updated and that your domain is active on Cloudflare.

Best Practices for APO:

Always use a supported plugin or API connection to enable cache purge on post update.
Test your site thoroughly after enabling APO to ensure dynamic content behaves correctly.
If you use a membership site or eCommerce functionality, exclude pages like /cart, /checkout, or user dashboards using Page Rules or plugin configurations.

Note: APO is most effective on mostly-static WordPress sites, such as blogs, news outlets, or portfolios, but is configurable with some effort for more dynamic uses.

3. Web Application Firewall (WAF) Best Practices

Cloudflare’s WAF is a critical tool in defending your WordPress website against malicious activity. WAF rulesets are purpose-built to mitigate common threats like SQL injection, cross-site scripting (XSS), and XML-RPC attacks.

pink and silver padlock on black computer keyboard wordfence waf cloudflare firewall rules website security - AI Bud

Recommended WAF Rulesets:

Enable OWASP Rules: The OWASP Core Rule Set offers solid protection against many known threats (SQLi, XSS, etc.).
Enable Cloudflare Managed Rules for WordPress: These rules are specifically designed to protect WordPress installations from common attacks.
Block xmlrpc.php: Unless it is used for something specific like Jetpack, xmlrpc.php is a frequent target for brute forcing and DDoS attacks.
Rate Limiting: Use custom rules to limit the rate of logins and POST requests to the /wp-login.php page.

Custom Firewall Rules

Advanced users can create Firewall Rules within Cloudflare to restrict access to specific IP ranges, headers, methods, or countries. For example:

(http.request.uri.path eq "/wp-login.php" and not ip.src in {YOUR.IP.HERE})

This will block all login attempts except from your own IP. This is particularly powerful for reducing login-based attacks.

4. Additional Optimization Tips

To get the most out of Cloudflare and WordPress, consider the following performance and safety enhancements:

Enable HTTP/3: Offers better performance for users on supported browsers with lower latency.
Use Brotli Compression: Better than GZIP in most scenarios for compressing text-based content.
Set a Minimum TLS Version: TLS 1.2 is the current best practice for both security and speed.
Enable Rocket Loader (Optional): Speeds up page rendering by optimizing JavaScript loading.

You should also regularly review analytics offered by Cloudflare, such as request patterns, threats blocked, and performance metrics. This data helps to adjust your configurations over time.

5. Compatibility and Plugin Considerations

Some WordPress plugins may conflict with Cloudflare’s caching layers, especially those that handle page optimization or security (e.g., caching plugins like WP Super Cache, W3 Total Cache, or security plugins like Wordfence).

Recommendations:

If using Cloudflare APO, disable all server-side full-page caching.
Don’t enable JavaScript or CSS minification in both WordPress plugins and Cloudflare. Choose one to avoid conflicts.
Use the Cloudflare plugin to manage automatic cache purges and API-level functions.

Conclusion

The combination of Cloudflare and WordPress offers one of the best configurations for a fast, secure, and scalable website. By utilizing Cloudflare’s features strategically—Page Rules to customize behavior, APO for HTML-level caching, and WAF for attack prevention—you can significantly elevate the quality and resilience of your WordPress website.

However, effective implementation requires careful planning and frequent testing to make sure essential content remains dynamic while benefiting from performance enhancements. By following the best practices outlined in this guide, website administrators can maintain a seamless user experience with optimal uptime and page response speed.

The digital ecosystem continues to evolve, and staying ahead requires the right combination of tools and knowledge—Cloudflare with WordPress is a strong start.