If you run a WordPress blog, Cloudflare is one of the highest-leverage free tools you can add. It sits between your visitors and your server, caches pages so your origin never gets hammered, and lets you add security headers in seconds — no plugin required. In this guide you will configure Cache Rules and Security Headers via Cloudflare Transform Rules, then verify everything with a single terminal command.
Prerequisites
- A WordPress site with Cloudflare already proxying traffic (orange cloud in DNS)
- Access to the Cloudflare dashboard for your domain
- curl or any HTTP client for testing
Why Cloudflare Caching Matters
By default, Cloudflare proxies your traffic but does not cache HTML pages. Every visitor hits your PHP/WordPress stack directly. After enabling cache rules, Cloudflare serves cached HTML from its global edge — the server load drops to near zero for repeat visitors and page load time improves dramatically.
Without caching, every request returns CF-Cache-Status: DYNAMIC. After our rule, repeat requests return CF-Cache-Status: HIT and are served in under 200 ms from the nearest Cloudflare PoP.
Step 1: Create a Cache Rule
Navigate to Rules → Overview → Cache Rules → Create rule.
Set the rule to All incoming requests, then switch to Edit expression and paste the filter below. It caches everything except the admin panel, login page, and sessions for logged-in users:
```
(http.host eq "yourdomain.com"
and not starts_with(http.request.uri.path, "/wp-admin")
and not starts_with(http.request.uri.path, "/wp-login")
and not starts_with(http.request.uri.path, "/login")
and not http.cookie contains "wordpress_logged_in")
```
Replace yourdomain.com with your actual domain.
Under Then, configure:
- Cache eligibility: Eligible for cache
- Edge TTL: Ignore cache-control header → 2 hours
- Browser TTL: Override origin → 1 hour
Click Deploy. Cloudflare may warn that the rule might not match — ignore it and deploy anyway if your DNS is already proxied.
Step 2: Add Security Headers
Navigate to Rules → Overview → Create rule → Response Header Transform Rule.
Name the rule Security Headers, select All incoming requests, then add four headers using Set static for each:
- Strict-Transport-Security → max-age=31536000; includeSubDomains
- X-Content-Type-Options → nosniff
- X-Frame-Options → SAMEORIGIN
- Referrer-Policy → strict-origin-when-cross-origin
Deploy the rule. Strict-Transport-Security tells browsers to use HTTPS only, and the other three headers protect against MIME-type sniffing, clickjacking, and referrer leakage — all common findings flagged by security scanners.
Step 3: Verify Everything
Run this single curl command to check both caching and security headers at once (grep needs -i because curl prints header names in lowercase when the connection uses HTTP/2):
```shell
curl -sI https://yourdomain.com | grep -iE "CF-Cache-Status|Strict-Transport|X-Content|X-Frame|Referrer"
```
Expected output after a second request (first request primes the cache):
```
CF-Cache-Status: HIT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
```
You can also verify with Python (the requests library treats header names case-insensitively, so the HTTP/2 lowercase names are not a problem here):
```python
import requests

# One GET is enough for the headers; send a second one if you want to see HIT.
r = requests.get("https://yourdomain.com", timeout=15)
for h in ["CF-Cache-Status", "Strict-Transport-Security",
          "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]:
    print(f"{h}: {r.headers.get(h, 'MISSING')}")
```
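The checks below are an added example, not code from the original post or from kalyna.pro. They use only the Python standard library and go one step further than the curl check: besides confirming the four header values from Step 2, they confirm that the Step 1 exclusions actually hold, i.e. that /wp-admin/ and a request carrying a (constructed, fake) wordpress_logged_in cookie are never served from the edge cache. The domain and the cookie value are assumptions you replace with your own.

```python
# Added verification script (not from the original guide). Python 3 stdlib only.
import urllib.request
import urllib.error

# Expected values exactly as set in the Transform Rule (Step 2); names lower-cased.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def fetch_headers(url, cookie=None):
    """GET url and return its response headers with lower-cased names.
    Error responses (403/404) still carry the headers we care about."""
    req = urllib.request.Request(url, headers={"User-Agent": "cf-check/1.0"})
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


def check_security_headers(headers):
    """Return a list of problems: missing headers or values differing from the rule.
    Lookup is case-insensitive, since HTTP/2 delivers header names lower-cased."""
    got = {k.lower(): v.strip() for k, v in headers.items()}
    return [f"{name}: expected {want!r}, got {got.get(name)!r}"
            for name, want in EXPECTED_HEADERS.items() if got.get(name) != want]


def check_cache_policy(public_status, admin_status, logged_in_status):
    """Return problems with the cache rule: a public page must be a HIT on the
    second fetch; the admin panel and any request carrying the wordpress_logged_in
    cookie must never be served from the edge cache."""
    problems = []
    if public_status != "HIT":
        problems.append(f"public page not cached (CF-Cache-Status={public_status})")
    if admin_status == "HIT":
        problems.append("/wp-admin/ served from cache: path exclusion not matching")
    if logged_in_status == "HIT":
        problems.append("logged-in request served from cache: cookie exclusion failing")
    return problems


def audit(domain):
    """Run both checks against a live site and return the combined problem list."""
    base = f"https://{domain}"
    fetch_headers(base)                                  # first request primes the cache
    public = fetch_headers(base)                         # second request should be a HIT
    admin = fetch_headers(base + "/wp-admin/")
    logged_in = fetch_headers(base, cookie="wordpress_logged_in=test")  # constructed cookie
    status = lambda h: h.get("cf-cache-status", "MISSING")
    return check_security_headers(public) + check_cache_policy(
        status(public), status(admin), status(logged_in))
```

Call `audit("yourdomain.com")`; an empty list means both rules behave as described, and each string in a non-empty list names the rule that needs attention.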
Results
After applying both rules to kalyna.pro, here is the before/after comparison:
- CF-Cache-Status: DYNAMIC → HIT
- Response time (repeat visits): ~280ms → ~160ms
- Security headers: 0 of 4 → 4 of 4
- Origin server load: every request → only cache misses
What’s Next
- Enable Auto Minify (Speed → Optimization) for JS, CSS, and HTML
- Turn on Brotli compression in Speed settings
- Check SSL/TLS → Full (strict) mode is enabled
- Run a PageSpeed Insights test to verify Core Web Vitals
Cloudflare’s free plan covers everything in this guide. No plugins, no server access — just a few rules in the dashboard and your WordPress site is faster and more secure.
Originally published at kalyna.pro