Caching WordPress Using Cloudflare – Speed Boost
Website speed directly impacts search rankings, user experience, and conversions. Google’s Core Web Vitals require Largest Contentful Paint (LCP) under 2.5 seconds, Interaction to Next Paint (INP) under 200 milliseconds, and Cumulative Layout Shift (CLS) under 0.1. Many WordPress sites fail these benchmarks due to slow server response times and inefficient caching—problems that Caching WordPress Using Cloudflare solves effectively.
Cloudflare’s testing data shows a 72% reduction in Time to First Byte (TTFB) and page load time improvements of 70-300% when configured correctly. With WordPress powering 43.6% of all websites globally as of early 2026 (W3Techs), proper caching configuration matters more than ever. This guide covers the proper way to set up Caching WordPress Using Cloudflare—including Cache Rules (since Cloudflare page rules are deprecated), Cloudflare APO WordPress setup, and the best Cloudflare settings for WordPress that actually work in 2026.
Table of Contents
Why WordPress Sites Struggle with Speed
WordPress powers over 43% of all websites on the internet, with more than 587 million sites running on the platform as of early 2026 (WPZOOM). However, its dynamic nature creates inherent performance challenges. Every page request typically requires PHP execution, database queries, and server processing—even when the content hasn’t changed. On shared hosting, this means slow response times during traffic spikes and inconsistent performance for visitors in different geographic locations.
The solution is caching: storing static copies of pages so they can be served instantly without regenerating each time. But WordPress caching is complicated by dynamic elements like logged-in user states, shopping carts, comment forms, and the admin dashboard—areas that must never be cached. If you are working to improve your overall SEO and site rankings, proper caching is foundational.
This is where Caching WordPress Using Cloudflare becomes powerful. Cloudflare’s global network spans over 330 cities across 120+ countries, allowing cached content to be served from locations geographically close to visitors. This dramatically reduces latency while your origin server handles only truly dynamic requests.
Common Caching Mistakes That Break WordPress
I have seen countless WordPress sites with broken caching configurations. When Caching WordPress Using Cloudflare goes wrong, the most common problems include:
Caching the admin dashboard: When wp-admin gets cached, you see outdated content in your dashboard, cannot save changes, or worse—visitors might see admin interfaces. I have encountered cases where the wp-login.php page was cached with login credentials visible to subsequent visitors.
Admin bar appearing for logged-out visitors: This happens when a logged-in admin’s page view gets cached and served to everyone. Beyond looking unprofessional, it exposes information about your WordPress installation.
Stacking “Cache Everything” rules with APO: Cloudflare APO WordPress already handles HTML caching. Adding manual cache-everything rules on top creates conflicts, stale pages, and broken AJAX endpoints. As one CDN comparison noted (TechITEZ, December 2025), overlapping rules can cause double caching or bypass important paths entirely.
Not accounting for WooCommerce: Shopping carts, checkout pages, and my-account areas require session-specific data. Caching these pages means customers see other users’ carts or cannot complete purchases. With WooCommerce powering over 33% of ecommerce sites globally (Store Leads, March 2025), this is a widespread issue. If you are running an online store, make sure your GA4 ecommerce tracking continues to work properly after implementing caching.
Using deprecated Page Rules: Cloudflare deprecated Page Rules starting in July 2024 for new Free plan accounts. As of January 2025, existing accounts can no longer create new Page Rules on any plan. Existing rules will be automatically migrated during 2025 or beyond, but new implementations should use Cloudflare cache rules WordPress configurations for better flexibility and control.
What Proper Cloudflare Caching Looks Like
When Cloudflare caching is configured correctly for WordPress, you achieve several outcomes simultaneously: public pages load instantly from Cloudflare’s edge network, visitors worldwide experience consistent sub-second TTFB, your origin server handles minimal load (only dynamic requests), the admin dashboard remains private and functional, logged-in users see personalized content, and WooCommerce carts work perfectly.
Cloudflare’s published testing data shows that APO can reduce TTFB by 72%, First Contentful Paint by 23%, and Speed Index by 13% for desktop users at the 90th percentile. Real-world implementations often see TTFB drop from 500ms+ to under 100ms, with cache hit rates improving from 30% to over 90% when HTML caching is properly enabled. One detailed implementation report (BetterLink Blog, December 2025) confirmed a 90% reduction in server load after correctly configuring cache rules.
Guide to Caching WordPress Using Cloudflare: Step-by-Step Setup
Understanding the Basics of Caching with Cloudflare
By default, Cloudflare caches static assets like images, CSS, and JavaScript, but not HTML. For WordPress, this means your pages are still generated by your origin server on every request. To cache HTML (the actual page content), you need either Automatic Platform Optimization (APO) or manual Cache Rules.
Two key concepts to understand for effective WordPress speed optimization Cloudflare:
Edge Cache TTL: How long Cloudflare’s servers keep a cached copy before requesting fresh content from your origin. Longer TTLs reduce origin load but mean changes take longer to appear. With APO, content is cached for 30 days and automatically invalidated within 30 seconds of content changes in WordPress.
Browser Cache TTL: How long visitors’ browsers keep cached resources. This reduces repeat requests but also delays when visitors see updates. Setting this to one month or higher resolves the “Serve static assets with an efficient cache policy” warning in PageSpeed Insights.
Option 1: Cloudflare APO WordPress (Recommended for Most Sites)
Cloudflare’s Automatic Platform Optimization is the easiest and most effective way to implement Caching WordPress Using Cloudflare. APO uses Cloudflare Workers and Workers KV to intelligently cache HTML at the edge while automatically handling dynamic content exclusions.
What Cloudflare APO WordPress does:
APO caches static HTML copies of your pages across Cloudflare’s 330+ global data centers using its Workers KV distributed storage. Unlike traditional CDNs that cache per edge server on the first visit, APO distributes the cache instantly across all locations. It automatically bypasses cache for logged-in users (detecting WordPress cookies), caches third-party fonts at the edge, automatically purges cache when you update content through WordPress (within 30 seconds), and handles all the complex cookie-based exclusions that cause problems with manual configurations.
APO setup steps:
1. Install the official Cloudflare WordPress plugin (version 4.12.8 or later is recommended—Cloudflare resumed active plugin maintenance in September 2025 after a period of minimal updates).
2. Create an API token in your Cloudflare dashboard under My Profile > API Tokens. Use the WordPress template for minimal permissions or create a custom token with Zone:Read and Cache Purge:Write. Avoid using the Global API Key for security reasons.
3. In WordPress, go to Settings > Cloudflare and authenticate with your API token.
4. Enable “Automatic Platform Optimization” in the plugin settings.
5. For Free plan users, APO costs $5/month per site (unlimited subdomains, no traffic caps). It is included free with Pro, Business, and Enterprise plans.
Important: When using APO, do not create additional “Cache Everything” rules. APO handles HTML caching automatically—stacking rules causes conflicts and can result in caching WooCommerce sessions or admin pages. The Cloudflare APO post-launch report confirmed that the most common user issues stem from conflicting cache rules.
APO compatibility note: APO does not support WordPress multisite installations. For sites using responsive design (the same HTML for all devices), APO works seamlessly. However, sites with plugins that serve different markup for mobile browsers may experience issues because APO caches the same HTML version for all visitors. Check the Cloudflare APO documentation for the list of supported plugins and cookie-based bypass rules.
Option 2: Cloudflare Cache Rules WordPress Setup
If you prefer not to use APO, or need more granular control, manual Cloudflare cache rules WordPress configurations provide an alternative approach. Cache Rules replaced the deprecated Page Rules system and offer more flexibility with expression-based filtering. The key difference: “Eligible for cache” in Cache Rules is equivalent to “Cache Everything” in the old Page Rules.
The strategy: Create a bypass rule first (highest priority) to exclude dynamic areas, then create a caching rule for everything else. Cache Rules evaluate in order, with the first matching rule taking precedence.
Step-by-Step Cache Rules Configuration
Rule 1: Bypass Cache for Admin and Dynamic Pages (Create This First)
Navigate to your Cloudflare dashboard > Select your domain > Caching > Cache Rules > Create Rule.
Name: “Bypass WordPress Admin and Dynamic”
Use the Expression Builder or paste this expression:
(starts_with(http.request.uri.path, "/wp-admin")) or (starts_with(http.request.uri.path, "/wp-login")) or (http.request.uri.path contains "/wp-json/") or (http.request.uri.path contains "xmlrpc.php") or (http.cookie contains "wordpress_logged_in_") or (http.cookie contains "wp-") or (http.cookie contains "comment_") or (http.request.uri.path contains "/feed") or (http.request.uri.query contains "preview=true")
Then setting: Bypass cache
Rule 2: Cache Static Content (Create This Second)
Create another rule with lower priority:
Name: “Cache WordPress Static Assets”
Expression:
(starts_with(http.request.uri.path, "/wp-content/uploads")) or (starts_with(http.request.uri.path, "/wp-content/themes")) or (starts_with(http.request.uri.path, "/wp-includes"))
Then settings: Eligible for cache, Edge TTL: 1 month, Browser TTL: 1 day
Rule 3: Cache HTML Pages (Optional – Only If Not Using APO)
If you want to cache HTML without APO, this is where the real WordPress speed optimization Cloudflare happens:
Name: “Cache WordPress Pages”
Expression:
(ends_with(http.request.uri.path, "/")) and (not starts_with(http.request.uri.path, "/wp-")) and (not http.cookie contains "wordpress_logged_in_") and (not http.cookie contains "woocommerce_") and (not http.cookie contains "wp-")
Then settings: Eligible for cache, Edge TTL: 1 week. For the Edge TTL, select “Ignore cache-control header and use this TTL” to force Cloudflare to cache HTML even when your WordPress server sends no-cache headers.
WooCommerce and Dynamic Content Considerations
WooCommerce sites require additional exclusions when setting up Cloudflare cache rules WordPress. Add these to your bypass rule expression:
(http.cookie contains "woocommerce_cart_hash") or (http.cookie contains "woocommerce_items_in_cart") or (http.request.uri.path contains "/cart") or (http.request.uri.path contains "/checkout") or (http.request.uri.path contains "/my-account")
For membership sites, add cookies for your membership plugin. For multilingual sites using WPML or Polylang, ensure language cookies are excluded from caching. Understanding how caching interacts with your ecommerce setup is essential, especially when tracking conversions through tools like GA4. Businesses looking at the broader landscape of online selling should also explore the top ecommerce trends reshaping online shopping in 2026.
Verifying Your Cache Configuration
After setting up your cache configuration, verify it is working correctly:
Check response headers: Open browser DevTools (F12), go to the Network tab, reload a page, and look for the cf-cache-status header. Values mean: HIT (served from cache), MISS (fetched from origin, now cached), DYNAMIC (not eligible for caching), BYPASS (excluded by rule).
For APO specifically: Look for the cf-apo-via header, which indicates content was served through Cloudflare APO WordPress. Additionally, check for the cf-edge-cache: cache,platform=wordpress header in your origin’s response, which confirms APO is properly connected.
Test logged-out vs logged-in: Open an incognito window (logged out) and verify pages show cf-cache-status: HIT. Then log in and verify the same pages show BYPASS or DYNAMIC.
Test from multiple locations: Use KeyCDN’s Performance Test to measure TTFB from 10 global locations. All locations should show similar, fast TTFB when caching works correctly. You should see consistent sub-100ms TTFB globally if HTML caching is active.
Best Cloudflare Settings for WordPress Performance
Beyond caching, these additional settings represent the best Cloudflare settings for WordPress performance:
| Setting | Location | Recommended Value | Why |
|---|---|---|---|
| SSL/TLS Mode | SSL/TLS > Overview | Full (Strict) | Encrypts connection between Cloudflare and origin. For help setting up the certificate, see the Cloudflare Origin Certificate guide |
| Always Use HTTPS | SSL/TLS > Edge Certificates | On | Redirects HTTP to HTTPS, enables HTTP/2 |
| TLS 1.3 | SSL/TLS > Edge Certificates | On | Faster, more secure TLS handshakes |
| Brotli Compression | Speed > Optimization | On | Better compression than gzip (15-20% smaller) |
| Early Hints | Speed > Optimization | On | Preloads critical resources via 103 status code |
| 0-RTT Connection Resumption | Network | On | Faster reconnection for returning visitors |
| HTTP/3 (QUIC) | Network | On | Faster connections on modern browsers |
| Tiered Cache | Caching > Tiered Cache | Smart Tiered Caching | Reduces origin requests by routing cache misses through upper-tier data centers first |
| Browser Cache TTL | Caching > Configuration | 1 month | Resolves “efficient cache policy” PageSpeed warning |
| Argo Smart Routing | Traffic > Argo | On (paid add-on) | Faster routing for global audiences |
| Automatic Signed Exchanges | Speed > Optimization | On (Pro+ or APO) | Enables Google search prefetching, improves LCP |
Image Optimization: If on a paid plan, enable Polish (image compression) and Mirage (lazy loading for mobile). However, disable these for wp-admin using your bypass rule to avoid issues with the media library. On Free plans, rely on WordPress-level image optimization plugins instead.
Cloudflare Zaraz: Consider using Cloudflare Zaraz to manage third-party scripts (analytics, marketing pixels, chat widgets) at the edge rather than loading them in the browser. This reduces JavaScript execution time and directly improves INP scores.
WordPress Speed Optimization: Beyond Caching
Caching WordPress Using Cloudflare dramatically improves TTFB and LCP, but passing all Core Web Vitals requires additional WordPress speed optimization. Since INP replaced FID as a Core Web Vital in March 2024, responsiveness optimization has become more critical.
LCP (Largest Contentful Paint) – Target: Under 2.5 seconds: Use WebP or AVIF image formats for 25-35% better compression. Add fetchpriority="high" to your hero image. Preload critical fonts. Generate critical CSS for above-the-fold content. Plugins like WP Rocket, FlyingPress, or LiteSpeed Cache automate much of this. Enabling Automatic Signed Exchanges (SXGs) in Cloudflare also helps by allowing Google to prefetch your pages directly from search results.
INP (Interaction to Next Paint) – Target: Under 200ms: Defer non-critical JavaScript. Remove unused plugins—each adds JavaScript, CSS, and database queries. Move heavy computations to Web Workers. Break up long tasks by splitting JavaScript into smaller chunks. Audit JavaScript execution time in Chrome DevTools. Cloudflare Zaraz can significantly help here by offloading third-party scripts from the browser. Sites with poor INP scores exceeding 300ms saw more severe ranking impacts during Google’s December 2025 core update.
CLS (Cumulative Layout Shift) – Target: Under 0.1: Always specify width and height attributes on images. Reserve space for ads and embeds before they load. Preload fonts to prevent layout shifts from font swapping. Use lightweight, well-coded themes like GeneratePress, Kadence, or Astra.
Origin server performance still matters: Use PHP 8.2 or higher, implement object caching with Redis or Memcached, choose quality managed WordPress hosting, and keep WordPress core, themes, and plugins updated. The hosting stack matters because cache misses still hit your origin—a well-tuned PHP and database layer remains essential. For deeper SEO improvements, make sure you are also avoiding common SEO myths that could hurt your rankings.
Security Best Practices
Proper caching requires security awareness. Misconfigured caching can expose sensitive data. Follow these practices:
Always use Full (Strict) SSL mode—never “Flexible” which leaves the origin connection unencrypted. For guidance on setting up the required certificate, follow the Cloudflare Origin Certificate setup guide. Enable HSTS (HTTP Strict Transport Security) for additional protection. Block or challenge requests to xmlrpc.php unless you specifically need it—it is a common attack vector. Consider IP whitelisting or additional authentication for wp-admin access. Use Cloudflare’s WAF (Web Application Firewall) rules on paid plans for WordPress-specific protection.
If you are managing cloud infrastructure, you might also benefit from understanding how to set up a private VPN on AWS for secure admin access to your server. Ensuring your site is properly secured alongside caching is also covered in my guide on website security and SEO essentials.
FAQ: Caching WordPress Using Cloudflare
What is the best cache setting for Cloudflare?
For most WordPress sites, Cloudflare APO WordPress provides the best balance of performance and reliability. It caches HTML intelligently while automatically handling all the edge cases (logged-in users, previews, admin) that cause problems with manual setups. If you prefer manual configuration, use Cloudflare cache rules WordPress with “Eligible for cache” for static assets and explicit bypass rules for dynamic content. Set Browser Cache TTL to one month and Edge Cache TTL to one week for HTML or one month for static assets.
Should I use APO or manual Cache Rules?
Use APO if: you want simple, reliable configuration; you are on Cloudflare Free plan ($5/month add-on); you want automatic cache purging within 30 seconds when updating content; and you do not need highly customized caching logic.
Use manual Cache Rules if: you need granular control over what gets cached; you have complex multisite or multilingual setups (APO does not support multisite); you want to avoid the APO cost; or you have specific requirements APO does not address.
Do not use both simultaneously—they conflict and can cause stale admin pages, broken previews, and cached WooCommerce carts.
Are Cloudflare Page Rules still supported?
Cloudflare page rules are deprecated. As of January 2025, no accounts on any plan can create new Page Rules. Existing rules continue to function and will be automatically migrated to the new Rules products during 2025 or beyond—Cloudflare will notify you before any changes. For new implementations, use Cache Rules which offer more flexibility with expression-based filtering. The “Eligible for cache” setting in Cache Rules is equivalent to “Cache Everything” in Page Rules. Cloudflare has committed to running migration with wildcards in place, in small chunks, and separately for all 37 Page Rules types.
Do I still need a WordPress caching plugin with Cloudflare?
Yes, they serve different purposes. Cloudflare caches at the edge (CDN level), while WordPress caching plugins like WP Rocket, LiteSpeed Cache, or W3 Total Cache handle origin-level optimizations: page caching for when requests reach your server (cache misses), database query caching, CSS/JS minification, and critical CSS generation. The Cloudflare APO documentation recommends testing whether keeping your server-side cache plugin active alongside APO improves results, as they operate at different layers and typically complement each other.
Why is my admin bar showing to logged-out visitors?
This happens when a logged-in user’s page view gets cached and served to everyone. The solution is ensuring your cache configuration properly bypasses when WordPress cookies are present. With Cloudflare APO WordPress, this is handled automatically. With manual Cache Rules, verify your bypass rule includes: (http.cookie contains "wordpress_logged_in_"). After fixing, purge all cached content from Cloudflare. As an additional safeguard, always browse your own site in incognito mode to see what visitors actually see.
How do I purge Cloudflare cache after updates?
With APO and the Cloudflare WordPress plugin: cache purges automatically within 30 seconds when you update posts, pages, or theme settings—this is one of APO’s key advantages and a major reason it is recommended over manual configurations.
Manual purge options: In the Cloudflare dashboard, go to Caching > Configuration > Purge Everything (clears entire cache) or use Custom Purge to clear specific URLs. You can also purge from the WordPress admin bar if the Cloudflare plugin is installed and connected. After major site changes (theme switch, permalink changes), always do a full cache purge.
How many data centers does Cloudflare have?
As of early 2026, Cloudflare operates data centers in over 330 cities across 120+ countries globally. This extensive network is what makes Caching WordPress Using Cloudflare so effective—your cached content is served from the location closest to each visitor, dramatically reducing latency regardless of where your origin server is hosted. With Smart Tiered Caching enabled, cache misses are routed through upper-tier data centers first, further reducing requests to your origin server.
Your Next Step
Proper Caching WordPress Using Cloudflare can transform a sluggish site into one that loads instantly for visitors worldwide. The key is choosing the right approach for your needs—Cloudflare APO WordPress for simplicity and reliability, or manual Cloudflare cache rules WordPress for granular control—and verifying the configuration works correctly before assuming you are done.
Start by testing your current site performance with PageSpeed Insights and KeyCDN’s global TTFB test. Implement caching following this guide, then retest to measure improvement. The difference should be immediately visible in both metrics and real-world user experience—expect TTFB to drop from 500ms to around 100ms and cache hit rates to climb above 90%. If you are also looking to boost your organic traffic, you might want to explore proven strategies for building free backlinks to pair your speed improvements with stronger authority signals.
Related reading:
- Cloudflare Origin Certificate: Complete Setup Guide
- Navigating SEO: My Personal Journey, 10 SEO Tips, and Tools to Boost Your Rankings
- How to Set Up a Private VPN on AWS: Ultimate Complete Guide
- 15 SEO Myths You Should Ignore in 2026
Sources: Cloudflare Blog APO Announcement, Cloudflare APO Post-Launch Report, Cloudflare Page Rules Migration Guide (2025), W3Techs WordPress Market Share (January 2026), WPZOOM WordPress Statistics (January 2026), Store Leads WooCommerce Market Report (March 2025), Google Search Central Core Web Vitals Documentation.
Husain Alhaboubi is Director of Digital Channels at Mobily, where he leads platform optimization, AI-powered customer engagement, and UI/UX strategy. With 20+ years of experience spanning eCommerce, IT infrastructure, and digital marketing, he previously drove a 225% revenue increase and 69% organic traffic growth as eCommerce Senior Manager at flyadeal, and managed enterprise IT operations — including data centers, ERP systems, and network security — as Group IT Manager at IPD Group.
Husain holds a BS in Information Systems from the University of Texas at Arlington and is certified in Google Ads, Google Analytics, and Semrush SEO. He writes from hands-on experience across both sides of digital business: the strategic (eCommerce, SEO, AI, digital transformation) and the technical (server administration, cloud computing, web development, networking, and security) — with a particular focus on the Saudi market and Vision 2030. Read his full resume →