Bypass wp backend caching with custom login URL

Hi. I’ve used a plugin to change my wp-admin URL to something else for improved security. When I’m setting up a rule in Cloudflare to bypass caching of my WordPress backend, should I use …/wp-admin/* or “my custom login URL”/*?


Cloudflare would not by default cache your admin or login pages, so I’d assume you want to bypass cache because you have a ‘cache-everything’ page rule in place. If this is the case, you need to avoid caching on both your admin and login pages, so you need page rules for /wp-admin* and for your /custom-login-page.

If you want (or need) to save one page rule, you might want to consider naming your custom login page to a name beginning with wp-, then adding a page rule for /wp-* with settings unrelated to caching, such as security level, always use HTTPS etc. It would cover both (as well as other WordPress paths that must not be cached, such as./wp-json*), without affecting the caching of static files under /wp-content/*.This page rule must be placed before the ‘cache everything’ rule.


Hi, and thank you for your reply.

The rules I have today are based on a page-speed guide from ages ago.

  1.* Cache Level: Cache Everything
  2. Cache Level: Bypass (with asterisk before and afterpreview=true but the forum editor removes them for some reason)
  3.* Cache Level: Bypass

So if I change my custom login to wp-something, change the last rule to* Cache Level: Bypass, and move it before the Cache Everything rule, I should be good regarding caching rules?

I’ve set the security level in the CF security settings but wasn’t aware this was set by rules? Is it something worth looking into?

I believe I’ve set force SSL through an app or cPanel, maybe both (I don’t remember at the moment).

Yes, I’d think so. With your current order, the cache everything rules would never be triggered, as only one page rule is applied to any given request.

The security level in the Dashboard applies to the whole zone. With a page rule, you can set a different security level for a specific path. So you could have “medium” as security level for your zone, and (with a page rule) “high” as security level for your admin/login pages.

Awesome, thanks again. Should I put the cache everything rule at the bottom, even after the “priview=true” bypass rule?

Yes. The idea is that when a request starts with /wp-, and in your case preview=true, it would trigger the bypass rule, while all other requests won’t match (and therefore will skip) those rules, and will instead trigger the cache-everything one.

If I may ask one more question: Won’t the page rule set to bypass the cache for everything that begins with /wp-* also prevent caching of the files under /wp-content similar to how it does to wp-admin and mu custom login name (wp-something)? From what I understand from your first post, the files under /wp-content should be cached, right?

This is my current setting (so we’re on the same page)

  1.* Bypass cache
  2. preview=true asterisk Bypass cache
  3.* Cache Everything

Sorry if this is a stupid question; maybe I’m misunderstanding how the bypass works.

You’re right, somehow I got distracted mid-thread, sorry about that. You should not use “cache level: bypass” for /wp-*.

The original suggestion stands, where for /wp-* you’d use any non-cache setting (such as security level, always use HTTPS etc.) This way, you’d have every path beginning with /wp-* avoiding the cache-everything rule.

But since you are not using “cache-level: bypass”, Cloudflare will apply its default caching behavior, which is to not cache dynamic content (such as php/html from /wp-admin, /wp-json, /wp-your-login-page, etc.), while caching static content, such as images and fonts from /wp-content.

I’m not sure I understand what you mean.

My goal is simple: to cache everything that should be cached but not my wp backend. Maybe it is better if you write the rules as to how I can achieve this?

1 Like

Here’s what i have in one of my WP sites. (Second rule is irrelevant to our discussion, so I redacted it)

First rule sets the exception to the “cache everything” setting of the last rule. But it does not do so by setting “cache level: bypass”. Instead, it has other settings. This way, the cache level for any path beginning with /wp- will be Standard, which is set in the Dashboard>Caching>Configuration>Cache Level. And the standard cache behavior in Cloudflare is that dynamic content is not cached, but static files are.

BTW, I have a post on that site that explains in a lot more detail what’s been discussed here. It may help you, though I’m just back after a few months away from all things related to website admin, and I’m not familiar yet with the new Cache Rules, which may be used now instead of Page Rules.

I just realized I should turn off every page rule until I have the time to fully understand how they work and not just set them based on a random page speed post. I guess I’ll have to save that for a (really) rainy day. Thanks anyway.

1 Like