How To Set Up Page Rules In Cloudflare To Bypass Cache On Login URLs?
Caching speeds up your website. But it can cause real trouble on login pages. When Cloudflare caches a login URL, visitors may see stale forms, broken sessions, or even another user’s logged in screen. That is a problem you want to fix fast.
This guide shows you how to bypass cache on login URLs using Cloudflare. You will learn the exact steps, the right settings, and the smart way to handle the move to Cache Rules. Let us walk through it together.
In a Nutshell:
- Login pages should never be cached. Pages like
/wp-login.php,/wp-admin, and custom login URLs hold dynamic, user specific content. Caching them creates session errors and security risks. - Page Rules still work, but they are being phased out. Cloudflare is moving everyone to Cache Rules. New setups should use Cache Rules instead of Page Rules whenever possible.
- The “Bypass Cache” setting is your main tool. Whether you use Page Rules or Cache Rules, the goal is the same. You tell Cloudflare to skip the cache for login paths.
- Wildcards matter a lot. A pattern like
*example.com/wp-admin*covers the admin area and its subpages. Getting the wildcard right means full coverage. - Cookie based bypass protects logged in users. You can bypass cache when a login cookie is present. This keeps cached speed for visitors while keeping fresh pages for logged in users.
- Always test after setup. Use cache headers and your browser tools to confirm the bypass works before you trust it.
Why Login URLs Should Never Be Cached
Login URLs work differently from normal pages. They depend on sessions, tokens, and cookies that change for each visitor. When Cloudflare caches one of these pages, it stores a single copy and serves it to everyone.
This creates serious issues. A user might see a login form that never submits. Worse, one person could load another person’s logged in dashboard from the cache. That is a privacy and security failure.
Login pages also carry security tokens like CSRF protection. Cached tokens expire and break form submissions. So your login simply stops working. Bypassing cache on these URLs keeps each session private, fresh, and safe.
Understanding How Cloudflare Caching Works
Cloudflare sits between your visitors and your origin server. It stores copies of your files in data centers around the world. When someone visits your site, Cloudflare serves the cached copy from the nearest location. This makes pages load fast.
By default, Cloudflare caches static files like images, CSS, and JavaScript. It usually leaves dynamic HTML alone. But many users turn on “Cache Everything” to speed up their whole site. This is where login pages get caught in the cache.
Once you enable aggressive caching, you must add exceptions. Login URLs need to be excluded. Understanding this flow helps you see exactly why a bypass rule is needed and where it fits.
Page Rules Versus Cache Rules: What Changed
Cloudflare announced that Page Rules are now deprecated. They still work for now, and existing rules keep running. But Cloudflare plans to migrate everyone to modern Rules products. This migration is set for late 2025 or beyond, and Cloudflare handles it automatically.
Cache Rules are the replacement for the caching parts of Page Rules. They run on a newer engine called the Ruleset Engine. This engine gives you more fields, better matching, and easier debugging.
Here is the key difference. Page Rules use the first match wins logic. Cache Rules are stackable, so the last matching rule wins. Cache Rules also take precedence over Page Rules. If both set caching for the same path, the Cache Rule overrides the Page Rule.
What You Need Before You Start
A little preparation makes the whole process smooth. Gather these things first so you do not get stuck halfway through your setup.
You need an active Cloudflare account with your domain added and the DNS proxied through Cloudflare. Your domain must show the orange cloud in the DNS settings. Without the proxy, no caching rules apply.
You should also know your exact login URLs. For WordPress, these are usually /wp-login.php and /wp-admin. If you use a custom login URL, write it down now. Plugins like security tools often rename your login path.
Finally, check your plan. Free plans have limited Page Rules, while Cache Rules offer higher quotas. Knowing your limits helps you plan how many rules you can create.
Step By Step: Bypass Cache With Page Rules
Page Rules still work, so here is the classic method. Log into your Cloudflare dashboard and select your domain. Then open the Rules section and click on Page Rules.
Click Create Page Rule. In the URL field, enter your login pattern. For WordPress admin, type *yourdomain.com/wp-admin*. The wildcards at the start and end matter because they cover subpages and ignore the protocol.
Next, pick the setting Cache Level. From the dropdown, choose Bypass. This tells Cloudflare to skip cache for every URL that matches the pattern. Save and deploy the rule.
Repeat this for *yourdomain.com/wp-login.php*. You now have two rules protecting your login system. Each match forces a fresh response straight from your origin server.
Step By Step: Bypass Cache With Cache Rules
Cache Rules are the modern path, and Cloudflare recommends them for new setups. Open your dashboard, select your domain, and go to Caching, then Cache Rules. Click Create rule and give it a clear name like “Bypass Login Cache”.
Under When incoming requests match, choose Custom filter expression. You can use the simple builder or the editor. In the builder, set the field to URI Path, the operator to contains, and the value to /wp-admin.
For more paths, you can use the expression editor. Type something like (http.request.uri.path contains "/wp-admin") or (http.request.uri.path contains "/wp-login.php"). This single rule covers both login paths at once.
Then under Cache eligibility, select Bypass cache. Save and deploy. Cloudflare now skips the cache for any request matching those login paths.
Using Wildcards And Patterns The Right Way
Patterns control which URLs your rule catches. A small mistake here can leave login pages exposed or block the wrong content. So learning the pattern rules pays off.
In Page Rules, the asterisk acts as a wildcard. The pattern *example.com/wp-admin* matches any subdomain, any protocol, and all admin subpages. The leading asterisk handles www and other prefixes. The trailing asterisk handles deeper paths and query strings.
In Cache Rules, matching works on fields like URI Path. The path does not include the domain or protocol, which makes expressions cleaner. You match /wp-admin directly without worrying about http or https.
Remember that Cache Rules include query strings automatically in full URI matching. Add a trailing wildcard when needed. Test each pattern to confirm it covers exactly what you intend.
Bypassing Cache Based On Login Cookies
Sometimes you want to cache pages for guests but bypass cache for logged in users. Cookie based bypass solves this perfectly. WordPress sets a cookie like wordpress_logged_in_ when a user signs in.
In Cache Rules, create a rule with this expression: (http.cookie contains "wordpress_logged_in_"). Set the cache eligibility to Bypass cache. Now any visitor with that login cookie gets fresh, uncached pages.
Guests without the cookie still get fast cached content. This gives you the best of both worlds. Speed for the public and accuracy for logged in members.
This method shines on membership sites and stores. It keeps personalized content correct while keeping your homepage and posts cached. Just confirm the exact cookie name your platform uses before you build the rule.
Pros And Cons Of Page Rules Versus Cache Rules
Choosing between the two methods depends on your needs. Both can bypass cache on login URLs, but each has clear strengths and weaknesses. Here is a fair comparison.
Page Rules Pros: They are simple and beginner friendly. You set a URL pattern and pick a setting. The interface is easy to understand for new users who just want a quick fix.
Page Rules Cons: They are deprecated and limited in number. They use first match wins logic, which can confuse setups with many rules. They also lack the fine control of modern rules.
Cache Rules Pros: They offer higher limits, precise field matching, and easier debugging. They take precedence over Page Rules and use a modern engine. They are future proof.
Cache Rules Cons: The filter expressions feel more technical at first. New users may need time to learn the syntax. But the power is worth the small learning curve.
Testing If Your Cache Bypass Works
Building the rule is only half the job. You must confirm it actually works. Testing protects you from hidden caching errors that could break logins later.
Open your browser developer tools and go to the Network tab. Visit your login URL and click the request. Look at the response headers for a line called CF-Cache-Status. For a bypassed page, it should read BYPASS or DYNAMIC.
If it shows HIT, your rule is not working. A HIT means Cloudflare is still serving a cached copy. Check your pattern and rule order. Make sure no other rule with “Cache Everything” is overriding your bypass.
You can also use the Cloudflare Trace tool. It shows which rules apply to a request. This makes troubleshooting fast and clear.
Common Mistakes And How To Fix Them
Many users set up a bypass rule and still see cached login pages. Knowing the common errors helps you fix them quickly. Most problems come from rule order or wrong patterns.
The first mistake is rule order. In Page Rules, the first matching rule wins. If a broad “Cache Everything” rule sits above your bypass rule, it triggers first. Move your bypass rule to the top.
The second mistake is a wrong pattern. A missing wildcard can leave subpages cached. Double check that your pattern covers all login paths, including custom ones.
The third mistake is forgetting Cache Rules override Page Rules. If both exist, the Cache Rule wins. Keep your caching logic in one system to avoid conflicts and confusion.
Best Practices For Login Page Caching
A few smart habits keep your login system safe and fast over time. These practices apply whether you use Page Rules or Cache Rules. Follow them and you will avoid most caching headaches.
Always bypass cache on every login and admin path. Include forgot password and registration pages too, since they also use dynamic tokens. Leaving them cached can break the user flow.
Use cookie based bypass for logged in sessions on dynamic sites. This protects personalized content without slowing down public pages. It is the cleanest setup for stores and membership platforms.
Keep your rules documented and named clearly. Review them after any plugin or theme change that alters login URLs. Finally, purge your cache after editing rules so old cached copies clear out immediately.
Frequently Asked Questions
Does Cloudflare cache login pages by default?
No, Cloudflare does not cache dynamic HTML like login pages by default. It mainly caches static assets such as images and scripts. Problems appear only when you enable “Cache Everything” through a rule. That setting forces caching on all pages, including login URLs, which is why a bypass rule becomes necessary.
Should I use Page Rules or Cache Rules now?
You should use Cache Rules for any new setup. Cloudflare has deprecated Page Rules and plans to migrate everyone automatically. Cache Rules offer higher limits, better matching, and a modern engine. Existing Page Rules still work for now, so there is no urgent rush, but Cache Rules are the future safe choice.
What is the difference between Bypass and Cache Everything?
Cache Everything stores every page in Cloudflare’s cache, including dynamic ones. Bypass does the opposite and tells Cloudflare to skip the cache entirely for matching URLs. Login pages need Bypass so each request goes fresh to your origin server. This keeps sessions, tokens, and personalized content accurate.
How do I bypass cache only for logged in users?
Use a cookie based rule. Create a Cache Rule with the expression that checks for your login cookie, such as wordpress_logged_in_. Set it to Bypass cache. Visitors with the cookie get fresh pages, while guests still enjoy fast cached content. This is ideal for membership sites and online stores.
Why is my login page still cached after adding a rule?
The usual cause is rule order or a conflicting rule. A broad “Cache Everything” rule may run before your bypass rule. Cache Rules also override Page Rules. Check the CF-Cache-Status header to confirm the status. If it shows HIT, fix your pattern, reorder rules, and purge the cache.
Do custom login URLs need separate rules?
Yes. If a security plugin renames your login path, the default /wp-login.php rule will not catch it. You must create a rule for your exact custom URL. For example, if your login is /secure-login, add a bypass rule matching that path. Always confirm your real login URL before building any rule.
Hi, I’m Jessamine Rowell, the founder and voice behind ResizeMake (https://resizemake.com/), a space where I share my love for technology with the world. I write detailed and honest reviews on the latest tech products, gadgets, electronic devices, and trending Amazon items to help readers make smarter buying decisions.
