Cloudflare WAF + LSCache Security
Cloudflare and LSCache solve different problems: Cloudflare blocks bad traffic at the edge, while LSCache serves cached HTML quickly at the origin. This page shows how to configure both so security rules don't break caching, and caching doesn't leak personalized content.
Responsibilities by Layer
| Layer | Owns | Notes |
|---|---|---|
| Cloudflare edge | WAF, bot controls, rate limits, IP reputation | Stop bad traffic before it reaches PHP |
| Origin web server | file access rules, optional ModSecurity, firewall | Cheap filtering close to the kernel/web server |
| LSCache (WordPress) | page cache + exclusions + ESI (if used) | Ensure cache is safe for WordPress session behavior |
Cloudflare Baseline (WordPress-Safe)
Recommended starting point:
- Enable managed WAF rules.
- Protect login attempts (rate limit or challenge on POSTs to wp-login.php).
- Block /xmlrpc.php if you do not use it.
- Avoid broad blocks of /wp-json/.
Example WAF expressions (Cloudflare expression language):
http.request.uri.path eq "/xmlrpc.php"
http.request.uri.path eq "/wp-login.php" and http.request.method eq "POST"
Do not cache or block /wp-json/ broadly. Gutenberg and many plugins rely on REST endpoints.
LSCache Exclusions (Minimum)
Make sure LSCache does not cache transactional or authenticated pages.
Exclude pages/paths:
/wp-admin/, /wp-login.php, /cart/, /checkout/, /my-account/
Bypass caching when these cookies are present:
wordpress_logged_in_, wp_woocommerce_session_, woocommerce_cart_hash
If you use ESI for WooCommerce, keep fragments small (mini-cart count, account widget) and verify no leakage across sessions.
Verification (Headers)
A public page should show cache hits once the cache is warm:
curl -I https://example.com/ | grep -iE 'cf-cache-status|x-litespeed-cache'
Checkout should bypass both caches:
curl -I https://example.com/checkout/ | grep -iE 'cf-cache-status|x-litespeed-cache'
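The two curl checks above can be turned into a policy test that flags a cache hit on any path or cookie that the exclusion list says must bypass. This is an added example, not part of the original page or of the LSCache plugin; the header blobs are constructed to look like `curl -I` output, and the path and cookie lists are taken from the exclusions above.

```python
import urllib.request
from urllib.error import HTTPError

# Paths from the exclusion list above: never served from cache.
UNCACHEABLE_PATHS = ("/wp-admin/", "/wp-login.php", "/cart/", "/checkout/", "/my-account/")
# Cookie name prefixes from the bypass list above.
BYPASS_COOKIE_PREFIXES = ("wordpress_logged_in_", "wp_woocommerce_session_", "woocommerce_cart_hash")

# Constructed samples of `curl -I` output (not captured from a real site).
PUBLIC_RAW = "HTTP/2 200\ncf-cache-status: HIT\nx-litespeed-cache: hit\n"
CHECKOUT_RAW = "HTTP/2 200\ncf-cache-status: DYNAMIC\nx-litespeed-cache-control: no-cache\n"


def parse_raw_headers(raw):
    """Turn the text printed by `curl -I` into a {name: value} dict (status line dropped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def must_bypass(path, cookies):
    """Policy: excluded paths and bypass cookies must never be served from cache."""
    if any(path.startswith(p) for p in UNCACHEABLE_PATHS):
        return True
    return any(name.startswith(pre) for name in cookies for pre in BYPASS_COOKIE_PREFIXES)


def cache_state(headers):
    """Reduce Cloudflare and LSCache headers to 'cached' or 'not-cached'."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    cf_hit = h.get("cf-cache-status", "") in ("hit", "stale", "revalidated")
    ls_hit = h.get("x-litespeed-cache", "").startswith("hit")  # e.g. "hit" or "hit,litemage"
    return "cached" if (cf_hit or ls_hit) else "not-cached"


def check(path, cookies, headers):
    """Return (ok, message): ok is False when a must-bypass request came from cache."""
    state = cache_state(headers)
    if must_bypass(path, cookies) and state == "cached":
        return False, f"{path}: served from cache but policy requires bypass"
    return True, f"{path}: {state}"


def fetch_headers(url, cookies=None):
    """Live HEAD request (like `curl -I`); 4xx/5xx responses still yield headers."""
    req = urllib.request.Request(url, method="HEAD")
    if cookies:
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    try:
        with urllib.request.urlopen(req) as resp:
            return dict(resp.headers)
    except HTTPError as err:
        return dict(err.headers)
```

Run `check("/checkout/", {}, fetch_headers("https://example.com/checkout/"))` against a real origin, and repeat with a `wordpress_logged_in_*` cookie on the public page, to confirm both bypass conditions hold.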
Common Failure Modes
| Symptom | Likely Cause | Fix |
|---|---|---|
| Users see cached content when logged in | Cookie bypass missing | Add bypass for wordpress_logged_in_ and Woo session cookies |
| Cart/checkout breaks | Transactional routes cached | Exclude cart/checkout/account and retest checkout end-to-end |
| Legit users blocked | Over-aggressive WAF/rate limits | Start with challenge/rate limit, review events, tune thresholds |
| Double challenges at login | Multiple layers limiting login | Pick one layer for login protections (edge preferred) |