Cloudflare redirects are rules you set up in Cloudflare that automatically send visitors from one URL to another before the request reaches your server.
Redirect Rules and Bulk Redirects execute before Cloudflare Rules
On a Cloudflare Free account, you get 10 Redirect Rules.
Redirect from HTTP to HTTPS
That rule forces all incoming HTTP traffic to use HTTPS by matching any request whose URL starts with https:// and permanently redirecting it to the same domain, path, and query string over https://.
| Incoming Requests | Wildcard pattern |
| Request URL | https://* |
| Target URL | https://${1} |
| Status Code | 301 |
| Preserve Query Strings | Yes |
Because it uses a 301 status code, browsers and search engines treat the HTTPS version as the permanent.
Custom Uploads Folder
I block direct access to wp-content, wp-admin, and wp-includes to reduce WordPress’s exposed attack surface.
Public assets are served through a separate, neutral path, while WordPress main folders stay locked down behind firewall rules.
| Incoming Requests | Wildcard pattern |
| Request URL | https://example.com/wp-content/uploads/* |
| Target URL | https://example.com/assets/${1} |
| Status Code | 301 |
Make sure you keep that redirect active for a year since:
- Old URLs indexed by search engines
- Cached URLs in browsers, CDNs, emails, and social posts
I removed after a year since continued requests to the old uploads path are likely to be bots, scrapers, or stale automated scans.
You can learn more about changing default media upload directory here.
Removing Query Strings
A query string is the part of a URL that comes after the ?, used to pass extra information to a website
https://example.com/page?utm_source=google&utm_campaign=spring
What query strings are used for
- Tracking (analytics, ads, email links)
- Filtering or sorting content
- Pagination (
?page=2) - Cache-busting (
style.css?ver=123) - APIs / forms (passing data)
I don’t have any forms on my website. The search works in a static way, and pretty much everything is handled by scripts on the client side. I’m also working locally so most query strings hitting my site are unnecessary and often come from bots.
This is the Cloudflare Bulk redirect to remove all query strings.
| Incoming Requests | Custom Filter Expression |
| URI Full Contains | ? |
| Redirect Type | Dynamic |
| Expression | http.request.uri.path |
| Status Code | 301 |
I’ve been using it this way for quite a while and, honestly, I hadn’t really thought much about query strings until now. Looking at it again, I think it probably makes sense to handle them properly with Cloudflare rules instead.
Redirect Bots to Correct Sitemaps
I use WordPress sitemaps customized via MU-Plugins. Some bots attempt to access sitemap.xml or sitemaps.xml and fail to locate the correct sitemap.
This is what you should to redirect those requests to the proper sitemap.
| Incoming Requests | Custom Filter Expression |
| URI Path Starts with | /sitemap |
| Redirect Type | Static |
| Expression | https://example.org/wp-sitemap.xml |
| Status Code | 301 |
Redirect File Extensions
The other day, I created an MU-Plugin to convert all images to WebP and apply the changes directly in the database.
I also wrote a bulk redirect rule to handle the updates:
| Incoming Requests | Wildcard pattern |
| Request URL | https://example.org/assets/*.png |
| Target URL | https://example.org/assets/${1}.webp |
| Status Code | 301 |
| Preserve Query Strings | Yes |
What Cloudflare Bulk Redirects is Missing
Cloudflare Bulk Redirects do not provide per-rule hit counts.
In other words, Cloudflare does not tell you:
- how many times a specific bulk redirect rule fired
- which old URL is still being requested
- whether a given redirect is only hit by bots or real users
Bulk Redirects are intentionally simple and fast: they match and redirect at the edge, but no analytics are attached to individual rules.
Manuel Campos
I'm a WordPress enthusiast. I document my journey and provide actionable insights to help you navigate the ever-evolving world of WordPress."
