Edge Rules

74 rules. One click.
No guesswork.

Bunny doesn't cache HTML automatically, it needs pull zone rules to know what to cache, what to bypass, and how to handle every WordPress request safely. This plugin writes all of them.

74
Total rules
9
Categories
40+
Bypass rules
1
Click to deploy
How Bunny edge rules work

A condition and
an action. That's it.

Every Bunny edge rule is built from the same two parts: a trigger condition that matches something about the request, and an action that runs when it matches. The power comes from having the right 74 rules, in the right order, covering every WordPress scenario.

Runs at the edge — rules execute inside Bunny's network before a request reaches your origin server
Multiple conditions — URL patterns, cookie names, request headers, remote IP, or response status can all be used as triggers
Chainable actions — a single rule can bypass cache and disable WAF and add a header in one operation
Deployed via API — this plugin writes all 74 rules to your pull zone through Bunny's API, tracked by GUID
Anatomy of a Bunny edge rule
IF
Trigger condition
What the rule matches on, URL path, cookie, header, IP address, or response code. Multiple conditions can be joined with AND / OR logic.
THEN
Primary action
What happens when the condition matches, cache the response, bypass cache, redirect, override TTL, add or remove headers, disable WAF, or force SSL.
ALSO
Extra actions (optional)
Additional actions on the same match. One rule can bypass cache and disable WAF simultaneously, no need for two separate rules.
// Rule 02 — WP admin: bypass cache + disable WAF IF URL path matches /wp-admin/* THEN Override cache TTL → 0 (bypass) ALSO Disable Shield WAF → true
Complete ruleset

Every rule, every category.

Click any category to expand. Rules are listed in deploy order, earlier rules take priority over later ones.

WP Bunny Connector — Edge Ruleset 74 rules across 9 categories
Core WordPress 10 rules Slots 01–10
01
Force SSLHTTP → HTTPS permanent redirect
Core
02
Disable Shield & WAF — WP adminCookie: wpbc_role present on wp-admin/*
Bypass
03
Disable Shield & WAF — REST APIPath: /wp-json/* bypasses WAF inspection
Bypass
04
Bypass cache — logged-in usersCookie: wordpress_logged_in_*
Bypass
05
Bypass cache — WP admin pathsURL: /wp-admin/*, /wp-login.php
Bypass
06
Bypass cache — POST requestsMethod: POST, forms, AJAX, submissions
Bypass
07
Bypass cache — WP-CronURL: /wp-cron.php, always hits origin
Bypass
08
Bypass cache — Search resultsQuery string: ?s= present
Bypass
09
Bypass cache — RSS/Atom feedsURL: /feed/*, /feed, ?feed=*
Bypass
10
Bypass cache — REST API requestsURL: /wp-json/*, always fetch fresh
Bypass
HTML Caching 2 rules Slots 11–12
11
Cache HTML — anonymous visitorsAll GET requests that haven't matched a bypass rule above
Cache
12
Override cache TTL — HTML pagesSets TTL for cached HTML responses (configurable)
Cache
Ecommerce 18 rules Slots 13–30
13
Bypass — Cart pageURL: cart page ID from plugin settings
Bypass
14
Bypass — Checkout pageURL: checkout page ID from plugin settings
Bypass
15
Bypass — Order confirmationURL: order-received slug
Bypass
16
Bypass — Cart cookie presentCookie: session/cart cookie from active platform
Bypass
17
Bypass — AJAX endpointsURL: /wp-admin/admin-ajax.php, all ecommerce AJAX
Bypass
18–30
Bypass — Additional ecommerce pagesAccount, returns, my-orders, product AJAX, and platform-specific paths across 6 supported platforms
Bypass
Membership 13 rules Slots 31–43
31
Bypass — Member dashboardURL: member dashboard page ID from plugin settings
Bypass
32
Bypass — Registration pageURL: registration/signup page ID
Bypass
33
Bypass — Login pageURL: custom login page ID from plugin settings
Bypass
34
Bypass — Account/profile pageURL: profile and account edit pages
Bypass
35–43
Bypass — Membership-specific pathsThank-you, invoice, restriction, and gating pages across 13 supported membership plugins
Bypass
LMS 9 rules Slots 44–52
44
Bypass — Student dashboardURL: student dashboard page ID from LMS settings
Bypass
45
Bypass — Course enrollmentURL: enrollment/checkout page from LMS settings
Bypass
46
Bypass — Quiz and lesson pagesURL slugs: /quiz/*, /lesson/* (active LMS slug)
Bypass
47–52
Bypass — LMS-specific pathsCertificate, profile, order, and progress pages across 9 supported LMS plugins
Bypass
Booking & Events 6 rules Slots 53–58
53–54
Bypass — Booking confirmation pagesThank-you and confirmation page IDs from booking plugin settings
Bypass
55–56
Bypass — Event registrationRegistration and RSVP pages from events plugin settings
Bypass
57–58
Bypass — Appointment portalsCustomer-facing appointment management pages
Bypass
Static & Performance 8 rules Slots 59–66
59
Long TTL — CSS and JSExtension: .css, .js, 1-year cache TTL
Cache
60
Long TTL — ImagesExtension: .jpg, .jpeg, .png, .gif, .webp, .avif, .svg
Cache
61
Long TTL — FontsExtension: .woff, .woff2, .ttf, .eot
Cache
62
Ignore query strings — static filesStrips ?ver= and cache-busting QS from static asset URLs
Cache
63
CORS headers — static assetsAdds Access-Control-Allow-Origin for font/asset cross-origin requests
Header
64–66
Additional static file rulesVideo files, documents, and media with appropriate TTLs
Cache
Security Headers 4 rules Slots 67–70
67
HSTS headerStrict-Transport-Security: max-age=31536000; includeSubDomains
Header
68
X-Frame-Options headerPrevents clickjacking by disallowing iframe embedding
Header
69
X-Content-Type-Options headernosniff, prevents MIME-type sniffing attacks
Header
70
Referrer-Policy headerControls referrer information sent with requests
Header
WAF / Trusted IPs 4 rules Slots 71–74
71–74
Trusted IP whitelist — WAF bypassUp to 5 IPs/CIDRs per rule, auto-batched from your whitelist. Bypasses Bunny Shield inspection for payment gateways, office networks, staging IPs.
Optional
Rule execution order

Bypass rules always
run before cache rules.

Bunny evaluates edge rules in slot order, top to bottom. The rule sequence is intentional, all bypass conditions are checked before the HTML cache rule at slot 11. This guarantees that logged-in users, cart sessions, and admin paths can never be served cached HTML.

Slots 01–10 are bypass-first — every core WordPress bypass condition is evaluated before anything gets cached
Slot 11 is the HTML cache gate — only requests that passed all bypass checks reach this rule
Ecommerce and membership slots run after — catching plugin-specific bypass cases that core rules don't cover
Static and security rules run last — applying performance and header rules to everything that reaches them
Request evaluation — example: logged-in user
01–10
Core bypass rules evaluated
Slots 01–10
Rule 04 matches, cookie wordpress_logged_in_* is present on this request.
→ Cache TTL overridden to 0. Request bypasses edge cache.
11
HTML cache rule
Slot 11
Not reached, request was already bypassed at slot 04.
Not reached
59–66
Static file rules
Slots 59–66
Not reached, only applies to static file extensions (.css, .js, images).
Not reached
67–74
Security + WAF rules
Slots 67–74
Not reached, security headers apply to responses, not this bypassed request.
Not reached
Request forwarded to origin. WordPress generates the response normally.
Deploy system

One click. No duplicates.
Safe to redeploy anytime.

Every rule is tracked by its Bunny GUID. When you redeploy, the plugin updates existing rules in place rather than creating new ones. Your other pull zone rules, ones not managed by this plugin, are never touched.

GUID tracking
Each rule's Bunny GUID is stored in the WordPress database. On redeploy, rules are updated via PATCH, not re-created via POST. No duplicates, ever.
Non-destructive
Rules not managed by this plugin, custom rules you've added in the Bunny dashboard, are untouched. The plugin only manages rules it created.
Enable / disable per rule
Toggle individual rules on or off in the Settings UI before deploying. Disabled rules are excluded from the API call entirely, not deployed as inactive.
Auto-detects active plugins
At deploy time, the plugin checks which ecommerce, membership, and LMS plugins are active. Only rules for installed plugins are deployed, no orphaned rules.
Deploying edge ruleset… Redeploy
Rule 01 — Force SSL updated (GUID: a1b2c3d)
Rule 02 — WAF bypass: wp-admin updated
Rule 04 — Bypass: logged-in users updated
Rule 11 — Cache HTML: anonymous visitors updated
Rule 13 — Bypass: cart page (WooCommerce detected)
Rule 14 — Bypass: checkout page (WooCommerce detected)
Rules 44–52 — LMS: no LMS plugin detected, skipped
Rules 71–74 — WAF whitelist: disabled, skipped
Rules 67–70 — Security headers updated
58
Updated
16
Skipped
0
Created new
0
Duplicates

74 rules, deployed in
one click.

Free on WordPress.org. Connect your Bunny API key, hit Deploy, and your pull zone is configured correctly for WordPress, in under a minute.

Free forever · GPL-2.0+ · WordPress.org · Tested up to WordPress 7.0

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only