How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Support FAQ
A CDN can make a WordPress site faster by serving static assets and suitable public pages from edge locations instead of sending every request to PHP, the database, and the web server. It can also reduce bandwidth, protect the origin from spikes, and place security controls in front of common WordPress attack paths.
The difficult part is that WordPress sites are rarely just static pages. A single installation may include anonymous blog posts, logged-in editors, preview pages, comments, search, REST API endpoints, AJAX handlers, WooCommerce carts, membership content, and plugins that add their own cookies or query strings. A good CDN setup treats those routes differently.
The safest planning step is to group requests by behavior.
Static assets are usually the easiest win. Files under themes, plugins, uploads, fonts, images, CSS, and JavaScript can often be cached for a long time, especially when filenames or query strings change during deployment. Image-heavy WordPress sites often see large bandwidth reductions from asset caching and image optimisation.
Anonymous public pages are the next opportunity. Blog posts, category pages, landing pages, and documentation pages may be cacheable if they do not vary by visitor. These pages are more sensitive than static assets because they are generated by WordPress and may change when editors publish, update menus, moderate comments, or change widgets.
Logged-in and state-changing routes need caution. Admin pages, previews, checkout, cart, account pages, form submissions, comment posting, REST writes, and AJAX actions should normally bypass shared cache. Some read-only API responses can be cached, but only when the response does not include private data and the cache key includes every attribute that changes the response.
For assets, use clear freshness headers and avoid unnecessary variation. If a file is fingerprinted or versioned, it can usually have a long lifetime. If a site uses query strings for asset versions, decide whether the CDN should include those query strings in the cache key. Ignoring all query strings can improve reuse, but it can also serve old assets if the query string is the version signal.
For public HTML, decide how content becomes fresh again. Options include short TTLs, purge on publish, cache tags, stale-while-revalidate, or a combination. The right answer depends on editorial workflow. A news site may need rapid purges. A brochure site may tolerate a short delay. A store may need product, price, and stock updates handled carefully.
Cookies are central to WordPress caching. The presence of login, session, cart, comment author, preview, consent, or plugin cookies may mean the response varies or should bypass cache. Do not assume every cookie matters, though. Analytics and tracking cookies often create cache fragmentation if they are included unnecessarily. The goal is to vary on meaningful state, not on every header the browser sends.
WordPress publishing changes often need a purge workflow. Updating one post may also change the home page, category archive, author archive, XML sitemap, RSS feed, related posts, and navigation blocks. Purging only the edited URL can leave stale surrounding pages.
Many caching plugins can trigger CDN purges, but plugins differ in how they discover related URLs and how they handle failures. Test the full editorial path: publish, update, unpublish, schedule, change a menu, approve a comment, update a product, and roll back a mistake. Editors should not need to understand CDN internals during normal publishing.
Avoid using full-site purges as the default. They are simple, but they can create a wave of cache misses that sends many requests back to WordPress at once. Targeted purges, cache tags, and sensible TTLs are usually safer.
The most serious failure is caching private content. This can happen when logged-in pages, account pages, carts, or personalised fragments are stored in a shared cache. The fix is route-specific bypass plus careful handling of cookies and response headers.
Another common problem is a redirect loop. WordPress, the origin web server, and the CDN must agree on the canonical scheme and host. If the CDN connects to the origin over HTTP while WordPress believes HTTPS is required, or if proxy headers are missing, users may bounce between redirects.
Plugin conflicts are also common. Security plugins, page cache plugins, image plugins, multilingual plugins, and ecommerce plugins may all change headers, cookies, redirects, or HTML. When diagnosing a CDN issue, capture the request and response headers at the browser, the edge, and the origin. Guessing from the plugin list is slow and unreliable.
Cache fragmentation can quietly reduce the benefit. Varying on full user agent, all cookies, every query string, or unnecessary headers may produce thousands of cache entries for one page. The site appears cache-enabled but still sends too much traffic to PHP.
WordPress attracts automated scanning for login pages, XML-RPC, vulnerable plugins, exposed backups, upload paths, and admin endpoints. A CDN can help by applying rate limits, bot controls, WAF rules, method restrictions, upload limits, and known-bad path blocks before the origin sees the request.
Do not leave the origin open if the CDN is meant to be the front door. Restrict origin access with firewall rules, authenticated origin requests, trusted proxy headers, and correct TLS validation. Otherwise attackers can bypass edge controls by connecting directly.
Security rules should be tuned around legitimate WordPress behavior. Admin users, editors, webhook providers, payment callbacks, search crawlers, and API clients may look different from ordinary page visitors. Blocking too broadly can break publishing or checkout.
Measure user experience and origin relief together. Useful signals include cache hit ratio, byte hit ratio, time to first byte, Core Web Vitals, origin requests, PHP response time, database load, bandwidth, 4xx and 5xx rates, purge frequency, and security rule actions.
Test as different users: anonymous visitor, logged-in subscriber, editor, administrator, customer with an empty cart, customer with a populated cart, and mobile visitor. Test from multiple regions if the audience is geographically broad.
A good WordPress CDN setup is route-aware. It accelerates assets and safe public pages, avoids shared caching for private flows, gives editors predictable freshness, and keeps enough logs to explain whether a request was served from cache, bypassed, blocked, purged, or forwarded to the origin.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.