Cloudflare Edge Engineering for Locked-Down WordPress

Across a portfolio of WordPress sites with restrictive admin policies (read-only WPCode, KSES filtering on inline scripts, role-capped Custom Code, Cloudflare WAF rules blocking admin script POSTs), I started solving "I can't ship this from inside WordPress" problems at the Cloudflare edge instead.

Three patterns I've shipped to production:

GTM injection via Cloudflare Snippets — when WordPress refuses to let tracking scripts through (KSES strips them, WPCode is read-only, Custom Code blocks <script> tags), edge-injecting GTM via HTMLRewriter on the Snippets free tier (25/zone) bypasses the CMS entirely. Tracking lives at the edge, gets purged at the edge, never touches the database.

HTTP Link preload via CF Transform Rules — when the theme/WPCode path is blocked but you need to preload fonts or hero images for LCP, a Cloudflare Response Header Transform Rule injects the Link: </font.woff2>; rel=preload; as=font header at the edge.

Targeted WAF skip rules for admin script POSTs — narrow /wp-admin/* skip rules that allow legitimate script-tag POSTs through without disabling the WAF site-wide.

Stack: Cloudflare (Snippets, Transform Rules, WAF, Cache Rules), HTMLRewriter API, edge-side scripting.

Outcome: Shipped GTM tracking, performance optimizations, and admin functionality on sites where the WordPress admin path was effectively locked. Zero plugin overhead, zero CMS modifications, all reversible at the edge.

Tags: Cloudflare, edge computing, WordPress, GTM, performance, HTMLRewriter, WAF