WordPress Plugin v1.0

WPAdmin
CloudFront CDN

Complete documentation for integrating Amazon CloudFront with your WordPress site — how the plugin works, setup guide, and answers to common questions.

1 How the Plugin Works

WPAdmin CloudFront CDN integrates Amazon CloudFront with your WordPress site by rewriting the URLs of static assets — images, CSS, JavaScript, fonts, and documents — so they are served from CloudFront's global edge network instead of your origin server.

URL Rewriting in Action

When a visitor loads a page, the plugin intercepts the final HTML and replaces your site domain with your CloudFront domain:

Beforehttps://yoursite.com/wp-content/uploads/photo.jpg
Afterhttps://d1234abc.cloudfront.net/wp-content/uploads/photo.jpg

What Gets Rewritten

Three independently togglable categories:

Media files — Images (JPG, PNG, GIF, WebP, AVIF, SVG), videos, audio, fonts, PDFs, and documents found in img tags, srcset, CSS url(), and post content.

CSS files — Stylesheets enqueued via wp_enqueue_style() and <link> tags in the HTML output.

JavaScript files — Scripts enqueued via wp_enqueue_script() and <script> tags in the HTML output.

Two-Layer Rewriting Pipeline

Layer 1 — WordPress Filters: Hooks into style_loader_src, script_loader_src, wp_get_attachment_url, wp_calculate_image_srcset, and the_content to rewrite URLs as WordPress generates them.

Layer 2 — Output Buffer: Captures the entire HTML page and applies regex-based replacement to catch URLs added by page builders, custom themes, or hardcoded templates that bypass standard hooks.

2 Getting Started

Enter your AWS credentials in the AWS Credentials tab and test the connection.

Configure CDN settings (cache policy, TLS version, price class, compression) in the CDN Settings tab.

Either enter an existing CloudFront distribution, or click "Create CloudFront Distribution" in the Distribution tab.

(Optional) Set up a custom CDN domain and request an SSL certificate in the SSL Certificate tab.

Configure page and keyword exclusions in the Exclusions tab.

Enable CloudFront from the General tab, save, and verify URLs are being rewritten.

3 AWS Credentials Setup

Log in to the AWS Console and navigate to IAM (Identity and Access Management).

Create a new IAM user with Programmatic access enabled.

Attach these AWS managed policies:
CloudFrontFullAccess
AWSCertificateManagerFullAccess

Copy the Access Key ID and Secret Access Key into the plugin's AWS Credentials tab.

Security Best Practices Never use root AWS credentials. Use a dedicated IAM user with minimal permissions. Rotate access keys periodically.

4 Creating a Distribution

Option A: Plugin-Created Distribution

Go to the Distribution tab and click "Create CloudFront Distribution". The plugin creates a distribution using your current CDN settings, with your WordPress site as the origin. If a custom domain and SSL certificate are configured, they are attached automatically.

Option B: Existing Distribution

Enter the Distribution ID (e.g., E1A2B3C4D5E6F7) and the CloudFront domain (e.g., d1234abc.cloudfront.net) in the Distribution tab. Ensure the distribution origin matches your WordPress domain.

5 Custom Domain & SSL

Use a branded domain like cdn.yoursite.com instead of the default *.cloudfront.net domain.

Go to the SSL Certificate tab and request a certificate for your custom domain.

Add the DNS CNAME validation record displayed by AWS to your domain's DNS.

Wait for the certificate status to become "ISSUED" (typically 5–30 minutes).

In the Distribution tab, enter your custom domain and enable "Use Custom Domain".

Create a CNAME DNS record pointing your custom domain to the CloudFront *.cloudfront.net domain.

Important SSL certificates for CloudFront must be in us-east-1 (N. Virginia). The plugin handles this automatically.

6 CDN Settings Explained

Cache Policy

Controls how CloudFront caches objects. "Caching Optimized" is the recommended default with sensible TTLs and query string handling. "Caching Disabled" passes all requests through without caching — use only for testing.

TLS Version

The minimum TLS protocol viewers must use. TLSv1.2 2021 is recommended for the strongest security. Older versions exist for legacy browser compatibility.

Price Class

All Edge Locations — Best performance globally, highest cost. Price Class 200 — US, Canada, Europe, Asia, Middle East, Africa. Price Class 100 — US, Canada, Europe only, lowest cost.

Object Compression

When enabled, CloudFront automatically compresses text-based files (CSS, JS, HTML, XML, JSON) using gzip or Brotli, reducing transfer sizes by 60–80%. Highly recommended.

7 Excluding Pages & Assets

Page Exclusions

Assets on excluded pages are served from your origin. Enter one path per line with optional wildcards:

/checkout — WooCommerce checkout
/my-account/* — User account pages
/cart — Shopping cart
/wp-admin/* — Admin (excluded by default)

CSS / JS Keyword Exclusions

If a CSS or JS URL contains any listed keyword (case-insensitive), it won't be rewritten:

admin — Admin scripts/styles
customizer — WordPress Customizer
recaptcha — Google reCAPTCHA
stripe — Payment gateway scripts
elementor-editor — Page builder editor

8 Sub-folder & Sub-domain Sites

Sub-folder Installs

If WordPress is at https://example.com/blog/, the plugin preserves the path:

Beforehttps://example.com/blog/wp-content/uploads/photo.jpg
Afterhttps://d1234abc.cloudfront.net/blog/wp-content/uploads/photo.jpg

When creating a distribution via the plugin, the Origin Path is set automatically. For existing distributions, configure the origin path in the AWS Console.

Sub-domain Sites

Sub-domain installs (e.g., https://blog.example.com/) work without special configuration. The plugin uses the full sub-domain as the origin.

9 Cache Invalidation

Use the Tools tab to force CloudFront to fetch fresh files. Common patterns:

/* — Invalidate everything (counts as 1 path)
/wp-content/uploads/* — All uploaded media
/wp-content/themes/* — All theme assets
/wp-content/uploads/2025/01/photo.jpg — Specific file
Pricing The first 1,000 invalidation paths per month are free. Additional paths cost $0.005 each. Using /* counts as one path.

? Frequently Asked Questions

Does this plugin create AWS resources automatically?+
Only when you explicitly click "Create CloudFront Distribution" or "Request SSL Certificate". No resources are created automatically. Standard AWS pricing applies.
Will my site break if CloudFront goes down?+
CloudFront has a 99.9% availability SLA, so outages are extremely rare. If issues occur, disable the plugin from the General tab to instantly revert to serving from your origin. The plugin only rewrites URLs — it never modifies server files.
Is this compatible with caching plugins?+
Yes. The plugin operates at the URL level and is compatible with WP Super Cache, W3 Total Cache, WP Rocket, LiteSpeed Cache, and others. Purge your page cache after toggling CloudFront so cached pages contain the correct URLs.
Does it work with WooCommerce?+
Yes. Exclude /checkout, /cart, and /my-account in the Exclusions tab to avoid issues with payment or session scripts. Product images and theme assets will be served via CloudFront.
Does this work with WordPress Multisite?+
The plugin supports both sub-domain and sub-folder Multisite installations. Each site can have its own configuration. The plugin auto-detects the installation type.
How much does CloudFront cost?+
AWS offers a free tier: 1 TB transfer and 10M requests/month for 12 months. After that, pricing starts around $0.085/GB and varies by region. Lower the Price Class setting to reduce costs.
Why is an SSL certificate required for a custom domain?+
CloudFront requires SSL for any CNAME you attach. Without it, HTTPS would fail. ACM provides free certificates. They must be issued in us-east-1, which the plugin handles automatically.
How long does SSL DNS validation take?+
Usually 5–30 minutes after adding the CNAME record. In rare cases with slow DNS propagation, up to 72 hours. Check status anytime via the SSL Certificate tab.
Images aren't loading after enabling — what do I do?+
Verify your distribution is "Deployed" in the AWS Console. Check that the origin domain matches your site. For sub-folder installs, confirm the origin path. Use browser DevTools (F12 → Network) to inspect 403/502 errors on CDN URLs.
Can I serve only images and keep CSS/JS on my server?+
Yes. Toggle Media, CSS, and JS rewriting independently in the General tab.
Does disabling or uninstalling the plugin remove AWS resources?+
No. Your CloudFront distribution, certificates, and all AWS resources remain in your account. Manage them directly through the AWS Console.
How do I verify CloudFront is working?+
View your page source and look for your CDN domain in asset URLs. In browser DevTools → Network tab, CloudFront responses include headers like X-Cache: Hit from cloudfront.