CDN and Shield
In short
Every SuperSpace site sits behind an edge layer powered by Bunny. It has two parts:
- CDN — caches your site's files at edge locations around the world so visitors load pages faster and your origin handles less traffic.
- Shield — a security layer (Web Application Firewall, DDoS mitigation, bot detection and rate limiting) that filters malicious traffic before it ever reaches your site.
You manage both from your site's dashboard, under the CDN and Shield sections in the left sidebar.
This page explains what the edge layer does and what you can control. For the step-by-step tasks, follow the linked how-to guides.
The edge layer
When someone visits your site, their request first reaches Bunny's edge — a global network of servers close to your visitors — before it ever touches the server your WordPress site runs on (the origin). The CDN caches and serves content from the edge; Shield inspects and filters traffic at the same edge.
CDN is automatic; Shield depends on your plan
The CDN is enabled automatically based on your hosting plan — there's nothing to switch on. Shield is included on plans that offer it; on plans that don't, the Shield section shows a "Shield isn't included in your plan" card with an Upgrade plan link instead of the controls.
CDN (caching)
Open a site, then in the left sidebar open CDN. It has two tabs: Caching and Edge Rules.
The Caching tab is where you tune how the CDN stores and serves your files. The top-right Purge Cache button clears the entire cached copy for the site at once — useful after a big content change. Purging means visitors may briefly hit your origin while the cache rebuilds.
If the CDN isn't active yet
If a site's CDN hasn't been provisioned, the Caching tab shows a "CDN is not active for this site" message. CDN is enabled automatically based on your hosting plan, so this usually resolves on its own once provisioning completes.
The Caching tab groups settings into three cards:
| Card | What it controls |
|---|---|
| General | Smart Cache (caches requests by file type for full-site acceleration), Cache expiration time (how long the edge keeps files before re-fetching from your origin), Browser cache expiration time (how long visitors' browsers keep files), Query string sort, and Cache error response. |
| Vary Cache | Which request attributes store their own separate cached copy — for example browser WebP/AVIF support, Cookie value, Desktop / Mobile, Request hostname, URL query string, and User country code. Also includes Strip response cookies and Optimize for large object delivery. |
| Stale Cache | Serve a stale cached file While origin offline (when your server is unreachable) and While updating (serve the old copy while fetching a fresh one in the background). |
Vary cache multiplies your cached copies
Each attribute you enable under Vary Cache becomes part of the cache key, so every combination stores its own cached file. Enable only what your content actually varies on — turning on more than you need lowers your cache hit rate.
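To make the multiplication concrete, the following added example (not SuperSpace or Bunny code) builds a cache key from a URL plus the enabled Vary attributes and measures stored copies and hit rate over a constructed request stream. The attribute names, values and traffic mix are assumptions chosen for illustration.

```python
# Constructed traffic model: attribute names mirror options on the Vary Cache
# card; the values and request mix are invented for illustration.
URLS = [f"/post/{i}" for i in range(20)]
DEVICES = ["desktop", "mobile"]
COUNTRIES = ["NL", "DE", "US", "GB", "FR"]
VISITORS = 10  # each visitor carries a distinct session cookie


def make_requests(n=4000):
    """Deterministic stream that cycles through every attribute combination."""
    requests = []
    for i in range(n):
        requests.append({
            "url": URLS[i % len(URLS)],
            "device": DEVICES[(i // 20) % len(DEVICES)],
            "country": COUNTRIES[(i // 40) % len(COUNTRIES)],
            "cookie": f"session={(i // 200) % VISITORS}",
        })
    return requests


def cache_key(request, vary):
    """The URL is always in the key; each enabled Vary attribute is appended."""
    return (request["url"],) + tuple(request[attr] for attr in vary)


def cached_copies(requests, vary):
    """Number of separate objects the edge would have to store."""
    return len({cache_key(r, vary) for r in requests})


def hit_rate(requests, vary):
    """Fraction of requests served from cache, assuming nothing expires."""
    seen, hits = set(), 0
    for r in requests:
        key = cache_key(r, vary)
        if key in seen:
            hits += 1
        seen.add(key)
    return hits / len(requests)


if __name__ == "__main__":
    reqs = make_requests()
    for vary in [(), ("device",), ("device", "country"),
                 ("device", "country", "cookie")]:
        print(vary or "(url only)", cached_copies(reqs, vary),
              f"{hit_rate(reqs, vary):.3f}")
```

In this model, keying on the cookie value alone accounts for a tenfold increase in stored copies, because every visitor's session gets its own copy of every page.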
Expiration presets
Cache and browser expiration are chosen from presets ranging from 1 minute up to 1 year. The cache expiration default, "Respect origin Cache-Control", honours the caching headers your site already sends; the browser default, "Match server cache expiration", mirrors the edge setting.
Edge rules
The Edge Rules tab lets you define custom rules that act on requests at the edge — for example forcing HTTPS, redirecting URLs, or overriding cache behaviour for specific paths. See Managing edge rules for how to create and order them.
Custom domains over the CDN
When you connect a custom domain to a site, SuperSpace adds it as a hostname on the site's Bunny pull zone, so traffic for that domain is served through the same CDN. A free SSL certificate is then issued for the hostname automatically once its DNS points at SuperSpace, and HTTPS is enforced for it.
See Adding a domain to a site for the step-by-step flow.
Shield (security)
Open a site, then in the left sidebar open Shield. The section has these pages:
| Page | What it does |
|---|---|
| Overview | Shows Shield status, the current WAF mode (Block or Log only), and a chart of activity over the Last 28 Days. This is also where you Activate Shield for a site or Deactivate Shield. |
| WAF | The Web Application Firewall: turn it on/off, choose its execution mode, tune rule sensitivity, control allowed protocols, and manage rules (see below). |
| Bot Detection | Detect and challenge automated traffic. |
| Rate Limits | Limit how many requests a visitor can make in a given window. |
| Access Lists | Your own allow/block lists, plus Bunny's curated threat lists. |
| Security Events | A log of what Shield has blocked, challenged, or logged. |
For the common tasks across these pages, see the Shield guides.
Activating Shield
On a plan that includes Shield, a new site shows "Shield isn't active for this site" with an Activate Shield button. Activating it turns on WAF, DDoS, bot and rate-limit protection at the edge. Deactivating Shield (from the Overview page) removes all of that protection.
The WAF
The WAF (Web Application Firewall) page is the heart of Shield. A few things worth understanding:
- Execution mode decides what the WAF does when a rule matches. Log only records the hit without affecting the visitor — useful while you're tuning rules — while Block actually stops the request. The current mode is also shown on the Overview page.
- Rule sensitivity is chosen from presets — Low, Medium, High, Extreme — or you can pick Custom levels. Higher sensitivity catches more but is more likely to flag legitimate traffic.
- The WAF page has two rule tabs: Managed Rules (Bunny's built-in rule sets, which you can set to disabled or log-only) and Custom Rules (your own rules, which you can create, edit, and delete).
Start in Log only when tuning
If you're worried about blocking real visitors, run the WAF in Log only mode first, watch the Security Events page to see what would have been blocked, then switch to Block once you're confident.
Access lists
Shield has two kinds of lists, and they work differently:
- Access lists are lists you create to allow or block traffic. Each list holds entries — by IP, CIDR range, ASN, country, organization, or JA4 fingerprint — and you choose what action applies to them.
- Curated lists are threat catalogues maintained by Bunny (such as VPN providers, datacenters, TOR exit nodes, and botnets). You can't edit their contents; you only choose whether each is enabled and what action to take. The Curated tab is visible on every Shield tier, but individual lists are gated by tier: a list available on your current tier is interactive, while a list that needs a higher tier shows as a locked row with an upgrade prompt.
Rate limits
Rate-limit rules cap how many requests a visitor can make within a time window before they're blocked. They're created and edited on the Rate Limits page.
Timeframe limits depend on your Shield tier
On the lower Shield tier, the rate-limit time window is capped (a longer window is rejected). If a rate-limit save doesn't take effect, the dashboard surfaces the reason — typically a prompt to upgrade for longer timeframe windows.
Premium-only features
Some Shield features require the higher (premium) Shield tier. On plans without it, these appear as a disabled control or an upgrade prompt rather than working settings:
- Bot Detection
- Realtime Threat Intelligence (a WAF setting)
The higher-tier curated threat lists under Access Lists are also gated this way — those individual lists show as locked rows with an upgrade prompt until you're on a tier that includes them (see Access lists above).
Reviewing what Shield did
The Overview page summarises the last 28 days: DDoS attacks mitigated, WAF rules triggered, and bot activity. For the detail, the Security Events page lists individual events in a table with columns for Time, Severity (Critical, Warning, or Notice), Rule ID, Country, Method, and Status.
Tracking down a false positive
If legitimate traffic is being blocked, the Security Events page is where you identify the offending rule by its Rule ID. Once you know which rule it is, adjust it on the Managed Rules or Custom Rules tab — disable it or set it to log-only.
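The review described here and under "Start in Log only when tuning" comes down to grouping logged events by Rule ID and inspecting the noisiest rules first. The sketch below is an added example, not part of the SuperSpace dashboard or API: it assumes the Security Events rows have been copied into CSV using the table's column names, and the rule IDs and Status spellings are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the column layout of the Security Events table.
# The CSV form, the rule IDs and the Status spellings are assumptions.
SAMPLE_EVENTS = """\
Time,Severity,Rule ID,Country,Method,Status
2024-05-01T10:00:02Z,Notice,RULE-A,NL,GET,Logged
2024-05-01T10:00:09Z,Notice,RULE-A,DE,GET,Logged
2024-05-01T10:01:30Z,Warning,RULE-B,US,POST,Logged
2024-05-01T10:02:11Z,Critical,RULE-C,US,POST,Blocked
2024-05-01T10:03:45Z,Notice,RULE-A,NL,GET,Logged
2024-05-01T10:04:18Z,Critical,RULE-B,US,POST,Logged
"""

SEVERITY_RANK = {"Notice": 0, "Warning": 1, "Critical": 2}


def summarise_logged(csv_text):
    """Group Log only hits by Rule ID: the requests Block mode would stop."""
    rules = defaultdict(lambda: {"hits": 0, "severity": "Notice",
                                 "countries": set(), "methods": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Logged":
            continue  # blocked or challenged already; not part of this review
        entry = rules[row["Rule ID"]]
        entry["hits"] += 1
        # Keep the highest severity seen for the rule.
        if SEVERITY_RANK[row["Severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = row["Severity"]
        entry["countries"].add(row["Country"])
        entry["methods"].add(row["Method"])
    # Noisiest rules first: inspect these before switching to Block.
    return sorted(rules.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))


def review_order(csv_text):
    """Rule IDs in the order they should be reviewed."""
    return [rule_id for rule_id, _ in summarise_logged(csv_text)]


if __name__ == "__main__":
    for rule_id, info in summarise_logged(SAMPLE_EVENTS):
        print(rule_id, info["hits"], info["severity"],
              sorted(info["countries"]), sorted(info["methods"]))
```

A rule with many Notice-level hits on ordinary GET requests is a likely false positive to set to log-only or disable; a rule with few hits at Critical severity is one to leave enabled when you switch to Block.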
Managing the edge programmatically
Everything above is also available over the SuperSpace REST API, so you can automate caching and security config. See the CDN API and Shield API references.
A request to read the current cache config looks like this:
```bash
curl -H "Authorization: Bearer $SUPERSPACE_TOKEN" -H "X-Auth-Account: $ACCOUNT_ID" \
  https://control.superspace.nl/api/sites/$SITE_ID/cdn/caching
```
Shield API access follows the same plan gate
The Shield API is subject to the same plan-tier gating as the dashboard — premium features and an inactive Shield zone behave the same way over the API as they do in the UI.