Cache and CDN Configuration

Version: 1.2.1 | Last Updated: December 2025 | Difficulty: Intermediate | Time Required: 30 minutes

Overview

Caching improves site performance but can cause issues with authentication pages. This guide configures caching plugins and CDNs to work seamlessly with Attributes User Access while maintaining optimal performance.

Why Auth Pages Shouldn’t Be Cached

The Problem

What happens if the login page is cached:

❌ User A logs in → Page cached with logged-in state
❌ User B visits same page → Sees User A's session
❌ Security breach! User B has access to User A's account

❌ Login form cached → Form shows old CSRF tokens
❌ Form submissions fail
❌ Users can't log in

Pages that MUST NOT be cached:

✗ Login pages

✗ Registration pages

✗ User dashboards

✗ Account/profile pages

✗ Checkout pages (WooCommerce)

✗ Any page with user-specific content

WP Rocket Configuration

Recommended Settings

Step 1: Exclude pages from caching

WP Rocket → Cache → Advanced Rules

Never Cache URL(s):

/login

/login/(.*)

/register

/register/(.*)

/my-account

/my-account/(.*)

/dashboard

/dashboard/(.*)

/user-profile

/wp-admin/(.*)

Use regex for flexibility:

/login.* ← Matches /login, /login/, /login/reset, etc.

/account.* ← Matches anything starting with /account

Step 2: Never cache cookies

WP Rocket → Cache → Advanced Rules

Never Cache Cookies:

wordpress_logged_in_*

wordpress_sec_*

wp_woocommerce_session_*

attrua_session_*

comment_author_*

What this does:

If a visitor has any of these cookies → don’t serve a cached page

This ensures logged-in users always get fresh content

Step 3: Exclude query strings

WP Rocket → Cache → Advanced Rules

Never Cache Query String(s):

action

redirect_to

loggedout

reauth

Step 4: JavaScript optimization

WP Rocket → File Optimization

JavaScript Files:

Exclude from defer/minification:

/wp-includes/js/jquery/jquery.min.js

/plugins/attributes-user-access-pro/assets/js/login.js

/plugins/attributes-user-access-pro/assets/js/2fa.js

These scripts are critical for login functionality
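
Why the leak described under "The Problem" happens, and how the rules from Steps 1-3 stop it, shown as an added example (not code from the plugin or from WP Rocket): a toy page cache keyed on the path only, with the three bypass rules modelled in Python. `PageCache`, `render` and the cookie values are hypothetical, and whole-path regex matching is an assumption of the model.

```python
import re

# Rules copied from Steps 1-3. Whole-path regex matching and cookie-name
# prefix matching are assumptions of this model, not WP Rocket internals.
NEVER_CACHE_URLS = ["/login", "/login/(.*)", "/register", "/register/(.*)",
                    "/my-account", "/my-account/(.*)", "/dashboard",
                    "/dashboard/(.*)", "/user-profile", "/wp-admin/(.*)"]
NEVER_CACHE_COOKIES = ("wordpress_logged_in_", "wordpress_sec_",
                       "wp_woocommerce_session_", "attrua_session_",
                       "comment_author_")
NEVER_CACHE_QUERY = {"action", "redirect_to", "loggedout", "reauth"}


def must_bypass(path, query, cookies):
    """Return which rule forces a cache bypass ("url", "cookie", "query") or None."""
    if any(re.fullmatch(p, path) for p in NEVER_CACHE_URLS):
        return "url"
    if any(name.startswith(NEVER_CACHE_COOKIES) for name in cookies):
        return "cookie"
    if NEVER_CACHE_QUERY & set(query):
        return "query"
    return None


class PageCache:
    """Toy full-page cache keyed on the path only (hypothetical, for illustration)."""
    def __init__(self, use_rules):
        self.use_rules, self.store = use_rules, {}

    def get(self, path, query, cookies):
        if self.use_rules and must_bypass(path, query, cookies):
            return render(cookies)              # fresh page, never stored
        if path not in self.store:
            self.store[path] = render(cookies)  # first visitor's HTML is stored
        return self.store[path]


def render(cookies):
    """Hypothetical origin that personalises the page from the login cookie."""
    user = next((v for k, v in cookies.items()
                 if k.startswith("wordpress_logged_in_")), "guest")
    return f"<h1>Dashboard of {user}</h1>"


def second_visitor_sees(use_rules):
    """User A then user B request /dashboard/; return what B receives."""
    cache = PageCache(use_rules)
    cache.get("/dashboard/", {}, {"wordpress_logged_in_a1": "alice"})  # constructed
    return cache.get("/dashboard/", {}, {"wordpress_logged_in_b2": "bob"})
```

Under the whole-path assumption, `/user-profile/edit` requested without cookies is not matched by the URL list, because `/user-profile` has no `(.*)` companion entry; logged-in requests to it are still bypassed by the cookie rule.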

W3 Total Cache Configuration

Page Cache Settings

Step 1: Basic cache exclusions

Performance → Page Cache → Advanced

Never cache the following pages:

/login/

/register/

/my-account/

/dashboard/

/user-profile/

/wp-admin/

Step 2: Disable cache for logged-in users

Performance → Page Cache

Don’t cache pages for logged in users:

☑ Enabled

This is CRITICAL for user-specific content

Step 3: Cookie groups

Performance → Page Cache → Advanced

Rejected cookies:

wordpress_logged_in_

wordpress_sec_

attrua_session_

Browser Cache Settings

Prevent login page browser caching:

Performance → Browser Cache

Security Headers:

For /login/ pages:

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: 0

WP Super Cache Configuration

Recommended Settings

Step 1: Advanced tab

Settings → WP Super Cache → Advanced

Don’t cache pages with GET parameters:

☑ Enabled

Don’t cache pages for logged in users:

☑ Enabled

Don’t cache pages for known users:

☑ Enabled

Step 2: Rejected strings

Settings → WP Super Cache → Advanced

Rejected User Agents:

(Leave default)

Rejected URLs:

/login

/register

/my-account

/dashboard

/user-profile

/wp-admin

Step 3: Rejected cookies

Rejected Cookies:

wordpress_logged_in_

comment_author_

wp_woocommerce_session_

attrua_session_

LiteSpeed Cache Configuration

For LiteSpeed servers

Step 1: Cache exclusions

LiteSpeed Cache → Cache → Excludes

Do Not Cache URIs:

/login

/register

/my-account

/dashboard

/user-profile

/wp-admin

Step 2: Cookie exclusions

LiteSpeed Cache → Cache → Excludes

Do Not Cache Cookies:

wordpress_logged_in_

wordpress_sec_

attrua_session_

Step 3: User-specific content

LiteSpeed Cache → Cache

Cache Logged-in Users:

☐ Disabled (keep this OFF)

Private Cache URIs:

/my-account/

/dashboard/

/user-profile/

Cloudflare CDN Configuration

Page Rules Setup

Create page rules for auth pages:

Rule 1: Bypass cache for login

Rule URL: yoursite.com/login

Settings:

  • Cache Level: Bypass
  • Disable Security
  • Disable Apps
  • Browser Cache TTL: Respect Existing Headers

Rule 2: Bypass for my-account

Rule URL: yoursite.com/my-account

Settings:

  • Cache Level: Bypass

Rule 3: Bypass for wp-admin

Rule URL: yoursite.com/wp-admin

Settings:

  • Cache Level: Bypass

Cloudflare Caching Rules

Caching → Configuration

Browser Cache TTL: Respect Existing Headers

This lets WordPress control cache headers for login pages

Security Settings

Firewall Rules:

For login pages, consider:

  • Rate limiting (but allow legitimate attempts)
  • Challenge bad bots
  • Allow good bots (monitoring services)
  • Whitelist office IPs

Other CDN Providers

StackPath/MaxCDN

Cache rules:

URL Rules:

/login* → Do Not Cache

/register* → Do Not Cache

/my-account* → Do Not Cache

/dashboard* → Do Not Cache

KeyCDN

Zone settings:

Ignore Query String: No (keep enabled)

Ignore Cookies: No (respect cookies)

Exclude URLs:

/login

/register

/my-account

/dashboard

Fastly

VCL Configuration:

# In vcl_recv
if (req.url ~ "^/login" ||
    req.url ~ "^/register" ||
    req.url ~ "^/my-account" ||
    req.url ~ "^/dashboard") {
    return (pass); # Don't cache
}

# If WordPress cookies present
if (req.http.Cookie ~ "wordpress_logged_in_") {
    return (pass); # Don't cache for logged-in users
}

Object Caching

Redis Configuration

Compatible with persistent object cache:

Attributes User Access works with:

  • Redis Object Cache
  • Memcached Object Cache
  • APCu

What gets cached:

✓ User meta (improves performance)

✓ Plugin settings

✓ IP whitelist/blacklist

✓ Audit log queries (short TTL)

✗ Active sessions (stored separately)

✗ 2FA verification codes (security)

✗ Password reset tokens (security)

Configuration

Redis Object Cache plugin:
  • Install Redis Object Cache plugin
  • Activate plugin
  • Settings → Redis → Enable Object Cache
  • Test connection
  • Flush cache

No special configuration is needed for Attributes User Access; it works automatically.

Browser Caching

HTTP Headers for Auth Pages

Set correct cache headers:

// Add to functions.php or plugin
add_action('template_redirect', function() {
    if (is_page('login') || is_page('my-account')) {
        header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
        header('Pragma: no-cache');
        header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
    }
});

What these headers do:

Cache-Control: no-cache, no-store

→ Browser never caches page

must-revalidate

→ If browser does cache, always check for updates

max-age=0

→ Cache expires immediately

Pragma: no-cache

→ For old HTTP/1.0 clients

Expires: [past date]

→ Additional guarantee page expired

Testing Cache Configuration

Verification Steps

  • Clear all caches (plugin, CDN, browser)
  • Open incognito/private window
  • Visit login page
  • Check response headers (F12 → Network tab)
  • Verify the “Cache-Control: no-cache” header is present
  • Log in successfully
  • Visit dashboard
  • Verify personalized content displays
  • Logout
  • Verify redirect works
  • Test again in different browser

Checking Response Headers

Browser DevTools method:
  • Press F12
  • Go to Network tab
  • Visit /login/
  • Click on document request
  • Go to Headers tab
  • Check “Response Headers”

Look for:

Cache-Control: no-cache, no-store, must-revalidate

Expires: [past date]

Pragma: no-cache

If these are present: ✓ Correctly configured

If they are missing: ✗ Cache plugin is still caching the page
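
The header check above can be scripted. This added example (not part of the plugin) audits one response's headers for the values this guide lists; the `CF-Cache-Status`, `X-Cache` and `Age` checks for a shared-cache hit are additions made here, and both sample responses are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REQUIRED = {"no-cache", "no-store", "must-revalidate"}  # directives from the guide


def expires_in_past(value):
    """True if Expires is a past date; invalid values such as "0" count as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def audit_auth_response(headers):
    """Return findings for one auth-page response; an empty list means it passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    directives = {d.split("=")[0].strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = [f"Cache-Control missing {d}" for d in sorted(REQUIRED - directives)]
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    if "expires" not in h or not expires_in_past(h["expires"]):
        findings.append("Expires missing or in the future")
    # Signs that a shared cache served the page (checks added in this example).
    if (h.get("cf-cache-status", "").upper() == "HIT"
            or "HIT" in h.get("x-cache", "").upper()):
        findings.append("served from CDN cache")
    age = h.get("age", "0")
    if age.isdigit() and int(age) > 0:
        findings.append("Age > 0: response came from a cache")
    return findings


# Constructed sample responses for /login/ (not captured from a real site).
GOOD = {"Cache-Control": "no-cache, no-store, must-revalidate, max-age=0",
        "Pragma": "no-cache", "Expires": "Wed, 11 Jan 1984 05:00:00 GMT",
        "CF-Cache-Status": "BYPASS"}
BAD = {"Cache-Control": "public, max-age=3600", "CF-Cache-Status": "HIT",
       "Age": "120", "Expires": "Thu, 31 Dec 2099 23:59:59 GMT"}

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("bad", BAD)):
        print(name, audit_auth_response(resp) or "OK")
```

To audit a live page, pass `dict(response.headers)` from `urllib.request.urlopen()` to `audit_auth_response`.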

Common Caching Issues

Issue 1: Login Form Shows Old State

Symptoms:
  • User logs out, login form still shows logged-in state
  • Refresh required to see login form

Solution:
  • Add login page to cache exclusions
  • Clear CDN cache
  • Check browser cache headers
  • Test in incognito window

Issue 2: Users See Each Other’s Content

CRITICAL security issue! Immediate action:
  • Disable cache plugin IMMEDIATELY
  • Clear ALL caches
  • Configure “Don’t cache for logged-in users”
  • Add cookie exclusions
  • Test thoroughly before re-enabling

Issue 3: AJAX Requests Cached

Symptoms:
  • Login submissions don’t work
  • Form shows “Please try again” repeatedly
  • Console shows cached AJAX response

Solution:

Exclude AJAX endpoints:

/wp-admin/admin-ajax.php

/wp-json/attrua/v1/*

Add query string exceptions:

action=attrua_login

action=attrua_register

Best Practices

Never Cache Auth Pages

This is non-negotiable. Login, registration, and account pages MUST NOT be cached.

Test After Configuration

Always test with multiple browsers and incognito windows after caching changes.

Monitor User Reports

If users report “seeing someone else’s dashboard” → Cache misconfiguration. Fix immediately.

Use Object Caching

Object cache (Redis/Memcached) is safe and improves performance significantly.