Wordpress logged in users and the admin interface

← Blocking bruteforce attempts on Asterisk with fail2ban | posts | Setting up MySQL replication via SSL →

Last year I setup a Varnish instance in front of a wordpress site so that it would be able to cope with a tsunami of requests.

For that I used the most common VCLs that you can find on google for wordpress that mainly just clear all cookies except for the wp-admin and wp-login pages.

That worked out pretty well, except that our users now were locked out of the "admin" interface on normal pages. By that I mean that they were getting served cached pages even though they were logged in.

Here's how I turned that situation around today. I've added the first block in vcl_recv:

if (req.http.Cookie ~ "(comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in)") {
  return (pass);
}

# Make sure the above block is before the one below. We don't want to clear
# out cookies for logged in users.

# Drop any cookies sent to Wordpress.
if (!(req.url ~ "wp-(login|admin)")) {
  unset req.http.cookie;
}

I got that trick from the page about Nginx here:

https://codex.wordpress.org/Nginx#W3_Total_Cache_Rules

Now users of the site will be able to visit pages once logged in and see the admin bar on top, and also the "Edit" links inside pages.