Support » Plugin: Security Headers » Caching Plugin

  • Resolved martychc23


    Hi, is it possible to use security headers with a caching plugin? It seems whenever i enabled security headers it doesn’t seem to work when a caching plugin is enabled.

    I am testing it here


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author SimonRWaters


    Yes, in most cases you can use it with a caching plugin.

    It would depend how the caching plugin works, whether they trigger the normal WordPress events or bypass it (say by rewriting the .htaccess file).

    Which caching plugin, and what precisely doesn’t work?

    Note also I’ve written elsewhere about how dreadful many caching plugins are from a security perspective. Most big WordPress hosts are using a reverse proxy in front of WordPress or a Content Distribution Network, these are are much more effective ways to scale up WordPress in the first instance.

    Thread Starter martychc23


    Hi Simon, i’ve found WP Fastest Cache and WP Super Cache don’t output the security headers. But Comet Cache does and outputs them correctly.

    Do you have a link to the article you wrote about the caching plugins security issue? Or information about using a reverse proxy or CDN instead of caching? I wasn’t aware that there was an alternative to using caching plugins. Thanks

    Plugin Author SimonRWaters


    It was throw away comment in announcement for this plugin.

    It does depend what you are doing but out of the box WordPress serves most pages from PHP, and renders the whole lot from scratch, this can result in a substantial effort per page, and typically a small server can only serve a few 10’s of requests a second without tuning.

    If the sites traffic is mostly static content, then you can serve it via a CDN, and put a short cache time in for all (public) pages. This primarily addresses the “thundering herd” problem. e.g. Too many people reading one blog post, or page, crushes your server.

    If you have more complex site, with lots of interactivity, then you may need to think about other optimisations.

    Deploying high profile site in the UK we used CloudFlare. They were excellent, and offer a free service, but you pay a lot for branded errors, and other fancy bits. But the host we used has a Varnish cache in front of their web servers already (Varnish is awesome, but not easy to deploy especially with HTTPS), so CloudFlare was more about stopping abuse than speed, although CDNs will cache static content close to the user and you can’t fool the speed of light when serving content internationally.

    Also one can look at other server level optimisations (APC is mentioned, but also PHP7) before jumping to plugins that try and poke deeply at the innards of WordPress, and add complexity in the application layer.

    I guess what I’m saying is look at the sections “Server-Side caching” and “Off loading”, server optimisations, browser caching etc before leaping straight to the plugins. They seem quick and easy to deploy, but they achieve it by poking .htaccess, and sticking half rendered content into the file system, and other messy tricks.

    Good Apache config can get Apache to do the caching Varnish would do, and get you from 10’s of pages a second to 100’s of pages a second, for most folk that is sufficient.

    Always measure every change when considering performance, I used to use Apache Benchmark (ab) for this.

    I’ll follow up with the cache plugins when I get some time, see if we can work with them better. I deliberately avoided “.htaccess” tweaks and the likes with the plugin as I wanted to stay “Web server” neutral, as the target market of people using hosted WordPress often means they have weird web servers (e.g. not Apache or NGINX), or weird configurations.

    Thread Starter martychc23


    wow, thanks a lot for the information. Never knew about a lot of the things you mentioned. Normally when you read wordpress optimisation tips they always say use a caching plugin, but don’t mention the alternatives. Although, i guess for the average user without your level of knowledge a caching plugin would be the simplest option.

    For now i will stick with Comet Cache as that is outputting all the security headers (and doesn’t use htacess), but will definitely look into the things you mentioned as that seems potentially a better option. Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Caching Plugin’ is closed to new replies.