WP-Optimize also caches the $_server supervariable
Are you sure about that? If this was true far more disasters would have been observed.
Totally certain with confirmation from WP-Optimise themselves and extensive testing. The issue was noted with eg “WP Forms”. WP Forms have attempted a workaround but this does not function: https://wpforms.com/developers/how-to-store-the-non-cached-ip-address-into-a-hidden-field/:
From: WP-Optimize Support
Sent: 17 January 2025 09:43
Subject: Pre-sales question from GetWPO.Com
Hi!
Trust you’ve been great and your year is off to a great start.
Thinking about it again, it appears that you are right about the caching implementation in relation to $_SERVER variable.
Can you try excluding the page where you have your form displayed from caching? This can be done at WP-Optimize > Cache > Advanced settings.
Once done, clear all cache and perhaps run the cache preloader.
That should help keep $_SERVER dynamic for your visitors.
Let me know if that helps.
Kind regards,
Damilare.
The test strategy was as follows:
Clear the cache eg by saving a contact form page (disable exclusions and auto cache refresh in WP Optimize)
Use VPN of your choice to set the IP address to eg Paris or use a different system somewhere else (not a mobile since WP Optimise can be set to store a different set of pages for mobiles)
Access the contact form page and hit CtrlF5 to hard refresh the page to cache the page and the Paris IP address in the supervar
Set the VPN to “Off” and confirm the IP address was reported as being your IP address again
Submitted the form and take a look at the hidden user IP address field which will be the Paris IP address unless some other system or process cached the page in the few seconds between clearing the cache and you regenerating it
WP-Optimize caching the $_server supervariable is a relatively recent change and the impact is challenging to test for since many will simply clear the cache (directly or inadvertently via saving), then access the page themselves (which caches their IP address), then submit a form and yes, that will generate a positive test result. So the IP address will be correct for the first visitor to the page after the cache was cleared or the page was saved.
I’m not familiar with the WP-Optimize plugin, so I don’t think I can give you any advice on this matter. If WP-Optimize really caches the $_SERVER variable, that can be a severe security issue. You should report it in a responsible disclosure process.
Thanks for the reply Takayuki. WP-Optimize support have confirmed via email that they do cache the $_SERVER variable. Tests are also conclusive and replicable. I have asked them to view this as a bug and have brought the issue to their attention. They clearly not view this as being a security issue and the issue has been noted by other developers since at least Nov 2024: https://wpforms.com/developers/how-to-store-the-non-cached-ip-address-into-a-hidden-field/. There would appear to be little desire or capacity to change this, hence me looking for a caching / forms solution that functions as expended. I guess that Contact Form 7 would be similarly affected. The plugins team are now aware.
