If your users are seeing the Admin bar (in red below) please follow this guide to immediately remove it from cache.
Under a particular set of circumstances, a CDN will cache your Wordpress Admin Bar. This is unsightly and can create security risks due to your administrative username being viewable by end users. This guide will show why the Admin bar is being cached, and two ways to disable it quickly.
Purge Admin Bar from Cache
Right away let's go ahead and remove the Admin bar from cache. This will prevent any additional users from being able to load it inappropriately. You will need to avoid accessing your public facing pages while logged in as we take further access to prevent the Admin Bar from ever being cached.
- Navigate to your Stack
- Navigate to Sites > Website Domain > CDN
- Select Custom Purge
- In the Pop-up window select Purge by: Path
- In Input URLs paste: /wp-includes/css/admin-bar.min.css
- Click Purge Specified
Why is the Admin Bar cached?
If your integration meets all of the following criteria, your Admin Bar will be cached.
- Full Site Integration without WAF
- A logged in Admin user sends the first request to CDN after a page purge
- StackPath CDN caching settings are set to Specify CDN TTL
Under these conditions, your Origin will respond to the CDN's request to cache content with an HTML file referencing the Admin Bar asset, and the CDN will override the no-cache header normally attached to this page by your Origin. The CDN will then proceed to request the Admin Bar asset from your Origin and place it into cache. Any user that requests the same page subsequently will receive the cached request from the logged in administrator.
Prevent Caching of the Admin Bar
There are two options to prevent the caching of your Admin bar.
- The first modifies Wordpress settings to never use the admin bar on public pages.
- The second will modify your CDN settings to respect the correct Cache Control headers sent by your Origin, so your Admin Bar will retain its pre-CDN functionality.
Option 1: Disable Admin Bar in Wordpress
If you want to maintain your CDN configuration you can simply disable the Admin Bar. The Admin Bar will be disabled for all users, and will only display on wp-admin pages.
- Log into your Wordpress admin panel
- Click Add Plugins and search "Hide Admin Bar"
https://wordpress.org/plugins/hide-admin-bar/ - Install and Activate Hide Admin Bar
- Under CDN > Cache Settings > Purge Cache, select Purge Everything
For the same functionality but no plugin, you can add the following filter to /wp-includes/functions.php.add_filter('show_admin_bar', '__return_false');
Your Admin bar is now disabled. To re-enable the Admin Bar, simply disable the Hide Admin Bar plugin.
Option 2: Change Caching Policy to Origin Controlled
Wordpress, by default, will send a Cache-Control header to browsers that indicates to cache or not cache particular assets. We can use this to our advantage and tell the CDN to obey the same rules for it's caching policy. Changing your StackPath caching policy will prevent the Admin Bar from ever entering the CDN cache.
- Navigate to your Stack
- Navigate to Sites > Website Domain > CDN. The Cache Handling options are on this page.
- Change from Specify CDN TTL to Origin Controlled
7. Under Purge Cache, click Purge Everything
We always recommend WordPress sites to use WAF with a Full Site integration to avoid custom caching conflicts and provide additional security measures. If you are interested in setting up WAF to prevent these issues by default, navigate here to review how StackPath WAF works.
If you encounter any additional issues with Admin Bar caching, please contact our support.