WordPress APO Caching "Bot Verification" Page #563
Description
Confirmation
- My issue isn't already found on the issue tracker.
- I have replicated my issue using the latest version of the plugin and it is still present.
WordPress version
6.8.3
Cloudflare-WordPress version
4.13.0
PHP version
8.1.31
Expected result
Pages that include the Cache-Control: no-cache, no-store header should be skipped by APO and never served from the cache. The "Bot Verification" page should always result in a cf-cache-status: DYNAMIC or cf-cache-status: MISS.
Actual result
The "Bot Verification" page is being cached by APO, leading to stale or broken challenge pages for different users. The response headers show cf-cache-status: HIT even with the strict Cache-Control directive.
Steps to reproduce
Set up a WordPress installation with the Cloudflare plugin and APO enabled.
Enable a security measure or plugin that triggers a reCAPTCHA or "Bot Verification" page (e.g., during login, on certain contact forms, or via a security firewall rule).
Access the page that triggers the reCAPTCHA.
Examine the HTTP response headers for the reCAPTCHA/Bot Verification page. The page correctly includes the header: Cache-Control: no-cache, no-store, max-age=0, must-revalidate.
Observe that the page is still being served from the APO cache for the next visitor (indicated by the cf-cache-status: HIT header).
Additional factoids
The "Bot Verification" page, which contains a reCAPTCHA challenge, is being incorrectly cached by WordPress APO (Automatic Platform Optimization) despite including the necessary cache-control headers. This is preventing the page from functioning correctly for subsequent users.
We have temporarily disabled APO. We plan to re-enable it once the issue is resolved because the speed improvement was absolutely incredible!
Our website, [Amagicsoft], had its 'Bot Verification' page screenshots incorrectly indexed by Google for a period of time.
References
No response