I too believe this is such a fundamental weakness of cloudlfare. Its frustrating, its a security risk and its time consuming. I am on the $20 pm plan, but am now actively seeking an alternative to cloudflare because of this serious security flaw in cloudflare. Caching an admin bar for a wordpress site gives instant access to the admin username. This fast tracks a hack. Since cloudflare claims to improve security it defies logic that this basic necessity is out of the reach of 95% of users.
This is not really a flaw with Cloudflare at all. Cloudflare does not cache the admin bar by default, the only reason you would see if cached is if you have implemented a cache everything page rule. If you have, then you should bypass the cache for the wp-admin area and not browse your site logged in, as it will then cache the admin bar. (alternatively, you can disable the admin bar all together…)
I have had to custom CSS the admin bar , but thats time consuming too , because we have a site that has 4 staff editing it all day every day.
Its just a basic functionality that should be included.
Any platform trying to sell added security and performance should include an easy workaround for such a fundamental issue that affects every WordPress user.
What cloudflare is effectively saying is use us and you have a choice:
- Add significant workload: or
- Leave a gaping security hole: or
- Pay us a ton of money every month for a basic fundamental feature.
We will have to agree to strongly disagree.
There is a product request in to have the feature moved down to pro
while I see what you are saying, most users here do not use cache everything - and especially not with WordPress.
Exactly. And people creating websites do have to set aside time to understand what exactly they’re getting in to. If they need help, there is support, plenty of how-to guides or can ask the community to help.
The Admin bar may be cached, but the cookie isn’t. Anybody who’s not logged in and tries to click on something won’t have Admin privileges to make changes.
You can also also disable the Admin bar:
Now I just use Workers and the accompanying plugin to cache for non-cookie users: