Unauthenticated visitors see the WordPress admin toolbar

Application Security SSL / TLS
1

What is the name of the domain?

N/A

What is the error number?

N/A

What is the error message?

N/A

What is the issue you’re encountering

Unauthenticated visitors (in incognito/private‐browsing mode) can see the WordPress admin (the admin website) toolbar at the top of every page—even when not logged in. The toolbar only disappears when I enable Cloudflare Development Mode.

What steps have you taken to resolve the issue?

Bypass cache for admin page and login page

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Disable Cloudflare Development Mode.
Visit (website) in a private/incognito window.
Observe that the WP admin toolbar is visible at the top without logging in.
Enable Development Mode again — toolbar immediately hides.

2

Whatever your cache rule you’ve set up for this, it needs to /not/ trigger for logged in users with WordPress cookies:

Screenshot 2025-06-09 at 9.11.47 PM
Screenshot 2025-06-09 at 9.11.47 PM1452×550 19.5 KB

3 Likes
3

Hi, thanks again for all your help!

I’ve set up three Page Rules:

https://*.domain.com/wp-admin → Cache Level: **Bypass**
https://domain.com/wp-login.php → Cache Level: **Bypass**
https://domain.com/ → Cache Level: **Cache Everything**

For the Cache Rule, my expression is:

(not starts_with(http.request.full_uri, "/wp-login")
 and not starts_with(http.request.full_uri, "/wp-admin")
 and not http.cookie contains "wp-"
 and not http.cookie contains "wordpress"
 and not http.cookie contains "woocommerce")
  1. Does that look correct?
  2. Under Cache eligibility, should I select “Eligible for cache” (so all matching front-end hits get cached) or “Bypass cache”?

Thanks again for confirming!

1 Like
4

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.