Beware of negative caching
December 3rd, 2009 by Michael Hampton
Advisory: WordPress users who use caching plugins should check to ensure that the caching plugin does not cache error pages. This behavior violates Internet standards and may cause users to be blocked from your site. This issue may also affect caches external to WordPress, such as squid and ISA, and content distribution networks such as Akamai. See below for details.
In the last 24 hours I’ve received complaints from Bad Behavior users that legitimate requests are being blocked. These users are using WordPress caching systems. In each case, the caching system was inappropriately caching the blocked page which was served to an illegitimate request. The caching system would then serve the blocked page to subsequent legitimate requests.
To be perfectly clear, this is a problem with the cache, not with Bad Behavior. The HTTP standard, RFC 2616, explicitly prohibits caches from “negative caching,” or storing the types of 4xx error pages which Bad Behavior serves to illegitimate requests. (The only cacheable error is 410, and Bad Behavior does not use this error.)
Currently I know of two WordPress caches which have this problem: Hyper Cache and W3 Total Cache. There is currently no workaround; to resolve the problem, either Bad Behavior or the caching plugin must be disabled.
In the case of Hyper Cache, you can replace it with WP Super Cache, which does not have this problem. There is no comparable replacement for W3 Total Cache; it’s otherwise an excellent product which combines many different techniques to speed up your site.
Other WordPress caches may be affected as well. If you don’t see your favorite caching plugin listed below, leave a comment and I’ll test it for this issue.
Current test results with Bad Behavior 2.0.33 and WordPress 2.8.6:
Batcache 1.0 = OK
Hyper Cache 2.6.3 = Broken
W3 Total Cache 0.8.5 = Broken
WP Super Cache 0.9.8 = OK
With respect to external caches and content distribution networks, normally these do not engage in negative caching. However it is possible to configure them to cache error responses. When this functionality is used, it should be limited to caching 404 and 410 errors.
Finally, the development roadmap includes features which will let Bad Behavior communicate to other plugins whether it has approved or blocked a request. If you want to support this feature along with future Bad Behavior development, consider becoming a sustaining contributor.
Dave Says
I was one of those who wrote in. I moved to Super Cache and it seems to be much better. Hyper Cache apparently was also not serving updated pages to Firefox users. Ack. Cacheing is difficult to implement, it seems…
Well, I was stunned by the speed of response and the accuracy of the diagnosis, and am pretty impressed overall..
Dec 4th, 2009 at 12:53 am
Sue Says
Curious to see if the 1 Blog Cacher has the problem. It’s the one I use and am quite satisfied with it.
http://1-blog-cacher.javier-garcia.com/
Dec 4th, 2009 at 3:01 pm
Michael Hampton Says
I hadn’t looked at 1 Blog Cacher since it hadn’t been updated in the plugin repository in two whole years and appeared to be abandoned. You’re probably the last person still using it, but I’ll check it out later.
Dec 4th, 2009 at 3:08 pm
Frederick Townes Says
W3TC now supports Bad Behavior in v0.8.5.2
Mar 14th, 2010 at 12:08 pm