Varnish + CloudFlare + MaxCDN = me confused!

Recently migrated my active site over to DreamPress. Kudos to the DH support team for helping me maintain my sanity as the site continually crashed until it was dialed in.

Things are snappy now, but I want to make things even snappier. Also, when I run my site ( through, it replies, “sort of.”

I have tested turning plugins on and off and retesting, but with no luck. So now I’m thinking that there may be something that needs to be tweaked with my “other” environments: CloudFlare and MaxCDN.

Was hoping that someone may have recommendations for configuring the 3 to work together nicely. I’m not sure what settings I should have for expiring headers on either MaxCDN or CloudFlare.

Anyone have any thoughts?

On MaxCDN, my PullZone has these settings under Cache Control:
Default Cache Time: 1 day
Override Cache-Control Header: No Override

On CloudFlare, the following:
Performance Profile: CDN+Basic Optimizations
Caching Level: Aggressive
Minimum Expire TTL: 1 day
RocketLoader: off

Thanks for any help that people can provide.

Ok, so I started going through EVERY plugin and deactivating it and running things through and potentially found a plugin that was causing things to not cache properly. This was not on my list of initial tests.

Looks like “Chap Secure Password Login” was preventing Varnish caches. I will be contacting the plugin author to let them know.

I took a look at

It’s using PHP Sessions:

So what that does is tell PHP that every user is unique and special and gets their own PHP sessions… which means no caching. And sadly it’s doing that every time the plugin_loaded() function is run, which means… basically all the time.

It would be better if they only ran that on the wp-login page.

Thanks for looking into that. Varnish now seems to be relatively happy on my site with that plugin disabled.

Is there an “easy” way to figure out if a particular plugin is using PHP Sessions?
What to look for in the code?


Not without reading the code, so easy is reaaaally subjective :)

Via the shell, I run this:

 grep -Ri "PHPSESSID" ./wp-content/plugins ; grep -Ri "session_start" ./wp-content/plugins ; grep -Ri "start_session" ./wp-content/plugins
 grep -Ri "PHPSESSID" ./wp-content/themes/ACTIVETHEME ; grep -Ri "session_start" ./wp-content/themes/ACTIVETHEME ; grep -Ri "start_session" ./wp-content/themes/ACTIVETHEME

Basically I look for anything that calls PHPSESSID, session_start, or start_session. The trick there is sometimes it’s okay to use PHPSESSID or PHP Sessions, and sometimes it’s not. Like you’ll see WordPress SEO and DreamObjects both use it, but they both use it properly.

If that plugin was only calling the sessions on the wp-login page (which is not super easy to do - ) then it would be just fine :) So a lot of it’s conditional.

One of the things DH pays me to do is review plugins; I’m kinda used to them being weird.

Very cool! Thanks for sharing!
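
An added example, not part of the thread: a header check that shows whether PHP actually started a session for an anonymous request, which is the behaviour described above as defeating caching, and which complements the grep by separating plugins that merely mention sessions from ones that start them on every page. It assumes PHP's default `session.name` (PHPSESSID) and `session.cache_limiter` (nocache); the function names and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): spot PHP-session side effects in
# HTTP response headers. Assumes PHP defaults: session.name=PHPSESSID and
# session.cache_limiter=nocache (which emits the fixed 1981 Expires date).

# Reads response headers on stdin, prints one finding per matching header.
# Header names are matched case-insensitively; trailing CRs are stripped.
session_symptoms() {
    awk '
        { sub(/\r$/, ""); h = tolower($0) }
        h ~ /^set-cookie:[ \t]*phpsessid=/ { print "PHPSESSID cookie set" }
        h ~ /^expires:.*19 nov 1981/       { print "session nocache Expires header" }
    '
}

# Returns 0 (and prints the findings) when the headers show that a session
# was started, 1 when the response looks session-free.
starts_session() {
    findings=$(session_symptoms)
    [ -n "$findings" ] || return 1
    printf '%s\n' "$findings"
}

# Constructed sample: anonymous page view while a plugin calls session_start().
sample_with_session() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
EOF
}

# Constructed sample: the same page with the plugin disabled.
sample_without_session() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
EOF
}

# Live use (example.com is a placeholder):
#   curl -sI https://example.com/ | starts_session
sample_with_session | starts_session
sample_without_session | starts_session || echo "no session side effects"
```

Run it against a logged-out front-page request after toggling each plugin; a plugin that only starts sessions on wp-login will not trip the check there.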