Security Plugin(s) renders wp-rocket useless

[SeparateReality]

Not sure how many Security Plugins use that "feature" this way, but it would be very easy to avoid this pitfall and lessen support requests (like we had one):

WP Cerber has a feature called "Stop exposing user details" (nouserpages_bylogin in code). The way they implemented it renders WP Rocket useless.

The feature sets - via add_filter('author_link'…) - all author pages queried via get_author_posts_url() to the SITE-URL.

WP-Rocket uses get_author_posts_url() to delete the author page of the post from the cache in rocket_clean_post().

However, due to the WP Cerber feature this adds the SITE-URL to the $purge_urls array.
Means that every time a post is changed (product, order,...), the entire site cache is deleted.

A simple check (something like get_author_posts_url() != SITE-URL) or alike would avoid this drama.

Regards,
Thomas

[piotrbak]

Hello @SeparateReality and thanks for creating the issue.

[piotrbak]

Acceptance Criteria

• Don't clear the whole cache when Author Link is set to Site URL (possible relation Elementor templates clearing cache in full #5848)
• Clear Author pages correctly when they're set default
• Clear Author pages correctly when they're custom but not Site URL
• No regressions in rocket_clean_post in any of the above scenarios

[jeawhanlee]

Reproduce the problem ✅

I was able to reproduce the problem with WP Cerber

Identify the root cause ✅

As stated in the issue.

Scope a solution ✅

We will do a check to add author url to list of urls to purge only if it is not the same as site_url() in

wp-rocket/inc/common/purge.php

Line 135 in 408433f

$purge_urls[] = get_author_posts_url( $post->post_author );

$author_url = get_author_posts_url( $post->post_author );

if ( site_url() !== $author_url ) {
  // Add the author page.
  $purge_urls[] = get_author_posts_url( $author_url );
}

Update test too.

Estimate the effort ✅

[S]