Problems with WordPress and Amazon CloudFront

Screenshot of Amazon CloudFront cache behaviour showing a number of headers

Here’s a fun story. When I originally moved this blog to Amazon Lightsail five years ago, I followed the recommended best practice and installed the AWS for WordPress plugin. I used that to set up an Amazon CloudFront distribution to manage the site’s cache. For several years, everything worked great. Then in September 2022, AWS abandoned the plugin and removed it from WordPress.org. As far as I can tell, they provided no information for users to tell them what to do without it. I continued to use the plugin for some time, even though this is generally seen as pretty bad security since it’s no longer receiving updates. A few months back, I got tired of my security scanner blaring at me about this discontinued plugin and deactivated it. The CloudFront distribution still existed and my site continued to work as intended, so I figured it was safe to delete.

As you might guess, there have been consequences. I noticed recently that my site was sometimes caching things too aggressively. I’d write a new blog post and tell Rodd to check it out, but he’d still be seeing the old one for some time. I’m far from a CloudFront expert, but I’ve been looking at my distribution behaviour settings and comparing them to current best practices. This site, for example, recommends using “Origin” for your cache key. My plugin-created distro, however, uses “Cloudfront-Forwarded-Proto,” “CloudFront-is-Tablet-Viewer,” “CloudFront-is-Mobile-Viewer,” “CloudFront-is-Desktop-Viewer,” and “Host.” For object caching, my distribution had “Use origin cache headers” selected instead of a custom option. Without any documentation from AWS on how their plugin actually worked, all I can theorise is that it must’ve set some sort of header that CloudFront was using, and by deleting the plugin, I’ve mucked up that behaviour.

So what to do? For the meantime, I’ve changed the default behaviour’s object caching to have a default TTL of 5 minutes. I’ll see if that helps the situation at all. Otherwise I’m going to either have to look at my backups and see if I can reverse-engineer what the plugin was doing, or else figure out how to modify my distribution to work properly without it. Ugh.
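The post’s two object-caching settings, “Use origin cache headers” and a custom 5-minute default TTL, differ mainly in how long CloudFront keeps a response that the origin sent with no caching headers at all, which is what WordPress does for an anonymous page view. The script below is an added example, not code from the blog or from the AWS for WordPress plugin: it encodes the documented CloudFront rules for combining a behaviour’s minimum/default/maximum TTL with the origin’s `Cache-Control` and `Expires` headers, and runs them over a few constructed WordPress-style responses. The legacy “Use origin cache headers” values (0 s / 24 h / 1 year) are the ones AWS uses for that setting; leaving the minimum and maximum unchanged for the 5-minute policy is an assumption, and `EXAMPLE_NOW` is a fixed clock for the `Expires` case.

```python
"""Effective CloudFront TTL under different object-caching settings (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class CachePolicy:
    """Minimum / default / maximum TTL of one CloudFront cache behaviour, in seconds."""
    min_ttl: int
    default_ttl: int
    max_ttl: int


# Legacy "Use origin cache headers" setting: min 0 s, default 24 h, max 1 year.
USE_ORIGIN_CACHE_HEADERS = CachePolicy(min_ttl=0, default_ttl=86_400, max_ttl=31_536_000)
# The post's interim fix: a 5-minute default TTL. Keeping min/max at the legacy values is an assumption.
FIVE_MINUTE_DEFAULT = CachePolicy(min_ttl=0, default_ttl=300, max_ttl=31_536_000)

# Fixed clock so the Expires case is reproducible.
EXAMPLE_NOW = datetime(2026, 1, 1, 0, 0, tzinfo=timezone.utc)

# Constructed sample responses (not captured from the author's site).
SAMPLE_RESPONSES = {
    "wordpress_page_anonymous": {"Content-Type": "text/html; charset=UTF-8"},
    "wordpress_page_logged_in": {"Cache-Control": "no-cache, must-revalidate, max-age=0"},
    "theme_stylesheet": {"Cache-Control": "max-age=2592000"},
    "expires_only": {"Expires": "Thu, 01 Jan 2026 00:10:00 GMT"},
}


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'} (names lower-cased)."""
    directives: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def effective_ttl(response_headers: Dict[str, str], policy: CachePolicy,
                  now: Optional[datetime] = None) -> int:
    """Seconds CloudFront serves the cached copy before going back to the origin."""
    now = now or datetime.now(timezone.utc)
    headers = {k.lower(): v for k, v in response_headers.items()}  # header names are case-insensitive
    directives = parse_cache_control(headers.get("cache-control"))

    # no-cache / no-store / private are honoured when min TTL is 0; otherwise min TTL wins.
    if directives.keys() & {"no-cache", "no-store", "private"}:
        return policy.min_ttl

    origin_ttl = None
    if directives.get("s-maxage") is not None:      # s-maxage takes precedence over max-age
        origin_ttl = int(directives["s-maxage"])
    elif directives.get("max-age") is not None:
        origin_ttl = int(directives["max-age"])
    elif "expires" in headers:                      # Expires is used only when max-age is absent
        expires = parsedate_to_datetime(headers["expires"])
        origin_ttl = max(0, int((expires - now).total_seconds()))

    if origin_ttl is None:
        # No caching headers at all: the default TTL applies (raised to min TTL if that is larger).
        return max(policy.default_ttl, policy.min_ttl)
    # Origin-supplied lifetime, clamped into the behaviour's [min, max] window.
    return max(policy.min_ttl, min(origin_ttl, policy.max_ttl))


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        legacy = effective_ttl(headers, USE_ORIGIN_CACHE_HEADERS, now=EXAMPLE_NOW)
        custom = effective_ttl(headers, FIVE_MINUTE_DEFAULT, now=EXAMPLE_NOW)
        print(f"{name:28s} origin-headers: {legacy:>9d} s   5-min default: {custom:>9d} s")
```

The anonymous page row is the one that matters for the symptom in the post: with no `Cache-Control` from WordPress, the legacy setting keeps the old HTML for a full day, while the 5-minute default caps that at 300 s. Static assets with their own `max-age` and logged-in responses marked `no-cache` are unaffected by the change, which is why the site kept “working” while the front page went stale.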