Developers: please read this article before installing any security, backup, or caching plugins for your AccessAlly membership site.
If you’re looking for hosting for your AccessAlly site see our recommendations.
Security, backups, and caching are all extremely important functions for a membership site. Unfortunately, it can be difficult to choose between using a plugin or your server’s built-in capabilities.
Since not all plugins and servers are built the same, what’s considered “good practice” for one server might be frowned on by another. And, while using the server’s functionality is usually recommended over a plugin, this is not always the case (some servers, for example, have notoriously bad caching. In this case, a caching plugin would be preferable).
Just be aware of the warning signs that appear when your business has outgrown the security tools you’re using.
ARTICLE CONTENT:
Evaluation Criteria
To help in your decision, use the following as your evaluation criteria:
- PERFORMANCE: Does it slow down the site? (This is especially important for backups – when a backup operation is underway, does the site slow down?)
- STORAGE: Does the plugin you’re using clog up the site with junk? Does it duplicate files on your server (taking up valuable storage)? Here, you’ll want to look for the “free space” measure on your server.
- CONSISTENCY: Does the tool always perform as required, or does it fail sometimes?
- FLEXIBILITY: Does the tool allow customization? Well-built tools know the world is full of exceptions, so they allow for certain files / use cases to be whitelisted.
- DISCONNECT: Does the tool block communication from CRM to server, which results in missed signals and can restrict users’ access to your site?
Use these criteria when determining the best course of action for the following functions:
Website Backups
Ideally, site backups should be done on the server level by your host. Please confirm with your host on the following items:
- The frequency of backups
- How to restore backups
If your host does recommend a secondary backup plugin, be selective with the solutions you choose. Evaluate the options against the following considerations:
- Ease of use: Backups are most needed when bad things happen. The restore must be easy (can be done without complicated operations) and complete (full revert to the restore point, including files and database). The Gold standard here is the WPEngine backup points.
- Flexibility: A backup can be triggered when needed. It’s also good to have the option to backup / restore only file or database.
Backup & Caching Plugins to avoid:
- Updraft (older versions)
- WP DB Backup
- WP DB Manager
- BackupWordPress
Recommended backup plugins:
- VaultPress
- BackupBuddy
- Updraft Plus
Anti-Spam Plugins
How to Exclude AccessAlly Pages from Caching
Page caching can dramatically speed up your WordPress site, but certain AccessAlly pages must never be cached. Caching these pages causes [02002] errors, failed transactions, and login issues that block your sales.
⚠️ Critical: If you use caching plugins or server-level caching, you MUST exclude AccessAlly order forms, login pages, and checkout pages from caching. Failure to do this will block sales and cause customer login issues.
Which Pages Must NOT Be Cached
The following AccessAlly pages must always be excluded from caching:
- Order forms – Any page with AccessAlly order forms or buy buttons
- Login pages – Your custom login page or WordPress /wp-login.php
- Checkout pages – Pages with payment forms
- Member dashboard – Pages with dynamic user content
- Course progress pages – Pages showing user-specific progress
- Protected content pages – Pages with conditional content based on tags/purchases
- Go to WP Rocket Settings
- In WordPress admin, go to Settings → WP Rocket
- Navigate to Advanced Rules
- Click the “Advanced Rules” tab
- Find the “Never Cache URL(s)” section
- Add exclusion patterns
- Add each of these URLs (one per line):
/accessally-order/(.*) /order-form/(.*) /checkout/ /login/ /register/ /my-account/(.*) - Save settings
- Click “Save Changes”
- Clear your cache (WP Rocket → “Clear Cache” button)
- Test an order form to ensure [02002] errors are gone
- Go to Performance → Page Cache in WordPress admin
- Scroll to “Never cache the following pages”
- Add these page paths: (one per line)
/order/* /login/ /register/ /checkout/ /cart/ /my-account/ - Save settings
- Clear all caches and test your order forms
- Go to Settings → WP Super Cache
- Click the “Advanced” tab
- Scroll to “Rejected URLs” section
- Add these URLs (one per line):
/order-form/ /login/ /logout/ /my-account/ /checkout/ - Click “Save Changes”
- Clear all caches
- Go to LiteSpeed Cache → Page Optimization
- Scroll to “URI Excludes” section
- Add each AccessAlly page URL pattern on a new line:
/order/* /login/ /register/ /my-account/* /checkout/ - Save changes
- Clear cache and test
- Go to WP Fastest Cache → Settings
- Scroll to “Exclude Pages”
- Add these URL patterns (one per line):
/order-* /checkout* /login* /logout /my-account /cart - Save settings
- Clear all cache
- Go to Settings → WP Super Cache
- Click the “Advanced” tab
- Find “Accepted Filenames & Rejected URIs” section
- Add these paths (one per line) to “Rejected URLs”:
/order-form/ /checkout/ /login/ /logout/ /my-account/ - Click “Save Settings”
- Clear your cache
- Go to LiteSpeed Cache → Cache → Excludes
- In the “Do Not Cache URIs” field, add these paths (one per line):
/order-form/ /checkout/ /login/ /my-account/ /cart/ - Click “Save Changes”
- Purge all caches
- Go to Settings → WP Super Cache
- Click the “Advanced” tab
- Scroll to “Rejected URLs” section
- Add these patterns (one per line):
/order/ /checkout/ /cart/ /login/ /register/ /account/ - Click “Save Settings”
- Clear all caches
- Go to Performance → Page Cache
- Scroll to “Never cache the following pages”
- Add your order form URLs (one per line):
/order/* /checkout/* /purchase/* /buy/* /login/ /register/ /my-account/* - Save settings
- Empty all caches
- Go to Settings → WP Super Cache
- Click the “Advanced” tab
- Scroll to “Rejected URLs”
- Add patterns to reject:
/order/ /checkout/ /purchase/ /buy/ /login/ /register/ /my-account/ - Click “Save Settings”
- Delete cache
- Go to LiteSpeed Cache → Cache
- Click the “Excludes” tab
- In “Do Not Cache URIs”, add:
/order /checkout /purchase /buy /login /register /my-account - Save changes
- Purge all caches
- Log in to Cloudflare dashboard
- Go to Caching → Configuration
- Scroll to “Cache Rules”
- Create a new rule: “Bypass cache if URL path starts with /order/”
- Repeat for all dynamic paths: /checkout/, /buy/, /login/, /register/
- WP Engine: Contact support to exclude URLs from page cache
- Kinsta: Add exclusions via MyKinsta dashboard
- Flywheel: Managed WordPress handles this automatically
- SiteGround: Use SG Optimizer plugin to exclude URLs
- Clear all caches (plugin cache, browser cache, CDN cache)
- Open your order form in a private/incognito browser window
- Try to complete a purchase
- Verify you don’t get [02002] errors
- Check browser developer tools (F12 → Network tab) – order form should show “Cache: MISS” or “no-cache” headers
- Clear your browser cache completely
- Test in a private/incognito window
- Try a different browser
- If using Cloudflare, click “Purge Everything”
- Wait 5-10 minutes for purge to complete
- Test again
- You might have BOTH a caching plugin AND server-level caching
- Check with your hosting provider if they have server-level caching enabled
- Exclude URLs from ALL caching layers
- Use developer tools to check HTTP headers
- Press F12 → Network tab → Reload order form
- Click on the page request
- Look for headers like
Cache-Control: no-cacheorX-Cache: MISS - If you see
X-Cache: HIT, the page is still being cached - Some caching plugins add rules to .htaccess
- Make sure there are no conflicting cache rules
- Consult with a developer if unsure
- ✅ Identify all dynamic pages before enabling caching:
- Order forms (all AccessAlly order form pages)
- Login/registration pages
- User account pages
- Checkout pages
- Any page with forms that process payments
- ✅ Configure cache exclusions first, then enable caching
- ✅ Test order forms after enabling caching
- ✅ Test logged-in user experience (content access, downloads)
- ✅ Keep caching plugins updated
- ✅ Don’t use aggressive caching settings (like “cache everything”)
- Cache static pages: Sales pages, blog posts, static content
- Don’t cache dynamic pages: Order forms, login, user dashboards, protected content
- Use object caching: Redis or Memcached for database queries
- Use CDN caching: For images, CSS, JavaScript – but NOT HTML pages with forms
- Set appropriate cache expiration: 1-7 days for most content
- CleanTalk – the custom contact form protection feature causes issues with AccessAlly order form fields and AccessAlly coupon codes. We recommend turning custom contact form protection off if using CleanTalk.
- In the top bar of your WordPress Site, hover over CleanTalk.
- Hover over AntiSpam, select Settings
- Select Advanced Settings (this is a link midway on the settings page)
- Turn Custom contact form protection from On to Off
- Save your changes
- How frequently your cache is cleared by the host (it may be on a schedule)
- Whether it is possible for you to clear manually in the event you are making real time changes
- AccessAlly: all files in /wp-content/uploads/accessally-scripts/
- ProgressAlly: all files in /wp-content/progressally-css/
- PopupAlly Pro: all files in /wp-content/popupally-pro-scripts/
- When users are logged in, no page is cached. This is usually the case, but there are some hosts that do not always do this properly (GoDaddy is one well-known example).
- Page with timers / countdowns should be excluded from the cache.
- WP Super Cache
- W3 Total Cache
- WP Cache
- WP Cachecom
- WP Fast Cache / WP Fastest Cache
- WP File Cache
- WP Rocket
- Hummingbird – the javascript modification settings may cause issues with buttons on AccessAlly order forms.
- Check with your host to see if they offer caching at the server level
- All in One WP Security & Firewall
- Wordfence
- Sucuri
- All SSL Plugins – this should be installed on the server level by your host. Please confirm with them on the process to get that installed.**
- CDN powered by Fastly
- iThemes Security
- Cloudflare
- On-demand custom operations may not work
- The login form password reset functionality may not work
💡 Why? These pages use dynamic content that changes based on the logged-in user. Caching them causes errors like [02002], prevents purchases, or shows the wrong content to users.
How to Exclude AccessAlly Pages from Caching
Method 1: WP Rocket (Most Popular)
WP Rocket is one of the most popular caching plugins. Here’s how to exclude AccessAlly pages:
W3 Total Cache
WP Super Cache
LiteSpeed Cache
WP Fastest Cache
WP Super Cache
LiteSpeed Cache
WP Super Cache
Option 2: W3 Total Cache
Option 3: WP Super Cache
Option 4: LiteSpeed Cache
Option 5: Server-Level Caching (Cloudflare, etc.)
If you’re using server-level caching or a CDN like Cloudflare:
Cloudflare:
Other CDNs/Hosting:
How to Test If Caching Is Fixed
After excluding your order forms from cache:
Troubleshooting: [02002] Error Persists
If you’re still getting [02002] errors after excluding pages from cache:
1. Check Browser Cache
2. Check CDN Cache
3. Check Multiple Caching Layers
4. Verify Page Exclusions
5. Check .htaccess Rules
Prevention Checklist: Before Installing Caching
To avoid caching issues from the start:
Recommended Caching Strategy for AccessAlly Sites
Best practice:
Need Help with Caching Configuration? Caching configuration can be complex. If you’re not comfortable editing these settings, consider hiring a WordPress developer or contacting your hosting provider’s support team for assistance.
💡 Pro Tip: The performance benefit of caching is most important for high-traffic public pages. It’s safer to be conservative and exclude more pages than necessary, rather than risk caching dynamic content and breaking functionality.
Here are the steps to turn CleanTalk custom contact form protection off.
Caching Plugins
Most hosts have built in caching at the server level, so the use of a caching plugin may not be required.
Please check with your host on your cache settings. Two specific settings to know include:
Some caching plugins can cause issues with versioning of the site and display items inaccurately.
If your host suggests that you DO use a plugin to assist with site caching, be sure to exclude AccessAlly. Then, remember to clear your plugin cache and server cache when you are making changes that you want to view/make live immediately.
If using Flywheel hosting it may block tracking cookies. You’ll need to contact Flywheel and ask them to add paths to your caching exclusions (ignore the extra characters)
^/~access/*
^/accessallyref/*
Anything falling after those paths on your site will not be cached after this. It takes about 5 minutes to ask for this via Flywheel chat.
If you’re experiencing issues and you have hosting through WPEngine our best recommendation is to reach out to them to ask them to turn off the cache site-wide.
Caching Specifics for Your Membership Site
There are a couple different considerations for caching a membership site built with AccessAlly:
When styling is updated in AccessAlly / PopupAlly Pro, it is recommended to manually flush / clear the cache. If clients prefer not to do that, then they should whitelist the styling files:
Page cache: some pages just shouldn’t be cached
Some Caching plugins to avoid:
Recommended caching plugins:
Security Plugins
Always approach security plugins with caution. Most hosts will have plugin recommendations that match their server settings and they can recommend the best solution for you.
After choosing a security plugin, always look to whitelist or make exceptions for the CRM system and server to communicate.
Also, know that security plugins should be regularly updated as vulnerabilities are often patched and pushed out.
Security plugins to avoid:
Security plugins to consider
NOTE: You will need to review the plugin settings to allow the CRM to communicate with the server and back to the CRM. This may require you to whitelist IPs of these tools within the security plugin as the communication must be permitted to run a membership site:
Captcha Login Plugins
While it may be tempting to install a WordPress captcha login plugin, which asks people to enter numbers and letters or show that they’re not a robot, these plugins can interfere with AccessAlly.
It can create a poor login experience for clients when you install a captcha login plugin, which is why we don’t recommend them. Captcha plugins also don’t increase the security of your site enough to warrant the poor user experience they can cause. Here are a few ways that these plugins can prevent clients from accessing their courses:
Please consider these issues before installing a captcha plugin!
Siteground Hosting Related
The SiteGround Speed Optimizer plugin can cause issues with CommunityAlly group posts. We recommend deactivating this plugin.
SiteGround antibot AI may mistakenly flag AccessAlly webhooks as bots.
This can be found on your CRM webhook logs. These will return a 200 or 202 code. And, appears as .well-known/sgcaptcha
If this issue affects your site, new members will appear in your CRM system moving through automations – but, new members will not appear as users in your AccessAlly site.
We recommend reaching out to SiteGround to have this feature disabled or to have SiteGround resolve the flagging issue.
