What is BFCache and How It Works
Back/Forward Cache (bfcache) is an advanced feature of modern web browsers that dramatically speeds up navigation between pages. Unlike the traditional HTTP cache, which only stores responses to previous requests, bfcache retains a complete snapshot of the entire page in memory.
How It Works
When a user leaves a page, the browser doesn’t release its resources but instead:
- Pauses all running JavaScript code
- Saves the entire page state, including DOM and JavaScript heap
- Preserves all interactive elements and their current state
When navigating back/forward, the browser simply restores the saved snapshot—no network requests, no reloading, no script re-execution.
User Experience
BFCache significantly improves user experience:
Speed: Navigation is virtually instant—comparable to switching browser tabs.
State Preservation: All forms, scroll positions, and JavaScript states remain intact. The user returns exactly where they left off.
Data Savings: Eliminates unnecessary network requests, which is especially important on mobile devices with limited data plans.
According to Chrome statistics, back/forward navigations account for up to 10% of all desktop navigations and 20% on mobile. With active bfcache, billions of unnecessary requests could be eliminated daily.
Browser Support
Current Support
BFCache is supported in all major modern browsers:
- Chrome/Chromium – full support
- Firefox – full support
- Safari – full support
- Edge – full support (Chromium-based)
Unlike newer technologies such as the Speculation Rules API (supported only in Chromium), bfcache enjoys broad support across all browsers.
What Happens Without Support
If a browser doesn’t support bfcache (very rare in modern browsers), back/forward navigation behaves the traditional way:
- The page reloads from the server
- All scripts are re-executed
- Forms and states are reset
- The user experiences standard load times
WordPress and the no-store Problem
Default WordPress Behavior
By default, WordPress blocks bfcache for logged-in users by sending the HTTP header:
Cache-Control: no-cache, no-store, must-revalidate, private
The no-store directive explicitly forbids storing the page in any cache, including bfcache.
Reasons for the Security Measure
This restriction was introduced to protect privacy in the following scenario:
- An administrator logs in on a shared computer
- They work with sensitive data (API keys, user details)
- They log out of WordPress
- Another user accesses the computer
- They press the back button and view sensitive data from the cache
Performance Impact
This security measure has a significant negative performance impact:
- Every back/forward navigation triggers a full reload from the server
- Loss of form and JavaScript application state
- Slow navigation, especially in WordPress admin
- Frustrating experience on slow connections or shared hosting
No-cache BFCache Plugin: The Solution
How the Plugin Works
The No-cache BFCache plugin elegantly resolves the conflict between security and performance through several mechanisms:
1. Conditional Removal of no-store
The plugin removes the no-store directive from HTTP headers, but only under these conditions:
- The user has JavaScript enabled
- “Remember Me” was checked during login
- The private directive is retained to prevent proxy caching
2. Session Token System
On login:
- A random “bfcache session token” is generated
- The token is saved as a cookie wordpress_bfcache_session_{COOKIEHASH}
- The cookie is not HTTP-only, so JavaScript can read it
On each authenticated page:
- The token is injected into the HTML
- A JavaScript script compares the HTML token to the one in the cookie
3. Automatic Invalidation
When returning to a cached page:
- The script checks if the tokens match
- If they don’t match (user logged out), the page is cleared and reloaded
- Uses the pageshow event for bfcache and regular load for HTTP cache
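The token comparison and invalidation described in sections 2 and 3, as an added JavaScript sketch that is not the plugin's own code. The function names, the constructed cookie hash and the data-bfcache-token attribute used to carry the HTML token are assumptions.

```javascript
// Added illustration: identifiers here are hypothetical, not the plugin's own.
// "0123abcd" is a constructed stand-in for the site's COOKIEHASH.
const COOKIE_NAME = 'wordpress_bfcache_session_0123abcd';

// Return one cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Stale means: cookie gone (logout), cookie changed (new login), or the page
// carries no token at all. Every uncertain case fails closed.
function isStale(pageToken, cookieString, name = COOKIE_NAME) {
  const current = readCookie(cookieString, name);
  return !pageToken || current === null || current !== pageToken;
}

// Wire the check into a window-like object. Returns true if the initial
// (regular load) check already invalidated the page.
function installGuard(win, pageToken) {
  const invalidateIfStale = () => {
    if (!isStale(pageToken, win.document.cookie)) return false;
    // Blank the DOM first so stale content is not visible during the reload.
    win.document.documentElement.innerHTML = '';
    win.location.reload();
    return true;
  };
  // event.persisted is true only when the page was restored from bfcache.
  win.addEventListener('pageshow', (event) => {
    if (event.persisted) invalidateIfStale();
  });
  // Regular load path: covers a copy served from the HTTP cache.
  return invalidateIfStale();
}

if (typeof window !== 'undefined') {
  // Assumption: the server renders the token into <html data-bfcache-token="...">.
  installGuard(window, document.documentElement.dataset.bfcacheToken);
}
```

The check only works because the cookie is readable from script, which is why the page notes it is not HTTP-only.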
Why Use the Plugin
Dramatic navigation speed-up:
- Instant navigation in WordPress admin
- Faster browsing for logged-in users
- Preservation of form and JavaScript app states
Better User Experience:
- Eliminates data loss during navigation
- Smoother content management workflow
- Increased productivity for administrators
Technical Advantages:
- Reduced server load
- Bandwidth savings
- Improved Core Web Vitals metrics
Security Aspects
Remaining Risks
Despite the plugin’s advanced protections, theoretical risks remain:
Vulnerability Window:
- A short time between logout and token check
- Risk applies only to shared computers
- An attacker must act very quickly (within seconds)
JavaScript Dependency:
- If JavaScript is disabled after login, invalidation won’t work
- The plugin addresses this by retaining no-store for JS-disabled users
Plugin Safeguards
Multiple Layers of Protection:
- Session token validation
- Opt-in via “Remember Me” checkbox
- Preservation of the private directive
- Additional cache-control directives (no-cache, max-age=0, must-revalidate)
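One way to verify a captured Cache-Control value against the directives listed above, as an added JavaScript example that is not the plugin's own code. The function names are hypothetical, and the second sample header in the usage note is constructed from the page's description.

```javascript
// Added illustration: function names are hypothetical, not from the plugin.
// Parse a Cache-Control value into a Map of lower-cased directive -> argument
// (true for directives without an argument).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || '').split(',')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? true : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives.set(name, arg);
  }
  return directives;
}

// Audit the header of an authenticated response against the page's list:
// private kept, no-cache / max-age=0 / must-revalidate present, no-store absent.
function auditCacheControl(value) {
  const d = parseCacheControl(value);
  const findings = [];
  if (d.has('no-store')) findings.push('no-store present: page is excluded from bfcache');
  if (!d.has('private')) findings.push('private missing: proxies may cache the response');
  for (const name of ['no-cache', 'must-revalidate']) {
    if (!d.has(name)) findings.push(name + ' missing');
  }
  if (d.get('max-age') !== '0') findings.push('max-age=0 missing');
  return {
    blockedByNoStore: d.has('no-store'),
    proxySafe: d.has('private'),
    findings,
  };
}
```

Running auditCacheControl on the default WordPress header quoted earlier reports no-store as blocking bfcache, while a constructed value such as "private, no-cache, max-age=0, must-revalidate" returns no findings.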
User Choice:
- Sparkle emoji (✨) next to “Remember Me” highlights the feature
- Users actively choose between speed and maximum security
- Option to globally disable the opt-in mechanism
Plugin Benefits
Performance Gains
Measurable Improvement:
- Navigation times drop from seconds to milliseconds
- 100% elimination of network traffic for cached pages
- Zero CPU load when restoring from cache
Wider Impact:
- Improved site speed scores
- Positive impact on SEO metrics
- Better user satisfaction ratings
Practical Advantages
For Administrators:
- Faster content management
- Preservation of unfinished forms
- Smoother workflow
For End Users:
- Faster navigation on membership sites
- Better experience in online stores (WooCommerce)
- Cart state preservation
Compatibility
The plugin is designed with future WordPress core integration in mind and is compatible with:
- All modern browsers
- Existing plugins and themes
- Various hosting environments
Conclusion
The No-cache BFCache plugin represents a major step forward in WordPress performance optimization. It elegantly resolves the long-standing conflict between security and speed, giving users the choice between maximum protection and optimal performance.