Varnish with WordPress

I have moved my WordPress site (a small blog) onto a hosting platform with Varnish at its front. Varnish, rightly, won’t cache when cookies exist.

It looks like WordPress starts the session, even if it doesn’t need it. As such, it sets the PHPSESSID cookie, even though a var_dump() of $_SESSION is empty (when done at the end of index.php).

Is there a way to stop WordPress doing this? Perhaps with an existing or, indeed, custom plugin?

EDIT: Looking at it again, does the session get used for anything useful on the frontend of the site? Posting a comment seems to set other cookies. Can I just exclude PHPSESSID from Varnish?

I know W3 Total Cache works with Varnish but it’s a massive plugin and, despite spending a lot of time configuring it, performance was worse and things occasionally broke.

Solutions Collecting From Web of "Varnish with WordPress"

I gave it a punt and it seems to be OK. Below is my VCL. It basically unsets all cookies unless it’s wp-admin. This will only work for a very simple site.

# Specific to
if ( == "") {
        # Strip all cookies (the only one should be PHPSESSID) if not admin
        if ( ! bereq.url ~ "^/wp-admin/") {
                unset beresp.http.Set-Cookie;

We have a similar use-case to you, but we’re running Varnish on a multi-site WordPress site that runs four high-traffic news-sites.

Here’s the relevant excerpts from our VCL file.

# WordPress - admin, uploads and preview.
if (req.url ~ "^/wp/" || req.url ~ "^/wp-(login|admin)" || req.url ~ "^/wp-content/uploads/" || req.url ~ "&preview=true") {
    return (pass);
} else 
# Allow Editors to see an uncached version, and Users to see up-to-date comments.
if ( ~ "<our domain>" && req.http.Cookie ~ "wordpress_logged_in_") {
    return (pass);
} else 
# Password protected posts.
if (req.http.Cookie ~ "wp-postpass_") {
    return (pass);
unset req.http.cookie;

(NB: This is Varnish 4 VCL syntax, which is subtly different to Varnish 3.)