Serious and urgent vulnerability in W3 Total Cache

Today a serious vulnerability was detected in the famous W3 Total Cache plugin which may compromise the security of your website

To make matters worse it turns out that the plugin has not been updated for more than 6 months and without even giving premium support, something unacceptable in such an important plugin, with millions of active users. [19659003] The vulnerability detected, according to explained in Zerial has a vulnerability of type XSS (Cross-Site Scripting) that allows to obtain administrator credentials.

To be able to exploit the vulnerability the administrator or a user with enough permissions must have an active session, the problem is in the "Support" section. When generating a support ticket, the system displays a form in which it assigns an "ID" as a hidden field. This value can be overwritten by setting the value via GET.

In this way, it is possible to exploit the vulnerability by injecting a payload of type "> .

 w3totalcache_xss-vulnerability "width =" 838 "height =" 446 "srcset =" https://ayudawp.com/wp-content/uploads/2016/09/w3totalcache_xss-vulnerability-840x447.png 840w, https: // ayudawp.com/wp-content/uploads/2016/09/w3totalcache_xss-vulnerabilidad-550x292.png 550w, https://ayudawp.com/wp-content/uploads/2016/09/w3totalcache_xss-vulnerabilidad-768x408.png 768w, https://ayudawp.com/wp-content/uploads/2016/09/w3totalcache_xss-vulnerabilidad.png 882w "sizes =" (max-width: 838px) 100vw, 838px "/> </p>
</p>
<h2><span id= Solutions to the vulnerability of W3 Total Cache

If you can do without the W3 Total Cache plugin I recommend you use another plugin that offers similar features For example, if you are hosted on SiteGround you can use 9022] SuperCacher which manages static cache, dynamic and memcached in a single click.

What you should not be leave your web without cache never.

] And if you do not want to stop using W3 Total Cache then it is urgent that you apply this guide to solve the problem as long as there is not a plugin update that solves the serious security problems:

  1. First of all do a backup of your WordPress .
  2. Save the W3 Total Cache settings and export the settings from the general plugin settings
  3. You can now deactivate your W3 Total Cache plugins administration page, but without deleting it or clicking on the uninstall link of the plugin.
  4. Now access the files of your WordPress installation and rename from cPanel or FTP to the folder wp-total- cache and change the name, for example to wp-total -cache-off Do not erase the folder, just rename it or WordPress will show all kinds of object cache, configuration and dependent plugins or Dropins errors. But mainly because for the next steps we need to continue there.
  5. Now you must download the version or fork created by M. Asif Rahman which solves the problem of W3 Total Cache and save it to your computer:
    Github: https://github.com/Asif2BD/W3-Total-Cache-Reloaded
    Direct download : https://github.com/Asif2BD/W3-Total-Cache-Reloaded/releases/download/0.9.4.5.2.1/w3-total-cache.zip
  6. Go back to your desktop WordPress, go to the page to add plugins and choose to upload new plugin.
  7. Locate the file recently downloaded from Github wp-total-cache.zip, upload and activate it.
  8. With the plugin already active visit the performance tab (Performance) and we will make some adjustments (see one by one):
    1. Go to Performance -> General Settings, check all settings and save.
    2. Go to Performance -> Dashboard, clear the cache.
  9. Go back to your site and see if everything is fine, and if you're sure, of course.

Summing up

Run! One of two, either you use another cache plugin or apply the patch as soon as possible. This type of vulnerabilities are exploited quickly, because they affect millions of users and there will always be some bastard willing to take advantage of it.

I recommend you look for another plugin, especially due to the lack of updates and support by W3 Total Cache

Note : On September 26 the plugin was updated after months without new features (finally) to correct the vulnerability: https://es.wordpress.org/plugins/w3-total -cache / changelog /

Loading …

may also help you:

Performance and optimization guides for WordPress

Dreamhost, server hosting company, has in its Wiki a couple of very interesting guides for any WordPress user.

The optimization guide the most interesting by far, tells us how properly configure the most common cache plugins, with or without FastCGI, for a better performance of our site, aiming the performances of each of them, alone or in conjunction with FastCGI. The winner in his tests is to use SuperCache without FastCGI, which wins by beating the other possible combinations.

The other, the performance guide does a review by those who recommended as the first steps after installing WordPress, as well as the recommended plugins for optimal performance. From how to manage spam to which cache plugin to choose. Very basic but interesting.

In any case it is a very interesting initiative, to be imitated by the other hosting providers (I hope).

Where is WordPress.com hosted? • WordPress Help

Among the details that have been commented this morning on WordCamp Spain and questions from the attendees at José Fontainhas is the fact that WordPress.com ]the reference in terms of load support, with more than 8 million blogs created, is housed in a structure of 1,200 dedicated servers, of which 230 are exclusively for databases.

They also rely on the plugin WP Supercache BatCache (at the server level) and own scripts to support the load.

I know this data will please you for the awesomeness.

WPTouch iPhone Theme and SuperCache • WordPress Help

 wptouch-iphone-theme "title =" wptouch-iphone-theme "width =" 320 "height =" 480 "class =" aligncenter size-full wp-image-4634 "/> </a></p>
<p> The other day <a href= recommended the WPTouch iPhone Theme plugin as one of the best ones to show a mobile version of our site to the most used devices: iPod Touch iPhone Android . Now, this plugin has one incompatibility with another: WP Supercache .and when Miguel asked me about this problem and I had never commented on the solution.

And that is WP Supercache bridges some WordPress features in terms of cache management, and that's why that you need additional configuration.

If you use WP Cache or the internal WordPress cache, there's no problem, just you have to add "iPhone" as a "user agent" that can "see" the site live, but WP Supercache serves static HTML and you will not see it most of the time. If you use WP Supercache in the "half-on" mode, which is how to use WP Cache, you can add the new ' user agent ' in the plugin options and it will work, but if you use the ' full-mode 'no.

The solution is to modify the rules that WP Supercache adds to the file' .htaccess ', incorporating the exception we want. For example, for readers who visit our blog with an iPhone to see the live version and not the "cached" we would have to add this line:

[code] RewriteCond% {HTTP_USER_AGENT}! ^. + IPhone [/code]

With what the Supercache section in '.htaccess' would look like this:

[code] # BEGIN WPSuperCache

RewriteEngine On
RewriteBase /
AddDefaultCharset UTF-8
RewriteCond% { REQUEST_URI}! ^. * [^/] $
RewriteCond% {REQUEST_URI}! ^. * //. * $
RewriteCond% {REQUEST_METHOD}! = POST
RewriteCond% {QUERY_STRING}!. * = . *
RewriteCond% {HTTP: Cookie}! ^. * (Comment_author_ | wordpress | wp-postpass _). * $
RewriteCond% {HTTP_USER_AGENT}! ^. + IPhone
RewriteCond% {HTTP: Accept -Encoding} gzip
RewriteCond% {DOCUMENT_ROOT} / wp-content / cache / supercache /% {HTTP_HOST} / $ 1 / index.html.gz -f
RewriteRule ^ (. *) / Wp-content / cache /supercache/%{HTTP_HOST}/$1/index.html.gz [L]

RewriteCond% {REQUEST_URI}! ^. * [^/] $
RewriteCond% {REQUEST_URI}! ^. * //. $
RewriteCond% {REQUEST_METHOD}! = POST
RewriteCond % {QUERY_STRING}!. * =. *
RewriteCond% {HTTP: Cookie}! ^. * (Comment_author_ | wordpress | wp-postpass _). * $
RewriteCond% {HTTP_USER_AGENT}! ^. + IPhone
RewriteCond% {DOCUMENT_ROOT} / wp-content / cache / supercache /% {HTTP_HOST} / $ 1 / index.html -f
RewriteRule ^ (. *) / Wp-content / cache / supercache /% {HTTP_HOST} /$1/index.html [L]

# END WPSuperCache [/code]

You can also add the exceptions for iPod or Android if you want or you think it's convenient:

[code] RewriteCond% {HTTP_USER_AGENT}! ^. + iPod [/code]

[code] RewriteCond% {HTTP_USER_AGENT}! ^. + Android [/code]

Have you cache and iPhonee well!

NOTICE : This post is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

Loading …

That may also help you:

Problem WP Supercache 0.9.2

It seems that the recently released version of WP Supercache 0.9.2 is giving problems . There is already a patch although it is supposed to be reviewed in a few hours.

The entry Problem WP Supercache 0.9.2 published it first Fernando Tellado in WordPress Help . Do not copy content, do not say anything good about you to your readers.

Do I use Cache or No?

There are many times that this issue arises in forums and it is not easy to answer because each situation is different . The cache plugins are very useful but not necessary at all times, and in some situations they can even be counterproductive.

Let's see their advantages and disadvantages …

Advantages of the Cache Plugins

] Basically what they do is make copies of the content of your blog in static HTML pages that are what your blog will serve instead of the original content, so that is not done even a single PHP request to the server everything loads faster to not have to serve each visit all the content, and that's good.

On the other hand, the current plugins with WP-Cache or WP SuperCache do not leave your blog dead but is refreshed every time you post a new post or someone writes a comment .

They are very useful if your blog receives a lot of traffic and the resources of your server are not unlimited and they are especially vital, in fact indispensable, if you receive a barrage of unexpected visits by a " wiggle " or similar. In those cases, only one cache system will keep your blog online .

Disadvantages of the Cache Plugins

Its virtue is also its disadvantage, since when serving static pages will not update properly active content of your blog such as rss feeds that show, rotating banners, social network updates or random images, all those virginities of modern WordPress themes.

Also, although most allow filtering agents (allow to pass through the cache to certain services such as bots), there are online revenue systems (Backlinks, Text Links Ads, Linklift, for example) that will not work properly if you have active cache and can unsubscribe from the service blog … and stop receiving revenue for that service.

What is my advice? since you always have a cache plugin installed and active, or not working, waiting for it to be needed . If your server is able to serve your blog in a reasonable time most of the time is not necessary to serve static pages, let your blog show in all its glory. And only if you see that you receive a trackback of social aggregators type menéame put it in march in anticipation of disasters .

NOTICE : this publication is two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

Loading …

That may also help you:

Batcache, new cache plugin on scene

Andy Skelton a developer well known to all WordPress buffs just published a cache plugin that enters the competition of WP-Cache SuperCache and others.

Batcache is not as exhaustive as SuperCache but it serves as leftovers for large temporary traffic flows, avoiding CPU overload and too many requests to the database and , consequently, avoiding problems with your hosting provider.

What this plugin does is serve pages with a few minutes old to your readers so that does not recharge the blog to each new visit . Maybe the recent visitor does not see a very new comment but when he participates, he will refresh the page. With this you get a much faster load of the blog since there is a very high percentage of pages that are served that are old, stored in memory (Memcached). Actually this is how most cache plugins work, but with some difference that I detail right away.

One Batcache difference with the rest is that, still, has no configuration page that allows you to remove from the cache the home page or comments (usual in the other plugins), but this also makes it easier to use. But what distinguishes him most is that does not use a file-based cache – the rest store html versions of your pages – but the memory cache not requiring disk space. This can be a great virtue as there are hosting servers that do not get along with the cahe plugins that require storage folders with write permissions.

In any case it may be worth it download it test and see if it really speeds up the load of a blog so much.