W3 Total Cache is one of the most popular caching plugins for WordPress – and it’s mighty powerful at doing that!
However, in the last week, a hole in the plugin has been found that *could* make your database info viewable by people you really wouldn’t want seeing it…
The problem comes from how W3TC stores the cache of the database. As the plugin by default stores the cache in the same place for each site, if ‘directory listings’ are enabled, anyone can freely browse and download the cache files.
With these files, people could potentially harvest the site’s database cache keys and so have access to password hashes (NOT a good thing!).
But as the Hitchhiker’s Guide to the Planet says on the front (in large friendly pink letters) DON’T PANIC!
The people behind W3TC have already got a hotfix update and advice for other ways of protecting your WordPress site. There are detailed explanations in the comment left by them on a post on the Threat Post blog.
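One way to check your own server for the directory-listing condition described above, as an added example (not code from W3TC or from the Threat Post comment). It assumes Apache with `.htaccess` overrides honoured and listings on by default; the cache folder name is a placeholder, so pass your real web root and cache directory.

```python
import os
import tempfile

def apply_htaccess(path, indexes, denied):
    """Fold one .htaccess file into the inherited (indexes, denied) state."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            words = raw.strip().lower().split() or ["#"]  # blank line acts like a comment
            key, args = words[0], words[1:]
            if key == "options":
                if "-indexes" in args:
                    indexes = False
                elif {"indexes", "+indexes", "all"} & set(args):
                    indexes = True
                elif args and not any(a[0] in "+-" for a in args):
                    indexes = False  # absolute Options list without Indexes
            elif key == "require" and args[:1] == ["all"]:
                denied = args[1:2] == ["denied"]
            elif key == "deny" and args == ["from", "all"]:
                denied = True
    return indexes, denied

def audit_cache_dir(web_root, cache_dir, server_default_indexes=True):
    """Return 'denied', 'listing-off' or 'exposed' for cache_dir under web_root."""
    web_root, cache_dir = os.path.realpath(web_root), os.path.realpath(cache_dir)
    if os.path.commonpath([web_root, cache_dir]) != web_root:
        raise ValueError("cache_dir must be inside web_root")
    # Assumption: listings are on server-wide unless an .htaccess rule says otherwise.
    indexes, denied, current = server_default_indexes, False, web_root
    for part in [""] + os.path.relpath(cache_dir, web_root).split(os.sep):
        current = os.path.normpath(os.path.join(current, part))
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):  # deeper files override inherited settings
            indexes, denied = apply_htaccess(candidate, indexes, denied)
    return "denied" if denied else ("exposed" if indexes else "listing-off")

def demo():
    """Constructed tree: audit a placeholder cache directory while hardening it."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "wp-content", "db-cache-placeholder")
        os.makedirs(cache)
        results = [audit_cache_dir(root, cache)]
        for folder, rule in ((root, "Options -Indexes"), (cache, "Require all denied")):
            with open(os.path.join(folder, ".htaccess"), "w") as fh:
                fh.write(rule + "\n")
            results.append(audit_cache_dir(root, cache))
        return results

if __name__ == "__main__":
    print(demo())
```

A result of `exposed` means nothing on the path from the web root to the cache folder turns listings off or denies access.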
I don’t actually use W3TC on the WP sites I look after, I use the Quick Cache plugin – which I prefer and seems to have lower server loads!
What’s your favorite WordPress caching plugin?
April says
I actually had to quit using W3 a while back because it caused a problem with some other things I was trying to do on one of my sites. I don’t remember exactly what it was, but as soon as I took it off, the site worked great.
James Cooper says
W3TC is a powerful beast, but can be too powerful for its own good sometimes! That’s why I prefer ‘Quick Cache’. I’ve never had a conflict issue with that plugin!
April says
I’ll have to try that one. Thanks!
Andrew says
They’ve actually released an update that fixes it already: http://wordpress.org/extend/plugins/w3-total-cache/changelog/
Updating the W3 Total Cache plugin and emptying the database cache should take care of the security hole.
James Cooper says
Thanks Andrew. Indeed, and that’s why I linked to Threat Post as they had direct info from the W3TC people! 🙂 I posted it on here to warn people who might not be up with all the latest web security things and point them in the direction of the solution…