33 Comments

  1. Luke Cavanagh

    That issue is already fixed in the forked community version though.
    https://github.com/szepeviktor/fix-w3tc/pull/81

  2. Jesse

    One of the worst maintained, most buggy, and most problematic plugins in the history of WordPress. How W3TC wasn’t banned YEARS ago is one of the true mysteries behind wordpress.org.

    The author, Frederick Townes, doesn’t even seem to grasp basic understanding of PHP or Opcache, which he has refused to support in lieu of (dead) APC for the past several years…

  3. peter malick

    There’s another vulnerability that I haven’t seen reported, and that is the W3 Total Cache credit card vulnerability.

    I purchased W3 2 years ago. Before it was set to renew, I tried to cancel the subscription. Email, support requests, phone calls… crickets.

    My credit card was charged and I successfully disputed the charge. Fast forward to this past Monday. A year later, and they charged my card again!!

    I am mystified as to how this company can even claim to be operational. They do not respond to any contact, and the last post on their blog is from 2014.

  4. M Asif Rahman

    I can’t immediately change to another plugin; WP Super Cache, for example, does not handle mobile cache or pages with strings properly even after setting it up, and other plugins had other issues. So, right now I need W3TC to work. I found the fix-w3tc project on GitHub, tested a few approaches, and after multiple tests shared my best method here.

  5. ManagedWPHosting

    For anyone needing time to switch plugins, or anyone who really needs W3TC but needs to make it secure .. this small plugin will stop all access to the W3 Total Cache (Version 0.9.4.1) XSS support page.

    Just install it (preferably as an mu-plugin) and you are all done.
    https://github.com/ramonfincken/w3tc_deny_supportpage
    Instructions are in the README.md file.

    W3TC will continue to cache your site, and you will have some “breathing time” to search for an alternative caching plugin.

    Note: I still think it is time that W3Edge releases a fix for this and many other things as well (PHP 7 support for instance).

  6. eduardo

    QUICK FIX:

    FTP to your site and rename (or delete)

    wp-content/plugins/w3-total-cache/inc/options/support/form.php

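As an added example of the mu-plugin approach described in comment 5 (a companion to the file-rename quick fix above), here is a small must-use plugin that refuses to render the W3TC support page for anyone, including logged-in administrators. This is illustrative code written for this thread, not the w3tc_deny_supportpage plugin linked above and not part of W3 Total Cache. The admin page slug `w3tc_support` is an assumption that should be checked against the `page` query argument of the installed version; the `deny_w3tc_*` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Deny W3TC support page (example)
 * Description: Blocks the W3 Total Cache support page in wp-admin until a patched version is installed.
 *
 * Save as wp-content/mu-plugins/deny-w3tc-support-page.php. Must-use plugins
 * load before regular plugins and cannot be deactivated from the dashboard,
 * so the block stays in place even if W3TC is updated or re-enabled.
 */

/**
 * Admin page slugs that must not be rendered.
 *
 * ASSUMPTION: 'w3tc_support' is the slug of the W3TC support page, i.e. the
 * value of the "page" query argument when that page is open in wp-admin.
 * Verify it on your installation and adjust the list if needed.
 */
function deny_w3tc_blocked_pages() {
    return array( 'w3tc_support' );
}

/**
 * Decide whether a request targets a blocked admin page.
 *
 * The query arguments are passed in rather than read from $_GET so the
 * decision can be exercised outside WordPress (e.g. in a unit test).
 *
 * @param array $query   Query arguments of the request (normally $_GET).
 * @param array $blocked Slugs to refuse; defaults to deny_w3tc_blocked_pages().
 * @return bool True when the request must be refused.
 */
function deny_w3tc_is_blocked_request( array $query, array $blocked = null ) {
    if ( null === $blocked ) {
        $blocked = deny_w3tc_blocked_pages();
    }
    // Only a plain string "page" argument can name an admin page; anything
    // else (missing, array, etc.) is not a request for the support page.
    if ( ! isset( $query['page'] ) || ! is_string( $query['page'] ) ) {
        return false;
    }
    // Strict comparison: no type juggling, exact slug match only.
    return in_array( $query['page'], $blocked, true );
}

/**
 * Hooked early in every wp-admin request. Stops execution with a 403 before
 * W3TC gets a chance to render the support page (and its form).
 */
function deny_w3tc_block_support_page() {
    if ( deny_w3tc_is_blocked_request( $_GET ) ) {
        wp_die(
            esc_html__( 'The W3 Total Cache support page is disabled on this site.' ),
            esc_html__( 'Page disabled' ),
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'deny_w3tc_block_support_page' );
```

The block runs on `admin_init`, which fires before the admin menu and page callbacks, so the support page's template file is never included for the request. Unlike renaming form.php, the check survives a plugin update that restores the file, and it can be removed by simply deleting the mu-plugin once a fixed W3TC release is installed.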
  7. Ryan Hellyer

    My advice: Don’t install massive plugins, particularly when they’re doing something fundamentally quite basic like caching. The best caching plugins contain very little code.

    • Ryan Hellyer

      One more bit of advice: The primary purpose of most of these caching plugins for WordPress is to do static page caching. Static page caching is better off done further up the stack. If you can, use something like Nginx or Varnish to handle your page caching, then install a cache purge plugin. This is much more efficient and will give you significantly better performance than any of these basic static page caching plugins ever could. Plus, they’re likely to be less buggy too.

      • krko

        You are right but, and it’s a huge but, if people are finding w3tc settings confusing they’ll get lost with Varnish vcl. Besides, Varnish is only really applicable on VPS or dedicated servers where you have control over what you install. For managed or shared hosting the only real solution is a plugin. If your managed hosting is any good though, they’ll do the caching for you.

      • Ryan Hellyer

        Yeah, it’s unfortunately not viable for most people.

        Although as you pointed out, the WordPress specific managed hosts often provide these sorts of services. But those are also quite expensive, so again not viable for many people.

      • Luke Cavanagh

        Most managed WP hosting will most likely be using Varnish for server side static caching.

  8. willc

    This part is too vague:

    According to Zerial, in order to exploit the vulnerability, an administrator or user with sufficient permissions must have an active session.

    What does that mean, exactly? Does the exploit only work when targeting a logged-in admin? Can the exploit only target other users if there is an admin who has logged in?

    • ManagedWPHosting

      Yes, only a logged-in administrator-level user who visits a specific W3TC support page (or whose hacked computer visits this page).

      So .. this does not apply to regular subscribers, authors, editors etc…

  9. Thierry Ouellet

    Thanks for the article. Would you recommend any other caching module then, like WP Rocket? I am using W3 Total Cache on more than 50 clients’ websites…

  10. Ash Scott

    They have updated the official plugin anyway, and I believe this fixes it too: https://wordpress.org/plugins/w3-total-cache/

    • Bianca

      Indeed they updated the plugin. However this update seems to have some unwanted side effects to it (see the support section).

    • Chumba

      Did you have any issues with the update? There are lots of users complaining and I am afraid to move forward…

      • Bianca

        To be perfectly honest, after reading the support threads of the last 10 hours I decided to wait with the update and leave it deactivated for now.

        Not ready to write the plugin completely off just yet, but am definitely looking into other options as well. Just in case.

      • Chumba

        Thank you for the reply Bianca. We are also waiting and looking for other options. WP Rocket seems to be a good candidate.

        Unfortunately, we cannot turn the plugin off, since it is handling the integration with our CDN.

  11. Alex de Borba

    After years of seeing this plugin constantly raising security vulnerabilities quite often, I wonder why people still install it…
