WordPress with W3 Total Cache plugin? Should you worry?
On this year’s Christmas day, many WordPress users were quite unpleasantly surprised by a vulnerability in the popular W3 Total Cache plugin. The issue was a serious one, allowing the attacker to get access to sensible information from the WordPress database including password hashtags, usernames and much more. This meant that an experienced hacker could get full access to your site, download your personal information from it, change its looks, include malicious code, add backdoors for future access and much more bad things, you wouldn’t want to experience. Sounds scary? Not if you host with SiteGround!
W3 Total Cache vulnerability explained
The exploit is quite simple – there is a folder where W3 Total Cache stores its database cache. This folder should have permissions that block outside access to it. Only your plugin should be able to access this directory. Unfortunately, for some reason the folder has been left with permissions that allow everyone to browse through it. The problem gets even worse if you have directory listing enabled for this folder because the attacker can simply download the cache files. However, disabling directory listing doesn’t help either because it just makes it a little harder for the hacker to get to your files. Just a little though, because file names can be guessed since they are using standard naming logic.
What we did to secure the WordPress sites we host?
As usual SiteGround security team was on its guard even at Christmas. As soon as the vulnerability was officially announced at sucuri.com we worked out our own solution that was applied on a server level and preveneted possible intrusions through this WordPress plugin security hole. We patched our web servers to block all requests to the w3 unsecured folder. Thus your plugin continues to work correctly and your information remains safe at the same time.
What to do if you are not hosted by SiteGround?
The official patching solution suggests that you add an .htaccess file with “deny from all” in it, to the folder where W3 Total Cache stores its database cache – “/wp-content/w3tc/dbcache/“. So we highly recommend all w3 total cache users to apply the patch as soon as possible.
In conclusion, if you’re a SiteGround customer you can sit back and enjoy the holidays, we got you covered! If not, you should patch your site before all your information gets stollen… or you can simply transfer to us 🙂
