For last few days, WordPress community has been abuzz about the recently found security hole in the most popular cache plugin. The security issue found in the W3 Total cache plugin, leaves the database open for exposure.
W3 Total cache is the most downloaded plugin in the WordPress directory with a star rating of 4.6! The cache plugin is used to improve the performance and speed of the site.
I have been using this plugin for last 10 months or so. This is the first time, the security hole has been found that leaves all the cache files publicly downloadable.
W3 Total Cache Vulnerability
Jason A. Donenfeld, who found about the vulnerability, posted a detailed run-down of security issues in his entry:
Unfortunately, it’s frequently incorrectly deployed. When I set it up by going to the WordPress panel and choosing “add plugin” and selecting the plugin from the WordPress Plugin Catalog (or whatever),
it left two avenues of attack open:
1) Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes. A simple google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me. As W3 Total Cache already futzes with the .htaccess file, I see no reason for it not to add “Options -Indexes” to it upon installation. I haven’t read any W3 documentation, so it’s possible this is a known and documented misconfiguration, but maybe not.
2) Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that “deny from all” isn’t added to the .htaccess file.
Update the W3 Total Cache plugin
W3 Edge, the company behind the most used cache plugin pushed an upgrade that is supposed to close up this security hole. The revision that fixes this is Version 0.9.2.5. According to the plugin author this version:
Fixed security issue that can occur if using database caching to disk. If using database caching to disk with a web server with directory listing or web accessible wp-content/w3tc/dbcache/* directories. This patch works for all hosting environments / types where PHP is properly configured, i.e. .htaccess modifications (or other web server configuration changes) are not necessary to ensure proper security. Empty the database cache after performing the update if you use database caching to disk.
Go ahead and update the W3 total cache and be sure to check the other plugins are up-to date. Once you have updated, commit yourself to keep all the files, themes & plugins up to date in the future.
Now while you’re logged into WordPress and have updated all the plugins & themes, go ahead and take a backup of your WordPress site. The only way to make sure your blog is safe is to have a backup (on daily or weekly basis). I am using Backup Buddy plugin to backup my WordPress sites; it works very well with just any WordPress website.