28 Dec 2012

WordPress with W3 Total Cache plugin? Should you worry?

W3 Total Cache Christmas Vulnerability

On this year's Christmas Day, many WordPress users were unpleasantly surprised by a vulnerability in the popular W3 Total Cache plugin. The issue was a serious one: it allowed an attacker to read sensitive information from the WordPress database, including password hashes, usernames and much more. With that, an experienced hacker could gain full access to your site, download your personal information, change its appearance, inject malicious code, add backdoors for future access and do many other things you wouldn't want to experience. Sounds scary? Not if you host with SiteGround!

W3 Total Cache vulnerability explained

The problem is quite simple: W3 Total Cache stores its database cache in a folder under the web root. That folder should have permissions that block outside access, so that only the plugin can read it. Unfortunately, for some reason it was left with permissions that allow anyone to browse it over the web. The problem is even worse if directory listing is enabled for the folder, because the attacker can simply list and download the cache files. Disabling directory listing alone doesn't fix it, though; it only makes it a little harder for the hacker to reach your files, because the cache file names follow a standard naming scheme and can be guessed.

What we did to secure the WordPress sites we host?

As usual, the SiteGround security team was on guard even at Christmas. As soon as the vulnerability was officially announced at sucuri.com, we worked out our own solution, applied at the server level, which prevents intrusions through this WordPress plugin security hole. We patched our web servers to block all requests to the unsecured W3 Total Cache folder. Your plugin continues to work correctly, and your information remains safe at the same time.
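The post says the cache folder is readable over the web and that SiteGround blocks requests to it at the server level. One way to check from the defender's side whether that folder is still being served, or whether the block is working, is to scan the web server access log for requests to the dbcache path and look at the status codes. The script below is an added example written for this post, not SiteGround's server-side patch; the log lines are constructed for the demonstration (RFC 5737 documentation addresses), and the cache file name in them is a placeholder, not a real W3 Total Cache file name.

```shell
#!/bin/sh
# Added example: find requests to the W3 Total Cache database cache folder in
# an Apache combined-format access log and classify them by status code.
# A 200 means the folder was served (still exposed); a 403 means it was blocked.

# Constructed sample log; EXAMPLE_FILE is a placeholder for a cache file name.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [28/Dec/2012:10:01:02 +0000] "GET /wp-content/w3tc/dbcache/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Dec/2012:10:01:05 +0000] "GET /wp-content/w3tc/dbcache/EXAMPLE_FILE HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Dec/2012:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Dec/2012:11:30:00 +0000] "GET /wp-content/w3tc/dbcache/ HTTP/1.1" 403 199 "-" "curl/7.26.0"
EOF
)

# Read log lines from stdin and print "client status path" for every request
# whose path is under /wp-content/w3tc/dbcache/. In combined log format the
# request path is field 7 and the status code is field 9.
dbcache_requests() {
    awk '$7 ~ /^\/wp-content\/w3tc\/dbcache\// { print $1, $9, $7 }'
}

# Number of dbcache requests that were served with 200 (folder still exposed).
count_served() {
    dbcache_requests | awk '$2 == "200"' | wc -l | tr -d ' '
}

# Number of dbcache requests that were refused with 403 (block in place).
count_blocked() {
    dbcache_requests | awk '$2 == "403"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real server, feed the
# access log instead, e.g. dbcache_requests < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | dbcache_requests
echo "served: $(printf '%s\n' "$SAMPLE_LOG" | count_served)"
echo "blocked: $(printf '%s\n' "$SAMPLE_LOG" | count_blocked)"
```

Any 200 for a path under the dbcache folder after the fix has been applied means the block is not effective on that virtual host and the .htaccess or server rule should be rechecked.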

What to do if you are not hosted by SiteGround?

The official patching solution suggests adding an .htaccess file containing "deny from all" to the folder where W3 Total Cache stores its database cache, "/wp-content/w3tc/dbcache/". We highly recommend that all W3 Total Cache users apply this fix as soon as possible.
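The script below, added here as an example and not part of the official fix or SiteGround's tooling, writes that .htaccess into the dbcache folder and verifies it. One caveat worth knowing: "deny from all" is the Apache 2.2 syntax, while Apache 2.4 (released in 2012) uses "Require all denied", so the file carries both forms behind IfModule guards and works on either version. The WP_ROOT path is an assumption; set it to your own WordPress install.

```shell
#!/bin/sh
# Added example: create a "deny from all" .htaccess in the W3 Total Cache
# dbcache folder and check that it is in place.

# Assumed location of the WordPress install; override via the environment.
WP_ROOT="${WP_ROOT:-/var/www/html}"
DBCACHE_DIR="$WP_ROOT/wp-content/w3tc/dbcache"

# Write an .htaccess that denies all web access to the given directory.
# Apache 2.4 honours the mod_authz_core block; Apache 2.2 the Order/Deny block.
# Returns 1 if the directory does not exist.
write_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Block direct web access to W3 Total Cache database cache files
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 if the directory's .htaccess contains both deny directives,
# 1 if the file is missing or incomplete.
check_deny_htaccess() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -qi 'deny from all' "$f" && grep -q 'Require all denied' "$f"
}

# Stand-alone run: apply the fix only if the dbcache folder exists here.
if [ -d "$DBCACHE_DIR" ]; then
    write_deny_htaccess "$DBCACHE_DIR"
    if check_deny_htaccess "$DBCACHE_DIR"; then
        echo "dbcache folder protected: $DBCACHE_DIR"
    else
        echo "failed to write .htaccess in $DBCACHE_DIR" >&2
    fi
else
    echo "no dbcache folder at $DBCACHE_DIR (set WP_ROOT)" >&2
fi
```

The .htaccess only takes effect if AllowOverride permits it for that directory tree, so after adding the file confirm from a browser that the folder URL now returns 403 rather than a listing.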

In conclusion, if you're a SiteGround customer you can sit back and enjoy the holidays, we've got you covered! If not, you should patch your site before all your information gets stolen... or you can simply transfer to us :)

Author: Hristo Pandjarov

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about Joomla and WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments (3):

  1. Ana1 Love says:

    Gr8 job Siteground, once again, I rest assured that my website is secure thanks to you.

    Regards,
    Ana1

  2. Chad says:

    You guys rock! Thank you for keeping our blogs secure.

  3. Frank Miller MD says:

    I just started buying hosting with SiteGround on the basis of web recommendations and one online friend/consultant. I had spent nearly a year fruitlessly dealing with another national, better known web hosting service. I was totally new to the world of hosting, blogging and WordPress and suffered a toolkit hack attack on my blog-site and it got blacklisted by Google as a dangerous site. I had never heard of these things and naively thought WP was invulnerable. Dumb, I know, but what did I know? I worked with the hosting service, had the blog sanitized, followed the hosting service's recommendation to retain an independent WP specialist security firm that was/is quite good and spent three times what the site originally cost me. I could only achieve temporary 'clean' status of my blog and it would get hacked/disabled again, infected with the suspicious toolkit worm/toolkit week after week repetitively. I would test it when I started to learn from WordPress' site's tutorials on these issues as it was apparently a widespread issue affecting scads of WP sites worldwide. I would log on to my own site-blog as if I were a reader and get these disheartening messages from Norton's or Google that it was a 'dangerous' site, 'infected,' etc. and I gave up. I consulted yet another security site who had the courage to inform me that my so-called great and highly recommended web hosting service was derelict, did not protect their shared accounts like SiteGround does and they recommended I just shut the site down, have it all erased, taken down and 'disappear it.' I did so, resigning myself to looking on the whole thing as a bitter medical school type "learning experience." [I am a physician...]. The independent web security service earned their money in superlative fashion by an outright recommendation to work with and switch to SiteGround citing their in-house security measures.
    I looked over SiteGround, researched them on the Net and decided to take the plunge and I have been very grateful for finding them. Their service, including tutorials for a novice in this web world at least [I am not entirely ignorant of computer issues as I have been working with OSs, my primary interest, since the days of my first computer, an original TRS-80 "Trash 80" Radio Shack Model I from 1979], has been superb and their live service has been wonderful as I still ran into a few glitches of my own making. I cannot recommend this company highly enough.
