W3 Total Cache high-risk XSS vulnerability

Just today, WP Media pointed us to a high-risk XSS vulnerability in W3 Total Cache (W3TC). This is a very popular WordPress plugin with over 1 million active installs. Although it’s very popular, it hasn’t been updated in over six months. We stopped recommending it a while back in favor of WP Rocket, a W3 Total Cache alternative that has skyrocketed in use over the past few months.

We agree with Julio’s statement that when you have to explain to people that you haven’t abandoned your plugin, because they keep asking, the clock has already struck midnight.

XSS vulnerability

Let’s first explain what’s going on here:

XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.
Source: Sucuri

That’s definitely not what you want your website to do, right? In this case, W3TC is vulnerable to an XSS flaw rated high risk. This one should be fixed asap. With nobody maintaining the plugin, that is a huge issue for the millions of sites that use it.
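To make the definition above concrete, here is an added illustration of the pattern behind a reflected XSS flaw in a WordPress plugin and the output escaping that prevents it. This is example code written for this post, not code from W3 Total Cache or from the Sucuri write-up; the function names, the sample parameter value and the use of PHP’s htmlspecialchars() in place of WordPress’s esc_html() are assumptions made so the snippet runs outside WordPress.

```php
<?php
// Added illustration (not from the Yoast post or from W3 Total Cache):
// a minimal reflected-XSS pattern next to its hardened form.
// Function and variable names are assumptions for the example.

// Constructed request parameter, standing in for something like $_GET['q'].
$untrusted = '<script>/* attacker-controlled */</script>';

// Vulnerable: the parameter is concatenated straight into the HTML response,
// so any markup it contains is parsed and executed by the visitor's browser.
function render_unsafe(string $value): string {
    return '<p>You searched for: ' . $value . '</p>';
}

// Hardened: every HTML-significant character is entity-encoded before output,
// so the browser displays the text literally instead of interpreting it.
// In WordPress code the equivalent helper is esc_html(); htmlspecialchars()
// is used here so the snippet runs without WordPress loaded.
function render_safe(string $value): string {
    return '<p>You searched for: '
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Simple check a reviewer can run over a template's output: the rendered
// HTML must not contain a raw <script tag that came from user input.
function output_is_inert(string $html): bool {
    return stripos($html, '<script') === false;
}

echo render_unsafe($untrusted), PHP_EOL; // markup survives intact
echo render_safe($untrusted), PHP_EOL;   // markup is entity-encoded

var_dump(output_is_inert(render_unsafe($untrusted)));
var_dump(output_is_inert(render_safe($untrusted)));
```

The fix is always applied at the point of output, not at the point of input: the same value may be written into HTML text, an attribute, a URL or JavaScript, and each context needs its own escaping function (WordPress provides esc_html(), esc_attr(), esc_url() and esc_js() for exactly this reason).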

Instead of waiting for a fix, we recommend disabling the plugin and using a W3 Total Cache alternative like the ones listed below.

W3 Total Cache alternatives

Luckily, there are more plugins you can use to optimize your site speed. And most work pretty well out-of-the-box. We have listed three speed optimization plugins for you as alternatives for W3 Total Cache.

  1. WP Rocket
    Our most-recommended speed optimization plugin. WP Rocket simply delivers speed improvement. It has a lot of options under the hood and works by simply clicking some checkboxes in their dashboard.
  2. WP Super Cache
    Made by Automattic, so it works flawlessly with WordPress. It’s a simple speed optimization plugin that helps a lot of WordPress sites. We have to add a note: it hasn’t been updated in five months as well. But all in all, it’s a nice, free WP Rocket or W3 Total Cache alternative.
  3. Comet Cache
    Formerly known as Zen Cache, formerly known as Quick Cache. If you change your name so often, you’re probably actively working on your plugin as well, right? Registration is needed.

Over to you

If you want your website to be safe and you are using W3 Total Cache, we recommend investing a few bucks in WP Rocket. It’ll be worth your while. If you don’t feel like investing that money in your website, feel free to switch to one of the other W3 Total Cache alternatives instead!

Update 09/26/2016
W3TC just committed an update to the repo. Please update any installation asap and then look at the presented W3 Total Cache alternatives. That way, the issue is fixed and you have time to investigate other options.

We’re using Sucuri’s Website Firewall at yoast.com, which eliminates the need for a separate speed plugin. But we have installed WP Rocket on some other sites with great results, so we’re happy to recommend them! 


27 Responses to W3 Total Cache high-risk XSS vulnerability

  1. racmonti
    racmonti  • 3 years ago

    Well I updated it in a client’s site and it crashed the site. It also crashed my own site when I tried to disable it to remove. This was on 10/4/16.

  2. waqar
    waqar  • 3 years ago

    W3 Total Cache says it is updated (in the changelog).
    Does it really fix the XSS vulnerability?
    Please update us with your info, so we can go with it. Thanks.

  3. Lisander
    Lisander  • 3 years ago

    Ok, thanks Michiel I understand. But you are right, the options are a bit much for me too actually. I’ll give one of these others a try to see which fits me best.

  4. Lisander
    Lisander  • 3 years ago

    So Michiel, you’re still not recommending it? Even after their last update?

    • Michiel Heijmans

      The thing with W3 Total Cache is and was that it’s just not for the average user. It has too many options and it’s too easy to screw up. A working, secure W3 Total Cache is awesome for people that know what they are doing. And that’s still a selected group of people. For all others, I recommend the other plugins mentioned above.

  5. Ann Marie Walts
    Ann Marie Walts  • 3 years ago

    I can totally vouch and recommend Sucuri Security. I was severely hacked 18 months ago, and have since rebuilt. I had 14 sites and my hard blogging work compromised. Sucuri, actually wrote a piece on the whole ordeal. “sucuri.net customers loftsalon”

    Their email support is excellent, too. I was very hesitant at first because of that, but it has been fine.

    I had tried another company before I had found them, and am so glad I can sleep at night now.

    Load times are good.

  6. Tom
    Tom  • 3 years ago

    Really insightful article – thank you.

    I’ve been a long time user of W3 Total cache and was disappointed to hear about these developments. Will take a look into Sucuri.

  7. Sanjay Sharma
    Sanjay Sharma  • 3 years ago

    Thank you very much for this useful information. Please keep it up.

  8. M Asif Rahman
    M Asif Rahman  • 3 years ago

    I can’t immediately change to another plugin; when I tested, I had separate issues with the other plugins, e.g. WP Super Cache does not handle mobile cache or pages with strings properly even after setting it up. And WP Rocket did not bring the result I needed in the past; I could test them again, but I need more time. So, right now I needed W3TC to work. I found the fix-w3tc project on GitHub, tested a few approaches, and after multiple tests shared my best method here – https://thetechjournal.com/how-to/fix-w3-total-cache-reloaded-vulnerability-wordpress.xhtml

    • Michiel Heijmans

      Thanks for your addition. I’m aware of the github fix, but would rather see the fix in repo, as most users probably don’t even know of the github continuation.

  9. Dan Smith
    Dan Smith  • 3 years ago

    Why use another plugin that hasn’t been updated in 5 months?

    • Michiel Heijmans

      Main reason: because it’s Automattic, really. But again, I’d use WP Rocket.

  10. Devendra
    Devendra  • 3 years ago

    Thank you for letting us know the issue! I have removed WP Total Cache and installed Super Cache. A general WordPress user has a tendency to install plugin that is most downloaded and rated. So I think, Yoast, being an authority in WordPress, should consider publishing a list of recommended WordPress plugins in other areas as well.

    Thanks again.

    • Michiel Heijmans

      That’s a nice idea. But I’d have to say upfront that we don’t test drive all the plugins in the repo (impossible). We do have some preferred ones, though :)

  11. janw.oostendorp
    janw.oostendorp  • 3 years ago

    Actually, the last time the plugin was really updated was 10-dec-2014.
    All commits after that only change the compatibility of the WP version.

    • Michiel Heijmans

      Scary, right.

  12. Agencja Marketingowa OzonMedia
    Agencja Marketingowa OzonMedia  • 3 years ago

    We use the WP Super Cache plugin in our projects and it is the most optimal solution. We emphatically recommend this plugin to optimize WordPress ;)

  13. Patrick Garde
    Patrick Garde  • 3 years ago

    Thanks, Michiel.

    I was using W3 Total Cache for our website. We’ll change immediately to WP Super Cache and also review WP Rocket’s paid plugin if it’s worth the cost.

    Thank you.

  14. Marianne
    Marianne  • 3 years ago

    Also, I tested the Hyper Cache plugin on my parenting blog http://www.cocktailmarianne.com/ and the blog was hacked in two days. I activated the Wordfence Premium plugin, hid the WordPress login page, and activated 2-step authentication; now the site is very secure.

  15. FidoSysop
    FidoSysop  • 3 years ago

    I use WP Fastest Cache that works perfect and is simple to configure.

    • Rajkumar Kanagaraj
      Rajkumar Kanagaraj  • 3 years ago

      I also use it. It is a simple and effective cache plugin for WordPress. So far I am happy with its performance.

  16. Luke Cavanagh
    Luke Cavanagh  • 3 years ago

    Cache Enabler and WP Fastest Cache are two other solid caching plugin options. They both work well with Autoptimize. The issue was fixed in the forked community version of W3 Total Cache.

  17. Adam
    Adam  • 3 years ago

    It’s a real shame, as I still consider it to be the best caching plugin available (although admittedly I have not tried the paid options mentioned above).

    There has been a fix made apparently:

    Pity WordPress hasn’t stepped up and applied the fix to the repo, considering how widely used the plugin is.

    • Ramanan
      Ramanan  • 3 years ago

      Yeah, the best.

  18. Apartamento de Luxo
    Apartamento de Luxo  • 3 years ago

    Thank you for the post. I have several sites with W3TC and will install the WP Super Cache plugin. Then I’ll test WP Rocket.

    Do you recommend any plugin for site security?

    • Michiel Heijmans

      Yes, try Sucuri ;)

      • Michelle
        Michelle  • 3 years ago

        I’ve had problems with Sucuri not working on 3 sites with its API key, and so far the developer hasn’t responded to my post from around 2 weeks ago.