W3 Total Cache high-risk XSS vulnerability

September 23rd, 2016 – 21 Comments

Just today, WP Media pointed us to a high-risk XSS vulnerability in W3 Total Cache (W3TC). This is a very popular WordPress plugin with over 1 million active installs. Despite its popularity, it hasn’t been updated in over six months. We stopped recommending it a while back in favor of WP Rocket, a W3 Total Cache alternative whose use has skyrocketed over the past few months.

We agree with Julio’s statement: when you have to explain to people that you haven’t abandoned your plugin, because they keep asking, the clock has already struck midnight.

XSS vulnerability

Let’s first explain what’s going on here:

XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.
Source: Sucuri

That’s definitely not what you want your website to do, right? In this case, W3TC is vulnerable to an XSS flaw rated high risk. It should be fixed asap. With nobody maintaining the plugin, that is a huge issue for the millions of sites that use it.

Instead of waiting for a fix, we recommend disabling the plugin and using a W3 Total Cache alternative like the ones listed below.

W3 Total Cache alternatives

Luckily, there are more plugins you can use to optimize your site speed. And most work pretty well out-of-the-box. We have listed three speed optimization plugins for you as alternatives for W3 Total Cache.

  1. WP Rocket
    Our most-recommended speed optimization plugin. WP Rocket simply delivers speed improvement. It has a lot of options under the hood and works by simply clicking some checkboxes in their dashboard.
  2. WP Super Cache
    Made by Automattic, so it works flawlessly with WordPress. It’s a simple speed optimization plugin that helps a lot of WordPress sites. We have to add a note: it hasn’t been updated in five months either. But all in all, it’s a nice, free alternative to WP Rocket or W3 Total Cache.
  3. Comet Cache
    Formerly known as Zen Cache, which was formerly known as Quick Cache. If you change your name that often, you’re probably actively working on your plugin as well, right? Registration is needed.

Over to you

If you want your website to be safe and you are using W3 Total Cache, we recommend investing a few bucks in WP Rocket. It’ll be worth your while. If you don’t feel like investing that money in your website, feel free to switch to one of the other W3 Total Cache alternatives instead!

Update 09/26/2016
W3TC just committed an update to the repo. Please update any installation asap and then look at the presented W3 Total Cache alternatives. That way, the issue is fixed and you have time to investigate other options.

We’re using Sucuri’s Website Firewall at yoast.com, which eliminates the need for a separate speed plugin. But we have installed WP Rocket on some other sites with great results, so we’re happy to recommend them! Plus, we’re on the awesome and fast WP Engine hosting platform. Just in case you were wondering ;)


21 Responses to W3 Total Cache high-risk XSS vulnerability

  1. Apartamento de Luxo
    By Apartamento de Luxo on 23 September, 2016

    Thank you for the post. I have several sites with W3TC and will install the WP Super Cache plugin. Then I’ll test WP Rocket.

    Do you recommend any plugin for site security?

  2. Adam
    By Adam on 23 September, 2016

    It’s a real shame, as I still consider it to be the best caching plugin available (although admittedly I have not tried the paid options mentioned above).

    There has been a fix made, apparently:
    https://wordpress.org/support/topic/0-9-4-1-version-vulnerable-to-xss/

    Pity WordPress haven’t stepped up and applied the fix to the repo, considering how widely used the plugin is.

    • Ramanan
      By Ramanan on 25 September, 2016

      Yeah, the best.

  3. Luke Cavanagh
    By Luke Cavanagh on 23 September, 2016

    Cache Enabler and WP Fastest Cache are two other solid caching plugin options. They both work well with Autoptimize. The issue was fixed in the forked community version of W3 Total Cache.
    https://github.com/szepeviktor/fix-w3tc/pull/81

  4. FidoSysop
    By FidoSysop on 24 September, 2016

    I use WP Fastest Cache that works perfect and is simple to configure.

    • Rajkumar Kanagaraj
      By Rajkumar Kanagaraj on 24 September, 2016

      I also use it. It is a simple and effective cache plugin for WordPress. So far I am happy with its performance.

  5. Marianne
    By Marianne on 24 September, 2016

    Also, I tested the Hyper Cache plugin on my parenting blog http://www.cocktailmarianne.com/ and the blog was hacked in two days. I activated the Wordfence Premium plugin, hid the WordPress login page, and activated two-step authentication; now the site is very secure.

  6. Patrick Garde
    By Patrick Garde on 24 September, 2016

    Thanks, Michiel.

    I was using W3 Total Cache for our website. We’ll change immediately to WP Super Cache and also review WP Rocket’s paid plugin if it’s worth the cost.

    Thank you.

  7. Agencja Marketingowa OzonMedia
    By Agencja Marketingowa OzonMedia on 24 September, 2016

    We use the WP Super Cache plugin in our projects and it is the most optimal solution. We emphatically recommend this plugin to optimize WordPress ;)

  8. janw.oostendorp
    By janw.oostendorp on 24 September, 2016

    Actually, the last time the plugin was really updated was 10-dec-2014.
    All commits after that only change the compatibility of the WP version.

    https://plugins.trac.wordpress.org/log/w3-total-cache?limit=100&mode=stop_on_copy&format=rss

  9. Devendra
    By Devendra on 24 September, 2016

    Thank you for letting us know about the issue! I have removed W3 Total Cache and installed Super Cache. A general WordPress user has a tendency to install the plugin that is most downloaded and rated. So I think Yoast, being an authority in WordPress, should consider publishing a list of recommended WordPress plugins in other areas as well.

    Thanks again.

    • Michiel Heijmans
      By Michiel Heijmans on 26 September, 2016

      That’s a nice idea. But I’d have to say upfront that we don’t test drive all the plugins in the repo (impossible). We do have some preferred ones, though :)

  10. Dan Smith
    By Dan Smith on 24 September, 2016

    Why use another plugin that hasn’t been updated in 5 months?

    • Michiel Heijmans
      By Michiel Heijmans on 26 September, 2016

      Main reason: because it’s Automattic, really. But again, I’d use WP Rocket.

  11. M Asif Rahman
    By M Asif Rahman on 24 September, 2016

    I can’t immediately change to another plugin; I tested and had separate issues with other plugins, e.g. WP Super Cache does not handle mobile cache or pages with strings properly even after setting it up. And WP Rocket did not bring the results I needed in the past; I could test them again, but I need more time. So, right now I need W3TC to work. I found the fix-w3tc project on GitHub, tested a few approaches, and after multiple tests shared my best method here – https://thetechjournal.com/how-to/fix-w3-total-cache-reloaded-vulnerability-wordpress.xhtml

    • Michiel Heijmans
      By Michiel Heijmans on 26 September, 2016

      Thanks for your addition. I’m aware of the GitHub fix, but would rather see the fix in the repo, as most users probably don’t even know of the GitHub continuation.

  12. Sanjay Sharma
    By Sanjay Sharma on 25 September, 2016

    Thank you very much for this useful information. Please keep it up.

  13. Tom
    By Tom on 27 September, 2016

    Really insightful article – thank you.

    I’ve been a long time user of W3 Total cache and was disappointed to hear about these developments. Will take a look into Sucuri.

  14. Ann Marie Walts
    By Ann Marie Walts on 1 October, 2016

    I can totally vouch for and recommend Sucuri Security. I was severely hacked 18 months ago, and have since rebuilt. I had 14 sites and my hard blogging work compromised. Sucuri actually wrote a piece on the whole ordeal. “sucuri.net customers loftsalon”

    Their email support is excellent, too. I was very hesitant at first, because of that, but it has been fine.

    I had tried another company before I had found them, and am so glad I can sleep at night now.

    Load times are good.
