Just today, WP Media pointed us to a high-risk XSS vulnerability in W3 Total Cache (W3TC). This is a very popular WordPress plugin with over 1 million active installs. Although it’s very popular, it hasn’t been updated in over six months. We stopped recommending it a while back in favor of WP Rocket, a W3 Total Cache alternative that skyrocketed in use over the past few months.
We agree with Julio’s statement that once you need to explain to other people that you haven’t abandoned your plugin, because people are asking about it, the clock has already struck midnight.
Let’s first explain what’s going on here:
XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.
That’s definitely not what you want your website to do, right? In this case, we are talking about W3TC being vulnerable to an XSS flaw rated high risk. This one should be fixed ASAP. With nobody maintaining the plugin, that is a huge issue for the millions of sites that use it.
Instead of waiting for a fix, we recommend disabling the plugin and using a W3 Total Cache alternative like the ones listed below.
W3 Total Cache alternatives
Luckily, there are more plugins you can use to optimize your site speed. And most work pretty well out-of-the-box. We have listed three speed optimization plugins for you as alternatives for W3 Total Cache.
- WP Rocket
Our most-recommended speed optimization plugin. WP Rocket simply delivers speed improvement. It has a lot of options under the hood, and you set it up by simply clicking some checkboxes in its dashboard.
- WP Super Cache
Made by Automattic, so it works flawlessly with WordPress. It’s a simple speed optimization plugin that helps a lot of WordPress sites. We have to add a note: it hasn’t been updated in five months either. But all in all, it’s a nice, free WP Rocket or W3 Total Cache alternative.
- Comet Cache
Formerly known as Zen Cache, formerly known as Quick Cache. If you change your name so often, you’re probably actively working on your plugin as well, right? Registration is needed.
Over to you
If you want your website to be safe and you are using W3 Total Cache, we recommend investing a few bucks in WP Rocket. It’ll be worth your while. If you don’t feel like investing that money in your website, feel free to switch to one of the other W3 Total Cache alternatives instead!
W3TC just committed an update to the repo. Please update any installation ASAP and then look at the W3 Total Cache alternatives presented above. That way, the issue is fixed and you have time to investigate other options.
We’re using Sucuri’s Website Firewall at yoast.com, which eliminates the need for a separate speed plugin. But we have installed WP Rocket on some other sites with great results, so we’re happy to recommend them!