djbaxter

An Important Announcement For WordPress Users
by Brent Saner, A Small Orange
December 24, 2012

On Christmas Eve, knowledge of a rather serious security hole for WordPress was released.

The security hole, or "vulnerability", only affects users that are using the W3 Total Cache plugin for WordPress.

The details can be found here (and the technical details here).

However, no official patch has been provided yet, even in the most up-to-date version.

To combat this, go to the wp-content directory of every WordPress install you may have that has this plugin installed, and create a file named .htaccess in the w3tc directory there:

Code:
[Wordpress installation directory]
 +wp-content
  +w3tc
   .htaccess
and in this .htaccess file, add the lines:

Code:
Order Allow,Deny
Deny from all
This will prevent outside access to the directory containing sensitive information. Alternatively, you may also want to configure W3TC to disallow cache directory listings.
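
The mitigation from the announcement above, as an added example that is not part of the original post or the plugin's own code: a POSIX shell function that finds every `wp-content/w3tc` directory under a hosting root and makes sure its `.htaccess` carries the two deny directives. The function names and the root path you pass (for instance `/var/www`) are assumptions.

```shell
#!/bin/sh
# Added example: apply the page's .htaccess mitigation to every W3TC directory.
# Usage (after sourcing this file): protect_w3tc /var/www

# The two directives given on the page, written verbatim.
RULES='Order Allow,Deny
Deny from all'

# protect_one DIR: ensure DIR/.htaccess denies all access.
# Prints "created", "appended" or "ok" followed by the file path.
protect_one() {
    ht="$1/.htaccess"
    if [ ! -e "$ht" ]; then
        printf '%s\n' "$RULES" > "$ht"
        echo "created $ht"
    elif grep -qi '^[[:space:]]*Deny[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all' "$ht"; then
        # Already protected: leave the file untouched so reruns are harmless.
        echo "ok $ht"
    else
        # Keep the existing directives and add the deny rules after them.
        printf '\n%s\n' "$RULES" >> "$ht"
        echo "appended $ht"
    fi
}

# protect_w3tc ROOT: walk ROOT (a hypothetical hosting root) and protect
# each wp-content/w3tc directory found. Subdirectories such as dbcache are
# covered by the parent's .htaccess, so only the w3tc level is matched.
protect_w3tc() {
    find "$1" -type d -path '*/wp-content/w3tc' | while IFS= read -r dir; do
        protect_one "$dir"
    done
}
```

The output lists one line per install, so a rerun that prints only `ok` lines confirms every W3TC directory under the root is covered.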
 
Re: Security Vulnerability in W3 Total Cache plugin for WordPress

New version released fixes the security vulnerability

WordPress › W3 Total Cache « WordPress Plugins

Changelog

0.9.2.5


  • Fixed security issue that can occur if using database caching to disk. If using database caching to disk with a web server with directory listing or web accessible wp-content/w3tc/dbcache/* directories. This patch works for all hosting environments / types where PHP is properly configured, i.e. .htaccess modifications (or other web server configuration changes) are not necessary to ensure proper security. Empty the database cache after performing the update if you use database caching to disk.
 
