An Important Announcement For WordPress Users - Blogging, Small Business, Web Design & Hosting Tips - A Small Orange

An Important Announcement For WordPress Users

On Christmas Eve, details of a rather serious security hole affecting WordPress were made public.

The security hole, or “vulnerability”, only affects sites running the W3 Total Cache plugin for WordPress.
The details can be found here (and the technical details here).

However, no official patch has been released yet; even the most up-to-date version of the plugin is still affected.

To work around this, go to the wp-content directory of every WordPress install you have that uses this plugin, and create a file named .htaccess inside its w3tc directory:

[WordPress installation directory]/wp-content/w3tc/.htaccess

and in this .htaccess file, add the lines:

Order Allow,Deny
Deny from all

This will block outside access to the directory that holds the sensitive cached data. Alternatively, you may also want to configure W3TC to disallow directory listings of its cache directory.
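The workaround above, as an added shell script that is not part of the original post: it locates every WordPress install under a base directory (identified by its wp-config.php, an assumption about the layout), writes the two deny directives into wp-content/w3tc/.htaccess where that directory exists, and lets you re-check afterwards that each install is covered.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes each WordPress
# install is identified by a wp-config.php in its root and that Apache
# honours .htaccess files under wp-content.

# Print the W3TC cache directory for a given WordPress root.
w3tc_dir() {
    printf '%s/wp-content/w3tc\n' "$1"
}

# Return 0 if the install's w3tc directory already carries the deny rules.
w3tc_protected() {
    f="$(w3tc_dir "$1")/.htaccess"
    [ -f "$f" ] && grep -qi '^Order Allow,Deny' "$f" && grep -qi '^Deny from all' "$f"
}

# Write the deny rules into wp-content/w3tc/.htaccess, leaving an already
# protected file untouched. Returns 1 if the install has no w3tc directory
# (the plugin is not installed or has not created its cache directory yet).
w3tc_protect() {
    d="$(w3tc_dir "$1")"
    [ -d "$d" ] || return 1
    w3tc_protected "$1" && return 0
    printf 'Order Allow,Deny\nDeny from all\n' >> "$d/.htaccess"
}

# Walk every install below $1 and report what was done for each one.
w3tc_protect_all() {
    find "$1" -name wp-config.php -type f 2>/dev/null | while read -r cfg; do
        root="$(dirname "$cfg")"
        if w3tc_protect "$root"; then
            echo "protected: $root"
        else
            echo "no w3tc directory (plugin not present?): $root"
        fi
    done
}
```

The two directives are the Apache 2.2 syntax quoted in the post; on Apache 2.4 hosts that do not load mod_access_compat, the equivalent is a single `Require all denied` line.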

As always, please be sure to update any WordPress installs and plugins you may have installed.

This is a responsibility we ask of our customers (as it is simply not feasible for us to manage this on their behalf), and it should be a quick and easy process. If you are unsure how to do this, you can follow the documentation here (we recommend the Automatic Update feature). You can find more information about plugins here.


  • I’m so glad to see this reported here at my very own hosting company’s blog!

    I installed the W3 Total Cache plugin to my WordPress blog last week and I didn’t notice any problems until a couple of days ago when I was alerted by that my site was down. When I checked it, it seemed to be up and running, so I contacted ASO for support. They asked me to check it on and it seemed okay, but I decided to go ahead and create an account with Pingdom to be alerted by them if something went awry with my site. Within a couple of minutes I was getting email alerts from Pingdom saying my site was down.

    After checking the error log in cPanel and discovering a bunch of errors related to W3 Total Cache, I decided to just deactivate the plugin to see if my site would be acknowledged as being up by both Pingdom and Uptrends. As soon as I hit the “deactivate” link in my WordPress, my screen went white and I had an odd little piece of code at the top of the page. I tried to refresh the page and kept getting the same piece of code. I tried to go to my site and got the same. Thinking there was an off chance I could access my cPanel to remove W3 Total Cache entirely, I was met with the same white screen. I couldn’t access my site from any avenue!

    Mike at ASO was able to access my cPanel and remove a bit of script that was left behind in my .htaccess file by W3 Total Cache. Once that was removed, my site was accessible by me and I was alerted by Pingdom and Uptrends that the site was up again.

    I don’t know whether this was related to the security hole/vulnerability or to some misconfiguration on my part, but after searching forums and finding that other people have had similar problems without a clear answer from the developer, I no longer trust this plugin. When I emailed the developer, he basically said he couldn’t help me other than offering to install a new beta version and configure it for me for $150. I have a small blog and the idea of paying $150 to have the developer configure a free plugin that was working fine for me for a week and then took my site down is ridiculous to me. And I generally don’t mind making donations to developers to support them in some small way.

    Now that I find out that the plugin actually has a security hole and doesn’t seem to be acknowledging it, I am even more irritated. Do you suggest any alternatives to using W3 Total Cache?