On Christmas Eve, knowledge of a rather serious security hole for
Wordpress was released.
The security hole, or “vulnerability”, only affects users that are using the W3 Total Cache plugin for WordPress.
The details can be found here (and the technical details here).
However, no official patch has been provided yet, even in the most up-to-date version.
To combat this, go to the wp-content directory of every WordPress install you may have that has this plugin installed, and create a file named .htaccess in the w3tc directory there:
[Wordpress installation directory]
and in this .htaccess file, add the lines:
Deny from all
This will prevent outside access to the directory containing sensitive information. Alternatively, you may also want to configure W3TC to disallow cache directory listings.
As always, please be sure to update any WordPress installs and plugins you may have installed.
This is a responsibility that we have of our customers (as it’s simply not feasible for us to be in control of this), and should be a quick and easy process to do. If you are unsure of how to do this, you can follow the documentation here (we recommend the Automatic Update feature). You can find more information regarding plugins here.