If you have a blog or write for one (both of which I do) then you have no doubt looked for plugins to improve your traffic and user experience. There is certainly no shortage of ones available, given the popularity of the platform. But, not all of them are good or reliable or even secure. In fact, one of the most popular has just been outed to have an enormous security hole.
W3 Total Cache, a plugin designed to speed up web sites that use the WordPress content management system. It does so by caching site content, speeding up page loads, and downloads. In fact, it has more than 1.39 million users.
Now however, a security researcher, Jason A. Donenfeld, has found a vulnerability in the plugin that makes sites that use the plugin vulnerable to attacks.
The cache data is stored in [a] public accessible directory, which means a malicious hacker can browse and download the password hashes and other database information.
Certainly not good news for many web site owners, including major ones like Mashable, which use this plugin. In fact, the researcher published a simple script -- http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh -- that can identify and exploit the hole. Donenfeld points out that the plugin is "Trusted by countless sites like: stevesouders.com, mattcutts.com, mashable.com, smashingmagazine.com, makeuseof.com, yoast.com, kiss925.com, pearsonified.com, lockergnome.com, johnchow.com, ilovetypography.com, webdesignerdepot.com" and more.
Exposed cache directories are also discoverable by using a Google search. Even if you switch the directory listings to off, cache files are still publicly downloadable by default with W3 Total Cache. In fact, all a hacker would need to know is the key values and file names of the cache items, which Donenfeld claims is not exactly rocket science. Scary!
There is, however, some good news. In a post to Full Disclosure Donenfeld stated that W3 Edge, the company behind this plugin, is working on an update to close the security hole. In the meantime, those using this plugin on their blogs may want to consider temporarily disabling it while they wait for an update.
As far as Ghacks goes, we are safe from the vulnerability as we are running WP Super Cache.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.