Fixed: Security Vulnerability in W3 Total Cache plugin in for WordPress


djbaxter

Administrator
Joined
Jun 28, 2012
Messages
2,534
Likes
745
An Important Announcement For WordPress Users
by Brent Saner, A Small Orange
December 24, 2012

On Christmas Eve, knowledge of a rather serious security hole for ordpress was released.

The security hole, or ?vulnerability?, only affects users that are using the W3 Total Cache plugin for WordPress.

The details can be found here (and the technical details here).

However, no official patch has been provided yet, even in the most up-to-date version.

To combat this, go to the wp-content directory of every WordPress install you may have that has this plugin installed, and create a file named .htaccess in the w3tc directory there:

Code:
 [Wordpress installation directory]
 +wp-content
-+w3tc
?.htaccess
and in this .htaccess file, add the lines:

Code:
Order Allow,Deny
Deny from all
This will prevent outside access to the directory containing sensitive information. Alternatively, you may also want to configure W3TC to disallow cache directory listings.
 

djbaxter

Administrator
Joined
Jun 28, 2012
Messages
2,534
Likes
745
Re: Security Vulnerability in W3 Total Cache plugin in for WordPress

New version released fixes the security vulnerability

WordPress › W3 Total Cache ? WordPress Plugins

Changelog

0.9.2.5


  • Fixed security issue that can occur if using database caching to disk. If using database caching to disk with a web server with directory listing or web accessible wp-content/w3tc/dbcache/* directories. This patch works for all hosting environments / types where PHP is properly configured, i.e. .htaccess modifications (or other web server configuration changes) are not necessary to ensure proper security. Empty the database cache after performing the update if you use database caching to disk.
 

Local Search Forum


Weekly Digest
Subscribe/Unsubscribe


Google Product Exert

@LocalSearchLink

Join Our Facebook Group

Top