W3 Total Cache is one of the most popular WordPress plugins out there, it is used by thousands of websites and we here at RocketMill we are big fans of it and in most cases prefer it over its “closest” competitor WP Super Cache. While we do recommend WP3 Cache, I must admit that pretty much most of the caching plugins available are broken to some extent. From an technological aspect W3 Cache is using modern caching techniques compared to WP Super Cache but it can be a pain to configure properly. On the other hand, WP Super Cache has reliability issues in terms of garbage collection which does not give a favourable outcomes at all.
A couple of weeks ago, Jason Donenfeld from ZX2C4.com disclosed a security vulnerability which came to life due to mis-configuration. This security loophole is caused by the way WP 3 Cache handles and stores database cache. Basically, WP3 Cache stores your database in a publicly accessible directory which could enable an attacker to retrieve your hashed passwords and other database specific information.
Looking into the issue a bit further I realized that even if your server is configured properly, an attacker can actually and very easily predict the key value and filenames of the database cache items from the default location where database cache is stored “/wp-content/w3tc/dbcache/”.
Jason has released a shell script that guesses hash values that are extracted via the W3 Total Cache vulnerability, you can find it over at https://github.com/zx2c4/w3-total-fail
The WP3 Cache team has acknowledged this issue and were to quick to patch it. Here is what Fredrick Townes said:
“The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.
For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.”
Bottom line is, if you are using WP3 Cache then update it immediately.
According to stats from WordPress.com, almost 56% of sites are still using the unpatched version of W3 Total Cache – this means a huge number of sites out there are possibly vulnerable due to this security issue.