There is a high-risk XSS Vulnerability in W3 Total Cache, and we have got the guide to the fix for you.
If you are one of the million-plus users of W3 Total Cache, the most famous free WordPress caching plugin, your day probably started badly with the report of a high-risk vulnerability in the wild. The plugin is unofficially abandoned, so millions of websites are left in the dark. There are some alternatives, but if for some reason you don’t want to, or can’t update, here I will share a fixed version, which will not only fix the vulnerability but deliver even better performance as well.



Update: W3 Total Cache Gets Official Update From Frederick Townes

It is a very sad situation when a popular plugin, with millions of downloads and even a premium version and support, is abandoned. And even after a vulnerability this big, the developer is nowhere to be found.

There are free plugins like WP Super Cache and several others, but there are many reasons why W3 Total Cache became this popular. There is also the newest premium-only player in the field, WP Rocket. But if for some reason (there could be several, actually) W3 Total Cache is still the best option for you, you are in rather deep trouble.

As there is no official update, what do you do? Hackers could take this opportunity at any time. Many are thinking of removing W3TC entirely, but that will cause a lot of other issues. Tests show that W3TC (or any well-configured caching plugin) lets you save about 400% CPU and server resources.

There are several workarounds, forks and fixes available in the wild. I found this project to be the most active for months, and I have tested it on 5+ servers. It removes the vulnerable module entirely and adds several amazing new features.


Solution & Guide:

Here is how to update to this version and apply the fix.

* Before you start, run a speed test. I use https://gtmetrix.com/; run it at least twice to get a better result over the cache.

  1. First, save/back up your WordPress.
  2. Save the W3 Total Cache settings: Export Configuration from General Settings.
  3. Now deactivate W3 Total Cache, but do not delete it or click Uninstall from the plugin.
  4. This is the only part where you need to use FTP/SFTP or SSH, to rename the existing ‘w3-total-cache‘ folder. To keep it simple, rename it to ‘w3-total-cache-old‘. If you just delete the entire folder right away, WordPress will throw an error, as the object cache and other drop-ins, configuration and cache are still present in your WordPress. And we need those settings to make this process smooth.
  5. Now get this fixed version from my forked repo of fix-w3tc.
    Repo: https://github.com/Asif2BD/W3-Total-Cache-Reloaded
    Download: https://github.com/Asif2BD/W3-Total-Cache-Reloaded/releases/download/0.9.4.5.2.1/w3-total-cache.zip
  6. Save this file to your computer.
  7. Go back to your WordPress Dashboard and go to the Add New plugin screen.
  8. Select upload new plugin.
  9. Locate the just downloaded ‘w3-total-cache.zip‘, upload and activate the plugin.
  10. Now the plugin is active. Visit the Performance tab. There could be a few new fixes; all of those were safe to apply in my test. The Apply All option did not work in my test, so I just applied them one by one.
  11. Go to Performance -> General Settings, check all the settings, and save.
  12. Go to Performance -> Dashboard, clean the cache.
  13. Go to your site and test. Everything should be fine, and you are fully safe.
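
Before uploading the archive in step 9, you can confirm that it unpacks into a single ‘w3-total-cache’ folder, which the notes below say the plugin code depends on, and record its SHA-256 for your own records. This is an added example, not code from the fork or from the original plugin; the sample archives and the `fix-w3tc-master` folder name are constructed for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

EXPECTED_DIR = "w3-total-cache"  # folder name the article says must be kept


def inspect_plugin_zip(data, expected_dir=EXPECTED_DIR):
    """Return (sha256_hex, problems) for a plugin archive given as bytes."""
    problems, top_levels, has_header = [], set(), False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            # Entries that would land outside the plugins directory.
            if name.startswith("/") or ".." in parts:
                problems.append("unsafe path: " + info.filename)
                continue
            if parts:
                top_levels.add(parts[0])
            # Unix symlinks show up in the mode bits of external_attr.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append("symlink entry: " + info.filename)
            # WordPress recognises a plugin by a "Plugin Name:" header in a
            # PHP file directly inside the plugin folder (first 8 KB is read).
            if (len(parts) == 2 and parts[0] == expected_dir
                    and name.endswith(".php")
                    and b"Plugin Name:" in zf.read(info)[:8192]):
                has_header = True
    if top_levels != {expected_dir}:
        problems.append("expected only %r at top level, found %r"
                        % (expected_dir, sorted(top_levels)))
    elif not has_header:
        problems.append("no PHP file with a Plugin Name header in " + expected_dir)
    return hashlib.sha256(data).hexdigest(), problems


def make_zip(entries):
    """Build a small in-memory archive (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()


GOOD = make_zip({"w3-total-cache/w3-total-cache.php": "<?php /* Plugin Name: Sample */"})
RENAMED = make_zip({"fix-w3tc-master/w3-total-cache.php": "<?php /* Plugin Name: Sample */"})
TRAVERSAL = make_zip({"w3-total-cache/../../outside.php": "<?php"})
```

For the real download, pass the file's bytes (`open("w3-total-cache.zip", "rb").read()`) and upload only if the returned problem list is empty.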

After you are done, run the speed test again. Feel free to share the results with us. In my test this version shows a remarkable speed boost if you use PHP7 and recent caching technology like Redis.

Notes:

  • Credit: The original plugin is by Frederick Townes, and the fix I used is by the community; check the contribution list.
  • Why I Forked: As the project was already in git and community supported, why did I need to create a separate fork? Here are the reasons:
    1. I wrote this tutorial for normal users, not necessarily developers. Developers could solve this one way or another, but millions of normal people use WordPress, and they need something very basic that they can follow.
    2. The source git release gives a zip with a different folder name, so the user needs additional steps to decompress it, edit the folder name and re-pack it, or the direct upload will cause an issue.
    3. Even this fixed version of W3TC has some code references with the plugin folder name hard-coded. If I had more time I could probably fix this, but I needed to release this ASAP, as I got requests from my people, clients and friends who all need a fix ASAP. So I had to edit the old folder name and keep this version as ‘w3-total-cache’.
    4. I named the plugin “W3 Total Cache Reloaded” because I kept the old plugin in the plugin list in my process, so to differentiate I needed to change the name a little bit.
  • Official Update & Backward Compatibility: I wanted to keep backward compatibility, and there is a big chance that an official update will come. So I kept the old plugin on the server. When the new update arrives, you just reverse the process: deactivate this one, rename this folder to ‘w3-total-cache-reloaded’ and rename ‘w3-total-cache-old’ back to ‘w3-total-cache’, and all will be fine. I will personally be a little skeptical about the official route if it does not contain any bug fixes; just fixing this vulnerability will not be enough for me to move from this community version.
  • Tested: This version is community built and well accepted, and I personally tested and deployed it on more than 5 live sites, so if you trust me, you can trust this.

This type of hardcore WordPress-related article is pretty new to TTJ, so you might wonder. Actually, despite being Editor-in-Chief and Admin of this site, I am a long-time WordPress enthusiast and have been working very closely with WordPress for the past 12 years. You can find out more about me on my personal site – Asif.im.

On September 24, 2016


46 Responses

  1. Fahime Shariayer Says:

    😒

    Okay

    Posted on September 24th, 2016 at 12:16 PM

  46. ManagedWPHosting Says:

    For anyone needing time to switch plugins, or anyone who really needs W3TC but needs to make it secure .. this small plugin will stop all access to the W3 total Cache (Version 0.9.4.1) XSS support page,

    just install (preferably as mu-plugin) and you are all done.
    https://github.com/ramonfincken/w3tc_deny_supportpage Instructions are in the README.md file

    W3TC will continue to cache your site, and you will have some “breathing time” to search for an alternative caching plugin.

    Note: I still think it is time that W3Edge releases a fix for this and many other things as well (PHP 7 support for instance).

    Posted on September 25th, 2016 at 6:14 AM
