[Tutorial] W3 Total Cache Reloaded: How To Fix High-risk XSS Vulnerability in Popular WordPress Plugin

If you are one of the million-plus users of W3 Total Cache, the most famous free WordPress caching plugin, your day probably started badly when you read the report of a high-risk vulnerability in the wild. The plugin is unofficially abandoned, so millions of websites are left in the dark. There are some alternatives, but if you don’t want to switch, or can’t update, here I will share a fixed version, which will not only fix the vulnerability but deliver even better performance as well.



Update: W3 Total Cache Gets Official Update From Frederick Townes

It is a very sad situation when a popular plugin, with millions of downloads and even a premium version and support, is abandoned. And even after a vulnerability this big, the developer is nowhere to be found.

There are free plugins like WP Super Cache and several others, but there are many reasons why W3 Total Cache became this popular. There is also the newest premium-only player in the field, WP Rocket. But if for some reason (there could be several, actually) W3 Total Cache is still the best option for you, you are in a difficult position.

As there is no official update, what do you do? Hackers could take this opportunity at any time. Many are thinking of removing W3TC entirely, but that will cause a lot of other issues. Tests show that W3TC (or any well-configured caching plugin) lets you save about 400% CPU and server resources.

There are several workarounds, forks and fixes available in the wild. I found this project to be the most active for months, and I have tested it on 5+ servers. It removes the vulnerable module entirely and adds several amazing new features.



Solution & Guide:

Here is how to update to this version and apply the fix.

* Before you start, run some speed tests. I use https://gtmetrix.com/; run it at least twice to get a better result over the cache.

  1. First, save/back up your WordPress.
  2. Save the W3 Total Cache settings: Export Configuration from General Settings.
  3. Now deactivate W3 Total Cache, but do not delete it or click Uninstall from the plugin.
  4. This is the only part where you need to use FTP/SFTP or SSH, to rename the existing ‘w3-total-cache‘ folder. To keep it simple, rename it to ‘w3-total-cache-old‘. If you just delete the entire folder right away, WordPress will throw an error, as the object cache and other drop-ins, configuration and cache are present in your WordPress. And we need those settings to make this process smooth.
  5. Now get this fixed version from my forked repo of fix-w3tc.
    Repo: https://github.com/Asif2BD/W3-Total-Cache-Reloaded
    Download: https://github.com/Asif2BD/W3-Total-Cache-Reloaded/releases/download/
  6. Save this file to your computer.
  7. Go back to your WordPress Dashboard and go to the Add New plugin screen.
  8. Select upload new plugin.
  9. Locate the just downloaded ‘w3-total-cache.zip‘, upload and activate the plugin.
  10. Now the plugin is active. Visit the Performance tab. There could be a few new fixes; all of those were safe to apply in my test. The Apply All option did not work in my test, so I applied them one by one.
  11. Go to Performance -> General Settings, check all the settings, and save.
  12. Go to Performance -> Dashboard, clean the cache.
  13. Go to your site and test. Everything should be fine, and you are fully safe.

After you are done, run the speed test again. Feel free to share the result with us. In my test this version shows a remarkable speed boost if you use PHP 7 and recent caching technology like Redis.


  • Credit: The original plugin is by Frederick Townes, and the fix I used is by the community; check the contribution list.
  • Why I Forked: As the project was already in git and community supported, why did I need to create a separate fork? Here are the reasons:
    1. I wrote this tutorial for normal users, not necessarily developers. Developers could solve this one way or another, but millions of normal people use WordPress, and they need something very basic that they can follow.
    2. The source git release gives a zip with a different folder name, so the user needs additional steps to decompress it, edit the folder name and re-pack it, or the direct upload will cause an issue.
    3. Even this fixed version of W3TC has some code references with the plugin folder name hard-coded. If I had more time I could probably fix this, but I needed to release this ASAP, as I got requests from my people, clients and friends who all need a fix ASAP. So I had to edit the old folder name and keep this version as ‘w3-total-cache’.
    4. I named the plugin “W3 Total Cache Reloaded” because I kept the old plugin in the plugin list in my process, so to differentiate I needed to change the name a little bit.
  • Official Update & Backward Compatibility: I wanted to keep backward compatibility, and there is a big chance that an official update will come. So I kept the old plugin on the server. When the new update arrives, you just reverse the process by deactivating this one, renaming this folder to ‘w3-total-cache-reloaded’ and renaming ‘w3-total-cache-old’ back to ‘w3-total-cache’, and all will be fine. Personally, I will be a little skeptical about the official route if it does not contain any bug fixes; just fixing this vulnerability will not be enough for me to move from this community version.
  • Tested: This version is community built and well accepted, and I personally tested and deployed it on more than 5 live sites, so if you trust me, you can trust this.
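
A pre-upload check for the zip from step 9, covering the folder-name problem described under “Why I Forked” (an added example, not code from the fork or from W3 Total Cache). It goes beyond the tutorial by also recording the archive's SHA-256 and flagging entries with unsafe paths; `inspect_plugin_zip`, `make_zip` and the sample file names are hypothetical names used for illustration.

```python
import hashlib
import io
import re
import zipfile
from pathlib import PurePosixPath

EXPECTED_DIR = "w3-total-cache"  # folder name the post says the plugin code expects


def inspect_plugin_zip(data, expected_dir=EXPECTED_DIR):
    """Check a plugin zip before uploading it through the WordPress dashboard."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "plugin_names": [], "problems": []}
    roots = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            # Absolute paths or ".." could be written outside wp-content/plugins.
            if name.startswith("/") or ".." in parts:
                report["problems"].append("unsafe path: " + info.filename)
                continue
            if parts:
                roots.add(parts[0])
            # WordPress recognises a plugin by a "Plugin Name:" header in the
            # first 8 KB of a PHP file directly inside the plugin folder.
            if len(parts) == 2 and name.endswith(".php"):
                head = zf.read(info)[:8192].decode("utf-8", "replace")
                if m := re.search(r"Plugin Name:\s*(.+)", head):
                    report["plugin_names"].append(m.group(1).strip())
    if roots != {expected_dir}:
        report["problems"].append(
            f"top-level entries {sorted(roots)}, expected only {expected_dir!r}")
    if not report["plugin_names"]:
        report["problems"].append("no top-level PHP file with a Plugin Name header")
    return report


def make_zip(files):
    """Build a constructed sample archive in memory (not the real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed sample: a zip whose top-level folder name differs from the expected one.
SAMPLE = make_zip({"fix-w3tc-master/plugin.php": "<?php\n/*\nPlugin Name: Demo\n*/\n"})
print(inspect_plugin_zip(SAMPLE)["problems"])
```

Recording the SHA-256 next to the release you downloaded lets you confirm that the same archive is being installed on each additional server.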

This type of hardcore WordPress-related article is pretty new to TTJ, so you might wonder. Actually, despite being Editor-in-Chief and admin of this site, I am a long-time WordPress enthusiast, and have been working very closely with WordPress for the past 12 years. You can learn more about me on my personal site – Asif.im.

M Asif Rahman


This Post Has 46 Comments

  1. ManagedWPHosting

    For anyone needing time to switch plugins, or anyone who really needs W3TC but needs to make it secure .. this small plugin will stop all access to the W3 total Cache (Version XSS support page,

    just install (preferably as mu-plugin) and you are all done.
    https://github.com/ramonfincken/w3tc_deny_supportpage Instructions are in the README.md file

    W3TC will continue to cache your site, and you will have some “breathing time” to search for an alternative caching plugin.

    Note: I still think it is time that W3Edge releases a fix for this and many other things as well (PHP 7 support for instance).
