Thankfully, I haven’t experienced this reported security vulnerability, but it’s a pretty big deal.
It takes the right combination of server settings and W3 Total Cache (W3TC) plugin configurations for the vulnerability to exist, which is why I titled this post with “concern” instead of “vulnerability” (but, yes, it’s very bad if you’ve got the wrong settings).
The most complete WordPress performance framework.
Recommended by web hosts like: MediaTemple, Host Gator, Page.ly and WP Engine and countless more.
And I wanted to clarify that our and our clients’ hosting (on WP Engine) does NOT employ W3TC. In fact, it’s listed as a WP Engine Disallowed Plugin (all caching plugins are). Additionally, in December 2011, the founder, Jason Cohen, wrote a blog post stating:
Other so-called “Managed” WordPress hosting companies say they’ll make your page fast, then leave it to you to find and configure complicated page- and database-caching plugins with 100 options. We think “managed” means you shouldn’t have to figure all that out!
At WP Engine, we’re 2x faster than the closest competitor, and we ban all caching plugins because we do it better, and we do it automatically.
I point all this out for two reasons:
- It’s pretty big news, and I didn’t want our clients worrying.
- WP Engine DOES NOT use W3TC. In fact, they don’t even allow it.
I think W3TC is the best WordPress caching plugin, and a decent server setup (i.e. not ultra-cheap hosting) combined with a properly configured W3TC plugin shouldn’t have this vulnerability. However, I’m glad to use and provide WP Engine hosting because they take care of the scary, important stuff like security and caching.
If you need clarification or help with W3TC or want to sign up for our managed WordPress hosting, you’re invited to contact us.
W3TC was recently overhauled — totally redone. The changelog is lengthy, but thankfully it lists the resolved issues: http://wordpress.org/extend/plugins/w3-total-cache/changelog/
Image from W3TC plugin on WordPress plugin repository