If you have a WordPress site, this is critical. The W3 Total Cache plugin has a severe security vulnerability that can allow attackers to run PHP commands on your site. In other words, they can take control of your site without logging in.
So, What Has Happened?
All versions before 2.8.13 are affected. An attacker can submit a malicious comment on your site, and the plugin will then execute arbitrary code hidden in that comment. This happens through a weak function in the W3 Total Cache plugin that executes specially coded dynamic messages.
If an attacker can leverage this third-party code functionality in the platform, they can:
- Tamper with your site files
- Inject malware
- Redirect your visitors
- Or completely take over your server
What Should You Do Now
Verify your version
If you are not running version 2.8.13 or greater, update promptly.
Can't update now?
Disable the plugin for safety.
Pay attention to your comments
Hackers will commonly use your comments section to push malware/code into your website. You should limit or moderate your comments.
Examine your server logs
Be on the lookout for unusual commands and unknown activity.
By taking those precautionary actions, you can keep your site safe until you update.
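The "Verify your version" step as an added shell example (not from the original article or from the plugin's authors): it reads the `Version:` header from the plugin's main PHP file and compares it field by field as numbers against 2.8.13, because a plain string comparison would rank 2.8.2 above 2.8.13. The path `wp-content/plugins/w3-total-cache/w3-total-cache.php` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: is this copy of W3 Total Cache at or above the fixed release?
FIXED_VERSION="2.8.13"   # fixed version named in the article

# Print the version from the "Version:" line of a WordPress plugin header,
# e.g. a header line such as " * Version: 2.8.2" (constructed sample).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing each field as a number.
version_ge() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    if [ "$_a" = "$_x" ]; then _a=; else _a=${_a#*.}; fi
    if [ "$_b" = "$_y" ]; then _b=; else _b=${_b#*.}; fi
    _x=${_x:-0} _y=${_y:-0}          # a missing field counts as 0
    [ "$_x" -gt "$_y" ] && return 0
    [ "$_x" -lt "$_y" ] && return 1
  done
  return 0
}

# Exit status: 0 = fixed version or newer, 1 = older than the fix,
# 2 = version could not be read (treat as "investigate", not as "safe").
w3tc_check() {
  _v=$(plugin_version "$1")
  case $_v in
    '' | *[!0-9.]* | .* | *. | *..*)
      echo "cannot read a version from $1" >&2
      return 2 ;;
  esac
  if version_ge "$_v" "$FIXED_VERSION"; then
    echo "OK: W3 Total Cache $_v"
    return 0
  fi
  echo "UPDATE NEEDED: W3 Total Cache $_v is older than $FIXED_VERSION"
  return 1
}

# Usage (path is an assumption about the install layout):
#   sh check_w3tc.sh /var/www/html/wp-content/plugins/w3-total-cache/w3-total-cache.php
if [ "$#" -gt 0 ]; then w3tc_check "$1"; fi
```

An unreadable version returns status 2 so that a missing or altered plugin file is not mistaken for a patched one.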
My Thoughts
I have experience running WordPress sites, so I understand the importance of updating matters. I waited too long to update a plugin on a client site, and their site was hacked due to a bug with an old plugin. Since then, I am always mindful of updating.
I really enjoy using W3 Total Cache because it makes sites faster, but the reality is that any plugin could have bugs. The only way to stay protected, from any plugin including W3 Total Cache, is to keep everything up to date.