W3 Total Cache and HTTPS

As many of you know, Google has now announced HTTPS as a ranking signal.

In plain English this means that all things being equal, a site served over HTTPS will rank higher than a site served over HTTP. And don’t take “all things being equal” lightly: there are hundreds of factors that influence how well your site ranks (so there’s no need to drop everything and buy an SSL certificate). Regardless, security (as is the case with performance) is clearly a direction in which the web is moving.

Configuring SSL is a pain, even when you know what you’re doing. The last thing we want here at W3 EDGE is to make it harder for you to run a secure website once you’ve gone through the trouble of implementing security measures.

There are a number of ways in which W3 Total Cache supports both performance and security, and we wanted to highlight a few of these capabilities below:

Page caching

  1. Caching of HTTPS pages: on the page cache settings page, you can “Cache SSL (https) requests” (uniquely) for improved performance.
  2. Page caching exceptions: Pages with customer-specific data (such as shopping cart pages and member profiles) should not be cached in most cases, and W3TC allows you to implement a page caching exception on the pages of your choice via the “Never cache the following pages” section of the page cache settings page. Usage: simply enter “cart/” to exclude that page or “cart/*” to exclude that page and all sub-pages. (Without the quotes, of course.)
  3. Pro tip: you can also use the define('DONOTCACHEPAGE', true); define statement in your functions.php file to specify a page or series of pages where page caching should be disabled. Navigate to Performance > FAQ in your Dashboard for more information.

Content Delivery Networks

  1. Disable CDN on SSL pages: We have a lot of customers who run ecommerce websites and secure transaction pages (/cart, etc.) with SSL. Many of these customers also integrate a Content Delivery Network on their site to improve performance, and this can break SSL pages if the CDN URLs are HTTP. W3TC has long allowed you to disable CDN on HTTPS pages with a snippet of code, but this functionality is now fully exposed through the UI. Usage: On the CDN Settings page, simply select the “Disable CDN on SSL pages” checkbox under the Advanced section.
  2. SSL Support: W3TC also supports CDNs served over HTTPS.
  3. Pro tip: to maximize the use of W3TC and your CDN on sites with both HTTP and HTTPS pages, you can define both versions of your CDN hostnames in the “Replace site’s hostname with” fields of the CDN settings page in the following format: cdn.yourdomain.com,ssl-cdn.yourdomain.com. You can see Yoast’s configuration illustrated in his excellent post on WordPress and CDNs.

CloudFlare

CloudFlare is a product that many of our customers use for securing and accelerating their sites. You can actually use CloudFlare’s Pro plan ($20/mo as of the time of this post) to serve your site over SSL without needing to purchase and configure an SSL certificate.

The latest version of W3TC ships with a CloudFlare extension to facilitate the connection between your site and the CloudFlare services. This connector is not required for CloudFlare to function of course (CloudFlare works at the DNS level), but our connector exposes a number of useful functions that allow you to make changes right from W3TC.

Fun fact: CloudFlare was originally conceived as a security product that ended up having performance benefits as a result of how it functions.

Help!

I know, this stuff can be overwhelming if you don’t have an engineering degree or if you’re just wading into these waters. You can drop us a note or order professional configuration if you need help.

Heartbleed bug and W3 Total Cache

By now, you’ve no doubt read posts from all over the web about the Heartbleed Bug. If you’ve somehow missed the news, here’s a quick overview:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Pretty scary stuff.

How it affects you

Here at W3 EDGE, we use SSL to secure credit card transactions when customers purchase a W3 Total Cache Pro license through the WordPress dashboard.

Upon learning of the bug, we upgraded OpenSSL on our servers to version 1.0.1g which was released on Monday and contains a patch for the Heartbleed bug. No action is required on your part, and you can continue using W3 Total Cache with confidence.

Website Performance on the Edge with W3 Total Cache

For those of you that have been bothered or concerned with the notion of upgrading W3 Total Cache because new features have been problematic for you, we understand your concerns and we’re grateful to those that take the time to reach out about their challenges. As you may know, no amount of testing or known process allows us to identify issues that may occur on your site beforehand, due to all of the various hosting environments, plugins and themes that exist in the ecosystem.

So, to begin to address challenges nonetheless, the next release of W3 Total Cache includes two key new features that will allow us to iterate faster, provide maintenance updates which are not expected to break your installation (because they don’t relate to features) and also make you aware of security or best practice updates so that you can keep your site as up-to-date as WordPress itself.

Version 0.9.4 (among numerous new features and fixes includes the following key improvements):

  1. Maintenance Updates: Now each release will notify you of the changes that have occurred to the default settings since the last update and also make it easy for you to identify best practices that will help you make your site or application faster. The notifications can be ignored or automatically applied to your settings in just a click.
  2. Edge Mode: WordPress is used in countless ways, environments and alongside of various software including plugins, themes and even drop-ins. For that reason, rather than continue to fail to maintain a developer network to help us go beyond our automated testing suite (and continuous integration practices), we are rolling out edge mode.

    The key is that in the new update you will be prompted to opt-in to edge mode that will allow you to test features that have not yet been tested in a large enough % of the user-base. This provides us the ability to use the typical WordPress workflow to provide updates more frequently for maintenance and also allows us to allow testers and early adopters to benefit from new features immediately as well.

    We anticipate that this change will allow us to make at least one release per month, but will be targeting one release per week.

    Again, those who have opted into edge mode would be able to preview features that are not available to users who have opted-out (the default setting).

    Pro subscribers will not be opted into the edge mode; however there will be Pro features available in edge mode periodically.

We hope that these changes will create a much better user experience and allow us to more aggressively further our mission to empower publishers and application developers to focus on their content and business rather than on web performance optimization.

Announcing W3 Total Cache Pro

Several weeks ago we silently launched version 0.9.3, a very exciting release for us. As we get closer to a final release of the popular web performance optimization (WPO) framework, we’re finally able to start employing the best practices our colleagues like Joost de Valk and Pippin Williamson (among others) have championed for some time.

But before we get into that, let’s take a look at the highlights:

  • Fragment Caching: Social layer, personalization, e-commerce, etc. are common elements of highly dynamic web sites. That means that caching entire pages to improve user experience and performance is not a solution. Fragment Caching bridges the gap between no caching at all and the “ideal,” full page caching. By extending the WordPress Transient API, W3TC allows developers to bring both horizontal and vertical scale to bear without doing anything differently.
  • Extension Framework: As mentioned above, extensions / add-ons represent a great opportunity to de-bloat projects that solve many problems or address many use cases. They also allow for innovation, as 3rd parties can make contributions and solve their own problems without having to be a core project developer, while maintaining the control they need. We’re excited for you to try this first iteration of our extension framework, and documentation can be found (for now) inside the plugin’s FAQ.
  • Genesis Framework Extension: Among the most popular theme clubs in the market and part of a highly valuable suite of publishing solutions is the Genesis Framework. Our work in the website optimization industry for the past 11+ years allows us to know great products and communities when we see them, and that is why we chose to work with CopyBlogger Media to enhance the performance of the framework.

    The extension is included in the W3TC default distribution and requires an active Genesis theme as well as W3TC Pro. The extension leverages the fragment cache in order to do its magic, a solid example of the power of the new extension framework. Once enabled, a given page request will be served 30-60% faster (and will be even faster as we move forward).

    Working with the Genesis team to get this extension into play has been fun, but we do expect to find some bugs along the way. Please let us know what you find so that we can promptly address it. Meanwhile, we hope the value we’re offering helps you create engaging experiences for your readers / users. For Synthesis hosting customers, the upgrade is free and already running on your site(s).

For those interested in upgrading to the Pro version, simply use the upgrade button to obtain a license key valid for a single WordPress installation. To have a professional from the team tune your site for performance, simply make a purchase from the support tab of the plugin itself.

To learn more about how fragment caching helps “origin optimization” (optimizing your site for the cache miss and other use cases), check out the white paper we co-authored with our friends at CopyBlogger Media!

We have a lot more planned for the Pro version of W3TC, so please stay tuned or share your ideas with us as we move forward.

Security & W3 Total Cache 0.9.2.4

We take security quite seriously even though our focus is on making it trivial to allow any publisher to maximize the performance they can extract from their hosting environment and WordPress itself.  Most recently we took a look at the steps that GoDaddy was taking in the shared hosting segment of the market.

In versions of W3 Total Cache prior to 0.9.2.5, a vulnerability exists (CVE-2012-6077, CVE-2012-6078, CVE-2012-6079) if the following two cases are true:

  1. Directory listing and download of w3tc/dbcache/ directories is possible
  2. W3 Total Cache has database caching enabled and is set to use disk

This issue was resolved in release 0.9.2.5, irrespective of whether or not #1 was true. That release pushes the next release, which some of you may have been testing, to 0.9.2.6.

For those of you who feel they were affected, here are some remediation steps:

  • Empty and disable database caching until you upgrade W3TC
  • Audit your administrator accounts and change their passwords, potentially add HTTP Basic Authentication to /wp-login.php and /wp-admin/ if possible
  • Update your database credentials, name (and table name offset if possible)
  • Ensure that you have nightly backups of your site, if you’re not sure contact your web host
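
An added example, not part of the original post or of W3 Total Cache itself: a local audit for the two conditions listed above, run against your own wp-content directory. It assumes Apache-style .htaccess access control and that the disk cache sits at wp-content/w3tc/dbcache; the function names and the sample trees are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the disk database cache sits at wp-content/w3tc/dbcache, following
# the "w3tc/dbcache/" path named above.
DBCACHE_REL = os.path.join("w3tc", "dbcache")

# Containers that limit a directive to some files or methods, so a deny inside
# them does not protect the whole directory. <IfModule> wrappers are not scoped.
SCOPED = re.compile(r"^\s*<(/?)(files|filesmatch|limit|limitexcept)\b", re.I)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)


def htaccess_denies_all(text):
    """True if the .htaccess text blocks every request to its directory."""
    depth = 0
    for line in text.splitlines():
        scoped = SCOPED.match(line)
        if scoped:
            depth += -1 if scoped.group(1) else 1
        elif depth == 0 and DENY.match(line):
            return True
    return False


def audit_dbcache(wp_content):
    """Report cache files on disk and whether an Apache deny rule covers them."""
    cache_dir = os.path.join(wp_content, DBCACHE_REL)
    report = {"cached_files": 0, "deny_rule": False, "at_risk": False}
    if not os.path.isdir(cache_dir):
        return report
    for _root, _dirs, files in os.walk(cache_dir):
        report["cached_files"] += sum(not f.startswith(".") for f in files)
    # A deny rule in dbcache/, w3tc/ or wp-content/ applies to everything below.
    for directory in (cache_dir, os.path.dirname(cache_dir), wp_content):
        try:
            with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
                report["deny_rule"] |= htaccess_denies_all(fh.read())
        except OSError:
            pass  # no .htaccess at this level
    report["at_risk"] = report["cached_files"] > 0 and not report["deny_rule"]
    return report


def demo():
    """Audit two constructed wp-content trees (sample data, built in a temp dir)."""
    samples = {
        "scoped_only": "<Files *.php>\nDeny from all\n</Files>\n",
        "locked": "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n",
    }
    reports = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, htaccess in samples.items():
            wp_content = os.path.join(tmp, name)
            os.makedirs(os.path.join(wp_content, DBCACHE_REL, "a1"))
            with open(os.path.join(wp_content, DBCACHE_REL, "a1", "entry"), "w") as fh:
                fh.write("constructed placeholder, not real cache data")
            with open(os.path.join(wp_content, "w3tc", ".htaccess"), "w") as fh:
                fh.write(htaccess)
            reports[name] = audit_dbcache(wp_content)
    return reports
```

A clean report only reflects what the files say: a server that ignores .htaccess (nginx, or Apache with AllowOverride None) needs the equivalent rule in its own configuration.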

The 0.9.2.6 release, expected within less than a week, further expands on the initial approach to securing caching files to disk while using database caching and ameliorates issues caused with the previous patch.

One might ask, why not completely remove disk caching for the database from the W3TC framework? The problem is that our goal is to make it possible for users to take control of their performance needs. That means that if they have an environment where they’ve tested to find that reading cache files from disk provided lower execution times than not caching at all, that option should be available.

After years of scaling web sites, one thing we know for sure is that as your site grows, the techniques you use to scale it change. W3TC is ready to grow with you. With more than 140 features and fixes in the next release, the future is bright.

WPO & GoDaddy: How to configure W3 Total Cache and APC

APC is an opcode cache used by many sites to improve application performance. PHP is an interpreted language, and the scripts (such as the ones that comprise your WordPress site) are loaded, parsed, compiled into an opcode, and executed when called. This process can use an inordinate amount of resources on a busy site, especially one without caching, so we need to do what we can to optimize this process.

While installing APC on a dedicated server or VPS is a straightforward process, this post (the first in a series of Web Performance Optimization (WPO) posts for GoDaddy) outlines how to enable it on your GoDaddy shared web hosting account:

  1. Log into your GoDaddy account and navigate to your hosting dashboard
  2. Go to Tools > FTP File Manager
  3. Locate the php5.ini file and make a copy by clicking the checkbox, clicking on the “html” directory on the left, and entering php5.ini.backup.txt as the file name
  4. Look for a line mentioning apc.shm_size and if one doesn’t exist, add this: apc.shm_size = 64M
  5. Make sure lines beginning with zend_optimizer and zend_extension are preceded by a semicolon
  6. Save the file and then click the X in the top-right corner

And now we need to restart PHP:

  1. Navigate to your hosting dashboard again
  2. Click the “Launch” button that corresponds with the hosting account in question
  3. Under “Stats & Monitors” click “System Processes”
  4. Click “End Web” in the top
  5. This will restart the PHP process on your account and you should now be able to cache against APC in W3 Total Cache

Note that the optimal configuration depends on available memory, your theme, active plugins, and other factors. If you’d like help unlocking your site’s performance potential, place your order here and we’ll implement these best practices for you.

And if you’d like to be updated when products are updated or announced, be sure to sign up here.

W3 Total Cache Version 0.9.2.5

We recently released a security update to W3 Total Cache that addresses a vulnerability that can be exploited on misconfigured servers when database caching to disk is enabled. All users are encouraged to update.

If you see the following error after the upgrade:

    Fatal error: Call to undefined function w3_is_dbcluster() in /path/to/wp-content/some-file.php

This likely means that you’ve had us configure W3 Total Cache on your site already, and you were running a newer version of the plugin already.

You’ll need to manually disable W3 Total Cache to restore access and reach out so we can get you sorted.

How to integrate a CDN with W3 Total Cache

The integration of a Content Delivery Network (CDN) into your website remains one of the easiest and most cost-effective ways to improve web performance. W3 Total Cache supports several CDN types (self-hosted, origin pull, and origin push) and makes the integration into WordPress simple.

In this post, I’ll show you how to integrate MaxCDN’s origin pull CDN product into W3TC. MaxCDN’s product remains one of the most commonly used CDNs in W3TC because it’s affordable, simple to set up, and requires virtually no maintenance once integrated.

MaxCDN configuration steps

First, create a MaxCDN account if you haven’t already. Then:

  1. When you log in, click “Manage Zones”
  2. Click “Create Pull Zone”
  3. Configure your new Pull Zone and then click “Create”
  4. Make a note of your CDN URL, which we’ll use in a moment

We could technically integrate our CDN now, but W3TC can communicate with MaxCDN (allowing purge requests to be sent directly from WordPress) if we set up the API connection.

  1. Click “my settings” in the top-right corner
  2. Click “API” in the sub-menu that appears
  3. You’ll notice that we don’t have any API Keys configured. Click “Add Key”
  4. Add a description if you’d like and then click “Save”
  5. Your API ID and Key will appear here (I’ve removed my Key from the screenshot)

That’s all we need to do in MaxCDN right now. In the next section, we’ll configure W3 Total Cache using the pull zone we just created.

W3 Total Cache configuration steps:

  1. Once logged into WordPress, navigate to W3 Total Cache by clicking on the “Performance” tab towards the bottom of your Dashboard sidebar.
  2. From the General Settings page, ensure that CDN is disabled and select “NetDNA / MaxCDN” from the dropdown menu.
  3. Navigate to the CDN Settings.
  4. Enter your API ID and Key, your CDN URL, and click “Test NetDNA”.

You should see “Test passed” in green if you’ve done everything correctly. Save your settings and then navigate back to the General Settings page. Enable the CDN by clicking the check box and saving your settings.

Power user tip #1: Configure a subdomain like cdn.yourdomain.com so we can get rid of the long MaxCDN URL. W3 Total Cache lets you configure multiple CDN subdomains, so we’ll go ahead and configure a few.

  1. Log back into MaxCDN and from the dashboard, click “Manage” next to the Pull Zone you created
  2. Click “Settings” right above the Zone Configuration
  3. You’re presented with an overview of your Pull Zone settings. The section we want is labeled Custom Domains. Click “Edit” and enter your desired subdomains
  4. Click “Update” and then navigate to your DNS control panel
  5. Create a CNAME entry for every subdomain that you entered in MaxCDN, and alias them to your MaxCDN URL
  6. Once DNS propagates, you can update W3TC with the subdomains and replace the long CDN URL with the new, custom ones

Power user tip #2: We can further improve page load speeds by using a completely different domain for the CDN, ensuring that the domain is cookie-free. So if your site is www.domain.com, you could set domain.net as the domain to use with your CDN. Note: this assumes that you own domain.net and have access to its DNS control panel.

That’s it! If you have any issues getting it working, drop us a line. If you’d like us to set this up for you, we’re happy to help.

How to configure W3 Total Cache to work with HTTPS and SSL

We’ve worked with a few sites recently that use HTTPS to secure certain parts of their site. Some of the pages are SSL protected due to the data captured (pages processing registration or financial information, for example).

When using a CDN in conjunction with HTTPS / SSL, customers often find that the CDN product they use lacks an HTTPS endpoint, or the one provided is different from the standard, non-HTTPS one.

One simple solution to this would be to force the loading of your CDN assets via HTTP like so:

[Image: How to configure W3 Total Cache to work with HTTPS and SSL]

This leads to one other issue, however…

Why don’t I see the Blue/Green Bar?

When a page and all of its assets are served over HTTPS, modern web browsers provide a visual indicator—usually in green or blue. This is designed to provide visitors with the confidence to shop or register on your site.

When your HTTPS pages are served with “mixed content” (as it sounds, this is a situation in which HTTPS and HTTP assets are both being loaded on a single page), this indicator does not appear. This could happen for any number of reasons — all beyond the scope of this article — but there’s a simple solution for addressing this with only a few short lines of code.

Disabling CDN on HTTPS pages only

W3 Total Cache ships with documentation (Performance > FAQ) that provides instructions on disabling each of the caching types. Combined with a simple PHP function and WordPress hook, we’re able to conditionally disable the CDN for pages that utilize HTTPS.

Add the following code snippet to your theme’s functions.php file:

    add_action('wp_head', 'nocdn_on_ssl_page');
    // Turn the CDN off for any page requested over HTTPS.
    function nocdn_on_ssl_page() {
        if (is_ssl() && !defined('DONOTCDN')) {
            define('DONOTCDN', true);
        }
    }

This of course assumes that you have W3 Total Cache active and that the only assets being served over HTTP are originating from your CDN (otherwise, you might need something like this). When you reload a page being served over HTTPS, you should notice that the familiar green / blue indicator appears in your address bar.
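
To check the assumption above that only CDN assets are loaded over HTTP, the following added example (not from the original post or the plugin) scans a saved copy of an HTTPS page and groups its http:// subresources by host. The function names, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches as subresources. <a href> is navigation,
# not mixed content. CSS url() and srcset are outside this check.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that load a file


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) for each http:// subresource

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            raw = attrs.get("href") if rels & LINK_RELS else None
        else:
            raw = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not raw:
            return
        # urljoin resolves relative and protocol-relative (//host/x) references
        # against the page, so those inherit https and are not reported.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Map hostname -> [(tag, url)] for http:// subresources of an https page."""
    if urlsplit(page_url).scheme != "https":
        return {}
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    by_host = {}
    for tag, url in finder.insecure:
        by_host.setdefault(urlsplit(url).hostname, []).append((tag, url))
    return by_host


def left_after_disabling_cdn(by_host, cdn_hosts):
    """Hosts that would still serve http:// assets once the CDN is switched off."""
    return sorted(set(by_host) - set(cdn_hosts))


# Constructed sample page; host names are placeholders.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.yourdomain.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.yourdomain.com/cart/">
<script src="//cdn.yourdomain.com/wp-includes/js/jquery.js"></script>
<script src="http://widgets.example.net/badge.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://cdn.yourdomain.com/wp-content/uploads/item.jpg">
<a href="http://www.yourdomain.com/">Home</a>
</body></html>
"""
```

Any host returned by `left_after_disabling_cdn` keeps the page in the mixed-content state even with the CDN disabled, so those references need their own fix.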

Note: we’ve found that MaxCDN’s SSL support and easy integration with W3 Total Cache provide a solid solution for many customers.