We take security quite seriously even though our focus is on making it trivial to allow any publisher to maximize the performance they can extract from their hosting environment and WordPress itself. Most recently we took a look at the steps that GoDaddy was taking in the shared hosting segment of the market.
In versions of W3 Total Cache prior to 0.9.2.5, a vulnerability exists (CVE-2012-6077, CVE-2012-6078, CVE-2012-6079) if the following two conditions are both true:
- Directory listing and download of w3tc/dbcache/ directories is possible
- W3 Total Cache has database caching enabled and is set to use disk
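If both conditions above held on a site, the practical question is whether anyone actually listed or downloaded the cache directory before it was closed off. The following is an added example, not code from W3TC or this post: it scans Apache combined-format access log lines for successful GET/HEAD requests into the database cache directory and separates directory listings from file downloads. The directory path (`/wp-content/w3tc/dbcache/`) and the log lines are assumptions constructed for the example; adjust `CACHE_DIR` to your installation.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumed location of the database cache directory relative to the site root;
# adjust to match your install (the post names the w3tc/dbcache/ directory).
CACHE_DIR = "/wp-content/w3tc/dbcache/"

# Apache "combined" format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, invented file name).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2012:10:01:02 +0000] "GET /wp-content/w3tc/dbcache/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Dec/2012:10:01:05 +0000] "GET /wp-content/w3tc/dbcache/sample_entry HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Dec/2012:10:02:11 +0000] "GET /2012/12/hello-world/ HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Dec/2012:10:03:40 +0000] "GET /wp-content/w3tc/dbcache/ HTTP/1.1" 403 199 "-" "curl/7.26.0"
192.0.2.55 - - [25/Dec/2012:10:04:01 +0000] "GET /wp-content/w3tc/dbcache/%2F?C=N;O=D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def normalize_path(target):
    """Drop query string and fragment, percent-decode, collapse repeated slashes.

    Directory-index sort parameters (?C=N;O=D) and encoded slashes would
    otherwise hide a listing request from a plain prefix comparison.
    """
    path = unquote(urlsplit(target).path)
    return re.sub(r"/+", "/", path)


def classify(path):
    """Return 'listing' for a directory index request, 'download' for a file
    inside the cache directory, or None for anything else."""
    if not path.startswith(CACHE_DIR):
        return None
    return "listing" if path.endswith("/") else "download"


def find_cache_exposure(log_text):
    """Return one record per successful (HTTP 200) read of the cache directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        status = int(m["status"])
        if status != 200:  # 403/404 means the request was refused, not an exposure
            continue
        path = normalize_path(m["target"])
        kind = classify(path)
        if kind is None:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                     "status": status, "kind": kind})
    return hits


def summarize(hits):
    """Count exposures per client address so the noisiest sources stand out."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_cache_exposure(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["kind"]:8} {h["path"]}')
    print(summarize(found))
```

Run it against a real log with `find_cache_exposure(open("access.log").read())`; any `listing` or `download` record from before the upgrade is the signal that the remediation steps (credential rotation in particular) are not optional for that site.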
This issue was resolved in release 0.9.2.5, irrespective of whether or not the first condition was true; as a result, the release some of you may have been testing as the next one was renumbered to 0.9.2.6.
For those of you who feel they were affected, here are some remediation steps:
- Empty and disable database caching until you upgrade W3TC
- Audit your administrator accounts and change their passwords; if possible, add HTTP Basic Authentication to /wp-login.php and /wp-admin/
- Update your database credentials, name (and table name offset if possible)
- Ensure that you have nightly backups of your site; if you’re not sure, contact your web host
The 0.9.2.6 release, expected within less than a week, further expands on the initial approach to securing cache files written to disk while database caching is in use, and ameliorates issues caused by the previous patch.
One might ask, why not completely remove disk caching for the database from the W3TC framework? Our goal is to make it possible for users to take control of their performance needs. That means that if they have an environment where testing shows that reading cache files from disk gives lower execution times than not caching at all, that option should remain available.
After years of scaling web sites, one thing we know for sure is that as your site grows, the techniques you use to scale it change. W3TC is ready to grow with you. With more than 140 features and fixes in the next release, the future is bright.