Security & W3 Total Cache 0.9.2.4

We take security quite seriously even though our focus is on making it trivial to allow any publisher to maximize the performance they can extract from their hosting environment and WordPress itself.  Most recently we took a look at the steps that GoDaddy was taking in the shared hosting segment of the market.

In versions of W3 Total Cache prior to 0.9.2.5, a vulnerability exists (CVE-2012-6077, CVE-2012-6078, CVE-2012-6079) if the following two conditions are both true:

  1. Directory listing and download of w3tc/dbcache/ directories is possible
  2. W3 Total Cache has database caching enabled and is set to use disk

This issue was resolved in release 0.9.2.5, irrespective of whether or not #1 was true; that pushed the next release, which some of you may have been testing, to version 0.9.2.6.

For those of you who feel they were affected, here are some remediation steps:

  • Empty and disable database caching until you upgrade W3TC
  • Audit your administrator accounts and change their passwords, potentially add HTTP Basic Authentication to /wp-login.php and /wp-admin/ if possible
  • Update your database credentials, name (and table name offset if possible)
  • Ensure that you have nightly backups of your site, if you’re not sure contact your web host
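As an added example (not the plugin's own code), the following POSIX shell audit checks a local WordPress document root for the two conditions above, an exposed w3tc/dbcache/ directory and database cache entries written to disk, and can write a protective .htaccess for Apache. The path wp-content/w3tc/dbcache and the reliance on Apache honouring .htaccess are assumptions.

```shell
# Added example, not W3 Total Cache's own code. Audits a local WordPress
# docroot for an exposed w3tc/dbcache/ directory holding cached database
# results. Assumes Apache honours .htaccess there; the path
# wp-content/w3tc/dbcache is assumed from the post's "w3tc/dbcache/".

# Exit status: 0 = directory protected, 1 = exposed, 2 = no dbcache directory.
w3tc_dbcache_status() {
    dir="$1/wp-content/w3tc/dbcache"
    [ -d "$dir" ] || return 2
    ht="$dir/.htaccess"
    if [ -f "$ht" ] \
       && grep -qi 'Options[[:space:]]*-Indexes' "$ht" \
       && grep -Eqi '^[[:space:]]*(Deny from all|Require all denied)' "$ht"; then
        return 0
    fi
    return 1
}

# Number of cached database result files on disk (everything but .htaccess).
w3tc_dbcache_entries() {
    find "$1/wp-content/w3tc/dbcache" -type f ! -name .htaccess 2>/dev/null \
        | wc -l | tr -d ' '
}

# Deny both listing and download of the directory (Apache 2.2 and 2.4 syntax).
w3tc_protect_dbcache() {
    dir="$1/wp-content/w3tc/dbcache"
    [ -d "$dir" ] || return 2
    cat > "$dir/.htaccess" <<'EOF'
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Usage: sh w3tc_dbcache_audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    rc=0; w3tc_dbcache_status "$1" || rc=$?
    case $rc in
        0) echo "dbcache: protected ($(w3tc_dbcache_entries "$1") cached entries)" ;;
        1) echo "dbcache: EXPOSED, $(w3tc_dbcache_entries "$1") cached entries readable" ;;
        *) echo "dbcache: directory not present" ;;
    esac
fi
```

Run it against the document root before and after upgrading; an "EXPOSED" result with a non-zero entry count is the case the remediation steps above are written for.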

The 0.9.2.6 release, expected within less than a week, further expands on the initial approach to securing cache files written to disk while database caching is in use, and ameliorates issues caused by the previous patch.

One might ask: why not completely remove disk caching for the database from the W3TC framework? The answer is that our goal is to make it possible for users to take control of their performance needs. If they have tested their environment and found that reading cache files from disk gives lower execution times than not caching at all, that option should remain available to them.

After years of scaling web sites, one thing we know for sure is that as your site grows, the techniques you use to scale it change. W3TC is ready to grow with you. With more than 140 features and fixes in the next release, the future is bright.

WPO & GoDaddy: How to configure W3 Total Cache and APC

APC is an opcode cache used by many sites to improve application performance. PHP is an interpreted language, and its scripts (such as the ones that comprise your WordPress site) are loaded, parsed, compiled into opcodes, and executed on every call. This process can use an inordinate amount of resources on a busy site, especially one without caching, so we need to do what we can to optimize it.

While installing APC on a dedicated server or VPS is a straightforward process, this post (the first in a series of Web Performance Optimization (WPO) posts for GoDaddy) outlines how to enable it on your GoDaddy shared web hosting account:

  1. Log into your GoDaddy account and navigate to your hosting dashboard
  2. Go to Tools > FTP File Manager
  3. Locate the php5.ini file and make a copy by clicking the checkbox, clicking on the “html” directory on the left, and entering php5.ini.backup.txt as the file name
  4. Look for a line mentioning apc.shm_size and if one doesn’t exist, add this: apc.shm_size = 64M
  5. Make sure lines beginning with zend_optimizer and zend_extension are preceded by a semicolon
  6. Save the file and then click the X in the top-right corner

And now we need to restart PHP:

  1. Navigate to your hosting dashboard again
  2. Click the “Launch” button that corresponds with the hosting account in question
  3. Under “Stats & Monitors” click “System Processes”
  4. Click “End Web” in the top
  5. This will restart the PHP process on your account and you should now be able to cache against APC in W3 Total Cache

Note that the optimal configuration depends on available memory, your theme, active plugins, and other factors. If you’d like help unlocking your site’s performance potential, place your order here and we’ll implement these best practices for you.

And if you’d like to be updated when products are updated or announced, be sure to sign up here.

W3 Total Cache Version 0.9.2.5

We recently released a security update to W3 Total Cache that addresses a vulnerability that can be exploited on misconfigured servers when database caching to disk is enabled. All users are encouraged to update.

If you see the following error after the upgrade: Fatal error: Call to undefined function w3_is_dbcluster() in /path/to/wp-content/some-file.php

This likely means that we have already configured W3 Total Cache on your site, and you were running a newer version of the plugin.

You’ll need to manually disable W3 Total Cache to restore access and reach out so we can get you sorted.