W3 Total Cache Pro Activation Patch

We recently noticed an increase in the number of customers experiencing activation issues with W3 Total Cache Pro. For those of you who don’t know, this is how it works:

Once you upgrade from the Community (free) version of W3 Total Cache to the Pro version ($99/yr subscription), you’re assigned a license key that in most cases is automatically applied. In the event that activation isn’t automatic, you simply need to paste the license key (which is sent via email and displayed in your browser at the time of purchase) in the License field on the General Settings page and save settings.

A number of customers were unsuccessful in getting the Pro version activated despite following the steps above, and our investigation has revealed that a patch is required in order to complete the activation process if you’re among those affected.

Two things before I reveal the patch:

  1. We’re happy to implement this patch for you! Just email us at w3tc-team@w3-edge.com and let us know that you need help. We’ll provide you with a secure link so you can send us WP Admin and filesystem (SSH or FTP) access. Note that both are required to implement and verify the patch, so please be sure you have both ready.
  2. This patch will be in the next release, so most people won’t have to worry about it. We don’t have an ETA we can give you for this release, but it will be available “soon” (smile).

Without further ado.

On line 117 of /w3-total-cache/lib/W3/Licensing.php, the following line:

network_admin_url('admin.php?page=w3tc_general&w3tc_licensing_check_key'))

needs to be replaced with:

wp_nonce_url(network_admin_url('admin.php?page=w3tc_general&w3tc_licensing_check_key'), 'w3tc'))

That’s it.

Please make a backup of this file before making changes if you attempt this on your own, and as always, thanks so much for using W3 Total Cache.
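
For context on what the one-line change does, here is an added example (hypothetical plugin code, not W3 Total Cache source). In WordPress, wp_nonce_url() appends a _wpnonce parameter to a link, and a handler that verifies that nonce rejects any link built without it. The "myplugin" names, page slug, query flag and transient key are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not W3 Total Cache source.
// All "myplugin" identifiers are made up for this example.

// 1. Build the admin link. wp_nonce_url() appends a _wpnonce parameter
//    tied to the current user, the action string and a time window.
function myplugin_check_key_url() {
    $url = network_admin_url('admin.php?page=myplugin_general&myplugin_check_key');
    return wp_nonce_url($url, 'myplugin');
}

// Hypothetical state change: drop the cached license status so the
// next settings page load performs a fresh check.
function myplugin_recheck_license() {
    delete_site_transient('myplugin_license_status');
}

// 2. Handle the request. The capability and the nonce are both checked
//    before anything changes, so a forged or stale link is refused.
add_action('admin_init', function () {
    if (!isset($_GET['myplugin_check_key'])) {
        return; // not our request
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    $nonce = isset($_GET['_wpnonce'])
        ? sanitize_text_field(wp_unslash($_GET['_wpnonce']))
        : '';
    // The action string must match the one passed to wp_nonce_url().
    if (!wp_verify_nonce($nonce, 'myplugin')) {
        wp_die('Link expired or invalid. Reload the settings page and try again.',
            '', array('response' => 403));
    }
    myplugin_recheck_license();
    wp_safe_redirect(network_admin_url('admin.php?page=myplugin_general'));
    exit;
});
```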

W3 Total Cache and HTTPS

As many of you know, Google has now announced HTTPS as a ranking signal.

In plain English this means that all things being equal, a site served over HTTPS will rank higher than a site served over HTTP. And don’t take “all things being equal” lightly: there are hundreds of factors that influence how well your site ranks (so there’s no need to drop everything and buy an SSL certificate). Regardless, security (as is the case with performance) is clearly a direction towards which the web is moving.

Configuring SSL is a pain, even when you know what you’re doing. The last thing we want here at W3 EDGE is to make it harder for you to run a secure website once you’ve gone through the trouble of implementing security measures.

There are a number of ways in which W3 Total Cache supports both performance and security, and we wanted to highlight a few of these capabilities below:

Page caching

  1. Caching of HTTPS pages: on the page cache settings page, you can “Cache SSL (https) requests” (uniquely) for improved performance.
  2. Page caching exceptions: Pages with customer-specific data (such as shopping cart pages and member profiles) should not be cached in most cases, and W3TC allows you to implement a page caching exception on the pages of your choice via the “Never cache the following pages” section of the page cache settings page. Usage: simply enter “cart/” to exclude that page or “cart/*” to exclude that page and all sub-pages. (Without the quotes, of course.)
  3. Pro tip: you can also use the define('DONOTCACHEPAGE', true); statement in your functions.php file to specify a page or series of pages where page caching should be disabled. Navigate to Performance > FAQ in your Dashboard for more information.
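
One way to apply the DONOTCACHEPAGE tip only to pages that carry customer-specific data, as an added example for a theme's functions.php (not code from W3 Total Cache). The page slugs are assumptions, and the example assumes the constant is read when the response is about to be stored.

```php
<?php
// Added illustration for functions.php; not W3 Total Cache code.
// The slugs below are assumptions: replace them with your own pages.

add_action('template_redirect', function () {
    // Pages that render customer-specific data (assumed slugs).
    $private_pages = array('cart', 'checkout', 'my-account');

    // Responses for signed-in users can also carry account data.
    $is_private = is_page($private_pages) || is_user_logged_in();
    if (!$is_private) {
        return; // public content: leave page caching enabled
    }

    // Tell the page cache not to store this response.
    if (!defined('DONOTCACHEPAGE')) {
        define('DONOTCACHEPAGE', true);
    }

    // Also ask browsers and intermediaries not to keep a copy.
    nocache_headers();
});
```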

Content Delivery Networks

  1. Disable CDN on SSL pages: We have a lot of customers who run ecommerce websites and secure transaction pages (/cart, etc.) with SSL. Many of these customers also integrate a Content Delivery Network on their site to improve performance, and this can break SSL pages if the CDN URLs are HTTP. W3TC has long allowed you to disable CDN on HTTPS pages with a snippet of code, but this functionality is now fully exposed through the UI. Usage: On the CDN Settings page, simply select the “Disable CDN on SSL pages” checkbox under the Advanced section.
  2. SSL Support: W3TC also supports CDNs served over HTTPS.
  3. Pro tip: to maximize the use of W3TC and your CDN on sites with both HTTP and HTTPS pages, you can define both versions of your CDN hostnames in the “Replace site’s hostname with” fields of the CDN settings page in the following format: cdn.yourdomain.com,ssl-cdn.yourdomain.com. You can see Yoast’s configuration illustrated in his excellent post on WordPress and CDNs.

CloudFlare

CloudFlare is a product that many of our customers use for securing and accelerating their sites. You can actually use CloudFlare’s Pro plan ($20/mo as of the time of this post) to serve your site over SSL without needing to purchase and configure an SSL certificate.

The latest version of W3TC ships with a CloudFlare extension to facilitate the connection between your site and the CloudFlare services. This connector is not required for CloudFlare to function of course (CloudFlare works at the DNS level), but our connector exposes a number of useful functions that allow you to make changes right from W3TC.

Fun fact: CloudFlare was originally conceived as a security product that ended up having performance benefits as a result of how it functions.

Help!

I know, this stuff can be overwhelming if you don’t have an engineering degree or if you’re just wading into these waters. You can drop us a note or order professional configuration if you need help.

Heartbleed bug and W3 Total Cache

By now, you’ve no doubt read posts from all over the web about the Heartbleed Bug. If you’ve somehow missed the news, here’s a quick overview:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Pretty scary stuff.

How it affects you

Here at W3 EDGE, we use SSL to secure credit card transactions when customers purchase a W3 Total Cache Pro license through the WordPress dashboard.

Upon learning of the bug, we upgraded OpenSSL on our servers to version 1.0.1g, which was released on Monday and contains a patch for the Heartbleed bug. No action is required on your part, and you can continue using W3 Total Cache with confidence.

Website Performance on the Edge with W3 Total Cache

For those of you that have been bothered or concerned with the notion of upgrading W3 Total Cache because new features have been problematic for you, we understand your concerns and we’re grateful to those that take the time to reach out about their challenges. As you may know, no amount of testing or known process allows us to identify issues that may occur on your site beforehand, due to all of the various hosting environments, plugins and themes that exist in the ecosystem.

So, to begin to address challenges nonetheless, the next release of W3 Total Cache includes two key new features that will allow us to iterate faster, provide maintenance updates which are not expected to break your installation (because they don’t relate to features) and also make you aware of security or best practice updates so that you can keep your site as up-to-date as WordPress itself.

Version 0.9.4 includes, among numerous new features and fixes, the following key improvements:

  1. Maintenance Updates: Now each release will notify you of the changes that have occurred to the default settings since the last update and also make it easy for you to identify best practices that will help you make your site or application faster. The notifications can be ignored or automatically applied to your settings in just a click.
  2. Edge Mode: WordPress is used in countless ways, environments and alongside various software including plugins, themes and even drop-ins. For that reason, rather than continue to fail to maintain a developer network to help us go beyond our automated testing suite (and continuous integration practices), we are rolling out edge mode.

    The key is that in the new update you will be prompted to opt in to edge mode, which will allow you to test features that have not yet been tested in a large enough % of the user base. This provides us the ability to use the typical WordPress workflow to provide updates more frequently for maintenance and also allows testers and early adopters to benefit from new features immediately as well.

    We anticipate that this change will allow us to make at least one release per month, but will be targeting one release per week.

    Again, those who have opted into edge mode would be able to preview features that are not available to users who have opted-out (the default setting).

    Pro subscribers will not be opted into the edge mode; however there will be Pro features available in edge mode periodically.

We hope that these changes will create a much better user experience and allow us to more aggressively further our mission to empower publishers and application developers to focus on their content and business rather than on web performance optimization.