A vulnerability in the W3 Total Cache plugin was revealed Christmas Eve. It’s one that site owners who use the plugin need to take seriously and get fixed. Plus, another recent report on the real speed improvements has been released and, for me, calls into question whether using such a plugin is worth the potential risk and hassle. See what I found in these two reports and more, and then decide for yourself.
The initial report of the W3 Total Cache plugin vulnerability came from Jason A. Donenfeld on SecLists.org. He said, “Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes.” He was even kind enough to provide the script to do it.
In non-geek terms, that means hackers, or anybody really, can easily run a little script and grab the cached data that contains password hashes. It’s VERY easy to crack weak hashes. In fact, there are free Web apps that do it. I’ve used them myself to recover passwords for clients.
Jason’s post was picked up and further explained by Daniel Cid on the Sucuri blog, which is very popular and brought everyone’s attention to the problem on Christmas day.
Daniel also provided more info on the fix, which is to install a new .htaccess file in the plugin’s directory to deny access. It’s easily done, if you know what you are doing.
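Here is what such a file looks like. This is an added example, not the plugin’s own file or the one from the Sucuri post, and it assumes the cache lives under wp-content/w3tc/ (check your own install before you place it):

```apache
# Added example (not from the original post or the plugin): deny all web access
# to W3 Total Cache's cache directory. Assumed path: wp-content/w3tc/ -- verify
# on your install (some versions use wp-content/cache/). Save as .htaccess there.

# Never generate a directory listing here, even if the server default allows it.
Options -Indexes

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and earlier
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Verify: a browser request for the directory's URL should now return 403 Forbidden.
```

The file is only honored on Apache when AllowOverride permits Options, Limit and AuthConfig for that path (a disallowed directive produces a 500 error rather than failing silently), so check that the site still loads afterward. nginx ignores .htaccess entirely, so on nginx hosts the same deny rule has to go in the server block.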
In the initial report, Jason suggested that the plugin itself should be creating this change, which may happen now that this security issue has been widely reported. Then again, the plugin’s page states that it is only compatible up to WordPress version 3.2.1 and hasn’t been updated since August 2011. So, don’t hold your breath, and consider hiring someone like me to fix it if you don’t know how. Better yet, consider getting rid of the plugin. Here’s why.
Is it Really Faster?
Craig Grella has a post on WPMU.org titled 2 Plugins to Put Your Site in the Fast Lane that’s going to fall into my Really? pile. He cited an Amazon study that showed a 20% traffic loss on pages that loaded a half second slower than others. He ran speed tests on his site and found that W3 Total Cache made his site load 7% faster, which equated to 300ms. That’s the time it takes to blink your eyes. I looked it up. One bar less of reception on your wi-fi will slow page load time way more than that.
Will this Work for You?
If you’re Amazon and you have billions of visitors to billions of pages then that revenue loss adds up. But think about it. Amazon is a store that delivers tons of static content per page. If that’s the type of site you run, the W3 Total Cache plugin is going to do you no good. You need to be on a dedicated server and/or using a CDN, which is a cloud service to store and deliver your static content, and a different type of plugin like WP Minify, or some other similar combination.
Setup is Key
I also belong to a few WordPress groups and caching plugins are one of the topics that come up frequently. The number one comment about W3 Total Cache is that it has to be set up properly for your hosting, because each host provider handles caching differently. In fact, WP Engine, one of the premier WordPress hosts, doesn’t even allow caching plugins because they do all of that for you at the server level.
Here’s the truth about caching plugins like W3 Total Cache.
Just because a host service like HostGator recommends W3 Total Cache doesn’t mean that the plugin works correctly out of the box. You have to follow their setup recommendations to the letter.
What W3 Total Cache and other such plugins really do is not speed up page load times directly. They decrease server load. That indirectly improves page load time, but by a minuscule amount per page. The real measurable effect is on the server overall. That is why hosts recommend these plugins. A faster server means faster page loads for everyone on that server.
Another complaint about caching plugins is that you can’t see changes you are making to a page in real time. That drives site owners so crazy that W3 even includes a link you can click in the admin bar to turn the thing off so you can see your edits. The trick, of course, is to remember to turn it back on.
Stop chasing every shiny thing that is recommended and ensure that it is a good fit for your site first.
I don’t use a caching plugin on BlogAid. Most of my clients don’t either. They are more trouble than they are worth in my opinion. There is simply not enough speed difference in site load time to matter.
However, I have found plenty of other things to fix on sites that do significantly affect load time, like other slow plugins. Caching won’t fix that. Getting a better plugin, or simply finding another way to do whatever it was doing, does fix the problem.
There’s a little plugin called P3 (Plugin Performance Profiler) that will tell you what plugins are slowing down your page loads. And you can delete it after you use it.
Graphics are another speed killer. If you have a graphic-heavy site, consider CDN or other cloud storage options to deliver those. I use Amazon S3 to store and deliver over 50 videos to the BlogAid Video Library. Works like a charm.
Get it Fixed
If you want to use W3 Total Cache and want the .htaccess file fix, but don’t feel comfortable poking around in your core host files, contact me.
If you want to have your whole site checked for security vulnerabilities, I can do that too. Get a 20 Point Site Inspection and tune up. It’s live and you see what I see. Takes 30 minutes and you get a written report immediately afterward.
If you use W3 Total Cache, and I have done such a site inspection on your site, and have already secured your files, contact me and I’ll add this new security patch for free.
Do you use the W3 Total Cache plugin or something similar? Does it really help? How do you know? Have you had any issues with it? I expect that I’ll draw some fire for this post, especially from the WordPress groups I belong to. I’m hoping you’ll consider leaving your comment here on the blog for everyone to read and reply to. It’s a conversation worth having and hearing about from all angles.