W3 Total Cache XSS Vulnerability – You’re Protected With Shield

By 24th September 2016 News
Shield Plugin Banner

So a few days ago ‘Zerial‘ reported a Cross-Site-Scripting vulnerability in the hugely (un)popular W3 Total Cache plugin for WordPress.

The plugin’s original author hasn’t been around much, it seems, and everyone and their cat is recommending you go and find a new caching plugin. You’d be forgiven for mistaking it for the End Times.

The problem with this “new caching plugin” solution? There are several …

  • What if W3TC works just fine for you? (It works just fine for us.)
  • What if you value your time and you don’t actually live to manage your WordPress sites?
  • What if, like many of our clients, you don’t just have 1 site to fix?  Perhaps you have 5… or even 50, 200?

Are you gonna go to each site and install/setup/configure a new caching plugin just because of this iddy-biddy vulnerability?

Well we aren’t. And if W3TC works just fine for you, we don’t recommend you do that either.

So if we’re not going to get a new caching plugin, what are our options?

Solution: Simply Block the XSS Vulnerability Altogether

We read the original report from Zerial to understand it. It seems pretty straight forward.

You have to realise that while this is a potentially serious vulnerability if you’re impacted, the chances are majorly slim that that’s going to happen. You don’t need to stress too hard about it and don’t listen to the scaremongers. But you should protect yourself and your site owners none-the-less.

What if we could just block the possibility that the XSS vulnerability ever gets a chance to run on your site?  Wouldn’t that be cool?  Wouldn’t that save you a massive ton of time?

That’s just what we’ve done.

With Shield Security v5.5.1 and the ‘Hack Protection’ module enabled (which is is by-default) you are protected against this security vulnerability. How? We just block the page from loading. Easy.

No new caching plugins; no wasted time.

DIY Solution?

Don’t worry – if your WordPress security plugin provider hasn’t bothered to supply you with this simple fix, and you don’t want to use our free Shield plugin, we wont force you.  But we still think you should ;D

Here is what you need to do on your site to solve this security problem.

    1. Open up the functions.php for your currently active theme in your favourite PHP editor
    2. Find a suitable spot for your new code – you can put it at the beginning, or at the end
    3. Copy and paste exactly the code below and now replace your functions.php on your server. (of course, make sure you backup your functions.php in-case you mess this up a little – don’t worry it happens to all of us!)
      if ( defined( 'W3TC_VERSION' ) && version_compare( W3TC_VERSION, '0.9.4.1', '<=' ) ) {
       	$sShieldW3tcPage = isset( $_GET[ 'page' ] ) ? $_GET[ 'page' ] : '';
       	if ( $sShieldW3tcPage == 'w3tc_support' ) {
       	 	wp_die( 'Access to W3 Total Cache support page is disabled due to XSS.' );
       	}
      }
    4. The Pros among you will want to wrap it up in a function, and hook it into an action, or perhaps take it out to dinner. But it doesn’t matter, it’ll work anywhere so long as it runs before the page itself gets rendered. If you put this at the beginning of your functions.php, you’ll be fine.

Thoughts? Suggestions?

We aim to try and make your WordPress management life easy. Both Shield Security and iControlWP deliver this in spades.

If we can save you time and effort, such as installing/buying a brand new caching plugin, we will. After all, it saves us time and effort too 🙂

Leave a Reply