WP Super Cache and W3 Total Cache security

Posted April 25th, 2013 in Tales From the Support Team, Tech Corner. Tags: , , .

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.

However, some customers asking about this haven’t yet updated their old copies of the plugins to the latest secure versions. You should always update plugins (and themes, and WordPress itself) as soon as the WordPress dashboard suggests it. If you do, your site will usually be secure long before you read about a vulnerability elsewhere. You should also delete any inactive plugins or themes, because it’s sometimes possible for “hackers” to take advantage of security bugs in them even if they’re deactivated.

By the way, although our customers are already protected against the most common forms of this, here’s a sample mod_security rule to block comments that include these malicious snippets if you’re not one of our customers but you’re running your own server with mod_security enabled:

SecRule REQUEST_LINE "^post .*/wp-comments-post\.php" "deny,status:412,auditlog,chain"
SecRule ARGS_POST:comment "< !-+\s*(mclude|mfunc|dynamic-cached-content)"

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds