WP Super Cache and W3 Total Cache security

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.

However, some customers asking about this haven’t yet updated their old copies of the plugins to the latest secure versions. You should always update plugins (and themes, and WordPress itself) as soon as the WordPress dashboard suggests it. If you do, your site will usually be secure long before you read about a vulnerability elsewhere. You should also delete any inactive plugins or themes, because it’s sometimes possible for “hackers” to take advantage of security bugs in them even if they’re deactivated.

By the way, although our customers are already protected against the most common forms of this, here’s a sample mod_security rule that blocks comment submissions containing these malicious snippets. It’s for people who aren’t our customers but run their own server with mod_security enabled:

# Chained rule: the request is denied (HTTP 412) only when BOTH rules match,
# i.e. a POST to wp-comments-post.php whose "comment" field carries a
# WP Super Cache / W3 Total Cache directive opener such as <!--mfunc.
# t:lowercase makes the match case-insensitive regardless of your SecDefaultAction;
# phase:2 is needed because ARGS_POST is only available after the body is read;
# the id is required by ModSecurity 2.7+ and is an arbitrary local value here.
SecRule REQUEST_LINE "^post .*/wp-comments-post\.php" "id:1000001,phase:2,deny,status:412,auditlog,t:lowercase,chain"
SecRule ARGS_POST:comment "<!-+\s*(mclude|mfunc|dynamic-cached-content)" "t:lowercase"
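The following Python is an added example, not part of the original post or of either plugin. It ports the chained rule above so you can see exactly which requests it denies, and reuses the same pattern to scan comments already stored in the database, which the mod_security rule alone never inspects. The sample comments are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Same patterns as the mod_security rule; input is lowercased first to mirror t:lowercase.
REQUEST_LINE_RE = re.compile(r"^post .*/wp-comments-post\.php")
CACHE_DIRECTIVE_RE = re.compile(r"<!-+\s*(mclude|mfunc|dynamic-cached-content)")


def comment_has_cache_directive(comment: str) -> bool:
    """True if the comment body opens a WP Super Cache / W3 Total Cache directive."""
    # Lowercasing catches mixed-case variants such as "<!--MFUNC" too.
    return CACHE_DIRECTIVE_RE.search(comment.lower()) is not None


def modsecurity_would_deny(request_line: str, post_args: Dict[str, str]) -> Optional[int]:
    """Emulate the chain: return 412 if the request would be denied, else None."""
    if not REQUEST_LINE_RE.search(request_line.lower()):
        return None  # first rule fails, so the chain stops and the request passes
    if comment_has_cache_directive(post_args.get("comment", "")):
        return 412  # both rules matched: the disruptive action on rule 1 fires
    return None


def find_tainted_comments(comments: List[Tuple[int, str]]) -> List[int]:
    """Return the ids of stored comments (e.g. rows exported from wp_comments)
    that carry the directive. The mod_security rule only stops new submissions;
    anything that reached the database before the rule was deployed needs this pass."""
    return [cid for cid, body in comments if comment_has_cache_directive(body)]


# Constructed sample data, not real site traffic.
SAMPLE_COMMENTS = [
    (1, "Great article, thanks!"),
    (2, "<!--mfunc some_code(); --><!--/mfunc-->"),
    (3, "nice post <!-- dynamic-cached-content --> more text"),
    (4, "talking about <!--MCLUDE something--> in uppercase"),
    (5, "an ordinary <!-- html comment --> is fine"),
]

if __name__ == "__main__":
    print(modsecurity_would_deny("POST /wp-comments-post.php HTTP/1.1",
                                 {"comment": SAMPLE_COMMENTS[1][1]}))  # 412
    print(modsecurity_would_deny("GET /wp-comments-post.php HTTP/1.1",
                                 {"comment": SAMPLE_COMMENTS[1][1]}))  # None
    print(find_tainted_comments(SAMPLE_COMMENTS))  # [2, 3, 4]
```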