WordPress.org

Ready to get started?Download WordPress

Forums

W3 Total Cache
[resolved] Plugin Security Check on W3 Total Cache (2 posts)

  1. Axel13
    Member
    Posted 2 years ago #

    I recently installed the WP Plugin Security Check (http://wordpress.org/extend/plugins/wp-plugin-security-check/?topic_id=22126).

    The author says the following about the plugin:

    WP Plugin Security tries to detect the bad practices and most common mistakes made by plugin developers. Of course this is almost impossible to fully check and therefor I'd like to add that it's more like an early warning system.

    Currently the plugin checks the following:

    Usage of $_SERVER['REQUEST_URI'] ( which could open your site to CSRF attacks ). However some plugins require this, especially those who facilitate 301 redirects.
    Usage of the eval() PHP function which allows users to interpret a string as PHP code
    Variable execution. Although this is somewhat common it's also a trick often used to prevent easy detection of malicious code as pointed out in this excellent post by Samuel Wood.

    On W3 Total Cache the plugin gives a red warning saying:

    $_SERVER['REQUEST_URI'] detected in w3-total-cache/inc/define.php
    Variable execution detected in w3-total-cache/inc/define.php
    eval() detected in w3-total-cache/lib/JSON.php

    W3 Total Cache is not the only famous plugin that got in the reds, but an article like this, http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache/, doesn't make me feel very comfi. I know too little about it to even have an opinion, so it'd be nice to get some opinions and wise words on the subject here. TY!

    http://wordpress.org/extend/plugins/w3-total-cache/

  2. cyonite
    Member
    Posted 2 years ago #

    Its no problem you can ignore the messages.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic