W3 Total Cache

W3 Total Cache XSS Vulnerability

W3 Total Cache Beginners Guide

According to the WordPress Plugins table, W3TC (W3 Total Cache) improves the SEO and user experience of your site. Especially by increasing website performance, reducing load times through a variety of features. For example, the CDN (content delivery network) integration and the latest best practices.

To enumerate, a CDN (content delivery network) is a system of distributed servers (network). In general, that deliver pages and other Web content to a user, based on various aspects. Such as the user’s geographic locations, the origin of the webpage and the content delivery server.

Q. What is Page Cache?

Page cache is responsible for creating static cache pages for each page that is loaded, so it is not being dynamically loaded upon each page load. By having this enabled, you will significantly decrease your load time and server resources while improving performance.

As you can see normally when a user comes to the site, they see a WordPress page. PHP recognizes the call, goes to the MySQL Database which finds the page your user is looking for, then outputs it. This takes server resources. Having the page caching turned on, allows you to skip all that server load and show a cached copy.

Q. What is Browser Cache?

Every time someone visits a website, your browser downloads all the images, CSS files, JavaScripts, etc in a temporary folder to enhance the website experience. So when a user goes to the next page, the site will load much faster because all the static files are in their browser cache.

Browser Cache option in W3 Total Cache sets a time limit on the Browser Cache. Considering you don’t change your logo every day, having static files like that cached for 24 hours does not hurt you.

W3 Total Cache before being Vulnerable

Important to realize, before we discovered its vulnerability, W3 Total Cache is one of the most popular caching plugins for a WordPress site. As a matter of fact, it works out of the box by caching every element on your WordPress installation. Equally, it helps to speed up WordPress sites by up to 10 percent. But this happens only if you configure the settings properly, otherwise, it may do more bad than good.

In the first place, let’s expound more on Setting Browser Cache. “Cache” (pronounced “cash“) is a memory file that your computer can access quickly. When you visit a website, the cache remembers certain information, such as passwords and usernames. If set improperly, your computer won’t remember essential data to let you access the ETUDES webpage. Luckily, this is much easier than it may sound to a computer beginner. Just follow the easy, step-by-step instructions HERE, illustrated with screenshots to help you through the procedure.

XSS Vulnerability in WordPress W3 Total Cache Plugin

Notably, XSS (Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed. In addition, forcing a victim’s browser to execute the code provided by the attacker while loading the page.

On the contrary, a cross-site scripting vulnerability may be used by attackers to bypass access controls. Such as the same-origin policy.  In reality, cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities. This is in regards to what was documented by Symantec as of 2007. Whereby, in 2017, XSS was still considered a major threat vector.

Another key point is that XSS effects vary in range from a petty nuisance to significant security risk. Of course, depending on the sensitivity of the data handled by the vulnerable site. And also the nature of any security mitigation implemented by the site’s owner. That’s definitely not what you want your website to do, right?

WordPress sites W3 Total Cache Vulnerability Solution

In this case, we are talking about W3TC being vulnerable to an XSS flaw, high risk rated. This one should be fixed asap. With nobody maintaining the plugin, that is a huge issue for the millions of sites that use the plugin. Although W3 Total Cache has been a very popular plugin, it hasn’t been updated in over six months. To put it another way,  I may not recommend WordPress site developers to have a craving for it.

Surprisingly, with its endless installation settings, the jmexclusives website was almost inoperable with errors rising on the ground. From published post returning error 404 among other affiliated database risks.

Instead of waiting for a fix, we recommend disabling the plugin for that matter. Especially if you are experiencing some database trouble with your WordPress site. Luckily, there are more plugins you can use to optimize your site speed. And most work pretty well out-of-the-box. We have listed three-speed optimization plugins for you as alternatives for W3 Total Cache.

Major types of XSS attacks

As an example, CrossSite Scripting (XSSattacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Additionally, XSS attacks occur when an attacker uses a web application to send malicious codes. Generally, in the form of a browser side script, to a different end user.
Further, stored crosssite scripting is very dangerous for a number of reasons. Such as, the payload is not visible for the browser’s XSS filter. Whereby users might accidentally trigger the payload if they visit the affected page. At the same time, while a crafted URL or specific form inputs would be required for exploiting reflected XSS.

Below are the three major types of XSS attacks

  • Persistent XSS, where the malicious input originates from the website’s database.
  • Reflected XSS, where the malicious input originates from the victim’s request.
  • DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.

A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense, but should not be used alone to battle XSS attacks. It’s totally possible you’ll find the need to use all three methods of prevention in working towards a more secure application.

Consider these plugins as W3 Total Cache alternatives

Do you want to increase the speed of your WordPress website? Using a caching plugin on your website is one of the best ways to ensure your website loads faster. Statistically speaking, nearly half of your website’s audience expects your site to load in less than 3 seconds.

So it comes as no surprise that Google continues to emphasize site speed in its search algorithm. The higher the page speed, the better your search rankings, and the more organic traffic you can attract.

Above all, if you want your website to be safe and you are using W3TC (W3 Total Cache), I recommend you invest in WP Rocket. It’ll be worth your while. Whereby, if you don’t feel like investing that money on your website, feel free to switch. In that case, to one of the other W3 Total Cache alternatives instead!

  1. WP Rocket
    Our most-recommended speed optimization plugin. WP Rocket simply delivers speed improvement. It has a lot of options under the hood and works by simply clicking some checkboxes in their dashboard.
  2. WP Super Cache
    Made by Automattic, so it works flawlessly with WordPress. It’s a simple speed optimization plugin that helps a lot of WordPress sites. We have to add a note: it hasn’t been updated in five months as well. But all in all, it’s a nice, free WP Rocket or W3 Total Cache alternative.
  3. Comet Cache
    Formerly known as Zen Cache, formerly known as Quick Cache. If you change your name so often, you’re probably actively working on your plugin as well, right?

For your Takeaway,

Before I conclude, security on the web depends on a variety of mechanisms. Including an underlying concept of trust known as the same-origin policy. Essentially, it states that if the content from one site (such as https://josephmuciraexclusives.example1.com) is granted permission. For instance, to access resources (like cookies, etc.) on a web browser. Then again content from any URL with the same;

  • (1) URI scheme,
  • (2) hostname, and
  • (3) the port number will share these permissions.

Equally important, content from URLs where any of these three attributes are different will have to be granted permissions separately. As can be seen, XSS (cross-site scripting) is a common attack vector that injects malicious code into a vulnerable web application.

Although, cross-site scripting differs from other web attack vectors (e.g., SQL injections). Whereas, it does not directly target the application itself. Instead, the users of the web application are the ones at risk. Therefore, you need to be vigilant enough when it comes to the WordPress site cache plugins you install.

Resourceful References;

  1. The jmexclusives: Cloud Computing & Technology.
  2. Wikipedia: Cross-site scripting.
  3. WP Rocket: Pricing & Purchase.
  4. Is it Wp: 7 Best WordPress Caching Plugins Compared (2019).
  5. WpBeginner: Why we use a content delivery network (CDN) on WPBeginner.

We are pleased to have you on board! Leave your comments below.