Are you being hacked because of the W3 Total Cache plugin vulnerability? (2016 Update)
It’s been a couple of years now (2016) since I’ve written anything about WordPress, hackers or anything else related to the internet; life often has a habit of getting in the way. However, while online in the last few days I read about a new vulnerability that has come to light, one that enables hackers to take advantage of a high-risk XSS (short for cross-site scripting) flaw. This XSS bug allows a hacker to use infected plugins to insert malicious code into a WordPress website, changing how the site is displayed. The browser is tricked into executing the inserted code while loading the page. Now this is the part where it becomes spicy, and it is what inspired me to write this blog post.
The W3 Total Cache plugin for WordPress is a common website search and performance optimization plugin used by many large online companies, including AT&T and mashable.com, to name but a few (if you want me to name any more, I’m expecting ad revenue). It has also not been updated in about six months or so, leaving it vulnerable to abuse in the process. This is the part in which I assume a pose (think Shakespeare, Hamlet, and you’re halfway there) and think about what the heck is going on with this particular WordPress plugin, and what its creator(s) will do.
Possibly nothing, to be entirely honest. Typically, when someone publishes a rebuttal to rumours that a WordPress plugin has been abandoned and subsequently does not continue to update it, the plugin can be considered ‘abandoned.’ The consequence of this, sadly, is that it affects the end user, and by the end user I mean you, AT&T or even Mashable. Although I am sure they have somebody on it already, and if not … why not? (Rhetorical question.)
Enough on them, more on you. If you find that a hacker has compromised your WordPress site through the security holes currently present in the latest version of this plugin, first off, disable the plugin or even delete it. Yes, it has its advantages and certainly improves efficiency for your WordPress pages, but with the disadvantages it now poses it’s just not worth the risk of enticing other would-be hackers to bend you over a barrel and have their wicked way with your undoubtedly precious WordPress account.
As a replacement, you’d be well advised to turn to WPRocket. This WordPress plugin offers the same functionality and easy-to-use options, and delivers a speed improvement over ‘vanilla WordPress’, covering almost all of the same ground without the W3 Total Cache drawbacks.
If you’ve been hacked due to this weakness, I’d suggest you take the following steps as well:
- Download our easy-to-use (really!) www.fixhackedwebsite.com exploit scanner
- Add this scanner to your WordPress site; it works just like any of your other plugins. Upload and activate. That is everything!
- Let us do all the work, scanning all of your WordPress files.
- We will tell you which files are compromised and can be abused further by hackers, provide a solution for any exploit problems you might have, and enable you to clean them up easily and effectively.
Should you find any of your data compromised or abused as a result of this or other vulnerabilities and be uncertain about what to do next, contact us and employ an expert to help solve the problems you might have. Then you can get back to doing what you do best: creating more content for your WordPress site or company.