On Christmas Eve, knowledge of a rather serious security hole for
Wordpress was released.
The security hole, or “vulnerability”, only affects users that are using the W3 Total Cache plugin for WordPress. The details can be found here (and the technical details here).
No official patch has been provided yet, even in the most up-to-date version.
To combat this, go to the wp-content directory of every WordPress
install you may have that has this plugin installed, and create a file
named .htaccess in the w3tc directory there:
[Wordpress installation directory]
+wp-content
-+w3tc
—.htaccess
and in this .htaccess file, add the lines:
Order Allow,Deny
Deny from all
This will prevent outside access to the directory containing sensitive
information. Alternatively, you may also want to configure W3TC to
disallow cache directory listings.
As always, please be sure to update any WordPress installs and plugins
you may have installed.
This is a responsibility that we have of our customers (as it’s simply not feasible for us to be in control of this), and should be a quick and easy process to do. If you are unsure of how to do this, you can follow the documentation here (we recommend the Automatic Update feature). You can find more information regarding WordPress plugins here.