Nexcess Blog

W3 Total Cache Release Fixes XSS Vulnerability And Introduces A Host Of New Features

October 12, 2016

W3 Total Cache has been the subject of much discussion over the last couple of weeks, and not for good reasons. Leading voices in the WordPress world have criticized the slow pace of updates and lack of responsiveness on the part of its developer. On top of that, a serious cross-site scripting vulnerability was recently discovered. Couple slow development with critical vulnerabilities and there are some serious questions to be asked about the continuing viability of W3 Total Cache as a project.

A new release, which fixes the XSS vulnerability and introduces a host of new features, goes some way to allaying the reasonable fears of W3 Total Cache users. In terms of functionality, W3 Total Cache is unmatched as a tool for optimizing the performance of WordPress sites. There are plenty of alternative caching plugins, many of which are easier to use, but none includes the vast range of tweakable functionality that W3 Total Cache exposes.

The new release adds to the feature list. Among the most interesting new features are support for Redis, the APCu Opcode Cache, Google Drive, Amazon S3, and memcached. A highlight is the ability to apply minification to external fonts. The changelog for version 0.95 includes a list of over 45 feature additions, and a collection of bug fixes which include the patching of the XSS vulnerability. This release also brings W3 Total Cache into full compatibility with PHP 7.

Version 0.95.1, which quickly followed and fixed a number of bugs introduced by the previous release, also included new features like support for Google’s Accelerated Mobile Pages and improved compatibility with the Jetpack plugin collection.

Because of the slow pace of development, a group of developers forked W3 Total Cache and had already implemented a number of the fixes and features that are now included in the new release of the “official version.” The fork is hosted on GitHub and isn’t in the WordPress Plugin Repository, which makes it difficult for the majority of WordPress users to install.

W3 Total Cache is an impressive achievement, and it’s hugely popular, with over a million downloads from the plugin repository. But on today’s web, that’s not enough. WordPress users have to be able to rely on plugins to be updated in a timely fashion.

The new features are great, but bundling the fix in with a tranche of feature additions, many of which weren’t well tested and resulted in broken WordPress sites, was not the best idea. Most of the problems are fixed in the point release that trailed 0.95 by a few days, but it would probably have been better to quickly push out the vulnerability fix in its own release and leave the feature additions until after they’d been tested properly.

There’s no direct replacement for all of the functionality that W3 Total Cache offers, and it remains a powerful tool for WordPress performance optimization. Hopefully, its developer will continue to actively engage with the community, react quickly to security problems, and not allow such a critical part of the WordPress ecosystem to languish for months once again.
