
Vulnerability in W3 Total Cache v0.9.2.4

W3 Total Cache

Easy Web Performance Optimization (WPO) using caching: browser, page, object, database, minify and content delivery network support.

  1. Deactivate and uninstall any other caching plugin you may be using. Pay special attention if you have customized the rewrite rules for fancy permalinks, have previously installed a caching plugin or have any browser caching rules as W3TC will automate management of all best practices. Also make sure wp-content/ and wp-content/uploads/ (temporarily) have 777 permissions before proceeding, e.g. in the terminal: # chmod 777 /var/www/vhosts/domain.com/httpdocs/wp-content/ using your web hosting control panel or your FTP / SSH account.
  2. Login as an administrator to your WordPress Admin account. Using the "Add New" menu option under the "Plugins" section of the navigation, you can either search for: w3 total cache or if you've downloaded the plugin already, click the "Upload" link, find the .zip file you download and then click "Install Now". Or you can unzip and FTP upload the plugin to your plugins directory (wp-content/plugins/). In either case, when done wp-content/plugins/w3-total-cache/ should exist.
  3. Locate and activate the plugin on the "Plugins" page. Page caching will automatically be running in basic mode. Set the permissions of wp-content and wp-content/uploads back to 755, e.g. in the terminal: # chmod 755 /var/www/vhosts/domain.com/httpdocs/wp-content/.
  4. Now click the "Settings" link to proceed to the "General Settings" tab; in most cases, "disk enhanced" mode for page cache is a "good" starting point.
  5. The "Compatibility Mode" option found in the advanced section of the "Page Cache Settings" tab enables functionality that optimizes the interoperability of caching with WordPress; it is disabled by default, but highly recommended. Years of testing in hundreds of thousands of installations have helped us learn how to make caching behave well with WordPress. The tradeoff is that disk enhanced page cache performance under load tests will be decreased by ~20% at scale.
  6. Recommended: On the "Minify Settings" tab, all of the recommended settings are preset. If auto mode causes issues with your web site's layout, switch to manual mode and use the help button to simplify discovery of your CSS and JS files and groups. Pay close attention to the method and location of your JS group embeddings. See the plugin's FAQ for more information on usage.
  7. Recommended: On the "Browser Cache" tab, HTTP compression is enabled by default. Make sure to enable other options to suit your goals.
  8. Recommended: If you already have a content delivery network (CDN) provider, proceed to the "Content Delivery Network" tab and populate the fields and set your preferences. If you do not use the Media Library, you will need to import your images etc into the default locations. Use the Media Library Import Tool on the "Content Delivery Network" tab to perform this task. If you do not have a CDN provider, you can still improve your site's performance using the "Self-hosted" method. On your own server, create a subdomain and matching DNS Zone record; e.g. static.domain.com and configure FTP options on the "Content Delivery Network" tab accordingly. Be sure to FTP upload the appropriate files, using the available upload buttons.
  9. Optional: On the "Database Cache" tab, the recommended settings are preset. If using a shared hosting account use the "disk" method with caution, the response time of the disk may not be fast enough, so this option is disabled by default. Try object caching instead for shared hosting.
  10. Optional: On the "Object Cache" tab, all of the recommended settings are preset. If using a shared hosting account use the "disk" method with caution, the response time of the disk may not be fast enough, so this option is disabled by default. Test this option with and without database cache to ensure that it provides a performance increase.
  11. Optional: On the "User Agent Groups" tab, specify any user agents, like mobile phones if a mobile theme is used.

0.9.4

  • Fixed undefined w3tc_button_link
  • Fixed support and other form submissions
  • Fixed extension enabled key error
  • Fixed Test CDN errors
  • Fixed trailing slashes in custom wp content path and Minify
  • Fixed WP_PLUGIN_DIR not being available when object-cache.php is loaded and W3TC constant not set
  • Fixed Minify Auto and restructuring of JS code placement on page
  • Fixed remove / replace drop in file on plugins page
  • Fixed false positive check for legacy code
  • Fixed deprecated wpdb escape
  • Fixed Fragment Caching and APC anomalies
  • Fixed cached configs causing 500 error on interrupted file writes
  • Fixed readfile errors on servers with the functionality disabled
  • Fixed false positives for license key verification
  • Fixed debug information not printed on cached pages
  • Fixed backwards compatibility and flushing and added doing it wrong notification
  • Fixed "Prevent caching of objects after settings change"
  • Fixed "Use late init" being shown as enabled with Disc:Enhanced
  • Fixed missing param in APC cache method declaration
  • Fixed user roles property not being an array
  • Fixed adding empty Vary header
  • Fixed notice on failed upgrade licencing check
  • Fixed Database Cache description text
  • Fixed duplicate bb10 agents
  • Fixed settings link in Minify Auto notification
  • Fixed notice with undefined constant
  • Fixed nginx configuration and Referrer, User Groups setting
  • Fixed Genesis settings and Suhosin field name limit error
  • Fixed Genesis and Fragment Caching (caching categories etc)
  • Fixed CDN being enabled when creating NetDNA/MaxCDN pullzone
  • Fixed NewRelic related notice in compatibility popup
  • Fixed trailing slash issue in filename to url conversion
  • Fixed issue with wp in subdirectory and relative Minimal Manual urls
  • Fixed issue with widget styling
  • Fixed issue with Purge All button action
  • Fixed issue with exporting of settings
  • Fixed issue with plugin interfering with preview theme
  • Fixed issue with malformed config files
  • Added caching of list of posts pages (tags, categories etc) to Genesis extension along with flush it checkbox
  • Added typecasting on expiration time in object cache drop-in
  • Added capability check for save options
  • Added FeedBurner extension
  • Added woff support to Browser Cache
  • Added new CloudFlare IPs
  • Added support for WordPress defined charset and collate in CDN queue table creation
  • Added WordPress SEO by Yoast extension
  • Added *.less to CDN theme uploads and MIME
  • Added default settings for MaxCDN Pull Zone creation
  • Added call to change MaxCDN canonical header setting to match plugin setting
  • Added one button default pull zone creation to MaxCDN without refresh
  • Added MaxCDN authorization validation
  • Added whitelist IPs notification for MaxCDN
  • Added support for use of existing zones without refresh
  • Added new mime types
  • Added support for separate domains for frontend and admin backend
  • Added CloudFlare as an extension
  • Added nofollow to blogroll links
  • Added DEV mode support to PRO version
  • Added EDGE MODE functionality
  • Improved wrapper functions in plugins.php for plugin / theme authors
  • Improved reliability of NetDNA / MaxCDN API calls by using WP HTTP and not cURL
  • Improved Fragment Caching debug information
  • Improved preview mode, removed query string requirement
  • Improved FAQ structure
  • Improved empty minify/pgcache cache notification when using CDN
  • Improved default settings for MaxCDN zone creation
  • Improved CDN queue performance
  • Improved blogmap url sanitation
  • Improved MaxCDN automatic zone creation process
  • Improved license key saving and Pro mode activation on Pro license purchases
  • Updated EDGE MODE: Full site mirroring support for MaxCDN
  • Updated translations

0.9.3

  • Added support for extensions
  • Added support for WordPress SEO image filter and CDN
  • Added file exclusions for media query string logic
  • Added user agents to user agents groups
  • Added CDN FTP path / host test
  • Fixed object cache and database cache for localization plugins
  • Fixed Chinese filenames when using CDN
  • Fixed removal of stale cached files
  • Fixed missing slashes in inline HTML, JS and CSS files when using CDN
  • Fixed auto mode of minify filename length test
  • Fixed NetDNA / MaxCDN testing when domain does not match domain zone settings
  • Fixed CurlException and NetDNA / MaxCDN
  • Fixed pull zone dropdown not showing or showing wrong zone
  • Fixed trailing slash and redirect with apache
  • Fixed false notification for page cache rules verification
  • Fixed duplicate notifications for FTP
  • Fixed empty FTP form
  • Fixed add-in file validation
  • Fixed browser cache headers for proxy cases
  • Fixed wrong slash in Minify filepaths on Windows based sites
  • Fixed settings link in minify test failure and multisite
  • Fixed missing param in canonical link generation
  • Fixed PHP 5.2 compatibility
  • Fixed handling of minify in preview mode
  • Fixed order of operation issue on install tab for nginx
  • Fixed translatable strings handling
  • Fixed page cache debug mode issues
  • Fixed home URL handling in multisite
  • Fixed manual minify mode and path based file source for sub-directory installations
  • Fixed path not set in disk enhanced caching
  • Fixed page cache rewrite rule detection
  • Improved security with esc_* usage
  • Improved backend performance with extensive refactoring

Why does speed matter?

Speed is among the most significant success factors web sites face. In fact, your site's speed directly affects your income (revenue) — it's a fact. Some high traffic sites conducted research and uncovered the following:

  • Google.com: +500 ms (speed decrease) -> -20% traffic loss [1]
  • Yahoo.com: +400 ms (speed decrease) -> -5-9% full-page traffic loss (visitor left before the page finished loading) [2]
  • Amazon.com: +100 ms (speed decrease) -> -1% sales loss [1]

A thousandth of a second is not a long time, yet the impact is quite significant. Even if you're not a large company (or just hope to become one), a loss is still a loss. However, there is a solution to this problem; take advantage of it.

Search engines like Google measure and factor in the speed of web sites in their ranking algorithm. When they recommend a site they want to make sure users find what they're looking for quickly. So in effect you and Google should have the same objective.

Many of the other consequences of poor performance were discovered more than a decade ago:

  • Lower perceived credibility (Fogg et al. 2001)
  • Lower perceived quality (Bouch, Kuchinsky, and Bhatti 2000)
  • Increased user frustration (Ceaparu et al. 2004)
  • Increased blood pressure (Scheirer et al. 2002)
  • Reduced flow rates (Novak, Hoffman, and Yung 200)
  • Reduced conversion rates (Akamai 2007)
  • Increased exit rates (Nielsen 2000)
  • Are perceived as less interesting (Ramsay, Barbesi, and Preece 1998)
  • Are perceived as less attractive (Skadberg and Kimmel 2004)

There are a number of resources that have been documenting the role of performance in success on the web, W3 Total Cache exists to give you a framework to tune your application or site without having to do years of research.

Why is W3 Total Cache better than other cache plugins?

It's a complete framework. Most cache plugins available do a great job at achieving a couple of performance aims. Our plugin remedies numerous performance reducing aspects of any web site going far beyond merely reducing CPU usage (load) and bandwidth consumption for HTML pages alone. Equally important, the plugin requires no theme modifications, modifications to your .htaccess (mod_rewrite rules) or programming compromises to get started. Most importantly, it's the only plugin designed to optimize all practical hosting environments small or large. The options are many and setup is easy.

I've never heard of any of this stuff; my site is fine, no one complains about the speed. Why should I install this?

Rarely do readers take the time to complain. They typically just stop browsing earlier than you'd prefer and may not return altogether. This is the only plugin specifically designed to make sure that all aspects of your site are as fast as possible. Google is placing more emphasis on the speed of a site as a factor in rankings; this plugin helps with that too.

It's in every web site owner's best interest to make sure that the performance of their site is not hindering its success.

Which WordPress versions are supported?

To use all features in the suite, a minimum of WordPress version 2.8 with PHP 5 is required. Earlier versions will benefit from our Media Library Importer to get them back on the upgrade path and into a CDN of their choosing.

Why doesn't minify work for me?

Great question. W3 Total Cache uses several open source tools to attempt to combine and optimize CSS, JavaScript and HTML etc. Unfortunately some trial and error is required on the part of developers to make sure that their code can be successfully minified with the various libraries W3 Total Cache supports. Even if developers do test their code thoroughly, they cannot be sure of interoperability with other code your site may have. This fault does not lie with any single party here: because there are thousands of plugins and theme combinations that a given site can have, there are millions of possible combinations of CSS, JavaScript etc.

A good rule of thumb is to try auto mode, work with a developer to identify the code that is not compatible and start with combine only mode (the safest optimization) and increase the optimization to the point just before functionality (JavaScript) or user interface / layout (CSS) breaks in your site.

We're always working to make this more simple and straight forward in future releases, but this is not an undertaking we can realize on our own. When you find a plugin, theme or file that is not compatible with minification reach out to the developer and ask them either to provide a minified version with their distribution or otherwise make sure their code is minification-friendly.

Who do you recommend as a CDN (Content Delivery Network) provider?

That depends on how you use your site and where most of your readers read your site (regionally). Here's a short list:

What about comments? Does the plugin slow down the rate at which comments appear?

On the contrary, as with any other action a user can perform on a site, faster performance will encourage more of it. The cache is so quickly rebuilt in memory that it's no trouble to show visitors the most current version of a post that's experiencing Digg, Slashdot, Drudge Report, Yahoo Buzz or Twitter effect.

Will the plugin interfere with other plugins or widgets?

No, on the contrary if you use the minify settings you will improve their performance by several times.

Does this plugin work with WordPress in network mode?

Indeed it does.

Does this plugin work with BuddyPress (bbPress)?

Yes.

Will this plugin speed up WP Admin?

Yes, indirectly - if you have a lot of bloggers working with you, you will find that it feels like you have a server dedicated only to WP Admin once this plugin is enabled; the result, increased productivity.

Which web servers do you support?

We are aware of no incompatibilities with Apache 1.3+, IIS 5+ or LiteSpeed 4.0.2+. If there's a web server you feel we should be actively testing (e.g. lighttpd), we're interested in hearing.

Is this plugin server cluster and load balancer friendly?

Yes, built from the ground up with scale and current hosting paradigms in mind.

What is the purpose of the "Media Library Import" tool and how do I use it?

The media library import tool is for old or "messy" WordPress installations that have attachments (images etc in posts or pages) scattered about the web server or "hot linked" to 3rd party sites instead of properly using the media library.

The tool will scan your posts and pages for the cases above and copy them to your media library, update your posts to use the new link addresses and produce a .htaccess file containing the list of permanent redirects, so search engines can find the files in their new location.

You should backup your database before performing this operation.

How do I find the JS and CSS to optimize (minify) them with this plugin?

Use the "Help" button available on the Minify settings tab. Once open, the tool will look for and populate the CSS and JS files used in each template of the site for the active theme. To then add a file to the minify settings, click the checkbox next to that file. The embed location of JS files can also be specified to improve page render performance. Minify settings for all installed themes can be managed from the tool as well by selecting the theme from the drop down menu. Once done configuring minify settings, click the apply and close button, then save settings in the Minify settings tab.

I don't understand what a CDN has to do with caching, that's completely different, no?

Technically no, a CDN is a high performance cache that stores static assets (your theme files, media library etc) in various locations throughout the world in order to provide low latency access to them by readers in those regions.

What if I don't want to work with a CDN right now, is there any other use for this feature?

Yes! You can take advantage of the pipelining support in some browsers by creating a sub-domain for the static content for your site. So you could select the "Origin Push / Self-hosted" method of the General Settings tab. Create static.domain.com on your server (and update your DNS zone) and then specify the FTP details for it in the plugin configuration panel and you're done. If you disable the scripting options on your server you'll find that your server will actually respond slightly faster from that sub-domain because it's just sending files and not processing them.

How do I use an Origin Pull (Mirror) CDN?

Login to your CDN provider's control panel or account management area. Following any set up steps they provide, create a new "pull zone" or "bucket" for your site's domain name. If there's a set up wizard or any troubleshooting tips your provider offers, be sure to review them. In the CDN tab of the plugin, enter the hostname your CDN provider provided in the "replace site's hostname with" field. You should always do a quick check by opening a test file from the CDN hostname, e.g. http://cdn.domain.com/favicon.ico. Troubleshoot with your CDN provider until this test is successful.

Now go to the General tab and click the checkbox and save the settings to enable CDN functionality and empty the cache for the changes to take effect.

How do I configure Amazon Simple Storage Service (Amazon S3) or Amazon CloudFront as my CDN?

First create an S3 account; it may take several hours for your account credentials to be functional. Next, you need to obtain your "Access key ID" and "Secret key" from the "Access Credentials" section of the "Security Credentials" page of "My Account." Make sure the status is "active." Next, make sure that "Amazon Simple Storage Service (Amazon S3)" is the selected "CDN type" on the "General Settings" tab, then save the changes. Now on the "Content Delivery Network Settings" tab enter your "Access key," "Secret key" and enter a name (avoid special characters and spaces) for your bucket in the "Create a bucket" field by clicking the button of the same name. If using an existing bucket simply specify the bucket name in the "Bucket" field. Click the "Test S3 Upload" button and make sure that the test is successful, if not check your settings and try again. Save your settings.

Unless you wish to use CloudFront, you're almost done (skip to the next paragraph if you are using CloudFront). Go to the "General Settings" tab and click the "Enable" checkbox and save the settings to enable CDN functionality. Empty the cache for the changes to take effect. If preview mode is active you will need to "deploy" your changes for them to take effect.

To use CloudFront, perform all of the steps above, except select the "Amazon CloudFront" "CDN type" in the "Content Delivery Network" section of the "General Settings" tab. When creating a new bucket, the distribution ID will automatically be populated. Otherwise, proceed to the AWS Management Console and create a new distribution: select the S3 Bucket you created earlier as the "Origin," enter a CNAME if you wish to add one or more to your DNS Zone. Make sure that "Distribution Status" is enabled and "State" is deployed. Now on "Content Delivery Network" tab of the plugin, copy the subdomain found in the AWS Management Console and enter the CNAME used for the distribution in the "CNAME" field.

You may optionally specify up to 10 hostnames to use rather than the default hostname; doing so will improve the render performance of your site's pages. Additional hostnames should also be specified in the settings for the distribution you're using in the AWS Management Console.

Now go to the General tab and click the "Enable" checkbox and save the settings to enable CDN functionality and empty the cache for the changes to take effect. If preview mode is active you will need to "deploy" your changes for them to take effect.

How do I configure Rackspace Cloud Files as my CDN?

First create an account. Next, in the "Content Delivery Network" section of the "General Settings" tab, select Rackspace Cloud Files as the "CDN Type." Now, in the "Configuration" section of the "Content Delivery Network" tab, enter the "Username" and "API key" associated with your account (found in the API Access section of the Rackspace Cloud control panel) in the respective fields. Next enter a name for the container to use (avoid special characters and spaces). If the operation is successful, the container's ID will automatically appear in the "Replace site's hostname with" field. You may optionally specify the container name and container ID of an existing container if you wish. Click the "Test Cloud Files Upload" button and make sure that the test is successful; if not, check your settings and try again. Save your settings. You're now ready to export your media library, theme and any other files to the CDN.

You may optionally specify up to 10 hostnames to use rather than the default hostname; doing so will improve the render performance of your site's pages.

Now go to the General tab and click the "Enable" checkbox and save the settings to enable CDN functionality and empty the cache for the changes to take effect. If preview mode is active you will need to "deploy" your changes for them to take effect.

My YSlow score is low because it doesn't recognize my CDN, what can I do?

Rule 2 says to use a content delivery network (CDN). The score for this rule is computed by checking the hostname of each component against the list of known CDNs. Unfortunately, the list of "known CDNs" is the one used by Yahoo!. Most likely these are not relevant to your web site, except for potentially yui.yahooapis.com. If you want an accurate score for your web site, you can add your CDN hostnames to YSlow using Firefox's preferences. Here are the steps to follow:

  • Go to about:config in Firefox. You'll see the current list of preferences.
  • Right-click in the window and choose New and String to create a new string preference.
  • Enter extensions.yslow.cdnHostnames for the preference name.
  • For the string value, enter the hostname of your CDN, for example, mycdn.com. Do not use quotes. If you have multiple CDN hostnames, separate them with commas.

If you specify CDN hostnames in your preferences, they'll be shown under the details for Rule 2 in the Performance view.

What is the purpose of the "modify attachment URLs" button?

If the domain name of your site has changed, this tool is useful in updating your posts and pages to use the current addresses. For example, if your site used to be http://www.domain.com, and you decided to change it to domain.com, the result would either be many "broken" images or many unnecessary redirects (which slow down the visitor's browsing experience). You can use this tool to correct this and similar cases. Correcting the URLs of your images also allows the plugin to do a better job of determining which images are actually hosted with the CDN.

As always, it never hurts to back up your database first.

Is this plugin compatible with TDO Mini Forms?

Captcha and recaptcha will work fine, however you will need to prevent any pages with forms from being cached. Add the page's URI to the "Never cache the following pages" box on the Page Cache Settings tab.

Is this plugin compatible with GD Star Rating?

Yes. Follow these steps:

  1. Enable dynamic loading of ratings by checking GD Star Rating -> Settings -> Features "Cache support option"
  2. If the Database Cache is enabled in W3 Total Cache, add wp_gdsr to the "Ignored query stems" field in the Database Cache settings tab; otherwise ratings will not update after voting
  3. Empty all caches

I see garbage characters instead of the normal web site, what's going on here?

If a theme or its files call php_flush() or flush(), that will interfere with the plugin's normal operation, making the plugin send cached files before essential operations have finished. The flush() call is no longer necessary and should be removed.

How do I cache only the home page?

Add /.+ to page cache "Never cache the following pages" option on the page cache settings tab.

I'm getting blank pages or 500 error codes when trying to upgrade on WordPress in network mode

First, make sure the plugin is not active (disabled) network-wide. Then make sure it's deactivated network-wide. Now you should be able to successfully upgrade without breaking your site.

A notification about file owner appears along with an FTP form, how can I resolve this?

The plugin uses the WordPress FileSystem functionality to write to files. It checks whether the file owner and file owner group of created files match the process owner. If this is not the case it cannot write or modify files.

Typically, you should tell your web host about the permission issue and they should be able to resolve it.

You can however try adding define('FS_METHOD', 'direct'); to wp-config.php to circumvent the file and folder checks.

This is too good to be true, how can I test the results?

You will be able to see it instantly on each page load, but for tangible metrics, consider the following tools:

I don't have time to deal with this, but I know I need it. Will you help me?

Yes! Please reach out to us and we'll get you acclimated so you can "set it and forget it."

Install the plugin to read the full FAQ on the plugin's FAQ tab.


Introduction

Recommended by web hosts such as MediaTemple, Host Gator, Page.ly, WP Engine and many more. Trusted by countless sites such as stevesouders.com, mattcutts.com, mashable.com, smashingmagazine.com, makeuseof.com, yoast.com, kiss925.com, pearsonified.com, lockergnome.com, johnchow.com, ilovetypography.com, webdesignerdepot.com, css-tricks.com and tens of thousands of others. 3316226 downloads ... I am talking about the WordPress plugin "W3 Total Cache".

Today

This famous "W3 Total Cache" plugin has just suffered a "Total Fail". A flaw has just been discovered that allows reading the contents of cached queries, and therefore finding login/password pairs (hashed), for example. This flaw, called "Full Disclosure", looks almost like an SQL injection but is not one. However, since the flaw allows reading every query made on your site, it already gives attackers far too much information.

Tomorrow

No official patch has been released, but a script exists and is circulating among attackers; you could become a target tomorrow. However, attackers need to supply your database prefix for their malicious script to work; I hope for your sake that it is not "wp_", because that is the prefix that will be tried first in their attacks.

So here are 3 solutions to patch it in the meantime:

  1. Quickly change the prefix of your installation with the "WP Security Scan" plugin, which does it safely in a few clicks,
  2. Disable the "disk cache" and empty the contents of /wp-content/w3tc/dbcache/,
  3. Add a ".htaccess" file in /wp-content/w3tc/dbcache/ containing "deny from all", even if you already have a .htaccess at the root with "Options -Indexes"
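As an added example (not part of the original post and not code from W3 Total Cache), the following POSIX shell script carries out the interim mitigations above on a WordPress root given as its first argument: it writes the "deny from all" .htaccess into wp-content/w3tc/dbcache/ (solution 3), removes the cached query results already sitting in that directory (the second half of solution 2), and reports whether wp-config.php still uses the default "wp_" table prefix that the post says will be tried first (the precondition behind solution 1). It assumes an Apache host that honours .htaccess, a wp-config.php that sets $table_prefix on a single line, and GNU or BSD find; every function name is hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example; not part of the original post nor of W3 Total Cache.
# Assumptions: Apache honours .htaccess (nginx ignores it), wp-config.php
# sets $table_prefix on one line, and find supports -mindepth/-delete.
# All function names are hypothetical.

# Path of the W3TC database cache directory under a WordPress root.
w3tc_dbcache_dir() {
    printf '%s/wp-content/w3tc/dbcache\n' "$1"
}

# Return 0 when the dbcache directory already carries a "deny from all".
dbcache_is_protected() {
    grep -qi 'deny from all' "$(w3tc_dbcache_dir "$1")/.htaccess" 2>/dev/null
}

# Solution 3: write a .htaccess that denies every web request to the
# directory (Apache 2.2 syntax, matching the directive quoted in the post).
# Prints the path of the .htaccess file.
harden_w3tc_dbcache() {
    dir="$(w3tc_dbcache_dir "$1")"
    mkdir -p "$dir" || return 1
    if ! dbcache_is_protected "$1"; then
        printf 'Order deny,allow\nDeny from all\n' > "$dir/.htaccess"
    fi
    printf '%s\n' "$dir/.htaccess"
}

# Solution 2 (second half): remove cached query results already on disk,
# keeping only the protective .htaccess.
purge_w3tc_dbcache() {
    dir="$(w3tc_dbcache_dir "$1")"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 ! -name .htaccess -delete
}

# Number of cached entries (files and subdirectories other than .htaccess).
dbcache_entry_count() {
    dir="$(w3tc_dbcache_dir "$1")"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -mindepth 1 ! -name .htaccess | wc -l | tr -d ' '
}

# Print the $table_prefix set in wp-config.php (single or double quotes).
wp_table_prefix() {
    q="['\"]"
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*${q}\([^'\"]*\)${q}.*/\1/p" \
        "$1/wp-config.php" | head -n 1
}

# Return 0 if the installation still uses the default "wp_" prefix, the
# one the post says attackers will try first (solution 1 applies).
uses_default_prefix() {
    [ "$(wp_table_prefix "$1")" = "wp_" ]
}

# Demo on a constructed, throwaway WordPress tree (not a real site).
demo_root="$(mktemp -d)"
mkdir -p "$(w3tc_dbcache_dir "$demo_root")/sub"
echo 'constructed cached query result' > "$(w3tc_dbcache_dir "$demo_root")/sub/entry.php"
cat > "$demo_root/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF

uses_default_prefix "$demo_root" && echo "WARNING: default wp_ prefix in use (see solution 1)"
echo "cached entries before purge: $(dbcache_entry_count "$demo_root")"
purge_w3tc_dbcache "$demo_root"
echo "cached entries after purge:  $(dbcache_entry_count "$demo_root")"
harden_w3tc_dbcache "$demo_root"
dbcache_is_protected "$demo_root" && echo "dbcache directory now denies web access"
rm -rf "$demo_root"
```

Run it as `sh harden-w3tc.sh /var/www/vhosts/domain.com/httpdocs` (a constructed path). Two caveats for the defender: nginx never reads .htaccess, so there the equivalent is a `location` block denying access to the same directory in the server configuration; and a purge only clears what is on disk at that moment, so the cache should be disabled (solution 2) or the plugin updated before entries are written again.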

Edit of 30 Dec 2012

The plugin was updated last night; version 0.9.2.5 fixes the flaw.


About Julio Potier

Security consultant & WordPress expert, I develop and secure web content every day. Creating WordPress plugins is part of my daily routine. My bedside book? The WordPress Codex, of course!

Comments

  1. Thanks for the info; this plugin is a reference, though. Proof that nobody is safe from a flaw, which I hope will be fixed very quickly.
    • Author Julio Potier wrote:
      Yes, I've said it before: well-known or not, premium or not, it is still PHP code written by humans, and to err is human. Let's not cast stones; we all make mistakes ;)
  2. Thanks for the information Julio.

    One question: when you say "change your prefix quickly", do you mean the tables?
    If that prefix had been changed at installation, does it need to be changed again?

    thanks (:

    • Author Julio Potier wrote:
      I do say in the article "the prefix of your database", then "I hope for your sake that it is not 'wp_'", so yes, the only prefix we talk about in WP is that of the tables in the database of the WP installation. And if it is not "wp_", that is enough.
  3. Thanks for WP Security Scan. I had been wondering for some time how to change this prefix.
  4. Thanks for the info Julio, I'm passing it on :)
  5. It seems the flaw only affects the "disk cache" method, and indeed I checked with an ls that this directory was empty on my site.
    • Author Julio Potier wrote:
      Yes, that is why I suggest disabling the disk cache option.
      thanks!
  6. As noted in the comment above, using a cache other than disk for database queries is therefore safe.
    Shouldn't that be one of the solutions? Rather than disabling the cache.

    Also, if directory listing is not allowed by default, is the flaw still present?

  7. Even if it doesn't really concern me either, I imagine it must be the same story with the /wp-content/w3tc/pgcache/ directory, for XSS, for example…
  8. When installing a cache plugin on my blog two months ago, I really hesitated to install this one because it had not been updated for several months. It's reassuring to see that it still is.
  9. I had wondered why there had been several updates in quick succession. Well, a 4-day reaction time is still acceptable to me.
    Otherwise, same comment as Li-Ann about WP Security Scan ;)
  10. Reggaeton wrote:
    Nice, I wasn't yet aware of this news ^^
    I'll go to bed less ignorant thanks to your news

    Thanks anyway, it's a pleasure to read a good article

    Bookmarked

  11. Alice wrote:
    very interesting! thanks for the info
  12. Hey I just wanted to thank you for your blog post. It was a fascinating read and some thing I will need to ponder on over several days.
  13. I'm arriving here a bit late … all the better, I don't have to worry about this flaw!
    Thanks for the download link.

    Lucien
