W3 Total Cache security and performance issues

There have been a lot of problems recently with this popular WordPress plugin. Many users have reported that W3 Total Cache was having some serious security and performance issues.

Fortunately, it’s still actively developed and there is a new version of W3 Total Cache available for download or auto-update within the WordPress admin console. Here’s a look at what version 0.9.2.7 has to offer:

Fixed config file write in more hosting environments
Fixed legacy config file import on servers with hardened file permissions
Fixed page cache write cache rules in some environments
Fixed retina images
Fixed false positive notifications when permissions are not changed or same
Fixed minify help
Improved upgrade notifications
Improved page cache and minify notifications

This is what version 0.9.2.6 added and fixed:

Added support for grouping cache entries for easier flushing
Added more options for placing minified files on pages. Custom placements using HTML comments.
Added CSS inclusion for auto / manual minify. If present it's used:
Added JS inclusion for minify auto mode. If present it's used: ,
Added JS inclusion for minify manual mode. If present they are used when selecting corresponding location in placement dropdown: , ,
Added new minification inclusion options, async, defer, extsrc and asyncsrc
Added flushing sitemaps
Added flushing custom pages
Added flush the current blog when flushing in MultiSite
Added flushing home page and/or post page if static
Added flushing older pages (page/2, page/3) on purge requests
Added flushing a limited amount of pagenumbers
Added purging caches for deleted blogs in WordPress MultiSite
Added uninstall process to the plugin for easier cleanup
Added upgrade support that cleans up and removes old cache folders
Added message when disk enhanced page caching is not working properly
Added custom wp-content name and locations
Added CDN feature “Dont use CDN for specific roles”
Added “Purge from cache” link on edit post/page pages
Added permalink suffixes (.html, .htm etc)
Added uploading blogs.dir files when using MultiSite and CDN
Added notification about IAM when using Amazon services (SNS, CloudFront, S3 etc)
Added ‘Don’t minify JS files’ ‘Don’t minify CSS files’ options for minify
Added Access-Control-Allow-Origin support for CDNs
Added hooks clean_post_cache and menu changes
Added caching JSON mime-type. Other mime-types can be added using array filter ‘w3tc_is_cacheable_content_type’
Added automatic reloading of config files when APC apc.stat is disabled
Added request reload of APC file over HTTP
Added priming of post on publish
Added single config file (by default) when using WordPress MultiSite
Added switch_to_blog() support
Added wp_cache_decr, wp_cache_incr support
Added wp_cache_switch_to_blog support
Added fragment caching functionality that extends the transient caching methods in WordPress core
Added network activation and network policy management
Added control for comment cookie lifetime
Added Go Daddy SUBDOMAIN_DOCUMENT_ROOT directive support
Added JSON to mod_deflate configuration
Added JavaScript mime-type variations to mod_deflate configuration
Added WP-CLI support for purging cache, purging pull CDNs, reloading APC files, clearing APC, deleting pgcache files, and updating browser query string
Added .htc mime type
Added Rackspace CloudFiles container location selection
Added rejected terms in database cache, to allow for deeper database caching capability
Added Akamai CDN origin pull support
Added system cache purge when apc.stat is disabled
Added origin rel canonical support for CDNs
Added AT&T origin pull CDN
Added full-page mirroring and purging for origin pull CDNs
Added compatibility mode improve disk enhanced page caching performance ~20% for users that don’t care about interoperability
Added nginx example files
Added varnish example files
Added basic application monitoring support using New Relic
Added application monitoring widget using New Relic
Added plugin dashboard page to display widgets etc
Added purge from cache link to admin bar dropdown while browsing posts/pages on front-end
Added purge CDN completely link to admin bar dropdown
Added CDN SSL checkbox “Disable CDN on SSL page”
Added pull CDN support to MultiSite
Fixed caching of the “Front Page” and added an option for the same
Fixed w3_url_format function was not included error
Fixed security vulnerability with file cache: disk basic page caching, database or object caching to disk. CVEs: CVE-2012-6077, CVE-2012-6078, CVE-2012-6079
Fixed issue with concurrent writes to single config file
Fixed Preview mode and deploy button
Fixed varnish purging (See varnish config example file in ini folder)
Fixed false positive notification on Page Cache: Disc Enhanced
Fixed broken images for feedburner in dashboard on HTTPS sites
Fixed minify ID generation causing notices
Fixed false positive on minification related to group configuration among others
Fixed default wp-content path and CDN uploads when WordPress is installed in directory
Fixed pages not flushing when making changes in WordPress Admin
Fixed mod_filter being used on unsupported Apache versions
Fixed WordPress upgrade issue caused by W3TC remaining active
Fixed minify path when using WordPress MultiSite and blogs in sub-directories
Fixed user interface for “Dont cache specific roles”
Fixed CDN and minify to file for storage
Fixed feed_link filters interfering with feed purging
Fixed false positive with minify rewrite test and WordPress MultiSite sub-directory mode
Fixed WordPress Multisite in sub-directory mode and minify paths
Fixed caching posts page when using static home page
Fixed object cache not being initialised before getting options
Fixed locating document root for minify in certain environments
Fixed saving settings if permalinks are turned off
Fixed “Install” page displaying rules that are not required
Fixed minify cache being empty while page is cached so no minified files are generated, minified files auto generation no longer depend on pages not being cached
Fixed unnecessary flushing with SSL, user agents and referrer not being activated
Fixed “Purge from Page Cache” not purging varnish or CDN when enabled
Fixed CSS minification and relative paths in external files
Fixed login / logout and compatibility with BuddyPress
Fixed flushing same posts many times if status is trashed or restored
Fixed handling of .html fancy permalinks with nginx
Fixed handling of missing xcache opcode cache
Fixed Amazon S3 allowing LIST permissions to everyone
Fixed handling of .xml mime type
Fixed numerous object cache compatibility issues
Fixed memcached port support issue
Fixed HTTP_HOST not defined warning issue
Fixed xdebug not configured halt issue
Fixed minified files not being mirrored by push CDNs
Fixed uploading to CDNs multiple times even if force overwrite is disabled
Improved CloudFlare support: purging, dev mode, minification options, automatic IP range updates, rocket loader feature, security levels
Improved support for the Bad Behavior plugin
Improved object cache and MultiSite compatibility
Improved flushing behavior with better post and pages detection. To change behavior hook into filter ‘w3tc_flushable_post’
Improved XML user interface when using Page Cache Disc: Enhanced
Improved minify filename path generation
Improved minify custom placement usage
Improved PHP 5 compatibility by removing deprecated functionality
Improved WP 3.4 and 3.5 compatibility by removing deprecated functions usage
Improved plugin by removing unnecessary ob_starts
Improved minify usage by returning old minify files while generating new
Improved update procedure by removing need to manually deactivate and reactivate plugin
Improved CDN paths and URL generation using both single and multisite installs
Improved Admin Bar menu with more flushing actions
Improved minify auto by adding support for downloading and combining external files
Improved descriptions for various “Do not cache …” textareas
Improved header settings so plugin header settings override WordPress default header where appropriate
Improved debug logging by adding a debug folder constant: W3TC_DEBUG_DIR
Improved support for WPTouch plugin
Improved custom post type support and flushing
Improved cache key format and handling
Improved minify support on Windows
Improved purging functionality for CDN providers
Improved compatibility with wp-fb-autoconnect plugin
Improved support of WordPress installed when in a sub-directory
Improved support of non-default WordPress folder setups
Improved use of HTTP API and FileSystem API in WordPress. HTTP API usage improves minify and CDN functionality. FileSystem API integration improves activation, deactivation and configuration changes
Improved execution time across all caching engines
Improved cache miss performance for page caching
Improved notification handling
Improved cache priming algorithm
Improved minify error reporting
Improved varnish purging capability
Improved memory caching logic and purging speed
Improved support for auto minify in more hosting environments
Improved support for use of sockets in memcached
Improved handling of old settings upon update
Improved detection of document root on additional hosting providers
Improved handling of eTags
Improved browser cache policy options
Improved bug submission form implementation
Improved NetDNA / MaxCDN support by using their new API
Disabled minify if CloudFlare is active
Removed PHP 4 support
Removed cookie used for user agent groups unless the feature is used
Removed cookie used for referrer unless the feature is used

Quite a few of my clients reported slowdowns that were attributed to this plugin, which is a shame because in general this plugin can take static WP sites to much faster page load times. In 90% of cases, a simple update resolved their issues, so it’s worth doing if you are having slowdowns that you can’t find the reason for.

Personally, I always remove any caching plugin and htaccess code before attempting to diagnose slowdown or instability issues as it often masks or compounds server and code problems.

Let me know below if you have any issues that W3 caused or that you managed to resolve.

Removed duplicate inclusion of JSON library
