Dennis Dornon
Hi, I'm Dennis Dornon! As the creator and co-founder of MainWP, my team has helped thousands of web professionals streamline their WordPress maintenance workflow.
How to quickly remove W3 Total Cache using MainWP
Heads up: This page may include affiliate links. Read the full disclaimer.
W3 Total Cache is one of the more popular caching plugins with over 1 million active installs and there is a current report of high risk explot that has been disclosed:
No update on W3 Total Cache SSRF reported over 4 months ago. Fix is basically adding 1 character #responsibledisclosure #wordpress #plugin
— Klikki Oy (@klikkioy) September 23, 2016
I’m not a security expert so I’ll send you over to SecuPress for more information on the vulnerability so you can determine if you would like to remove the plugin. As of now the issue still has not been fixed and the plugin has not been updated for 6 months.
Update 1: I just read in the Advanced WordPress Group from Jim Walker:
Only works for authenticated users and and need to have permissions tu access W3 Total Cache Support Menu of left sidebar on WP Admin Panel.
So, if I’m reading this right, the exploit is only possible from a logged in Admin users. If that is the case, well, other than for coding purists this alert is rather pointless.
Update 2: The W3 Total Cache plugin has been updated resolving the problem.
What I’m going to go over is 4 step process of checking, deactivating and deleting the plugin using MainWP. These same steps can be used for any plugin.
Part 1: Seeing if W3 Total Cache is active on any Child sites
First we’re going to search if you have W3TC actively running on any of your Child sites
- Log into your MainWP Dashboard
- Select Plugins from the left menu then on the Manage tab
- From Step 1, Select status: Active Plugins and Containing Keyword: W3
- From Step 2, Click All to select all your sites
- Press the Show Plugins button
If you find any active move to Part 2
If you don’t find any active Skip to Part 3 to be sure you do not have it sitting deactivated on any of your child sites.
Part 2: Deactivating any that are Active
Now that you know you have the plugin running on some of your Child sites let’s go ahead and deactivate it.
- In the results window click on the W3 Total Cache name (column header) this will check every site for you
- From the “Choose Action” drop down select Deactivate
- Press the Confirm button
Now all the active version of W3TC has been deactivated so let’s get them removed from the child sites.
Part 3: Searching for deactivated versions of W3TC
Finally let’s remove them from the Child sites until the issue is fixed.
- From Step 1, Select status: Inactive Plugins and Containing Keyword: W3
- From Step 2, Click All to select all your sites
- Press the Show Plugins button
If you didn’t find any then you are done and can be sure none of your sites are running W3 Total Cache
If you find some move on to Step 4
Part 4: Deleting W3TC from all your child sites
- In the results window click on the W3 Total Cache name (column header) this will check every site for you
- From the “Choose Action” drop down select Delete
- Press the Confirm button
That’s it now you have removed W3 Total Cache from all your websites!
Share
Manage Unlimited WordPress Sites from One Dashboard!
- Privacy-first, Open Source, Self-hosted
- Easy Client Management
- 15+ & 30 + Premium Add-ons
- Bulk Plugins & Themes Management
8 comments
sterndata
and it’s fixed in the WP repository (oops… it’s the “library” now) as of Sept 26.
Dennis Dornon
Yep have that in Update 2 in the article. It’s still a good tutorial on how to remove any plugin from your MainWP Child sites.
Simone Nigro
That issue is already fixed in the forked community version though.
https://github.com/szepeviktor/fix-w3tc/pull/81
Dennis Dornon
Apologies I missed this Simone. Do you know if that repository will be updated to take into account the new version of W3TC or will it be it’s own fork going forward?
Todd Jones
I didn’t realize all this. I like it best, but if the hosting is good, you often don’t need it. The one by WordPress is more simple. I may switch over to it. I always liked W3 Total Cache, so something makes me think he is caught up with other stuff.
Dennis Dornon
I’m not a security guy but some people are screaming the roof is on fire and others are saying no big deal. I tend to listen to the roof is on fire people when it comes to the security of my sites.
It is concerning that it hasn’t been updated in 6 months not even the “Compatible up to” has been updated which is 1 minute process. So it may very well be an abandoned plugin with 1 million active users.
Todd Jones
Frederick’s always been on top his stuff. Wondering what’s going on here? Maybe he is getting ready to discontinue the free version? I don’t know.
Dennis Dornon
Looks like in March he told WPTavern it wasn’t abandoned but it hasn’t been updated since then “Frederick Townes Confirms W3 Total Cache is Not Abandoned“
Comments are closed.