We manage a ton of client sites at Press Wizards, and we’re seeing some serious issues W3 Total Cache’s latest update, v 0.9.5, recently released mainly because of a Cross-Site-Scripting exploit. They clearly didn’t do a ton of testing first, as it’s breaking thousands of websites, and I wanted to summarize the issues and how to fix them.

Requires PHPv5.3+

Be aware that v0.9.5 currently now REQUIRES PHP v5.3 or greater. It will cause a white screen if your site is still using PHP v5.2 (or lower, I hope not). While v5.2 is old and you should update, requiring 5.3+ is pretty harsh for many people. Many sites that have not been touched in months/years have been working just fine, until now. Not nice. But, we’re all here now, so…

W3 Total Cache white screen of death

If your site is white-screened, there are two ways to fix it. The first one is to ensure your site is configured to run using PHP v5.3+ through your hosting CP or Support, should be easy and quick, problem solved, I hope.

Optional but recommended: If you’re still having issues, edit your site’s root wp-config.php file, scroll to the bottom (or otherwise locate) and change WP-DEBUG from false to true and save it. It will output actual Fatal PHP errors instead of a White Screen, very helpful when asking for support or trying to troubleshoot.

Ok, if you can’t easily change PHP versions for whatever reason, then you have to use FTP or your host’s cPanel File Manager to rename the /wp-content/plugins/w3-total-cache/ folder to /wp-content/plugins/w3-total-cache-new or whatever you like, which will deactivate it, or just delete it (if you delete it, other plugins may need it and also error, rename those too maybe). Then try logging into /wp-admin/ again, it should let you log in now.

You can revert (download and upload to your site) the older version of w3 Total Cache here https://downloads.wordpress.org/plugin/w3-total-cache. or use the GitHub open source forked version that fixes mostly this issue, and isn’t rewritten to require PHP 5.3+:

We did have a few sites where they were running PHP v5.3+ and the front-end was working, but required a WP DB update on the back-end so they still gave errors… I renamed the /wp-content/plugins/w3-total-cache folder, did the update and logged in, then renamed the folder back, and reactivated the plugin, it is all working fine now.

XSS Exploit isn’t such a big deal

Also, be aware that the XSS Vulnerability isn’t so “High Risk” so no urgent need to update the plugin, as “in order to exploit the vulnerability, an administrator or user with sufficient permissions must have an active session.” Non-logged-in users, logged-in subscribers, the public, etc do not have permissions to access the link that will cause that XSS exploit to happen, so in my opinion, it’s a fairly low risk exploit, don’t always believe the hype that some security companies spew in order to sell you their web firewall service!

However, v0.9.5 does include dozens of other bug fixes as well, so it’s best to ensure you’re running PHP v5.3+ first, and then update the plugin.

If you’re interested in our website maintenance services (not hype – just help) so you don’t ever have to worry or read about this stuff, click here. If you need help fixing your website because it’s already broken, click here.