Sucuri Security recently announced that the WordPress caching plugin W3 Total Cache had a security hole.
The issue is connected to the way W3TC stores the database cache (in a publicly accessible directory). It can be used to retrieve password hashes and other database information.
Sucuri outlined a fix for the issue as an interim solution:
It seems the easiest way to protect your sites is by disabling database cache or creating an .htaccess file inside the wp-content/w3tc directory denying direct access there:
deny from all
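To check whether that interim fix is actually in place, the following added example (not from Sucuri or the W3 Total Cache project) audits WordPress installs on the local filesystem for a blanket deny rule in wp-content/w3tc. It assumes Apache; the function names and the "Require all denied" Apache 2.4 equivalent are additions that are not in the original post.

```python
import re
import sys
from pathlib import Path

# "deny from all" is the Apache 2.2 line quoted above; "Require all denied"
# is the Apache 2.4 equivalent (assumption: either may be in use).
DENY = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)
SECTION_OPEN = re.compile(r"^<\s*(\w+)")
SECTION_CLOSE = re.compile(r"^</\s*(\w+)")
# Containers that do not narrow which files a rule applies to.
TRANSPARENT = {"ifmodule", "ifversion"}


def htaccess_denies_all(text: str) -> bool:
    """True if an uncommented deny rule sits outside any scoped section."""
    scoped = 0  # depth inside <Files>, <FilesMatch>, <Limit>, ... sections
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = SECTION_CLOSE.match(line)
        opening = SECTION_OPEN.match(line)
        if closing:
            if closing.group(1).lower() not in TRANSPARENT:
                scoped = max(0, scoped - 1)
        elif opening:
            if opening.group(1).lower() not in TRANSPARENT:
                scoped += 1
        elif scoped == 0 and DENY.match(line):
            return True
    return False


def audit_w3tc(wp_root: Path) -> str:
    """Return 'absent', 'protected' or 'exposed' for one WordPress install."""
    cache_dir = wp_root / "wp-content" / "w3tc"
    if not cache_dir.is_dir():
        return "absent"
    htaccess = cache_dir / ".htaccess"
    if htaccess.is_file() and htaccess_denies_all(htaccess.read_text(errors="replace")):
        return "protected"
    return "exposed"


if __name__ == "__main__":
    # Usage: python audit_w3tc.py <wordpress-root> [<wordpress-root> ...]
    for root in sys.argv[1:]:
        print(f"{audit_w3tc(Path(root))}\t{root}")
```

Apache applies .htaccess files only where AllowOverride permits it, and nginx does not read them at all, so a "protected" result still needs confirming against the live server configuration.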
WP Force was a victim of this security hole, but measures were taken to secure all data on the site and its users. The fix worked, and an investigation found that the site was never compromised.
Four days after the announcement of the security hole, W3 Total Cache owner Frederick Townes released an update.
I ran the upgrade and it went smoothly. Everything seems to be in order.
Were you affected by this security hole? Let us know in the comments.