WordPress W3 Total Cache Explodes- Killing Traffic with Vampire Vulnerability?

WepPage TestTime to First ByteI'm not a complainer, developer or WordPress code contributor. As editor of Wireless and Mobile News, I am however, responsible for the quality content and  a great user experience.  Recently, web traffic was down significantly and we did not know why until we looked a page load times. A vulnerability in a very popular plug-in not only affected our bottom line but also our sanity.

Our web developer is very bright, he writes core code for WordPress, but the recent SNAFU baffled him for a while. The signs were there in the past, but we didn't see them.  Page load times in a Google analytics over 20 seconds a page, in fact on some days it went over a minute.  I was busy with a personal tragedy, by the time we started testing the website, my nerves were frazzled.

On Sunday, while other people were happily making chips and dips to watch the Super Bowl, I spent three hours combing over data and trying to figure out what to do.  In a last-ditch effort I decided to call Fred over at MaxCDN/NetDNA because I figured the company should be aware of any issues with W3 Total Cache and or the CDN. Fred was an absolute dear and told me he would look into the matter. I also spent several hours on the phone with LiquidWeb, trying to figure out what the problem was.

At one point the kind tech at LiquidWeb, Taylor skirted around W3 Total Cache, on a completely new deployed server. He suggested another caching program, however I was devoted to W3 Total Cache because I thought I needed it to work with MaxCDN.

In total, I personally probably spent over 20 hours to figure out the problem, which I personally could not afford, but had no choice.  On Sunday, I noticed that there had been vulnerabilities noted on W3 Total Cache as of January 24.

Page load times began slowing in the middle of January, now that I went back and looked at Google Analytics.

There were also curious connections to China.  What we cover in Wireless and Mobile News, has nothing to do with China.

I know I should feel honored because the Wall Street Journal and the New York Times were hacked, but the way Wireless and Mobile News was hit was like with a Vampire creature that drained resources and prevented honest readers from getting the information they desired.

Over the past several days, we continually ran webpagetest.org test and received failing grades for the time for the first bite.

When Wireless and Mobile News, first deployed the very fast SSD Storm on Demand server the time to first byte was a 333 ms using webpagetest.org.  Over the weekend, the time to first byte was over two and half seconds.

On Monday, I saw pink notices in W3 Total Cache, after the notices there was update. I wasn't sure what it was.  My developer, Justin Givens, deactivated W3 Total Cache,  and activated again the first bite time and running NetDNA went back up to grade of "A". It appeared to fix something.

This afternoon, however, I had spent even more time because of what I learned.

This afternoon around two o'clock, I received an e-mail from Fred at NetDNA informing me that there is a vulnerability in W3 Total Cache and Frederick Towne is aware of it.

I usually don't write about the web or WordPress, it's not my expertise.  My expertise is as an editor however, webmasters and developers should check their page load speed to see if there is a problem.

Nowadays, most developers have fast Internet connections and a glitch in code to the human watching the page load will seem like less than nothing.  However, the great Google god, keeps track of every slow page and comes back to haunt you by not sending you traffic

I hold nothing against Frederick Towne, he wrote a wonderful plug-in that everybody uses which is part of the problem.  Because the hackers know so many websites run W3 Total Cache, it makes them want to hack it.

So here I go back down the trail trying to figure out what to do in the meantime and still maintain a fast website.

Current page load tests are decent but not as good as they were when we first deployed the SSD server.

New Speed

I am behind on my normal coverage of Wireless and Mobile News because of the is matter.  I am writing this in the hopes that others will not experience the same problems and will constantly monitor such problems.

I would also like to thank Justin Givens, LiquidWeb and MaxCDN  for investigating the problems.

I think it would also be nice if plug-in developers when they find a vulnerability somehow send out a message that an update is pending with advice on how to deal with the problem.

In the past, dealing with WordPress in many instances plug-ins were no longer supported, blew up over time or just plain stopped working.  It we are going to have an open community of WordPress developers, the most important thing is for everyone to communicate, problems as well as triumphs.

I don't want to admit to the amount of sleep I lost over this problem.  I can tell you what I learned.  It pays to have a great developer, excellent CDN like MaxCDN, and great webhost.

I also really like the telephone support at MaxCDN, Amir is a great salesperson and Fred is very kind and helpful.

It takes a village to maintain a WordPress site.

11 thoughts on “WordPress W3 Total Cache Explodes- Killing Traffic with Vampire Vulnerability?”

  1. I'm a big WordPress fan. However, the fact that it is open source means that no one takes responsibility for problems especially problems such as security vulnerabilities.

    On the other hand if you don't use it you lose it. I agree that there should be some way that when there's a problem with the plug-in that users of the plug-in get a notice maybe that's something they should put in the core of WordPress.

    I too have had problems with plug-ins, having to delete and deactivate one at a time until I found out what was causing the problem.

    I wish there was an easier way, to.

    When I was running W3 total cache it seemed to work fine, but then you never know.

    My best wishes to you and your developer to finally get things straightened out and working again.

    Thank you so much for writing this because it has saved me hours and hours and hours of tinkering.

    • I agree with you that no one takes responsibility for the problem occurred with the open source software like WordPress. However, the WordPress community is so far the best one I have ever seen. You can post your concerns on Twitter, FB or even WordPress itself and someone will show up telling you what to do right away. 🙂

      I love to be a part of this awesome community.

  2. I'm sorry to hear about your problems. you did all the footwork and testing for us thank you very much.

    It's sad how many times even small to medium independent publishers are being hacked nowadays. You are in good company with the New York Times and Wall Street Journal.

    Keep up the good work. I hope you get over your personal tragedy.

  3. Wow I never thought about it that way. I would want to say that I never met a plug-in I didn't like. Now there is so many plug-ins floating around and WordPress, I'm lost and I can't find my way home.

    I think I have a plug-in addiction. Is there a program that can help me?

  4. I've had problems with plug-ins in the past. I think the best way is to keep the plug-ins down to as few as possible and update them every time you see an update.

    I also had to deactivate one plug-in at it in a time until I found out what was the matter.

    It took a really long time.

    Thanks for the heads up.

  5. I hope they can patch this vulnerability. I can still remember what happened to GoDaddy when it was hit via plugins and themes using timthumb codes.

  6. I have loved w3 Total Cache, but what happend yesterday with the major update, it does not work how it should work. My page speed goes from 96 to 91 in no time. The dashboard loads forever and also the uninstall takes forever. It also slows my site. So for me no w3 total cache anymore.

    • When you look in the W3 Total Cache support forum, there are still a lot of errors and problems with it.

      I wish we knew a month ago that there was a problem.

      Perhaps instead offering a totally free version, there would be paid version with a monitoring service that checked that it was working properly.

  7. Hey Lynn, this appears to be an issue with your backend server. A two second delay would normally not be caused by WordPress unless if some server process is hanging. We have personally not experienced any issues with W3 Total Cache nor would MaxCDN cause a slow time to first byte issue (which is the server rendering the content dynamically).

    As for the CDN issues in the latest W3 Total Cache, we are working closely with them to correct any issues. All of these changes are for the better and we apologize for any inconveniences.

    If you ever come across any issues, feel free to bring it by us or to the W3 Edge development team, and we'll help you track down these issues.

    • I don't think we'll ever know what really happened. However, the problem stopped after W3 Total Cache was deactivated. The WordPress.org support forum shows a lot of people are having problems with W3 Total Cache, one guy lost his entire website that turned white. There are reports of severs crashing, and many people are want to uninstall it or disable it.

      Frederick Townes is answering a lot support questions. He is a one man dynamo. I prefer to wait until all the bugs are worked out.

      I'm glad that MAXCDN was able to help.

      http://wordpress.org/tags/w3-total-cache

Comments are closed.