Why Synthesis Sites Were Never at Risk From New Vulnerability Found in Cache Plugins

Our hosting architecture was put into production to provide speed, security, and operational stability. We have received feedback on a few of our architectural decisions that happened to be contrarian to the offerings available at generic hosts.

These architecture decisions proved to be unpopular with some folks. In some cases, they actually cost us customers.

You might wonder, then, why we keep them in place.

Simple. Popular and right are not the same, often far from it, and we won’t compromise the security of everybody for the convenience of few.

That is why, for example, we do not allow phpexec() calls on our servers. Not even on a server-by-server basis. We don’t believe in it. It opens your site up to danger without enough of a system-wide reward to justify the risk.

And it’s why Synthesis-hosted sites were never in danger of being exploited by what Sucuri called a very serious vulnerability.

To recap: it was discovered recently that W3 Total Cache and WP Super Cache – two of the most widely downloaded WordPress plugins ever – possessed a remote code execution (RCE), vulnerability. What does this mean? As Tony Perez summed up on the Sucuri blog, “This means I can pass any commands I want to your server and they’ll execute.”

I’m sure you can parse the risk from that statement.

As soon as the Sucuri blog post went up, we received Help Desk tickets and tweets wondering how we were going to “handle the situation.” Our response today was the same as it was two weeks ago when panic erupted in the WordPress community regarding worldwide brute force attacks: nothing.

Well, nothing is perhaps the wrong word. Nothing new would be more appropriate. It’s just business as usual.

As soon as we realized the threat to W3 Total Cache, which we recommend as our preferred caching plugin, we tested the code injection on our own sites. It didn’t work.

Our refusal to allow phpexec() calls on our servers – unpopular as it may be with some folks – kept every site we host safe from the W3TC and WPSC vulnerability, whether the plugins were updated or not.

We take great pride in that. Synthesis customers should too. It’s why paying a premium for serious managed WordPress hosting is worth it.

How much are safety and peace of mind worth? We think a lot. That’s why for us the “cost” of this particular unpopular decision has always been worth paying.


For the record: do update your cache plugin as soon as you’re able, but not out of fear … simply because it’s a best practice to always keep all plugins current.

Leave a Reply