WP SuperCache Plugin Danger!

Up until recently I’ve been using the WP SuperCache plugin to help speed up my WordPress sites. I was working on one of the sites the other night and had Weaver II run diagnostics to see if there were any problems with the theme. It came back with a warning that I was using the WP SuperCache plugin and that this would prevent the automatic mobile device version of the theme from working. They did suggest a couple of other caching plugins that would work without issues. The first one I tried was very complicated to set up, and it actually slowed the site down so badly I had to FTP into the server and rename the plugin’s folder so WordPress would automatically disable it. The second plugin, Quick Cache, was very simple to configure and worked well. I also like that it places a Clear Cache button at the top of your WordPress dashboard.

Yesterday afternoon I was doing some housekeeping on one of the sites on which I had been using the WP SuperCache plugin. I had selected to remove the plugin from within the WordPress dashboard. After I confirmed that yes, I wanted to remove the plugin, it went ahead and removed it. However, instead of taking me back to the Plugins manager section in the dashboard, the contents of that site’s wp-config.php file were now being displayed in plain text whenever anyone went to the blog. For those not familiar with this file, it is the core WordPress configuration file that resides in your WordPress root /install folder. Included in this file are your database server name, your database name, your database user name and your database password. This is certainly not something you want to be advertising on your website.

I had to quickly rename the install folder to something else and throw up a temporary ‘Site Undergoing Maintenance’ page. At first I wasn’t sure what the plugin did when it had been removed. I started looking on the server for files that had been changed recently and discovered the wp-config.php had been changed minutes ago. I opened the file from the server in Notepad++ (a great free, lightweight text editor). I saw that there were some lines that had to do with the old caching plugin that had been commented out. However, I still wasn’t sure what had happened. I opened another wp-config.php file, from a site on which I wasn’t using the plugin, to compare. The first thing I noticed was that the first line was missing:

<?php

This very important line of code tells the browser that the file is a PHP file and not a regular HTML file. It does not matter if the file has the .php extension; without this line of code at the very beginning of the file, the browser is going to treat it like an HTML file. More importantly, since PHP code is not valid HTML, it will just display the contents. Once I pasted this missing line of code in and uploaded the file to the server (plus changing the folder name back), the WordPress site came up again.
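A check for this failure, as an added example that is not part of the original post or of any plugin's code: PHP sends any text outside `<?php ... ?>` to the visitor unchanged, so the script models that pass-through and reports which database settings in a wp-config.php would be shown in plain text. The sample files and the function names are constructed for illustration; `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST` are the standard WordPress constants for the settings listed above.

```python
import re

# WordPress constants that hold the database settings in wp-config.php.
SECRET_NAMES = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
OPEN_TAG = re.compile(rb"<\?php(?=\s|$)|<\?=", re.IGNORECASE)
DEFINE = re.compile(rb"define\(\s*['\"](\w+)['\"]")


def passthrough_text(source: bytes) -> bytes:
    """Return the bytes PHP would send to the visitor as literal output.

    Simplified model: text outside <?php ... ?> is emitted as-is. It ignores
    '?>' inside string literals and the short_open_tag setting.
    """
    out, pos = [], 0
    while True:
        m = OPEN_TAG.search(source, pos)
        if m is None:                      # no (further) opening tag
            out.append(source[pos:])
            break
        out.append(source[pos:m.start()])
        close = source.find(b"?>", m.end())
        if close == -1:                    # code runs to end of file
            break
        pos = close + 2
    return b"".join(out)


def exposed_settings(source: bytes) -> list[str]:
    """Names of database settings that would be shown in plain text."""
    leaked = passthrough_text(source)
    found = {m.group(1).decode() for m in DEFINE.finditer(leaked)}
    return [name for name in SECRET_NAMES if name in found]


# Constructed sample files (not real credentials).
HEALTHY = b"""<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example_pass');
define('DB_HOST', 'localhost');
"""
# Same file with the first line missing, as described in the post.
BROKEN = HEALTHY.split(b"\n", 1)[1]

if __name__ == "__main__":
    for label, data in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, exposed_settings(data))
```

Running `exposed_settings` on each site's wp-config.php right after installing or removing a plugin that edits the file catches the missing opening tag before visitors see it.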

Now, this seems to be hit and miss. Out of the five sites I had using this plugin, this happened on two sites when I uninstalled the plugin. At least the second time around I was prepared and was able to very quickly get on the server and fix the file.

I should point out that Notepad++ integrates very nicely with the FileZilla (FTP) client. You can set up Notepad++ as the default file editor. From within FileZilla go to Edit > Settings … then in the Settings… window go down to File editing and select Use custom editor and then click Browse to locate Notepad++. Once done, click OK. Now anytime you need to edit/view a file on the server, simply right-click on the file in the Remote site pane and select View/Edit. FileZilla will download a temporary copy of the file and then open it in Notepad++. Once you are done editing the file in Notepad++, save the file, then close the tab (or Notepad++ entirely). FileZilla will then ask if you want to upload the modified file. This is a real time saver as you don’t have to download the file, locate the file locally, edit the file and finally re-upload the file back to the remote server.