Title: Frequent malware in WP Super Cache cached pages
Last modified: May 24, 2024

---

# Frequent malware in WP Super Cache cached pages

 *  Resolved [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/)
 * Since I started using WP Super Cache, it happens often (almost monthly) that 
   WordFence finds malware (PD9) in cached pages. It’s good news that it’s getting
   caught, of course, but bad news that it’s there at all. WordFence _never_ found
   malware on my sites before I installed WP Super Cache. And the malware is always
   only found in cached pages.
 * How and why does this happen, and how do I keep it from happening?
 * Reports are like this (filename varies, of course):
 *     ```wp-block-code
       /mnt/web003/e2/70/511363570/htdocs/floriskleijne.nl/wp-content/cache/supercache/www.floriskleijne.nl/meta-wp-cache-3c685ba0ad8c85ade50e389730ed2748.php
   
       Backdoor: PHP/PD9.5376 (A backdoor known as PD9).
       ```
   
 * PS: Previously posted in the WP Super Cache forum, they refer me to WorfFence
   as they are not aware of a vulnerability in the plugin, and if there was a plugin
   vulnerability, there would be way higher incidence of this issue.
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Ffrequent-malware-in-wp-super-cache-cached-pages%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 14 replies - 1 through 14 (of 14 total)

 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17778894)
 * PS: This is the WP Super Cache topic that referred me here: [https://wordpress.org/support/topic/frequent-malware-in-cached-pages/](https://wordpress.org/support/topic/frequent-malware-in-cached-pages/)
 *  Plugin Support [wfmargaret](https://wordpress.org/support/users/wfmargaret/)
 * (@wfmargaret)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17779557)
 * Hi [@florismk](https://wordpress.org/support/users/florismk/),
 * Thank you for reaching out.  The last version of [WP Super Cache](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-super-cache/wp-super-cache-18-unauthenticated-cache-poisoning)
   with a reported vulnerability was in 1.8, so please ensure you have WP Super 
   Cache fully updated.
 * The “meta-wp-cache-….php” files in WP Super Cache hold information about requests
   like the URL and cookies, so this may be a false positive due to an attempt to
   access a malicious URL being cached.  While Wordfence will automatically protect
   you from these attempts, the page visit attempt may still be cached.  If this
   is the case, you can check your web server access logs and you should see the
   same matched text appear there sometime in the last few days.
 * To have our team take a look, please send a copy of the files to **samples @ 
   wordfence . com** with the pasted scan result information and a link to this 
   topic. Remember to remove any passwords, keys, or salts from any files you send
   to us, if applicable. 
 * Thanks,
   Margaret
 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780175)
 * Next time it happens, I’ll submit the files. I’ve already deleted them this time
   around. Can we leave this open, or do I need to submit a new ticket?
 *  [dimal](https://wordpress.org/support/users/dimalifragis/)
 * (@dimalifragis)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780356)
 * [@florismk](https://wordpress.org/support/users/florismk/) PAGE Caching plugins
   and Wordfence are not a good idea. At least switch WP Super cache to LATE INIT
   settings.
 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780415)
 * Thanks [@dimalifragis](https://wordpress.org/support/users/dimalifragis/). I’m
   taking your advice to the WP Super Cache thread.
 *  [Donncha O Caoimh (a11n)](https://wordpress.org/support/users/donncha/)
 * (@donncha)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780559)
 * Jumping over here from the WPSC thread. Hi! 🙂
 * [@dimalifragis](https://wordpress.org/support/users/dimalifragis/) if Wordfence
   notices something odd about the current request, be it query params for a backdoor
   or something, does it set a constant or flag for other plugins to recognise there’s
   something wrong? If so, I can add support for that in WPSC so it doesn’t cache
   the page.
 * I agree with [@wfmargaret](https://wordpress.org/support/users/wfmargaret/) that
   this is very likely a false positive, as we’ve had this happen many times over
   the years but there is a way for Wordfence to stop the caching. If it sets the
   constant DONOTCACHEPAGE it will stop WPSC from caching the page entirely. The
   meta file would not be created, and this problem would be avoided.
 * WPSC won’t need to run on “late init”, as Wordfence will have, I presume, detected
   the malware trigger attempt and stopped the process and caching of the page.
 *  [dimal](https://wordpress.org/support/users/dimalifragis/)
 * (@dimalifragis)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780577)
 * [@donncha](https://wordpress.org/support/users/donncha/) Hi,
 * If WPSC (or any PAGE caching plugin) works in mod_rewrite mode, the pages are
   served BEFORE anything else.
 * **BEFORE Wordfence php prepend waf.**
 * It is unclear what happens related to that. As i posted in WF forum, using ANY
   page caching, both in php or mod_rewrite mode, overcomes several Wordfence features.
   Like RATE LIMITING for example.
 * So, better to be safe and not use page caching with Wordfence. Maybe use some
   object plugin like Redis, that doesn’t seem to conflict.
 * Anyways, this is what i have found and thanks for your time to reply.
 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780604)
 * [@dimalifragis](https://wordpress.org/support/users/dimalifragis/) If WPSC worded
   in mod_rewrite mode, I assume this would be visible in .htaccess? If so, WPSC
   is not using mod_rewrite, because .htaccess shows no trace of it.
 * Also, [@donncha](https://wordpress.org/support/users/donncha/) ‘s question is
   interesting: does WordFence signal request warnings for other plugins to notice?
 * And [@donncha](https://wordpress.org/support/users/donncha/), do you know the
   answer to the implied mod_rewrite question?
 *  [Donncha O Caoimh (a11n)](https://wordpress.org/support/users/donncha/)
 * (@donncha)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780610)
 * mod_rewrite can be used to serve cached files, but if Wordfence can detect the
   request is dodgy before the page is cached then it won’t matter what way cached
   files are served (mod_rewrite or PHP or late_init) as we can stop the page being
   cached entirely.
 * I can see there’s a tension between using a full page cache and Wordfence, especially
   when attempting to rate limit requests. The cache is designed to allow more requests
   to be served, not have them rate limited.
 * I guess we’ll find out a lot more when the next false positive happens and [@florismk](https://wordpress.org/support/users/florismk/)
   sends the offending file to you for analysis.
 *  [dimal](https://wordpress.org/support/users/dimalifragis/)
 * (@dimalifragis)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780618)
 * [@florismk](https://wordpress.org/support/users/florismk/) WPSC mod_rewrite mode
   is called **Advanced mode** and YES you should see it in your modified .htaccess.
 * Please note that mod_rewrite has the **HIGHEST priority** in execution of .htaccess.
 * (This is not an issue only for Wordfence but for all security plugins, bots fighting
   plugins also. And tests MUST be done AFTER all the pages are cached and not with
   a clear/empty cache).
 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780623)
 * Thanks, [@dimalifragis](https://wordpress.org/support/users/dimalifragis/). I
   use **Simple **mode, so that explains why I don’t see any trace in .htaccess.
   I take it that means cached pages are _not_ served before anything else?
 *  [dimal](https://wordpress.org/support/users/dimalifragis/)
 * (@dimalifragis)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17780625)
 * [@florismk](https://wordpress.org/support/users/florismk/) Well, i have to guess
   here, since i’m not a Wordfence developer 🙂
 * If you use Wordfence optimized firewall, that prepends WF waf in your .htaccess(
   BEFORE WordPress loads), logically Wordfence is checking the requets BEFORE any
   caching (php mode) happens IN WordPress.
 * BUT in reality even with that, for example, Rate Limiting doesn’t work. I have
   no idea why. It should, since Wordfence sits infront of WordPress requests. Also
   i have no idea what else could be not working, since it is very hard to debug
   this. Very hard for a webmaster.
 * That is why i posted, it is a grey/unclear zone and better refrain from using
   PAGE caching with Wordfence. Better safe than sorry that is.
 *  Plugin Support [wfmargaret](https://wordpress.org/support/users/wfmargaret/)
 * (@wfmargaret)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/#post-17790267)
 * Hi [@florismk](https://wordpress.org/support/users/florismk/),
 * Thanks for following up. In the future, you can submit any samples you’re unsure
   of to **samples @ wordfence . com** and our team can review them without you 
   opening a topic on the forums. In the future, you can combat this if you are 
   sure the content is harmless by either choosing “**Ignore**” after a scan or 
   telling Wordfence not to scan the specific cache meta files. You can do the latter
   by visiting **Wordfence > All Options > Scan Options > Advanced Scan Options 
   > Exclude files from scan that match these wildcard patterns (one per line) **
   and adding `wp-content/cache/supercache/www.floriskleijne.nl/meta-wp-cache-*.
   php` on a new line.
 * [@dimalifragis](https://wordpress.org/support/users/dimalifragis/), you are correct
   that some caching plugins can interfere with Wordfence blocks by displaying a
   cached page instead of the block page. This is typically safe to ignore unless
   there is a reason to prevent blocked visitors from seeing cached content. Wordfence
   will continue to block any malicious actions and display a block page on uncached
   pages.
 * [@donncha](https://wordpress.org/support/users/donncha/), there are no constants
   set that WP Super Cache can use to prevent caching in this case.
 * The URL and query string in the cache file may include code that would be malicious
   in another context. Since the site was previously hacked (as mentioned in an 
   older forum thread), the original attacker may try to reach their old scripts,
   triggering this periodically, or it could be an attacker targeting an old vulnerability
   that the site may not even have.
 * Thanks,
   Margaret
 *  Thread Starter [Floris](https://wordpress.org/support/users/florismk/)
 * (@florismk)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/page/2/#post-17790719)
 * Thanks, you’ve been immensely helpful, [@wfmargaret](https://wordpress.org/support/users/wfmargaret/)!

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘Frequent malware in WP Super Cache cached pages’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

## Tags

 * [cache](https://wordpress.org/support/topic-tag/cache/)

 * 16 replies
 * 4 participants
 * Last reply from: [Floris](https://wordpress.org/support/users/florismk/)
 * Last activity: [1 year, 10 months ago](https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/page/2/#post-17790719)
 * Status: resolved