Title: Plugin security vulnerability Last modified: January 7, 2026 --- # Plugin security vulnerability * Resolved [Jason Wong](https://wordpress.org/support/users/eljkmw/) * (@eljkmw) * [4 months, 2 weeks ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/) * Today, my client’s website got hacked into, and I found a different config file in the `/wp-content/wpo-cache/config/` folder. I’m surprised as to how did this happened. The new config file immediately redirects visitors to a different site. I’m fortunate enough to restore the website from its backup copies. * Is anyone else experiencing the same issue? I’m using the latest core and plugin versions. Viewing 5 replies - 1 through 5 (of 5 total) * Plugin Support [jbgupdraft](https://wordpress.org/support/users/jbgupdraft/) * (@jbgupdraft) * [4 months, 2 weeks ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18779252) * Hi, * Thanks so much for reaching out about this! I haven’t encountered this issue before but I will notify our Product and Development team to look into to see if there is something we need to make changes to in regards to this file. Depending on how the site was infected it could have been replaced by another plugin that had access to the file system or could also have been something at the hosting level. * We will take a look on our side and see what changes might need to be made in an upcoming release! * Thread Starter [Jason Wong](https://wordpress.org/support/users/eljkmw/) * (@eljkmw) * [4 months, 1 week ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18779865) * In the `/wp-content/wpo-cache/config/` folder contains the config-mydomain.php file. However, to my surprise, I found a different file, config-otherdomain.php, which caused the redirection. * Besides your plugin, [Redis Object Cache](https://wordpress.org/plugins/redis-cache/) plugin too encountered the same hack. Its object-cache.php file in `/wp-content/` had redirection code inserted into it. * I’m beginning to whether there are security vulnerabilities for most caching plugins. Due to this concern, I had to remove both plugins from my website, and I haven’t had any further _hacked_ redirection since. * Plugin Support [vupdraft](https://wordpress.org/support/users/vupdraft/) * (@vupdraft) * [4 months, 1 week ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18783475) * Hi, * It sounds like someone has targeted your caching plugin but it could have been any of your plugins. * What might be helpful in these scenarios is a plugin that detect file changes, we have a free one: [https://en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall/](https://en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall/) but there are others as well. * Thread Starter [Jason Wong](https://wordpress.org/support/users/eljkmw/) * (@eljkmw) * [4 months, 1 week ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18784421) * Ever since I deactivated and uninstalled the caching plugins, there hasn’t been any further redirection. As you said, it could’ve been any plugin, but nothing has happened. So, I’m curious why target only the caching plugins? Are they that vulnerable? * Plugin Support [vupdraft](https://wordpress.org/support/users/vupdraft/) * (@vupdraft) * [4 months, 1 week ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18784912) * It’s difficult to say why the caching plugins. Object caching and browser caching are very different mechanisms. They work in very different ways. I suspect they were targeted as pretty much every website has at least one caching plugin and this can be seen in the headers of any website. * My advice would be to try Cloudflare (you can use this with WPO if you like). It would hide this information. It works really well as a first line of defence. We use it on all of our sites. There is a free tier. We are in no way affiliated with Clouflare, I just think it’s an excellent service! Viewing 5 replies - 1 through 5 (of 5 total) You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fplugin-security-vulnerability-4%2F%3Foutput_format%3Dmd&locale=en_US) to reply to this topic. * ![](https://ps.w.org/wp-optimize/assets/icon-256x256.png?rev=1552899) * [WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance](https://wordpress.org/plugins/wp-optimize/) * [Frequently Asked Questions](https://wordpress.org/plugins/wp-optimize/#faq) * [Support Threads](https://wordpress.org/support/plugin/wp-optimize/) * [Active Topics](https://wordpress.org/support/plugin/wp-optimize/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wp-optimize/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wp-optimize/reviews/) * 6 replies * 3 participants * Last reply from: [vupdraft](https://wordpress.org/support/users/vupdraft/) * Last activity: [4 months, 1 week ago](https://wordpress.org/support/topic/plugin-security-vulnerability-4/#post-18784912) * Status: resolved