WordPress sites vulnerable to Timthumb.php security vulnerability
You may have seen our blog article yesterday ‘[intlink id=”481″ type=”post”]{{empty}}[/intlink]’ about making sure your website is secure and protected. We were prompted to post that article following a recent security issue that could potentially have affected many sites, which was a reminder of the constant threats to which there is often little time to react.
The recent issue was with a script called Timthumb.php, commonly used in WordPress themes to dynamically resize images. A security flaw allowed hackers to exploit this script to download other files to the targets server. There were many cases where hackers injected other PHP scripts onto servers and loaded Malware and other malicious software. Our current theme for this site uses Timthumb.php, which we have updated to close the security hole I might add! When I contacted the website host because the script had been blocked causing images not to display they told me it was a nightmare due to the number of sites that use it and the amount it had been exploited by hackers, hence they locked it down.
I would like to thank our web host, who did a great job in making all the necessary updates to fix the issue in such a short space of time. It just goes to show the importance of having a good and diligent web host.
If you have a WordPress site, then we recommend the following:
[checklist]
- Check whether or not your site uses timthumb.php.
- If it does, update it to the latest version available fromĀ http://code.google.com/p/timthumb/.
- Check to make sure that files haven’t been loaded onto your server that you weren’t aware of.
- If in doubt, contact your webmaster / IT consultant / web host.
[/checklist]
Is it safe to still use timthumb.php?
The security flaw has been fixed in the latest version (2.0), which is actually a complete rewrite with security a top consideration from the beginning and therefore we consider it safe to use, and indeed do use it.
