Wednesday, September 12, 2012

Wordpress Hack - How to prevent

What is timthumb.php and how does it impact your WordPress site?

- The timthumb.php file is a script commonly bundled with WordPress (and other software) themes and plugins to resize images. The vulnerability allows an attacker to upload and create arbitrary files and/or folders on your hosting account, including PHP files, which can then be used for a number of malicious tasks: defacement, browser hijacking and infection, data harvesting and more. After a site has been exploited, it may end up labelled a "Malicious Website" by Google or other security authorities.

timthumb.php ships with almost all free WordPress themes and some premium ones, and a large number of WordPress sites have been compromised through it recently. Because the file the attacker plants can be PHP, exploiting timthumb.php gives him code execution on your web server with the privileges of the web server user. From there he can redirect your blog to his own or any other site, replace your home page, or lock you out of the wp-admin panel.

One way to reduce your exposure to a timthumb.php hack is to avoid free WordPress themes: they are often not updated and have no support, and without support a vulnerable timthumb.php bundled with the theme never gets fixed.

Any timthumb.php file above version 1.09 and below version 1.35 is considered vulnerable unless patched. Note that themes sometimes ship the script under another name (thumb.php is common), so check every copy, not just files named timthumb.php. To avoid being compromised, I advise you update all instances to version 2.8.10 or patch the existing vulnerable files; patching them yourself requires more in-depth knowledge of PHP.

You can also install the latest version of timthumb.php manually by downloading it from http://timthumb.googlecode.com/svn/trunk/timthumb.php/ . The 2.x line validates the host of a remote image URL properly and lets you turn off remote fetching altogether with the ALLOW_EXTERNAL setting if your theme does not need it. It is highly recommended that you update your theme, plugins, scripts and all other files to the latest recommended versions, not just the timthumb.php copy itself.
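As an added example that is not part of the original post: a shell script that walks a WordPress install, finds copies of timthumb.php (and the thumb.php alias under which themes often ship it), reads each file's VERSION constant and flags it against the thresholds above. It assumes the script declares its version as define ('VERSION', '…'), as the real file does; the tree it builds in demo is constructed for the demonstration and is not a real theme.

```shell
#!/bin/sh
# Added example, not code from the original post or from TimThumb itself.
# Assumptions: timthumb copies carry  define ('VERSION', 'x.y.z');  and the
# thresholds follow the post: >1.09 and <1.35 is vulnerable, <2.8.10 is outdated.
set -eu

# Print the VERSION constant of one timthumb file (empty if not found).
tt_version() {
    sed -n "s/.*define *( *'VERSION' *, *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Compare two dotted versions numerically: prints -1, 0 or 1 for a<b, a=b, a>b.
vcmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Classify a version string as VULNERABLE, OUTDATED, CURRENT or UNKNOWN.
classify() {
    v="$1"
    if [ -z "$v" ]; then echo UNKNOWN; return; fi
    if [ "$(vcmp "$v" 1.09)" -gt 0 ] && [ "$(vcmp "$v" 1.35)" -lt 0 ]; then
        echo VULNERABLE
    elif [ "$(vcmp "$v" 2.8.10)" -lt 0 ]; then
        echo OUTDATED
    else
        echo CURRENT
    fi
}

# Audit a WordPress root. Output: status<TAB>version<TAB>path, one line per copy.
audit_wp() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    while IFS= read -r f; do
        v="$(tt_version "$f")"
        printf '%s\t%s\t%s\n' "$(classify "$v")" "${v:-?}" "$f"
    done
}

# Demo on a constructed tree: one old theme copy, one renamed current copy.
demo() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/themes/old/scripts" "$d/wp-content/themes/new"
    printf "<?php\ndefine ('VERSION', '1.32');\n" > "$d/wp-content/themes/old/scripts/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$d/wp-content/themes/new/thumb.php"
    audit_wp "$d"
    rm -rf "$d"
}

# Usage:  sh timthumb-audit.sh /var/www/html   or   sh timthumb-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    audit_wp "$1"
fi
```

Run it against the document root of each site on the account; any VULNERABLE line needs replacing immediately, and OUTDATED copies should be brought up to 2.8.10 at the same time since the fix in the 2.x line is the proper host check.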

Don’t wait for a hack, prevent it.