How to Fix TimThumb Theme Script Security Exploit

Tripawds is a user-supported community. Thank you for your support!

Don’t panic. Security Breach Averted!

I first learned about the zero-day vulnerability affecting many WordPress themes today on LinkedIn. Plenty has been written about the security flaw found in the timthumb.php script used by many themes that could result in a serious security breach by allowing the upload of malicious scripts to your server. I won’t go into detail, because these fine folks already have:

See the above links for plenty of information, opinions, and fixes. I’ll just quickly outline what I did to ensure we remained safe here at Tripawds.

  1. Log in to cPanel account for domain
  2. Access File Manager
  3. Search all files for “timthumb”
  4. Note location of file(s) if found
  5. Delete timthumb.php*
  6. Repeat for any other domains

*Note: Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. I chose to just delete any themes using the script.

If you need the TimThumb script running on your site, upgrade to the latest version. This issue has already been addressed. If, like me, you find some merit in the many discussions about the safety – or lack thereof – of allowing any scripts on your server to access data from third-party sites, then delete the file. Or, follow these steps to remove the vulnerability:

Line 21: Ensure this constant is false:
define ('ALLOW_EXTERNAL', FALSE); // allow external website (override security precaution - not advised!)

Line 27: Remove all domains from this array:
$allowedSites = array();
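As an added defender-side check, not part of the original post and not TimThumb's own code, the following Python script walks a web root the way the cPanel search above does, finds every timthumb.php, and reports whether the two settings just shown are in place (ALLOW_EXTERNAL false and an empty $allowedSites). The directory layout, file names and file contents in build_demo_tree() are constructed sample data; a copy in which the ALLOW_EXTERNAL constant cannot be found at all is reported as not hardened, since the script cannot confirm external fetching is off.

```python
"""Audit a web root for TimThumb copies and report whether ALLOW_EXTERNAL is off
and $allowedSites is empty (the two settings the post tells you to change)."""
import os
import re
import tempfile
from pathlib import Path

# The post says to search for "timthumb"; this is the file name it refers to.
TIMTHUMB_NAMES = {"timthumb.php"}

# Matches e.g. define ('ALLOW_EXTERNAL', FALSE); (case-insensitive on the value).
ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)
# Matches $allowedSites = array( ... ); including multi-line arrays.
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.DOTALL)
QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")


def inspect_timthumb(path):
    """Return the external-fetch settings of one timthumb.php as a dict."""
    src = Path(path).read_text(encoding="utf-8", errors="replace")
    m = ALLOW_EXTERNAL_RE.search(src)
    # None means the constant was not found; that is treated as "not hardened"
    # because the script cannot confirm that external fetching is disabled.
    allow_external = None if m is None else m.group(1).lower() == "true"
    s = ALLOWED_SITES_RE.search(src)
    allowed_sites = QUOTED_RE.findall(s.group(1)) if s else []
    return {
        "path": str(path),
        "allow_external": allow_external,
        "allowed_sites": allowed_sites,
        # Hardened only when both of the post's settings are in place.
        "hardened": allow_external is False and not allowed_sites,
    }


def audit_docroot(root):
    """Walk root and inspect every timthumb.php found; results sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                findings.append(inspect_timthumb(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample web root: one unhardened copy, one hardened copy, and a
    theme file that merely mentions timthumb (which must not be flagged)."""
    root = tempfile.mkdtemp(prefix="timthumb_audit_")
    open_copy = Path(root, "wp-content", "themes", "theme-a", "scripts")
    safe_copy = Path(root, "wp-content", "themes", "theme-b")
    open_copy.mkdir(parents=True)
    safe_copy.mkdir(parents=True)
    (open_copy / "timthumb.php").write_text(
        "<?php\n"
        "define ('ALLOW_EXTERNAL', TRUE); // allow external website\n"
        "$allowedSites = array(\n\t'flickr.com',\n\t'picasa.com',\n);\n")
    (safe_copy / "timthumb.php").write_text(
        "<?php\n"
        "define ('ALLOW_EXTERNAL', FALSE);\n"
        "$allowedSites = array();\n")
    (safe_copy / "functions.php").write_text("<?php // thumbnails via timthumb\n")
    return root


if __name__ == "__main__":
    # Point audit_docroot() at your real document root instead of the demo tree.
    for finding in audit_docroot(build_demo_tree()):
        status = "OK " if finding["hardened"] else "FIX"
        print(status, finding["path"], finding["allow_external"], finding["allowed_sites"])
```

Any copy reported as FIX either still allows external fetches, still whitelists domains, or could not be parsed; those are the ones to delete or reconfigure as described above, then re-run the audit until every copy reads OK.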

What the TimThumb Issue Means for Tripawds Members

Nothing, really. Because we’re on top of things.

If, however, you are a Tripawds Supporter and had activated either of the premium themes, Magazeen or Mystique, you will need to activate a different theme. If you were using either of these themes and you cannot access your blog, again, don’t panic. Point your browser to yourblogname.tripawds.com/wp-admin/themes.php and select another of the more than 135 themes we make available to Tripawds bloggers.



Download WordPress Guide To Easy Blogging


We considered posting this in the Tripawds Downloads blog, but it has much more to do with blogs than with three-legged dogs.

Download Free WordPress Editors Guide

While we provide Tripawds bloggers with helpful WordPress tutorial videos, and do our best to answer any technical questions about blogging in the Tech Support forum, we want to provide more information for those who want it. That’s why we’re making this comprehensive guide detailing How To Publish a WordPress Blog available as a free PDF download.

How to Use WordPress Blog Dashboard

This comprehensive WordPress How To Guide covers everything you need to know about writing posts and pages, customizing your blog layout, moderating comments and much, much more. And did we mention it is absolutely free? This is just another value added service we are able to offer thanks to our WPMU Dev Membership.

New features in WPMU 2.9.1

In his post about how to add commentmeta tables to your WordPress MU database, Donncha said …

…nothing quite like the stress of upgrading and finding that something has broken.

So true. I’m just happy nothing broke during our recent upgrade to WPMU 2.9.1, because apparently the upgrade function can choke when creating all those tables. We have over 160 blogs and all went well, but Admins for large MU sites should take care to run the script Donncha provides before upgrading. Then they should also skip ahead to WordPress 2.9.1.1.1.1.1.1.1.1.1.1.1.1. Supposedly this will be the last release before the big merge.

WordPress MU 2.9.1 New Feature Overview

What does all this mean for Tripawds community members? Just that we are successfully running on WPMU 2.9.1 now, which includes some great new features in addition to various bug fixes.

Video embedding made simple

WordPress 2.9 introduces native video embedding! Now all Tripawds Bloggers can easily insert a video from sharing sites like YouTube, simply by adding the video URL to their post …

See! It’s that simple. Just copy and paste the video page URL onto a new line in your post and the video will be automatically embedded. It is important that the video URL be on a line by itself and that the text is not wrapped in any tags, so don’t style it or link it to the video page itself. Native video embedding supports the following video sharing web sites: YouTube, Vimeo, DailyMotion, blip.tv, Flickr (both videos and images), Viddler, Hulu, Qik, Revision3, Scribd, Photobucket, PollDaddy, Google Video, WordPress.tv.

Viper’s Video Quicktags Enhance Embedded Videos

So what does this mean for Tripawds Supporters who have been using the Viper’s Video Tags plugin? Just that they now have advanced control over how their videos appear if they choose to continue using it. Viper wrote the new native object embed code, so his plugin is completely compatible. Supporter blogs can still embed movies and have additional video sharing sources to choose from. Supporters also have the ability to embed raw Flash video files, and have much more control over how their videos display …

Viper’s Video Quicktags plugin allows embedding from the following video sharing web sites: YouTube, Google Video, DailyMotion, Vimeo, Veoh, Viddler, Metacafe, Blip.tv, Flickr Video, IFILM/Spike, MySpaceTV, Flash Video (FLV).

Viper’s Video Quicktags plugin has been disabled. WordPress now supports auto-embedding of videos.

WordPress MU Blog Dashboard Trash Can

Tripawds Bloggers will also now notice a Trash link when managing posts and comments on their blog. This allows for the removal of items without immediately deleting them. The Trash can (and should) then be emptied periodically to permanently delete the unwanted items. This protects bloggers from inadvertently deleting valid comments or valuable post drafts.

Issues with New WordPress Image Editor

One of the most anticipated feature enhancements has to be the new Image Editor built right into the WordPress Media Library. There have been a number of reports, however, regarding difficulties so we will report back with an update on that. For now, feel free to provide feedback in the forums.

Trimming the Fat

I did it!

<pats self on back>

OK, with that said, I finally found this great SQL query for deleting old WordPress draft revisions.

What this means to Tripawds Bloggers

You may have noticed the Save Draft button in your Tripawds Blog post editor. This will do just that – save a current working draft of your post. Actually doing so, however, is unnecessary considering WordPress has its own auto-save function built right in. But if you are writing an important post and concerned about losing your work, go ahead and save your drafts. I am no longer concerned about database bloat!

Scroll down beneath your post editor after saving a draft and you will notice a section called Post Revisions. Clicking the link there will allow you to review the latest draft you saved, compare it to the most recent auto-save, and restore whichever one you prefer.

Why only one revision, and How?

Anyone familiar with WordPress may wonder why only one revision shows, no matter how many times the post is saved. Those very familiar might be asking how we did that.

Every saved post revision is stored in the WordPress database. Over time, especially in a WordPress MU environment, and particularly with users who tend to frequently save drafts, this can create excessive unnecessary database entries – the bloat I alluded to earlier. By limiting revisions to one draft, we are still allowing members to save important drafts and compare that draft with the current auto-save, while keeping unnecessary entries out of the database. FYI: Every draft manually saved will replace the most recent revision.

How did we do it? We are running the Limit Post Revisions WordPress MU plugin from the wpmudev.org project repository. I know, I know, limiting post revisions will not delete old drafts from the database, and that’s what truly enquiring minds want to know. We’re getting to that.

What use this is for WPMU Site Administrators

Limiting post revisions can also be done with this simple hack to your wp-config file, immediately following the db_collate definition, as in…

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Number of saved revisions; false acts as 0 */
define('WP_POST_REVISIONS', 1);

But I like to avoid editing core files whenever possible, and much prefer to use awesome WPMU plugins. But I digress, back to the task at hand – how to delete all those old revisions in the MySQL database driving your WordPress installation…

Here is the query I used, edited for use with WordPress MU:

DELETE a,b,c
FROM wp_{id}_posts a
LEFT JOIN wp_{id}_term_relationships b ON (a.ID = b.object_id)
LEFT JOIN wp_{id}_postmeta c ON (a.ID = c.post_id)
WHERE a.post_type = 'revision'

Simply replace {id} with the id for the blog on which you want to delete old post revisions. Backup your database first! To be safe, I also exported copies of the affected tables so I could restore them quickly if anything broke. But nothing did, at least not that I can tell, yet. 😉

In our case, I reduced file size of our wp_1_posts export from more than 11 MB to less than 2 MB! Please note, this worked for me. No promises, and good luck!

Many thanks to Andrei for providing this query, and explaining how it will remove related entries from the postmeta and term_relationships (i.e.: tags, categories, etc.) tables. I found many references to the following query for deleting post revisions, but Andrei’s solution gave me the confidence that all unnecessary data would be deleted from the database.

DELETE FROM wp_posts WHERE post_type = "revision";

While we’re at it, for anyone looking to delete all old post revisions from a basic WordPress install, here ya go…

DELETE a,b,c
FROM wp_posts a
LEFT JOIN wp_term_relationships b ON (a.ID = b.object_id)
LEFT JOIN wp_postmeta c ON (a.ID = c.post_id)
WHERE a.post_type = 'revision'
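To show concretely why the three-table query above is preferable to the single-table one, here is an added example (not from the post, and not Andrei's query) that builds a constructed, in-memory SQLite copy of the posts, postmeta and term_relationships tables for one MU blog, previews what the cleanup would remove, runs both variants, and then counts the orphaned rows each leaves behind. SQLite has no MySQL-style multi-table DELETE, so delete_revisions_with_related() is a stand-in that issues three single-table deletes in an order that removes the same rows; on MySQL you would run the post's query as written. The table prefix wp_7_, the row IDs and the meta keys are constructed sample data.

```python
"""Show what the revision-cleanup query removes, and what the single-table
variant leaves behind, on a constructed in-memory SQLite copy of the tables."""
import sqlite3

TABLES = ("posts", "term_relationships", "postmeta")


def build_demo_db(prefix="wp_7_"):
    """Constructed sample data for one MU blog (table prefix wp_{id}_): two
    published posts, three revisions, and postmeta/term rows hanging off both."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_parent INTEGER);
        CREATE TABLE {prefix}postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT);
        CREATE TABLE {prefix}term_relationships (object_id INTEGER, term_taxonomy_id INTEGER);
    """)
    con.executemany(f"INSERT INTO {prefix}posts VALUES (?, ?, ?)", [
        (1, "post", 0), (2, "post", 0),
        (3, "revision", 1), (4, "revision", 1), (5, "revision", 2),
    ])
    con.executemany(f"INSERT INTO {prefix}postmeta VALUES (?, ?, ?)", [
        (10, 1, "_thumbnail_id"), (11, 3, "_edit_lock"), (12, 5, "_edit_lock"),
    ])
    con.executemany(f"INSERT INTO {prefix}term_relationships VALUES (?, ?)", [
        (1, 100), (2, 100), (4, 100),
    ])
    con.commit()
    return con


def row_counts(con, prefix):
    """Row count per table, for before/after comparison."""
    return {t: con.execute(f"SELECT COUNT(*) FROM {prefix}{t}").fetchone()[0]
            for t in TABLES}


def preview_cleanup(con, prefix):
    """Dry run: rows the join-style cleanup would remove from each table.
    Run something like this (and take a backup) before the real DELETE."""
    ids = f"SELECT ID FROM {prefix}posts WHERE post_type = 'revision'"
    return {
        "posts": con.execute(f"SELECT COUNT(*) FROM ({ids})").fetchone()[0],
        "term_relationships": con.execute(
            f"SELECT COUNT(*) FROM {prefix}term_relationships WHERE object_id IN ({ids})"
        ).fetchone()[0],
        "postmeta": con.execute(
            f"SELECT COUNT(*) FROM {prefix}postmeta WHERE post_id IN ({ids})"
        ).fetchone()[0],
    }


def delete_revisions_naive(con, prefix):
    """The widely copied single-table query: removes the revision rows only."""
    with con:
        con.execute(f"DELETE FROM {prefix}posts WHERE post_type = 'revision'")


def delete_revisions_with_related(con, prefix):
    """SQLite stand-in for the post's multi-table DELETE a,b,c ... LEFT JOIN query.
    SQLite has no multi-table DELETE, so the related rows go first (while the
    revision IDs can still be looked up) and the revisions last."""
    ids = f"SELECT ID FROM {prefix}posts WHERE post_type = 'revision'"
    with con:
        con.execute(f"DELETE FROM {prefix}term_relationships WHERE object_id IN ({ids})")
        con.execute(f"DELETE FROM {prefix}postmeta WHERE post_id IN ({ids})")
        con.execute(f"DELETE FROM {prefix}posts WHERE post_type = 'revision'")


def orphaned_rows(con, prefix):
    """Related rows whose post no longer exists: the bloat the naive query leaves."""
    def count(table, col):
        return con.execute(
            f"SELECT COUNT(*) FROM {prefix}{table} r "
            f"LEFT JOIN {prefix}posts p ON p.ID = r.{col} WHERE p.ID IS NULL"
        ).fetchone()[0]
    return {"term_relationships": count("term_relationships", "object_id"),
            "postmeta": count("postmeta", "post_id")}


if __name__ == "__main__":
    for label, cleanup in (("naive", delete_revisions_naive),
                           ("with related rows", delete_revisions_with_related)):
        con = build_demo_db("wp_7_")
        print(label, "would remove:", preview_cleanup(con, "wp_7_"))
        cleanup(con, "wp_7_")
        print(label, "left:", row_counts(con, "wp_7_"), "orphans:", orphaned_rows(con, "wp_7_"))
```

On the sample data the naive query deletes the three revisions but leaves two postmeta rows and one term_relationships row pointing at post IDs that no longer exist, which is exactly the data the join version also clears. The preview_cleanup() counts are the numbers worth writing down next to the backup before running the real query against MySQL.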

Hope this helps someone, as much as it helped me!

WordPress MU Upgrade Complete

We have just completed the maintenance upgrade of all Tripawds Blogs to WordPress MU 2.8.5.2. Thank you for your patience!

This update addresses various administrative bugs and security fixes. If you experience any technical difficulties or unexpected anomalies, please report them in the Tripawds Technical Support discussion forum.

Sometimes it feels like we are always tinkering behind the scenes and upgrading things around here. But after the ordeal we went through making a major version leap earlier this year, it’s the least we can do to keep things operating smoothly around here for all our members. Thank you all for your continued support.

Upgrading core files for the Tripawds Blogs community is always nerve-wracking. But I actually find it easier than upgrading our regular WordPress blog. Perhaps just because between this site and the RVblogz free travel blog community, I just have more practice. But the steps for upgrading WPMU are pretty simple. It’s just the need to follow them exactly, and the potential for data loss if you don’t that greys my hair. As if it isn’t grey enough already! 🙂