Don’t panic. Security Breach Averted!
I first learned about the zero-day vulnerability affecting many WordPress themes today on LinkedIn. Plenty has been written about the security flaw found in the timthumb.php script used by many themes that could result in a serious security breach by allowing the upload of malicious scripts to your server. I won’t go into detail, because these fine folks already have:
- Using TimThumb on Your Website? Either Patch It Or Ditch It Right Now
- Timthumb.php Security Vulnerability – Just the Tip of the Iceberg
- Security Tip: Timthumb.php
- Vulnerability Found in timthumb.php
See the above links for plenty of information, opinions, and fixes. I’ll just quickly outline what I did to ensure we remained safe here at Tripawds.
- Log in to cPanel account for domain
- Access File Manager
- Search all files for “timthumb”
- Note location of file(s) if found
- Delete timthumb.php*
- Repeat for any other domains
*Note: Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. I chose to just delete any themes using the script.
If you need the TimThumb script running on your site, upgrade to the latest version, which already addresses this issue. If, like me, you find some merit in the many discussions about the safety – or lack thereof – of allowing any scripts on your server to access data from third-party sites, then delete the file. Or, if you must keep the old file, close off the attack path by disabling remote image fetching with these two edits (both are needed: with ALLOW_EXTERNAL off, TimThumb still fetches from any host listed in $allowedSites):
Line 21: Ensure this constant is false:
define ('ALLOW_EXTERNAL', FALSE); // allow external website (override security precaution - not advised!)
Line 27: Remove all domains from this array:
$allowedSites = array();
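The search-and-check steps above, done from a shell instead of the cPanel File Manager, as an added example that is not code from the original post or from TimThumb itself. It finds TimThumb copies by file contents (so a renamed copy such as thumb.php is caught too) and reports, for each one, whether ALLOW_EXTERNAL is still TRUE, whether $allowedSites still lists hosts, or whether both have been locked down as described above. It assumes the two settings look like the lines quoted above and that the web root is readable; the sample web root it builds is constructed for the demonstration, not real theme files.

```shell
#!/bin/sh
# Added example, not code from the original post or from TimThumb.
# Assumptions: ALLOW_EXTERNAL is set with define() and the allowed hosts live
# in a $allowedSites array, exactly as in the two lines quoted in the post.

# classify_timthumb FILE: prints one of
#   external-allowed  ALLOW_EXTERNAL is TRUE, so any remote host is fetched from
#   sites-listed      ALLOW_EXTERNAL is off but $allowedSites still names hosts
#   locked-down       neither, so the script never fetches from another site
classify_timthumb() {
    f="$1"
    if grep -Eiq "define[[:space:]]*\([[:space:]]*'ALLOW_EXTERNAL'[[:space:]]*,[[:space:]]*TRUE" "$f"; then
        echo "external-allowed"
        return
    fi
    # Join lines so a multi-line "array( ... );" can be inspected as one string,
    # then look for quoted entries between the parentheses.
    sites=$(tr -d '\n' < "$f" | grep -Eo '\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\([^)]*\)' || true)
    if printf '%s' "$sites" | grep -q "['\"]"; then
        echo "sites-listed"
        return
    fi
    echo "locked-down"
}

# audit_timthumb WEBROOT: one line per TimThumb copy, "<path> <verdict>".
# Matches on file contents, not names, so thumb.php and other renames show up.
audit_timthumb() {
    grep -rli --include='*.php' 'timthumb' "$1" 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(classify_timthumb "$f")"
    done
}

# Constructed sample web root (not real theme files): three TimThumb copies in
# the three states, plus an unrelated PHP file that must not be reported.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/a" "$root/themes/b" "$root/themes/c"
    cat > "$root/themes/a/timthumb.php" <<'EOF'
<?php
// TimThumb script (sample) with external fetching switched on
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array();
EOF
    cat > "$root/themes/b/thumb.php" <<'EOF'
<?php
// timthumb under another file name (sample), still trusting listed hosts
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array(
    'flickr.com',
    'picasa.com',
);
EOF
    cat > "$root/themes/c/timthumb.php" <<'EOF'
<?php
// TimThumb script (sample), both settings fixed as described in the post
define ('ALLOW_EXTERNAL', FALSE);
$allowedSites = array();
EOF
    cat > "$root/themes/c/functions.php" <<'EOF'
<?php
// no thumbnail script in here
EOF
    echo "$root"
}

# Usage: sh audit_timthumb.sh /home/account/public_html
# With no argument, audit the constructed sample web root instead.
if [ -n "${1:-}" ]; then
    audit_timthumb "$1"
else
    sample=$(make_sample_webroot)
    audit_timthumb "$sample"
    rm -rf "$sample"
fi
```

Run it against each account's document root (repeat per domain, as in the steps above). Anything reported as external-allowed or sites-listed is a copy you have not yet deleted or fixed; locked-down copies no longer pull images from other sites, which is what the two edits above achieve.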
What the TimThumb Issue Means for Tripawds Members
Nothing, really. Because we’re on top of things.
If, however, you are a Tripawds Supporter and had activated either of the premium themes, Magazeen or Mystique, you will need to activate a different theme. If you were using either of these themes and you cannot access your blog, again, don’t panic. Point your browser to yourblogname.tripawds.com/wp-admin/themes.php and select another of the more than 135 themes we make available to Tripawds bloggers.
UPDATE: I also found at least one theme – “Blogtheme” – that uses the TimThumb script in a file named thumb.php, so searching for that may be beneficial too if you have lots of themes. Searching file names for “thumb” may return far too many results to sift through, since that will match all your image thumbnails; if your tools allow it, searching file contents for “timthumb” instead catches renamed copies without that noise.