
Warning for WordPress users - timthumb.php

Discussion in 'Blogging' started by swaggerer, Aug 23, 2011.

  1. swaggerer
    #1
    Hey guys,
    Tons of blogs are being hacked due to outdated themes using very old versions of the timthumb script. Generally this is installed in themes, though many plugins use it as well.

    I urge all users of WordPress to search their theme files and, if found, update timthumb.php.
    http://code.google.com/p/timthumb/
    This is the official URL of the timthumb script.

    More WP Info:
    It's always a good idea to backup your websites at least once a week.
    Always delete unused themes and plugins. You never know what may be a security risk.
    Keep all your WP, plugin, and theme software up to date!
    And never use admin as your username... I mean come on.


    Hope this post helps a few of you.
     
    swaggerer, Aug 23, 2011 IP
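A script that carries out the search swaggerer recommends, added here as an example; it is not part of the original post or of the TimThumb project. It rests on my own assumptions, not on anything the thread states: that each TimThumb release carries a line of the form define ('VERSION', '2.8.14'); near the top of the file, that plugins may ship the script under another file name (thumb.php and the like), so it matches on file contents rather than only on the name timthumb.php, and that the version to compare against is whatever the copy you download from the official URL above declares. The sample tree built by the demo function is constructed for illustration.

```shell
#!/bin/sh
# Added example (not the thread's or TimThumb's own code): find every copy
# of TimThumb under a WordPress tree and flag the ones older than a
# reference version taken from a freshly downloaded official copy.
#
# Assumptions (mine, not the original post's):
#  - every TimThumb release declares its version as  define ('VERSION', 'x.y.z');
#  - plugins may ship the script under another file name, so we grep contents
#  - the "current" version is whatever the official download declares

# Print the version string embedded in a PHP file; return 1 if the file
# does not mention TimThumb at all.
timthumb_version() {
    grep -q -i 'timthumb' "$1" 2>/dev/null || return 1
    sed -n "s/.*define *( *'VERSION' *, *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# version_lt A B: succeed (status 0) when A is strictly older than B.
# Dotted components are compared numerically, so 2.9 < 2.10; missing
# components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# audit_timthumb ROOT CURRENT: walk ROOT and print one line per TimThumb
# copy found:  <path> <version> OUTDATED|current
# Usage: audit_timthumb /var/www/wordpress/wp-content 2.8.14
audit_timthumb() {
    root=$1
    current=$2
    find "$root" -type f -name '*.php' | while read -r f; do
        v=$(timthumb_version "$f") || continue   # not TimThumb: skip
        [ -n "$v" ] || continue                  # mentions it, no version line: skip
        if version_lt "$v" "$current"; then
            printf '%s %s OUTDATED\n' "$f" "$v"
        else
            printf '%s %s current\n' "$f" "$v"
        fi
    done
}

# Demo on a constructed tree: a stale theme copy, a plugin copy shipped
# under another name, and an unrelated PHP file that must not be listed.
demo_timthumb_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/themes/oldtheme" "$tmp/plugins/gallery/lib"
    printf '%s\n' '<?php' '/* TimThumb image resizer (constructed sample) */' \
        "define ('VERSION', '1.33');" > "$tmp/themes/oldtheme/timthumb.php"
    printf '%s\n' '<?php' '// TimThumb, renamed by a plugin (constructed sample)' \
        "define ('VERSION', '2.8.14');" > "$tmp/plugins/gallery/lib/thumb.php"
    printf '%s\n' '<?php echo "not timthumb";' > "$tmp/themes/oldtheme/functions.php"
    audit_timthumb "$tmp" 2.8.14
    rm -rf "$tmp"
}

# Run against a real tree when given ROOT and CURRENT, else show the demo.
if [ $# -ge 2 ]; then
    audit_timthumb "$1" "$2"
else
    demo_timthumb_audit
fi
```

Run it as `sh audit.sh /path/to/wp-content 2.8.14` after reading the version out of the copy you fetched from the official page; every line marked OUTDATED is a file to overwrite with that fresh copy. Matching on contents rather than on the name timthumb.php is what catches the plugin copies the post mentions, which are often renamed.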
  2. siocowiz
    #2
    What do you mean by hacked? You mean they gain access to the files?
     
    siocowiz, Aug 25, 2011 IP
  3. shahilroyhere
    #3
    Thanks man for sharing this. Yes it's true. There are also plugins available now to check your timthumb.php for vulnerability issues. So always keep this file updated.
     
    shahilroyhere, Sep 7, 2011 IP
  4. khanter
    #4
    Why the warning about the username? I use the old default wp theme. I keep up to date as best I can. But I am getting zapped and am getting the feeling that my vulnerability has a lot to do with the hosting zoom servers I am using. Possible or paranoid?
     
    khanter, Sep 9, 2011 IP
  5. powermind
    #5
    Thanks for the heads up!
    It's always wise to remove plugins which are not updated regularly.
     
    powermind, Sep 9, 2011 IP
  6. khanter
    #6
    Even if they are not activated?

    It would be extremely useful to have a resource explaining how they do it, exposing the vulnerabilities and, more importantly, the fixes one has to implement. Knowledge is power, and if you shine a little light into those dark corners the big wide world is not so scary any longer.
     
    khanter, Sep 10, 2011 IP
  7. swaggerer
    #7
    That would be nearly impossible, because not every plugin is going to have the same vulnerabilities as the next.

    "why the warning about the username"
    Because "admin" is the default username that WP creates. It's the first username any hacker would attempt to use to gain access to your blog if they so desired and attempted to do so. Making it something other than "admin" will at least throw them off.
     
    swaggerer, Oct 5, 2011 IP
  8. khanter
    #8
    Accepted but if we knew more about the nasties, how they get around and why they get around, it would make dealing with the fall out a lot easier. Getting hacked for the first time is a depressing and isolating experience.
     
    khanter, Oct 5, 2011 IP
  9. masterrio
    #9
    The last time I heard about this add-on, the plugin had been updated to the latest version and all those using the old timthumb version needed to upgrade to the latest version because of security issues. Has anything changed again in the last few weeks?
     
    masterrio, Oct 5, 2011 IP
  10. swaggerer
    #10
    I agree, it would be great to have a resource like that, but usually it's up to the individual theme and plugin makers to do this. That's why, when I can, I only use those that are still being developed by their authors. Many themes/plugins get abandoned after some time, and while they may still technically work in WP, it leaves them open to a wide array of vulnerabilities.

    I started this thread over a month ago during the height of the timthumb issue. Not everyone knows that themes using it most likely weren't going to release an update, at least free themes. I've updated it manually on many themes I use and it still works like normal, at least with what I've been using it for.
     
    swaggerer, Oct 10, 2011 IP