How to protect your WordPress site as hackers exploit TimThumb security hole

A month ago we told you about a serious security hole in the popular image manipulation script, TimThumb.

Used by hundreds of WordPress themes, this was a particularly far-reaching exploit that opened up many sites to hackers who could gain entry and do pretty much what they wanted.

Thanks (or should that be “praise be”?) to the quick actions of Mark Maunder and the subsequent collaboration between him and TimThumb’s original author Ben Gillbanks, the hole has been patched up and the latest version of TimThumb is much more secure.

However, themes must then be updated with the new version, or patched accordingly. Otherwise hackers looking for this exploit could get in to your site – and guess what? It’s happening.

This week a WPMU DEV member posted on the forum:

Sigh. I forgot to check one of my sites, and wouldn’t you know it? It’s the one that got hacked. I’m running a site that has TimThumb and it’s been hacked.

Bad times :(

In fact, Mark has a very insightful post showing just what hackers are capable of when they exploit this hole. In short, they can do almost anything with your web site.

Protecting yourself

So how do you know you haven’t missed a copy of TimThumb somewhere and shown hackers a wide open door?

Well, since August 14 I’ve received over 1,400 e-mails informing me that hackers were attempting to hack into my site using the TimThumb exploit.

How?

Using the excellent WordPress Firewall plugin. This piece of kit automatically detects attacks and blocks them, sending you an e-mail each time. If the member quoted above had been using the plugin he never would have been hacked!

In one case, I received over 1,000 of these e-mails on the same day! It was only after I blocked the IP address of the attacker (included in the e-mail) that the attacks ceased.

What are you waiting for? Protect yourself now!

Got any other tips for securing WordPress? Let us know in the comments or contact us!

Update: Via WordPress Tavern I’ve learned that a new plugin allows you to scan your WordPress site for the TimThumb vulnerability.
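As an added example (not the scanner plugin's code and not from the original post), here is a Python script that walks a WordPress install, finds every copy of TimThumb, renamed copies included, by the VERSION define the script carries, and flags any copy older than a threshold the administrator supplies. It assumes the stock timthumb.php convention of `define ('VERSION', '...')`; the sample theme files and the "2.8.2" threshold are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# The stock timthumb.php declares its version near the top, e.g.
# define ('VERSION', '2.8.2'); (assumption: the copy keeps that line).
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]\s*\)")


def parse_version(text):
    """Turn '2.8.10' into (2, 8, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_timthumb(source):
    """Heuristic: themes often rename the script (thumb.php, etc.), so
    match on the script's own header text and VERSION define instead of
    relying on the file name."""
    return "timthumb" in source.lower() and VERSION_RE.search(source) is not None


def scan_wordpress_tree(root, min_safe):
    """Return sorted (relative_path, version, ok) for every TimThumb copy
    under root; ok is False when the copy is older than min_safe."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, the rest of the scan still runs
        if not is_timthumb(source):
            continue
        version = VERSION_RE.search(source).group(1)
        ok = parse_version(version) >= parse_version(min_safe)
        findings.append((path.relative_to(root).as_posix(), version, ok))
    return sorted(findings)


def demo():
    # Constructed sample install: two themes bundle TimThumb, one renamed.
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "wp-content/themes/old-theme/scripts").mkdir(parents=True)
        (r / "wp-content/themes/new-theme").mkdir(parents=True)
        (r / "wp-content/themes/old-theme/scripts/thumb.php").write_text(
            "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.32');\n")
        (r / "wp-content/themes/new-theme/timthumb.php").write_text(
            "<?php\n// TimThumb\ndefine ('VERSION', '2.8.2');\n")
        (r / "wp-content/themes/new-theme/functions.php").write_text("<?php\n")
        return scan_wordpress_tree(root, "2.8.2")  # constructed threshold
```

Run `demo()` to see the two copies reported, with the renamed 1.32 copy flagged; point `scan_wordpress_tree` at a real install root to audit it.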

Comments (25)

  1. Hello,

    I just saw that all my websites were hit, most probably by that thing. What can I do? Just came back from holidays and “voila” what a surprise!!

    Jesus Christ! Someone, if they know how to help!
    Nek

  2. If you’re after an easy way to upgrade all copies of timthumb on your site (and make sure you don’t get caught with your pants down), I’ve written a plugin that does it here:

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    I haven't tested it with MU specifically, but I'm almost positive it will work without issue (if it doesn't, leave me a response, and I'll get to fixing it).

    If you’ve already been hit though, you’re going to need to either clean up your site, or hire someone to do so – upgrading your timthumb scripts won’t save you. Not a fun process.

        • I got it. It works fine. Site was hacked and funny things are going on. Any idea the easiest way to block an IP address where the hack came from? I’m pretty certain a location in the Russian Federation is responsible for our hack. Thx!

          • It depends on the level of access you have and the operating system in use. For most *nix varieties you can block an IP in a shell with:
            /sbin/route add -host 1.2.3.4 reject

            If you don’t have shell access you can add the following near the top of the .htaccess file:

            order allow,deny
            allow from all
            deny from 1.2.3.4
