Many small business owners and solo professionals are D.I.Y. enthusiasts or do it themselves because they haven’t found a business with the products and services they’re looking for or expect as customers. I tend to fall into the latter. When it comes to web design, I cringe and run screaming from the room when I view web designs. I have no idea what web designers are thinking. I often wonder, “Where did you learn web design? Was graphic design a part of the program? What makes you think the layout looks good? How does a huge photo at the top of a website look good? Do you understand the meaning of white space?” Finding a clean, chic, elegant, optimized and streamlined website is like finding a needle in a haystack; at least it is for me. That is, until I discovered the ‘Foundation’ web design. It had neat, clean lines, looked very professional and seemed easy to customize. Little did I know the web designer used an outdated timthumb.php file (I had no idea what this was) that could potentially open up my website to uninvited guests known as hackers. I was flabbergasted. Luckily, Blue Host (my hosting company) is vigilant. They noticed the ‘outdated’ timthumb.php file and patched it. I decided to delete the WP theme and go back to my former theme. I’m more determined than ever to learn web design.
Here’s the email I received from Blue Host regarding timthumb.php:
This is a courtesy notice that we have found and corrected exploitable timthumb.php file(s) on your account. While we have corrected these files, we do recommend you ensure all potential exploits are corrected on your account. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.
As the owner of the account, you are responsible for keeping your hosted content free of malicious software. For technical assistance, you can also reach our chat team from Bluehost.com or by going directly to http://www.bluehost.com/chat.
The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser hijacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.
Any timthumb.php file below version 1.35 but above version 1.09 is considered vulnerable unless patched. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.
Additional information regarding the compromise can be found at the following two websites, as well as others; note that all external websites in this email are not affiliated with Bluehost.com in any capacity, and are for your reference only.
How to protect your website from hackers
1. Use WordPress themes and templates from reputable companies. If you download ‘free’ themes, make sure there is no timthumb.php file, or that the file is up to date.
2. If you hire a web designer ask questions such as, “What is timthumb.php and do I need it? What is the security level of the web coding?” and other questions.
3. Learn about web coding.
4. Use a reputable hosting company such as Blue Host, HostGator, etc. to ensure your website is secure.
5. Always check your website. Test out links. Review your pages and make sure everything looks all right. Update plugins, or limit the number you use. FYI: You could always install the WordPress Firewall 2 plugin, which “monitors web requests to identify and stop the most obvious attacks.”
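Tip 1 says to check whether a theme ships timthumb.php and whether it is up to date, and the hosting notice gives the vulnerable range (above 1.09, below 1.35) and the recommended version (2.0). The script below is an added example, not code from the hosting company or the TimThumb project; it walks a WordPress tree, finds every file named timthumb.php and classifies its declared version against that window. It assumes the script declares its version with a define('VERSION', '...') line, and it will not catch a renamed copy of the script.

```python
import re
import tempfile
from pathlib import Path

# Version window from the hosting notice: above 1.09 and below 1.35 is
# vulnerable; 2.0 is the recommended version. Versions compare as int tuples.
VULN_LOW, VULN_HIGH, RECOMMENDED = (1, 9), (1, 35), (2, 0)
# Assumption: the script declares its version as define('VERSION', '1.xx');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]\s*\)""")

def parse_version(text):
    """Turn '1.09' into (1, 9) and '2.8.14' into (2, 8, 14) so they order correctly."""
    return tuple(int(part) for part in text.split("."))

def read_version(path):
    """Return the declared version tuple, or None when no define() is present."""
    match = VERSION_RE.search(path.read_text(errors="replace"))
    return parse_version(match.group(1)) if match else None

def classify(version):
    """Map a version to a status using the window quoted in the notice."""
    if version is None:
        return "unknown"  # no version to trust: treat as suspect, not as safe
    if VULN_LOW < version < VULN_HIGH:
        return "vulnerable"
    return "below-recommended" if version < RECOMMENDED else "ok"

def scan_tree(root):
    """Find every timthumb.php under root (renamed copies are not caught)."""
    findings = []
    for path in Path(root).rglob("*.php"):
        if path.name.lower() == "timthumb.php":
            version = read_version(path)
            findings.append((path.relative_to(root).as_posix(), version, classify(version)))
    return sorted(findings)

def demo():
    """Scan a constructed WordPress-like tree (sample data, not a real site)."""
    samples = {
        "wp-content/themes/foundation/timthumb.php": "<?php\ndefine ('VERSION', '1.25');\n",
        "wp-content/plugins/gallery/timthumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
        "wp-content/themes/old/timthumb.php": "<?php\n// version line missing\n",
        "wp-content/themes/old/functions.php": "<?php\ndefine ('VERSION', '1.20');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        return {name: status for name, _, status in scan_tree(tmp)}
```

Run scan_tree() against the document root of a real install; a file reported as "unknown" deserves a manual look rather than being assumed safe.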
- Zero-day bug found in WordPress image utility (theinformativereport.com)
- Security Alert: WordPress Timthumb Hacker on the Prowl (journalxtra.com)
- How to protect your WordPress site as hackers exploit TimThumb security hole (pressography.com)
- Vulnerability Found in timthumb.php (vaultpress.com)
- TimThumb Zero Day Vulnerability Affects Hundreds of WordPress Themes (pressography.com)