Don’t Allow Hackers to Attack and Destroy Your Website


Many small business owners and solo professionals are D.I.Y. enthusiasts, or do it themselves because they haven’t found a business with the products and services (customer) they’re looking for or expect. I tend to fall into the latter. When it comes to web design, I cringe and run screaming from the room when I view web designs. I have no idea what web designers are thinking. I often wonder, “Where did you learn web design? Was graphic design a part of the program? What makes you think the layout looks good? How does a huge photo at the top of a website look good? Do you understand the meaning of white space?” Finding a clean, chic, elegant, optimized and streamlined website is like finding a needle in a haystack; at least it is for me. That is, until I discovered the ‘Foundation’ web design. It had neat, clean lines, looked very professional and seemed easy to customize. Little did I know the web designer used an outdated timthumb.php file (I had no idea what this was) that could potentially open up my website to uninvited guests known as hackers. I was flabbergasted. Luckily, Blue Host (hosting company) is vigilant. They noticed the ‘outdated’ timthumb.php file and patched it. I decided to delete the WP theme and use my former theme. I’m more determined than ever to learn web design.

Here’s the email I received from Blue Host regarding timthumb.php:

Dear customer,

This is a courtesy notice that we have found and corrected exploitable timthumb.php file(s) on your account. While we have corrected these files, we do recommend you ensure all potential exploits are corrected on your account. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.

As the owner of the account, you are responsible for keeping your hosted content free of malicious software. For technical assistance, you can also reach our chat team from Bluehost.com or by going directly to http://www.bluehost.com/chat.

The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser hijacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.

Any timthumb.php file below version 1.35 but above version 1.09 is considered vulnerable unless patched. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.

Additional information regarding the compromise can be found at the following two websites, as well as others; note that the external websites in this email are not affiliated with Bluehost.com in any capacity and are for your reference only.

http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html

How to protect your website from hackers

1. Use WordPress themes and templates from reputable companies. If you download ‘free’ themes, make sure there is no timthumb.php in them, or that the file is up to date.

2. If you hire a web designer ask questions such as, “What is timthumb.php and do I need it? What is the security level of the web coding?” and other questions.

3. Learn about web coding.

4. Use a reputable hosting company such as Blue Host, HostGator, etc.; a vigilant host can catch a known-vulnerable file like the one above and notify you.

5. Always check your website. Test out links. Review your pages and make sure everything looks right. Update plugins, or limit the number you use. FYI: you could always install the WordPress Firewall 2 plugin, which “monitors web requests to identify and stop the most obvious attacks.”
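One way to do the file check in point 1 and the periodic review in point 5 from the command line, as an added example that is not from the post or from Blue Host: a POSIX shell script that finds every copy of timthumb.php under a WordPress install, reads its version, and flags the range the hosting notice calls vulnerable. It assumes the script declares its version as `define ('VERSION', '1.34');`, that copies are sometimes named thumb.php, and that the public_html path is supplied by you.

```shell
#!/bin/sh
# Added example, not from the post or Blue Host: find copies of timthumb.php
# under a WordPress install and flag versions the notice calls vulnerable
# (above 1.09 and below 1.35). Assumes (not stated in the post) that the
# script declares its version as:  define ('VERSION', '1.34');
# and that copies are also commonly named thumb.php.

# Print the VERSION constant of one file, or "unknown" if none is found.
timthumb_version() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1" \
        | head -n 1 | grep . || echo unknown
}

# Classify a version string as vulnerable / ok / unknown, using the range
# from the hosting notice (1.10 .. 1.34 vulnerable; 1.35 and 2.x fixed).
classify_version() {
    v=$1
    case "$v" in *.*) ;; *) echo unknown; return ;; esac
    major=${v%%.*}
    minor=${v#*.}; minor=${minor%%.*}
    case "$major.$minor" in ''|.*|*.|*[!0-9.]*) echo unknown; return ;; esac
    minor=$(printf '%s' "$minor" | sed 's/^0*//'); minor=${minor:-0}   # "09" -> 9
    if [ "$major" -eq 1 ] && [ "$minor" -gt 9 ] && [ "$minor" -lt 35 ]; then
        echo vulnerable
    else
        echo ok
    fi
}

# One report line per file found: "<status> <version> <path>".
scan_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) \
        | while IFS= read -r f; do
            v=$(timthumb_version "$f")
            printf '%s %s %s\n' "$(classify_version "$v")" "$v" "$f"
        done
}

# Print the report; exit 1 when any vulnerable copy exists (cron-friendly).
check_timthumb() {
    report=$(scan_timthumb "$1")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^vulnerable '
}

# Usage: sh check_timthumb.sh /path/to/public_html
if [ -n "${1:-}" ]; then check_timthumb "$1"; fi
```

A copy reported as "unknown" has no recognisable version line and deserves a manual look, since a renamed or patched file is not automatically a safe one.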


5 Comments

  1. Thank you! I learned a lot about the timthumb.php and what I need to be aware of before I download a free WP template or purchase one.

  2. Good stuff! It’s important to know as much as you can about HTML and web coding in general. Sometimes, it’s worth hiring a web designer. This way you, the business owner, won’t have to worry about the coding.

  3. Hey,

    Let me add some further points…

    6.) Keep WP and your plugins up-to-date all the time. 🙂 I’m more techie but that’s something any editor can do too, it’s one click only.

    7.) Password-protect your /wp-admin/ directory via .htaccess (Yeah, I know it’s like Chinese 😛 it’s not nearly as difficult as it sounds, but you need a tech for it).

    8.) Change the “wp_” prefix of your SQL tables (another tech bla-bla..) – this step also takes ~5 minutes for a tech.

    9.) Add security plugins like Exploit Scanner – even if you as an editor do not understand what the exact problem the plugin reports is, from the scans you can see whether ANY problems were found or not.

    So I would suggest you either complete these steps or ask the one who installed the blog to complete them for you.

    Also, if you’ve been hacked, a tech guy should run a general check on your blog – in some cases hackers leave “backdoors” on the hacked sites, so they can hack them again.

    I hope this helps. 🙂

  4. Thanks for the additional points. I never heard of the ‘Exploit Scanner’ plugin — I’ll check it out.
