How to Protect Your WordPress Site as Hackers Exploit TimThumb Security Hole


A month ago we told you about a serious security hole in the popular image manipulation script TimThumb.

Used by hundreds of WordPress themes, this was a particularly far-reaching exploit that opened up many sites to hackers, who could gain entry and do pretty much what they wanted.

Thanks (or should that be “praise be”?) to the quick actions of Mark Maunder and the subsequent collaboration between him and TimThumb’s original author Ben Gillbanks, the hole has been patched up and the latest version of TimThumb is much more secure.

However, themes must then be updated with the new version, or patched accordingly. Otherwise hackers looking for this exploit could get into your site – and guess what? It’s happening.

This week a WPMU DEV member posted on the forum:

Sigh. I forgot to check one of my sites, and wouldn’t you know it? It’s the one that got hacked. I’m running a site that has TimThumb and it’s been hacked.

Bad times :(

In fact, Mark has a very insightful post showing just what hackers are capable of when they exploit this hole. In short, they can do almost anything with your web site.

Protecting yourself

So how do you know you haven’t missed a copy of TimThumb somewhere and shown hackers a wide open door?

Well, since August 14 I’ve received over 1,400 e-mails informing me that hackers were attempting to hack into my site using the TimThumb exploit.

How do I know? Those e-mails come from the excellent WordPress Firewall plugin. This piece of kit automatically detects attacks and blocks them, sending you an e-mail each time. If the guy quoted above had been using the plugin, he never would have been hacked!

In one case I received over 1,000 of these e-mails in a single day! It was only after I blocked the IP address of the attacker (included in the e-mail) that the attacks ceased.

What are you waiting for? Protect yourself now!

Got any other tips for securing WordPress? Let us know in the comments or contact us!

Update: Via WordPress Tavern I’ve learned that a new plugin allows you to scan your WordPress site for the TimThumb vulnerability.
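As an added example (not code from the original post, from TimThumb, or from either plugin mentioned above), here is a small shell scanner that answers the question asked under “Protecting yourself”: it lists every copy of TimThumb under a WordPress install, matching on file content rather than filename since themes often rename the script, and reports the version string each copy declares. It assumes copies carry TimThumb’s `define ('VERSION', '...')` line; the sample tree and version numbers it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example: find every copy of TimThumb under a WordPress install.
# Not code from the original post, TimThumb, or the WordPress Firewall plugin.
# Assumption: copies carry TimThumb's version line, e.g.  define ('VERSION', '1.xx');

# Print "<path><TAB><version>" for each PHP file that looks like TimThumb.
# Matches on content, not filename: themes often rename the script (thumb.php etc.).
find_timthumb_copies() {
  grep -rlI --include='*.php' "define *( *'VERSION'" "$1" 2>/dev/null |
  while IFS= read -r file; do
    # Skip files that define VERSION but have nothing to do with TimThumb.
    grep -qi 'timthumb' "$file" || continue
    version=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$file" | head -n 1)
    printf '%s\t%s\n' "$file" "${version:-unknown}"
  done
}

# Number of copies found, for use from a cron job or deployment check.
count_timthumb_copies() {
  find_timthumb_copies "$1" | wc -l | tr -d ' '
}

# Build a constructed WordPress-like tree to scan (every file below is made up).
make_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/themes/alpha" "$demo/wp-content/themes/beta/scripts"
  cat > "$demo/wp-content/themes/alpha/timthumb.php" <<'EOF'
<?php
/* TimThumb script (constructed sample) */
define ('VERSION', '1.00');
EOF
  # A renamed copy, which a filename-only search would miss.
  cat > "$demo/wp-content/themes/beta/scripts/thumb.php" <<'EOF'
<?php
// TimThumb (constructed sample)
define('VERSION','1.10');
EOF
  # A decoy that mentions TimThumb but is not a copy of it.
  cat > "$demo/wp-content/themes/beta/functions.php" <<'EOF'
<?php
// uses scripts/thumb.php (TimThumb) for thumbnails
EOF
  printf '%s\n' "$demo"
}

DEMO_ROOT=$(make_demo_tree)
find_timthumb_copies "$DEMO_ROOT"
echo "copies found: $(count_timthumb_copies "$DEMO_ROOT")"
```

Point `find_timthumb_copies` at your real WordPress root and compare each reported version against the current TimThumb release; any copy you did not know about is the one a filename search would have missed.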