[resolved] notice from hosting about timthumb file (5 posts)

  1. Bloke
    Member
    Posted 2 years ago #

    I received an email from my hosting company saying they found and corrected exploitable timthumb.php file(s) on my account. The file was located in .../themes/Basic/timthumb.php. It's great they found this and fixed it, but I was curious. Are there any other things like this that I should look out for? I had just updated my WordPress and it didn't include an update to the basic theme. I don't even use it. I also keep my plugins up to date. So how can I prevent something like this?

  2. wpismypuppet
    Member
    Posted 2 years ago #

    Tim Thumb is actually a third party PHP script that many people use (or used) to manipulate photos on the fly without altering the original file. Here is a story about the issue found with Tim Thumb related to WordPress:

    http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

    In any event... there is no real way for you to know about these exploits unless you keep up-to-date on the newest technology. Even then it's a crap shoot. There are a ton of WordPress plugins that scan your install for potential exploits...

    If you are really concerned about your site and possible problems, do a search for "hardening wordpress" in Google. Our company uses a set of plugins to lock down our install and monitor exploits... but again, it's someone else's plugin... that in itself could be an exploit!

    Best of luck!

  3. Bloke
    Member
    Posted 2 years ago #

    I was both surprised and glad they caught it. But in the email they said it's my responsibility to keep all the plugins and files up to date. But the "basic" theme was not in the update.

  4. JarretC
    Member
    Posted 2 years ago #

    The Basic theme wasn't in the last update most likely because it wasn't updated by the theme author. Theme updates are handled by theme authors and not the people who develop WordPress.

    Technically it is your theme author's responsibility to keep the theme up to date and secure and release new versions. Either your theme author has abandoned development on that theme or just doesn't care anymore. In any event, even if you weren't using the Basic theme you have the files stored on your server which gives a possible point for attack.

    Standard practices advise deleting all themes that you are not using in order to help avoid potential issues such as this one.
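
The cleanup described in the post above (unused themes stay on the server and remain a point of attack, so delete them) can be checked with a short audit of the themes directory. This is an added example, not part of the original thread: the function name `audit_themes` and its status labels are made up here, and it assumes a standard `wp-content/themes` layout, that you pass the active theme's directory name yourself, and that bundled copies are named `timthumb.php` or `thumb.php`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list every installed theme, whether it
# is in use, and any bundled thumbnail script found inside it.
#
# Usage: audit_themes /path/to/wp-content/themes ACTIVE_THEME [PARENT_THEME]
#   ACTIVE_THEME / PARENT_THEME are theme directory names supplied by you
#   (assumption: the script does not read the WordPress database).
#
# Output: one tab-separated line per theme: STATUS, theme name, script paths.
#   ACTIVE          theme in use, no bundled script found
#   ACTIVE+SCRIPT   theme in use and bundles the script: update the theme
#   UNUSED          theme not in use: delete it
#   UNUSED+SCRIPT   theme not in use and bundles the script: delete it first
audit_themes() {
    local themes_dir=$1 active=$2 parent=${3:-}
    local dir name status scripts

    for dir in "$themes_dir"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir=${dir%/}                   # drop trailing slash for clean paths
        name=${dir##*/}

        # Assumption: copies are named timthumb.php or thumb.php. Match
        # case-insensitively and at any depth inside the theme directory.
        scripts=$(find "$dir" -type f \
            \( -iname 'timthumb.php' -o -iname 'thumb.php' \) \
            | sort | tr '\n' ',')
        scripts=${scripts%,}

        if [ "$name" = "$active" ] || [ "$name" = "$parent" ]; then
            status=ACTIVE
        else
            status=UNUSED
        fi
        if [ -n "$scripts" ]; then
            status="$status+SCRIPT"
        fi

        printf '%s\t%s\t%s\n' "$status" "$name" "$scripts"
    done
}
```

Every `UNUSED` line is a theme that can be removed outright; an `ACTIVE+SCRIPT` line means the theme in use ships its own copy and depends on its author for updates.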

  5. Bloke
    Member
    Posted 2 years ago #

    You're right, I forgot that I had downloaded that theme. Makes sense to me now.

Topic Closed

This topic has been closed to new replies.
