I got an email from firstname.lastname@example.org saying:
In an effort to preserve the security of WordPress.org sites, we are requiring all plugins that make use of TimThumb to update to the most recent version by Monday, April 16th.
So I have updated the timthumb version that I am using to patch old version with to the newest version 2.8.10 as a temporary quick fix. I think I will later remove it from distrobution within my plugin but add a way for users to automatically download the latest version directly from the Google Code Repository.
As for "Other similar plugins", well, I really don't like to brag but since you brought them up:
- VaultPress - You posted a link to their article that brags about fixing 712 timthumb files (something you just told me was a "bad idea"). I would guesstimate that my plugin has already patched more old timthumbs than that, given that it has been downloaded over 1,400 times and it fixed over 100 older timthumb files on my servers alone.
- Sucuri - Their inadequate scan did nothing for my own server's infections (it didn't even find most of them). Even though they say "your site for malware using Sucuri SiteCheck right in your WordPress dashboard" they are actually using an outside url (sitecheck.sucuri.net) to perform the scan (maybe you should be picking on them for that ;). And to top it all off, if you click on any of the gazillion links to their site you will find that what they really want is for you to pay them a few hundred dollars to fix you site. It seems to me that they are just using their "Plugin" to promote their services and drive potential customers to their site.
- Brave enough to release my own code, for free, to the word.
- Intelligent enough to write a program that actually works very well for most people who need it
- Tenacious enough to stand firm on my decision to take bold actions against these malicious hacks.
- Creative enough to build a powerful plugin that you don't have to be a programmer to use to remove real "known threats" from your server.
- Honest about my goals, intentions, and methods. Willing to answer any questions anyone may have about my plugin.
I think those are all attributes that you can appreciate :)
Anyway, I will continue to support my plugin as an attempt to "Get it fixed", not just another "foo-foo scan your site and do nothing about it" plugin. As I see it, WordPress is only thriving because of all the plugins that everyone has contributed to make it do anything you need it to do. I think WP could be a little more supportive of someone like me who has something really great to offer the community. I had originally written this plugin for myself but I have spent a lot of time nicing it up for others to use too.
I had wanted to give it away, in the spirit of free software, and in the hopes that people would show their gratitude by making generous donation. I am now feeling like this could become a full time job for me to maintain and support and, although I have received a few donations already, it is not enough to support my family while I devote myself to this project. Perhaps I should charge for such a valuable program but I will keep it free for as long as I can.
I hope you can appreciate what I have here and see how my boldness in offering a "fix" that others have not offered is a good thing.