Mass attacks that exploit a known vulnerability in the WordPress publishing platform have continued to bear fruit for hackers, with thousands of websites claimed in the past few weeks, a researcher said. The security bug, in a widely used image resizing utility known as TimThumb, allows attackers to seize control of WordPress …
Wipe and Load
I haven't used WordPress that much, but if I'm not mistaken it is possible to do a WordPress backup (posts, comments, etc.), bomb the WordPress directory, reinstall WordPress, theme and plugins, and restore from backup. Seems like this would be safer than manually looking through files in an attempt to discover malicious code etc. It doesn't take that long to reinstall everything.
Perhaps I'm missing something though; if anyone knows any better I'd be interested in hearing.
WordPress has an excellent system for in-place updates (way better than Drupal, for example). It highlights any out-of-date add-ons such as TimThumb, and a couple of clicks will automatically download and install the update directly to the site.
If people haven't upgraded then they probably aren't keeping a close eye on their site. The upside is that nobody is visiting them much either.
TimThumb is not a WordPress plugin.
It is more commonly a part of themes and other WordPress plugins, so you won't know that your TimThumb is out of date. You have to trust that the WordPress plugin creators provide an updated version.
Unfortunately, many of the plugins and themes using TimThumb are commercially paid editions which are not managed directly by WordPress' own plugin database; you download and install them semi-manually or fully manually.
Also, these plugins and themes rarely publish which TimThumb version they use, they don't publish security advisories or notes regarding their products, and and and.
Nevermind that the entire concept of TimThumb is b0rken, technically speaking. :)
Generally, allowing pluggable PHP code is a Bad Thing security wise.
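Since themes and plugins bundle their own TimThumb copies and rarely say which version they ship, the practical first step is to inventory what the site is actually carrying. The script below is an added example, not code from this thread, TimThumb or WordPress; it assumes TimThumb declares its version with a `define ('VERSION', '...')` line, and the sample wp-content tree and version strings it builds are constructed for demonstration.

```shell
#!/bin/sh
# Inventory every TimThumb copy bundled inside themes and plugins and report
# the version each one declares. The sample tree built below is constructed
# for demonstration; point find_timthumb at a real wp-content directory to use it.

# Print "path<TAB>version" for every PHP file under $1 that mentions TimThumb
# and declares its version with: define ('VERSION', 'x.y.z');
find_timthumb() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        grep -qi 'timthumb' "$f" || continue
        v=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\t%s\n' "$f" "$v"
        fi
    done
}

# Number of distinct TimThumb versions found. More than one means the bundled
# copies have drifted apart and each theme/plugin needs updating separately.
count_timthumb_versions() {
    find_timthumb "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Constructed wp-content tree: two bundled copies with different version
# strings (one renamed thumb.php, as themes often do), a functions.php that
# only references TimThumb, and an unrelated plugin file.
make_sample_tree() {
    d=$1
    mkdir -p "$d/themes/shop/lib" "$d/plugins/gallery" "$d/plugins/other"
    printf "<?php\n// TimThumb script\ndefine ('VERSION', '1.33');\n" > "$d/themes/shop/lib/thumb.php"
    printf "<?php\n/* TimThumb */\ndefine ('VERSION', '2.8.14');\n" > "$d/plugins/gallery/timthumb.php"
    printf "<?php\n\$img = get_template_directory_uri() . '/lib/thumb.php'; // timthumb\n" > "$d/themes/shop/functions.php"
    printf "<?php\necho 'hello';\n" > "$d/plugins/other/other.php"
}

# Stand-alone demonstration on the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
find_timthumb "$tmp"
rm -rf "$tmp"
```

Run it against `wp-content` on the live site and compare each reported version with the current TimThumb release; a copy that only references TimThumb without defining VERSION (like the functions.php above) is deliberately skipped.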
One-click installer scripts used in many popular website control panels such as cPanel, Plesk and lots of others will only make this issue worse; most users will expect it to update everything. The problem is that issues with other scripts are not as widely reported.
The problem with one press installs
...is that the hosting companies generally have old versions of WordPress. I helped a guy recently; his hosting package meant he couldn't do a "normal" WP install as he didn't have rights to create databases, and had to use their installer. If I hadn't told him he absolutely had to update immediately, he probably wouldn't have.
I've said it before, computers becoming seemingly easier to use is not necessarily such a good thing. Now everyone is using them.