Has your WordPress site been hacked recently?
If you’re using WordPress as your favorite open source blogging platform, chances are pretty high you’ve already heard about the recent security flaw found in the TimThumb plugin fow WP. If you haven’t – you should, cause it’s pretty severe. Here is more info on that:
http://www.websitedefender.com/wordpress-security/timthumb-vulnerability-wordpress-plugins-themes/
The security flaw isn’t a core WordPress vulnerability, so you won’t be vulnerable for just using WordPress. However, the bad news is that a pretty big number of themes out there use the TimThumb plugin in order to operate correctly and therefore TimThumb is included in a lot of WordPress plugins and themes, both free and paid. The result is that there is a good chance you might have the vulnerable TimThumb installed and running on your WordPress even if you don’t really know about it or you don’t care.
The flaw itself is rather stupid – the TimThumb plugin allows uploading files from a list of so called “trusted domains”. Among those domains are “flickr.com”, “picasa.com”, “blogger.com”, etc – all of which you might find useful in case you keep your image gallery there and would like to get an image transferred to your blog at a glance. However, the check is flawed because you can bypass it by using a domain like blogger.com.hacker.com. This domain passes the check but belongs to hacker.com, making the script exploitable. Hackers have already been exploiting this vulnerability in the wild and many many bloggers suffered from it already.
In case you are a WordPress user and have TimThumb installed or even worse – you’ve already been hacked, you might wonder what to do to get things resolved? Well, the good news is there’s already a fix for the plugin available here:
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
Along with the good and the bad news in this situation, there’s also a great news for you in case your WordPress is hosted at SiteGround — it should be secured without you doing anything! As always we’ve been trying to take care of our fellow customers without boring them with unnecessary details and overcomplicated technical stuff. After all you’ve entrusted us with your website and its security is our primary goal. So here’s what we did – the day after the exploit went live, which if my memory serves me well, was about a month or so ago – we checked how many people are using the TimThumb plugin. The number was devastating – around 15,000 WP instances had it installed and around 350 of those were already compromised. Obviously upgrading 15,000 WP instances was not an option – it’s a huge number and given the fact there were so many different versions of TimThumb and we needed to ask for customers’ consent prior to upgrading his/her website, it was simply impossible to accomplish. At least not in the short term. So, we decided to find an intelligent and efficient way to deal with the vulnerability before a much larger number of customers were affected. Well, most hosts wouldn’t even bother suggesting a fix as they would define the problem as “beyond the scope of the technical support”, but we try to do it differently and make sure we spare troubles and work to our customers where possible.
And then in just a few hours, one of our System Engineers found the solution, elegant, simple and fast – the TimThumb plugin uses a folder called tmp/cache to store uploaded files. What we did is suspend execution of files from that folder in all WordPress instances. In simple words – if you upload an image – it will work, but if you upload a script (e.g. badass hack script) it won’t. And that magically solved it all with no hassle whatsoever for our customers. We then modified our Apache security module (mod_security) by adding some rules that will prevent execution of the hack, so our customers could be protected by two layers, instead of just one. And then notified the unlucky 350 hacked guys what they should do to get things resolved – namely get rid of the hack and upgrade plugin version. We also offered the service of cleaning the hack and upgrading the plugin to be performed by the Super Heroes @ SiteGround Support Team for the people that felt uncertain how to do it for themselves.
So the answer to the question: “Has your WordPress site been hacked recently?” will disturbingly often be YES in the general case and will most probably be NO if you use SiteGround WordPress hosting.
Tenko
The SiteGround Mastermind
