Categories: Joomla, Security, WordPress

Has your WordPress site been hacked recently?

If you're using WordPress as your favorite open source blogging platform, chances are pretty high you've already heard about the recent security flaw found in the TimThumb plugin for WP. If you haven't, you should, because it's pretty severe. Here is more info on that:

http://www.websitedefender.com/wordpress-security/timthumb-vulnerability-wordpress-plugins-themes/

The security flaw isn't a core WordPress vulnerability, so you won't be vulnerable just for using WordPress. The bad news, however, is that a pretty big number of themes out there need TimThumb in order to operate correctly, so TimThumb is bundled with a lot of WordPress plugins and themes, both free and paid. The result is that there is a good chance you have the vulnerable TimThumb installed and running on your WordPress site even if you don't know about it or don't care.

The flaw itself is rather stupid - TimThumb allows loading files from a list of so-called "trusted domains". Among those domains are "flickr.com", "picasa.com", "blogger.com", etc. - all of which you might find useful in case you keep your image gallery there and would like to get an image transferred to your blog at a glance. However, the check is flawed: it can be bypassed with a domain like blogger.com.hacker.com, which passes the check but actually belongs to hacker.com, making the script exploitable. Hackers have already been exploiting this vulnerability in the wild and many bloggers have already suffered from it.
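To make the flawed check concrete, here is an added example (not TimThumb's own code) that reconstructs, in simplified form, a loose "trusted domain" match of the kind the post describes and places a strict host comparison next to it. The trusted domains are the three named in the post; the function names and sample URLs are assumptions constructed for the example. The loose check accepts both sample URLs, the strict check only the flickr.com one.

```php
<?php
// Added example, not TimThumb's code: a simplified loose "trusted domain"
// check next to a strict one. Trusted domains are the ones the post names.
$trustedSites = ['flickr.com', 'picasa.com', 'blogger.com'];

// Loose check: passes as soon as a trusted name appears anywhere in the URL,
// so a lookalike host such as blogger.com.<other-domain> is accepted.
function isTrustedLoose(string $url, array $trusted): bool
{
    foreach ($trusted as $site) {
        if (stripos($url, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http(s), and accept the host only if it
// IS a trusted domain or is a subdomain of one (".flickr.com" suffix match).
function isTrustedStrict(string $url, array $trusted): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(trim($parts['host'], '.'));
    foreach ($trusted as $site) {
        $suffix = '.' . strtolower($site);
        if ($host === strtolower($site)
            || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: a real-looking image host and a lookalike host.
$samples = [
    'http://farm1.static.flickr.com/1234/photo.jpg',
    'http://blogger.com.attacker.example/not-an-image.php',
];
foreach ($samples as $url) {
    printf("%-55s loose=%s strict=%s\n", $url,
        isTrustedLoose($url, $trustedSites) ? 'yes' : 'no',
        isTrustedStrict($url, $trustedSites) ? 'yes' : 'no');
}
```

A strict host check only narrows where files may come from; not executing anything stored in the cache folder, as the post describes further down, remains the stronger safeguard and does not depend on the allow-list being right.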

If you are a WordPress user and have TimThumb installed, or even worse, have already been hacked, you might wonder what to do to get things resolved. Well, the good news is there's already a fix for the plugin, available here:

http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

Along with the good and the bad news in this situation, there's also great news for you in case your WordPress is hosted at SiteGround - it should be secured without you doing anything! As always, we've been trying to take care of our customers without boring them with unnecessary details and overcomplicated technical stuff. After all, you've entrusted us with your website, and its security is our primary goal. So here's what we did. The day after the exploit went live, which if my memory serves me well was about a month or so ago, we checked how many people are using the TimThumb plugin. The number was devastating - around 15,000 WP instances had it installed and around 350 of those were already compromised. Obviously upgrading 15,000 WP instances was not an option - it's a huge number, and given that there were so many different versions of TimThumb and that we needed to ask for each customer's consent prior to upgrading their website, it was simply impossible to accomplish, at least not in the short term. So we decided to find an intelligent and efficient way to deal with the vulnerability before a much larger number of customers were affected. Most hosts wouldn't even bother suggesting a fix, as they would define the problem as "beyond the scope of technical support", but we try to do things differently and make sure we spare our customers trouble and work where possible.

And then, in just a few hours, one of our System Engineers found the solution - elegant, simple and fast. TimThumb uses a folder called tmp/cache to store uploaded files. What we did is suspend execution of files from that folder in all WordPress instances. In simple words: if you upload an image, it will work, but if you upload a script (e.g. a badass hack script), it won't. And that solved it all with no hassle whatsoever for our customers. We then modified our Apache security module (mod_security) by adding some rules that prevent execution of the hack, so our customers are protected by two layers instead of just one. We then notified the unlucky 350 hacked customers what they should do to get things resolved - namely, get rid of the hack and upgrade the plugin version. We also offered to have the cleaning of the hack and the plugin upgrade performed by the Super Heroes @ SiteGround Support Team for the people who felt uncertain how to do it themselves.
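As an added example of the "no execution from the cache folder" idea (this is not SiteGround's actual configuration, and the post does not publish its mod_security rules), here is an .htaccess fragment for TimThumb's tmp/cache directory. It assumes Apache with AllowOverride permitting these directives; images keep being served, while anything script-like is neither run nor delivered.

```apache
# Added example, not SiteGround's own rules: drop this .htaccess into
# TimThumb's cache directory (tmp/cache in the post). Assumes AllowOverride
# allows Options/FileInfo/Limit directives here.

# Switch the PHP engine off for this directory. Only mod_php honours this;
# PHP-FPM, CGI and suPHP setups ignore it, hence the blocks below.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Refuse to serve anything that looks like a script. The pattern is not
# anchored to the end of the name, so "something.php.jpg" is blocked too.
# "Require all denied" is Apache 2.4 syntax; on 2.2 use "Deny from all".
<FilesMatch "\.(php|phtml|php[0-9]|phps|pl|py|cgi|sh)">
    Require all denied
</FilesMatch>

# Belt and braces: remove extension-based handlers/types so that even a
# misconfiguration elsewhere does not map these extensions back to PHP.
RemoveHandler .php .phtml .php5
RemoveType .php .phtml .php5
```

Note that a handler set with SetHandler in the server configuration (common for PHP-FPM) is not undone by RemoveHandler; in that case the FilesMatch denial is the line that actually protects the directory, so verify with a harmless text file named test.php that Apache returns 403 for it.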

So the answer to the question: "Has your WordPress site been hacked recently?" will disturbingly often be YES in the general case and will most probably be NO if you use SiteGround WordPress hosting.

Tenko
The SiteGround Mastermind

Tenko: For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

Comments

  • On the eve of Halloween,
    Take the leap and be seen,
    Make Siteground your host of choice,
    Doing so will make them rejoice.

  • As always, thanks for keeping our sites safe, Siteground! And Happy Halloween :)

  • As a developer for a decent volume of WordPress sites, I always try to research vulnerability of a plugin before installing it for my clients. Of course that won't always work as sometimes vulnerabilities aren't always instantly discovered - so I also always back up my clients' database once every two weeks.

    Then again sometimes clients update the plugins without letting me know and get themselves into vulnerable plugins that way - so now I just mostly assign clients user roles that cannot install/update plugins. Of course that means that I'd have to update all their plugins but it's better than knowing that they could get hacked from vulnerable plugins..:)

  • Hi,

    My food blog has been getting spammed for ages. It was becoming laborious to delete the entries especially from my email account which would send me a notification every time a new one was made. They have slowed down of late which was good. However I did not realise that my site was being used to somehow send out spam to other sites too?

    My site has been temp suspended by SiteGround. I have replied to a ticket regarding this problem. Also I think due to some update my ip address has changed and I have been asked to make appropriate changes via my Control Panel for the site however I cannot access this as I don't know how to as my site is down.

    Can anyone help me get my site back up and running and also how to combat the spam in future?

    Thanks