CrazyEngineers
  • Thanks to advances in technology and the simultaneous growth of human knowledge, technology does not seem safe anymore. One of the leading blogging and publishing tools, WordPress, is no exception. The free-to-use publishing tool, which according to #-Link-Snipped-# has 25 million+ users, is just not that immune to hackers. The easily deployable default installation is not vulnerable to attack in its original form. It is only when people want to change the appearance of the site and use any of the 1,417 available themes that the barrier may be breached. Most of them are bundled with an image resizing and cropping tool called timthumb. The way it works gives hackers the ability to execute code on your site. Considering the number of people using the platform, it is indeed a worrying issue.


    The concerning part of how timthumb works is that it allows files to be written to a directory on the site that is accessible to everyone. That is sufficient for hackers to gain control of your site. But fret not, for Mark Maunder, who identified this vulnerability, has suggested a way to fix this security hole.


    His method disables timthumb.php's ability to load images from external sites, but that should not be a drawback since most users use the tool for locally stored pictures only.



    THE STEPS:

    1. SSH into your web server. You can use "putty" if you use Windows, and you'll need to know your username and password.
    2. cd into your WordPress installation directory. That is going to vary according to which host you're using or how you've installed it.
    3. You need to find every copy of timthumb.php on your system. Use the following command: find . -name 'timthumb.php'
    4. It will show you a list of where timthumb.php is located. You may want to repeat this command using 'thumb.php', as some users have reported that's what it's called on their systems.
    5. Edit timthumb.php using a text editor like pico, nano or (if you know what you're doing) vim. You would type, for example: nano directory/that/tim/thumb/is/in/timthumb.php
    6. Go down to line 27, where it starts $allowedSites = array(
    7. Change it to remove all the sites listed, like "#-Link-Snipped-#" and "Find your inspiration. | Flickr". Once you're done, the line should look like this from $allowedSites to the semi-colon:
    8. $allowedSites = array();
    9. Note the empty parentheses.
    10. The next line should be blank and the following line will probably say "STOP MODIFYING HERE".
    11. That's it. Save the file and you're done.
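    To check that steps 3 through 8 have been carried out on every copy, the following audit script (an added example, not part of this post or of Mark Maunder's fix) walks a WordPress root for timthumb.php and thumb.php files and reports which ones still have a populated $allowedSites array. The sample tree it builds under a temporary directory is constructed for the demonstration; the host names in it are placeholders.

```shell
#!/bin/sh
# Added audit helper; not from the CrazyEngineers post or Mark Maunder's fix.
# Reports every timthumb.php / thumb.php under a WordPress root and whether
# its $allowedSites array is still populated (external image loading enabled)
# or already emptied to array() as in step 8.

# allowed_sites FILE: print the entries of $allowedSites as a comma-separated
# list with whitespace and quotes stripped; prints nothing for array().
allowed_sites() {
    tr -d '\n' < "$1" |
    sed -n 's/.*\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*(\([^)]*\)).*/\1/p' |
    tr -d "[:space:]'\"" | sed 's/,$//'
}

# audit_timthumb ROOT: one line per copy, "LOCKED <path>" or "OPEN <path> (<sites>)".
audit_timthumb() {
    find "$1" \( -name 'timthumb.php' -o -name 'thumb.php' \) -print |
    while IFS= read -r f; do
        sites=$(allowed_sites "$f")
        if [ -z "$sites" ]; then
            echo "LOCKED $f"
        else
            echo "OPEN $f ($sites)"
        fi
    done
}

# count_open ROOT: number of copies that still allow external hosts.
count_open() {
    audit_timthumb "$1" | grep -c '^OPEN' || true
}

# demo_tree: constructed sample install with one unpatched copy (theme alpha,
# placeholder hosts) and one already fixed copy (theme beta, named thumb.php).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/alpha/scripts" "$d/wp-content/themes/beta"
    printf '<?php\n$allowedSites = array(\n  "example.com",\n  "img.example.org",\n);\n' \
        > "$d/wp-content/themes/alpha/scripts/timthumb.php"
    printf '<?php\n$allowedSites = array();\n' > "$d/wp-content/themes/beta/thumb.php"
    echo "$d"
}

root=$(demo_tree)
audit_timthumb "$root"
echo "copies still open: $(count_open "$root")"
rm -rf "$root"
```

Run it against a real install with audit_timthumb /path/to/wordpress; any line starting with OPEN is a copy that still needs step 7 applied.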
    Source: #-Link-Snipped-#