Warning to WordPress Bloggers about TimThumb plug-in
Last week, I was at an Akamai security demo. One of the topics of conversation was around IT security vulnerabilities found on government websites that employ Word Press for blogs.Over the last several years, my IT security chief has talked a bunch about the many vulnerabilities WP can have if the blog owner isn’t careful with how its configured and the plug-ins they use.
My organization doesn’t use WP for its blogs, but I do. So I asked Akamai what were the big security concerns they had, and the BIG one they mentioned was TimThumb plug-in. I wasn’t familiar with it because I’m not using it. It’s an open source image thumbnail generator. They say that although there’s been a fix for the plug-in, what they find is that most folks aren’t updating their plug-ins, which allows this plug-in vulnerability to be pervasive. Are you using it?
The recent Timthumb.php vulnerability has left scores of unsuspecting bloggers hacked. It’s the perfect combination of not so easy to fix for the technically disinclined, and easy to find and exploit for the malicious – resulting in a disastrous number of compromised sites.
If you are using this plugin, please be sure to keep the plug-in up to date AND consider installing the TimThumb Vulnerability Scanner. This plugin scans your wp-content directory for vulnerable instances of timthumb.php, and optionally upgrades them to a safe version.
As of Thursday (4/17/14) Akamai still considers this un-updated plug-in a threat, so if you’re using it you might want to consider using another plug-in tool. Because I don’t use this plug-in, I haven’t researched the alternatives – but its important that your blog doesn’t get hacked. Keep WordPress sites and its plug-ins updated and you should be in better shape.