Today, 8/26/2011 my hosting service sent me chilling notification that my WordPress blog was vulnerable to attacks via timthumb.php files.
“This is a courtesy notice that we have found exploitable timthumb.php file(s) on your account.”
“The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a ‘Malicious Website’ by Google or other security authorities.”
Fortunately, I’m a BlueHost customer and (full disclosure) an affiliate advertiser. I called BlueHost. This post is an enthusiastic recommendation for their excellent service.
The fix was painless. I learned that it was likely that my site had been compromised, which was why they sent the notice. Also learned that deleting plugins would not solve the problem if backdoors had been constructed in wp-includes files. There’s a potential quip here about closing the barn door after the backdoor has been installed, but will leave that as an exercise for the reader.
Bottom line: The BlueHost service representative asked me if I could delete a particular plugin, then replaced my wp-includes files and told me I could stop worrying.
The TimThumb vulnerability is serious and Google has blocked hacked sites according to this alarming article by WordPress guru Mark Maunder who originally discovered the TimThum threat. Maunder offers other articles on how the vulnerability is being addressed. Here’s another chilling article from .
The take-home news from Mark Maunder, “To prevent your site being listed as malware, clean it as fast as possible.”
For me, a non-coder, the technical cleaning solutions were like telling a caveman to build a 747. Thank goodness that the team at BlueHost had my back and helped me clean my site of the TimThumb threat in a few minutes.