Plugin Review: Timthumb Vulnerability Scanner

Well, if you are an active WordPress user (or designer, or developer), you are likely aware of the Timthumb vulnerability that has recently been wreaking havoc on WordPress blog owners.  (If you’re not aware, then read on, as you are actually far more likely to be effected than someone who has been paying attention to WordPress security.) 

This vulnerability is one of the base64 encoded hacks (similar to one that was going around a couple years ago).  Here is some information on the attack

So, have you been hacked by the TimThumb exploit?  Are you vulnerable?  Now there is a quick and easy plugin to scan for this vulnerability.

The TimThumb Scanner is a plugin that is quick to install, quick to scan, and will tell you if you are vulnerable to attack via the exploit.

Install via Add New in your WordPress Plugin Admin Panel.  Search for “TimThumb” and it is currently the first result in the list.  Select Install Now to download and install the plugin.

Once installed, using the plugin is easy.  Go to the Tools menu and select Timthumb Sanner in the submenu.  Once there, click the “Scan” button.  It’s pretty simple – which in this case is a good thing.  It does one thing, and apparently does it well.  There are more details on the plugin page listed below.

The one downside that it only scans for a vulnerability.  It does not fix it for you.  But Peter Butler has provided some insight into how to clean up your site should you find that your site has been compromised.

Authors: Peter Butler, Jacob Gillespie

Plugin Page

Where to get it: WordPress.org Plugin Repository

 

 

 

 

 

 

 

 

  • http://www.quincyyachtclub.net Christopher Fox

    Hi Chad,

    I have had great success using WP Members except one problem I have a side bar with navigational links so a member can move around the private section. But when they log out the left nav is still showing . Is there a way to “Block” that content too?

    Thanks,

    Chris

    • http://butlerblog.com Chad

      probably the cleanest way would be to create a second widget area in your template that displays when is_user_logged_in() is true.

      Alternatively, if your sidebar has shortcodes enabled, you could create a text widget and put navigation links inside the [wp-members status="in"]protected content here…[/wp-members] shortcode. The downside is that doing it that way you would need to manually create/update your navigation links.