Warning to folks using Wordpress!

I'm not sure everyone's heard, but I thought I'd let folks using WordPress know to check to make sure their installations don't use a PHP script called timthumb in any of their themes or plug-ins, as it's a major security hole.


I just had to basically wipe out the installation of several blogs and start from scratch to clean out this threat (as it had already been exploited on two to three of my installations). I'd love to save anyone else the headaches of that.


Just a heads-up!


I appreciate the warning! I'll go through my WordPress stuff now to see if it contains any of the scripts.


...actually, is there an easy way to do this? Because I have *zero* clue as to how php works or how to check for a script like this.


Honestly, I went with the nuclear method. I'm running a few plug-ins now that were confirmed safe and I'm only running the twenty-ten or twenty-eleven themes (which I'm working on modifying to suit me).


I'm going to cross my fingers and hope I can find an alternative solution, because going nuclear on all my WordPress stuff sounds like more work than I can generate the necessary momentum for!


There are several plugins that will scan your php files for dodgy stuff. Also this might help... http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/


Yeah, that blog is actually how I figured out what was going on with my installation and how I'd been infected. Not everything's on that list, though. I ended up having to google a list of infected plug-ins and themes (on the initial list I checked, my original theme wasn't on it, but then I checked another and lo and behold, there it was).


I know for sure if you've got any kind of mobile detector plug-in, that's going to be affected.


Good lord, I didn't even know any of this was possible. I'm using Drupal, but a possibility to keep in mind.




Chris is right, Drupal is just as vulnerable. It has two rather nice features though:


1. Drupal has a dedicated security team mailing list that reports on security flaws found in both plugins and in the site itself, and issues warnings about how to deal with the detected threat. If upgrading to a later version of the plugin fixes the problem, they report which version.


2. Drupal's internal release management system will report when new versions of Drupal and plugins are available and whether or not those releases are security updates.


WordPress didn't do that back when I was using it... that said, it's been a while. It may do it now.


I found another page that also explains how to get rid of it. I'm running Atahualpa on my blogs, so it's not in my theme, thank goodness! But I still don't know about my plugins. It sounds like a manual check is the best way to do it.


Here's the link.


http://digitalchoke.com/digitalchokeblog/?p=415
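Since several posts above ask how to do the "manual check" for timthumb without knowing PHP, here is an added example (not code from the thread or from any of the linked pages): a small POSIX shell script that walks a wp-content directory and reports every PHP file that looks like a TimThumb copy, together with the version it declares, so each hit can be compared against the advisory. It fingerprints file content rather than file name, because themes and plug-ins often shipped the script renamed. The function names, the content fingerprint (TimThumb's header comment plus its VERSION constant) and the sample tree it builds for demonstration are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Finds TimThumb copies under a WordPress wp-content tree and prints the
# version each copy declares. Assumes copies keep TimThumb's own header
# comment and VERSION constant; file names are not trusted.

# scan_for_timthumb DIR
# Prints one line per hit: "<path>	<version or unknown>".
scan_for_timthumb() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        # Fingerprint: the file mentions TimThumb AND defines a VERSION
        # constant. A theme file that merely mentions TimThumb in a comment,
        # or defines its own THEME_VERSION, does not match.
        if grep -qi 'timthumb' "$f" && grep -q 'VERSION' "$f"; then
            ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
            [ -n "$ver" ] || ver="unknown"
            printf '%s\t%s\n' "$f" "$ver"
        fi
    done
}

# count_timthumb_hits DIR
# Prints the number of hits; 0 means nothing matched the fingerprint.
count_timthumb_hits() {
    scan_for_timthumb "$1" | wc -l | tr -d ' '
}

# make_sample_tree
# Builds a constructed mini wp-content tree in a temp dir and prints its path.
# The two TimThumb look-alikes contain only a header comment and a VERSION
# line (constructed sample data), not the real script.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/old-theme/scripts" "$d/plugins/mobile-detector" "$d/themes/twentyeleven"
    # 1) Classic name and layout, hit expected.
    cat > "$d/themes/old-theme/scripts/timthumb.php" <<'EOF'
<?php
/*
 * TimThumb script (constructed sample header)
 */
define ('VERSION', '1.19');
EOF
    # 2) Renamed copy inside a plug-in, hit expected.
    cat > "$d/plugins/mobile-detector/thumb.php" <<'EOF'
<?php
// constructed sample: a renamed timthumb copy
define('VERSION', '2.8.10');
EOF
    # 3) Mentions TimThumb but defines no VERSION, no hit expected.
    cat > "$d/themes/twentyeleven/header.php" <<'EOF'
<?php
// constructed sample: this theme does not bundle TimThumb
EOF
    # 4) Defines a version constant but is unrelated to TimThumb, no hit.
    cat > "$d/themes/twentyeleven/functions.php" <<'EOF'
<?php
define('THEME_VERSION', '1.0'); // constructed sample
EOF
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/wp-content
if [ $# -gt 0 ]; then
    scan_for_timthumb "$1"
fi
```

Run it against the real wp-content directory and compare each reported version with the fixed version named in the advisory linked earlier in the thread. The fingerprint only catches copies that still carry TimThumb's header or VERSION constant; a copy stripped of both, or a different resizer with the same flaw, will slip through, so treat an empty result as a starting point for the manual check, not as proof the site is clean.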