We often consider WordPress vulnerabilities to have no beginning or end – they have always been there in one form or another, bringing out the worst of cyberattacks. But, we also know that the only positive side of suffering through one vulnerability is to learn how to protect our WordPress websites better from the next one.
Let’s check out one of the old (yet active) WordPress hacks, the TimThumb Hack. When this hack was infamous and began to attack the first among many WordPress websites, the impact was much larger. It wasn’t limited to a few websites, hundreds and thousands got hit by the same malware. Good security plugins were unavailable as well since the use of web application firewalls (WAF) outside corporations was unheard of.
Of course, we have come a long way in terms of overall security, better plugin development, and awareness since then. But the plague of the TimThumb hack and other similar hacks such as WP-VCD, Redirection hacks, WordPress Pharma hack, Japanese SEO spam, has not left us entirely.
What is TimThumb?
On the face of it, TimThumb was a PHP script that allowed WordPress websites to resize images, making it popular with many plugins. Basically, it allowed you to create thumbnails of images (very important during that time) found on trusted sites. For resizing, the first step was to store the image in a cache directory so that you didn’t have to download the image every time.
What is the TimThumb hack?
The TimThumb hack was highly active during 2011 – 14 on many WordPress sites. In 2011, a small vulnerability popped up in this script, which allowed hackers to upload PHP files.
To understand the vulnerability, let’s look at the GET request that was used to download the images to the cache directory.
timthumb.php?src=http://trusted-site.tld/image.gifAs useful as it was, the GET request was also subject to easy modifications so that any number of arbitrary files could be downloaded. The developer did realize this vulnerability earlier on and attempted to correct it by comparing the header of the file with the URLs of trusted sites. However, the ‘checking for the header’ aspect fell prey to flawed implementation and quickly backfired.
This automatically meant that the script would practically ignore anything that didn’t have the ‘.php’ extension. Or, hackers could easily tag the PHP onto the end of the malicious code so that it’s executed every time the file is called for. We could have avoided the problem if the script restricted the downloads from trusted and verified sites only. However, the script only checked if the beginning of the URL matched the popular list of sites such as:
- blogger.com
- upload.wikimedia.org
- picasa.com
- img.youtube.com
- flickr.com
- wordpress.com, etc.
This was one of the many other flaws found in the coding, all of which combined to be the perfect vulnerability. Hackers used the prime opportunity to place backdoors and exploited websites to their heart’s content.
How to fix the TimThumb hack?
Despite this being a hack uncovered many years before, issues still pop up in WP websites on older versions. A lot of themes and extensions using this script sent updates fixing the issue right away, but there were many website owners who didn’t upgrade to the new versions, eventually getting hacked.
If you have been hacked with this hack. Here are a couple of steps you can follow to remove the TimThumb hack from your WordPress website completely:
1. Take a backup
Taking a backup is always the first step no matter what; It is crucial to make sure your content is safe and not completely lost if you take a wrong step.
Further, the hack may have penetrated a directory or a portion of your database, which means you’ll need to delete that portion. Before you do that, make sure to export your database locally for safekeeping and easy restoration. You can find the option to export a copy of all the tables under the database in your cPanel.
2. Gain Shell Access to the Host
This works out especially if you’ve multiple sites and are a bit unclear on which of them have been compromised. A majority of hosts offer shell access under their control panels for quick fixes in such situations.
3. Fixing the vulnerability
- Let’s download the secure version of the TimThumb code first and save it for further use.
- Replace all instances of the ‘TimThumb.php’ file on your server with the new and secure file.
- With the shell access, you’ll be able to do a quick search to find all the instances of the timthumb
find * -iname 'timthumb*' -ls- If you find themes that are not being used, just delete them directly. (most themes would have already released fixes, so you can download the latest versions directly to replace the current one)
rm -rf path/to/themeRELATED ARTICLE: WordPress Hack Removal Guide With Complete Steps
4. Cleaning up after the hack
- You may need to wipe out the entire directory of the hacked site, since you’ll not be able to get a fair estimate on which ones may or may not be compromised.
- Make sure to change all the passwords concerning your MySQL login information and update this on your WordPress site. Also, change the password for MySQL in ‘wp-config.php’, otherwise, you’ll end up with the ‘Error Establishing Connection’ screen.
- You should also change the secret keys in the ‘wp-config.php’ file. Generating new ones is easy with the online generator options that are easily available online.
- Since you’ve taken the backup of your site, you’ll need to manually go through the files to ensure that no new files have been added with suspicious content. (check through the ‘wp-content’ folder for any files that may look compromised).
- Check if you’ve any files with the ‘base64_decode’ in ‘wp-content’. There are legitimate reasons for it to be there, but if you don’t know the exact purpose or origin, research it.
5. Prevention
- Update all software (plugins, themes, core, etc.) pertaining to your WP website.
- Refine your file access and modification permissions (following the WordPress rules often suffices)
- Reset the permalinks to ensure that the ‘.htaccess’ file was completely overwritten.
- Finally, empty all the page caching plugins, your browser’s cache, and your cookies as well.
Some security scanners offer the ‘TimThumb Vulnerability Scanner’ that can be directly used in these scenarios to find out if you’re using the older version. There are plenty of other methods that can be used to deal with a hack like this since each website is affected slightly differently.