Hi to all great themers here.
Once again a WP site attacked AND destroyed thanks to Thimthumb, even last version and well setup. One of my network has been hacked using the last version of thimthumb.
WP Include his propoer thumbs generator please use it and definitly forget thimthumb, even update all your themes if using it and suppress it spimply.
Elegant Themes done it for all their themes, this is urgent and very unsecure to continue using that shit.
Thanks to all of you !!!!
First learn to spell it correctly. Just because your website got hacked it doesn’t mean it’s because of timthumb, you sound like an amateur just accusing here and there, everyone.
I am not an “amateur” but a sysadmin of several multisite networks AND had the proof that direct requests on timbthumb was the cause of injections on files.
So before telling someone is an “amateur” begin to code your themes correctly and use WP guidlines correctly.
I accuse no one i just request themers not to use timthumb and a PRO coders should just NOT use it. I accuse Timthumb to be a very huge security issue which is worldwide known.
So if YOU still use it in your theme, YOU are the amateur, dear.
and sorry for the “h”, keyboard error from non english speaking user
Hello, I’m an admin of WordPress french users association, and I’m definitively no amateur. I worked with Aphrodite on his problem and he is perfectly right, the source of the malware was timthumb
I personnally never used any theme with Timthumb, even before the security leak was revealed. I don’t understand something that “needs” a 777… basic security.
If you theme uses Timthumb, can you explain the advantages of the script and why is it so needed when you have a proper thumb system with Wordpress ?
Would you mind sharing some technical details about the exploit ? being a sysadmin myself, i’m very interested in the matter.
Then why don’t you report the issues to the timthumb developers so they can fix it in the next version? And don’t forget that still millions of websites are using timthumb, if what you say is true, then most of them will/should already be hacked. But they’re not.
Coming here and crying instead of fixing the issue and reporting it to the developer is not a sign of professionalism.
And it’s needed due to multiple reasons including WP not being able to resize images located in a folder other than the wp one, wp can’t resize external images.
Yep the issue has been solved by suppressing ALL themes using timthumb (more than 50, up to date, free wp.org themes), and restoring all the server account, purged of all themes before restoring. And the server has bee stable immediatly.
Specialists are now analysing the logs to see what happened exactly. But i wont share anything with them. There is absolutely no need to duplicate a core, secure function of WP by an external application. No need to use an external folder. Put images where they must be, as in 95% of themes, as Elegant thees has done.
And by the way, many sites ARE hacked. We have that all days on forums. Because of timthumb ? Possibly. What is sure is that I will never user anymore theme with timthumb and will write a review about that.
You may be right, but still I think the best way to handle this kind of situations is to help the developers improve it and report any possible logs and vulnerabilities to them. timthumb has its purpose, “put images where they must be” isn’t a valid reason for not using it, many users have separate folders with their images or many multimedia themes use vimeo / youtube for videos, we need thumbnails for them, WP isn’t capable of getting those thumbs manually and the easiest way is to use a timthumb-like solution.
I’d suggest checking the timthumb configuration and permissions and make sure you were using the latest version because from my research I don’t see any major websites hacked in the past weeks because of any new vulnerability discovered.
WP isn’t capable of getting those thumbs manuallyAgain, can you explain me what Timthumb does that the standard API does not ?