
How to secure WordPress timthumb.php


If you have a self-hosted WordPress blog (WordPress.org), take urgent measures to secure your site against a recently discovered vulnerability.

Many WordPress themes and plug-ins use a script called “timthumb” (timthumb.php). This is the most common code used to create thumbnails from pictures.

At the end of July, a vulnerability surfaced that lets external users dump malicious code onto your site. Typically, a short piece of PHP code is uploaded via a timthumb backdoor. This hacking code then creates a wider backdoor to gain pretty much full access to your site.

It looks like the hackers were on holiday too, and are only gearing up their activity right now. Many sites were hacked in the last couple of days. As many sites use timthumb.php, we can foresee a major hacking spree in the coming weeks.

So it is high time to secure your self-hosted WordPress site now.

How to check if you have been hacked via timthumb.php?

There is no single specific signature for this hack, unlike last year's shared hosting hack, but here are some common things that seem to happen:

  • First, check whether you actually use “timthumb.php” on your site. It does not come with the default WordPress installation, so check whether any of your uploaded themes contain the file “timthumb.php”.
    Do a site-wide search (with SSH or SFTP). Some popular plug-ins that use timthumb.php are “WordPress Popular Posts” and “WP Mobile Detector”.
    Many themes use timthumb.php, or a variation of it. E.g. the widely used “Thesis” theme uses it as “thumb.php”.
  • If you find timthumb.php in your plugin or theme directories, you had better give your site a thorough check, so read on.
  • The hackers often upload .php files to the timthumb cache directory “/cache” (a subdirectory of the one where the timthumb script is stored). Check that directory and delete any non-picture files (.html, .php, …).
  • Often the hackers upload .php files to several other subdirectories within your WordPress installation. I have seen them in the “/upload” and “/supercache” directories (and their subdirectories) as well as in the plugin and theme directories. Delete them.
  • Recently, the hackers got bolder and entire subdirectories were uploaded. First a .zip file is uploaded, then it is unzipped and an entire sub-site is installed in one of the WordPress directories. I have seen zip files called halifaxsecurity.zip, hal.zip, studentloanupdate.zip and student.zip. Malicious subdirectories I detected on other sites were called /halifaxsecurity, /hal and /studentloanupdate. Delete those if you find them.
  • People also report direct hacks of .php files and style sheets, adding malicious code (similar to last year's hacks).
  • Check your .htaccess files.
  • …

Also check Sucuri's blog for more hack signatures and scripts, and Mark Maunder's blog post for a full description of the timthumb vulnerability.
A (non-exhaustive) list of themes and plugins using timthumb.php can be found on Big Webmaster and Sucuri's blog.

Deleting those malicious files is not sufficient, as it still leaves the backdoor open for future hacks, so you need to secure your timthumb.php code now! Read on:

How to secure timthumb.php against hacks?

  1. Locate all instances of timthumb.php (or any renamed copies of it) on your site.
  2. Download the newest timthumb.php code (check the plug-in's home page as well).
  3. Replace the old timthumb.php with the downloaded code.
  4. While the new code is already secure, I strongly suggest limiting access from external sites.
    Replace the line:
    define ('ALLOW_EXTERNAL', TRUE);
    with:
    define ('ALLOW_EXTERNAL', FALSE);
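As an added example (not code from the original post or from the timthumb project), the following shell script combines the checks from the list above with step 4: it locates every timthumb.php or thumb.php copy under a WordPress root, reports whether each still defines ALLOW_EXTERNAL as TRUE, and lists any non-image files in the /cache directory beside it. The directory tree it builds is constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree for
# timthumb copies, a risky ALLOW_EXTERNAL setting, and non-image cache files.

# Print every timthumb.php or thumb.php under the given root, sorted.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | sort
}

# Print "RISKY <file>" if ALLOW_EXTERNAL is defined as TRUE, else "OK <file>".
check_allow_external() {
    if grep -Eiq "define[[:space:]]*\([[:space:]]*'ALLOW_EXTERNAL'[[:space:]]*,[[:space:]]*TRUE" "$1"; then
        echo "RISKY $1"
    else
        echo "OK $1"
    fi
}

# Print non-image files in the /cache directory beside a timthumb copy.
suspicious_cache_files() {
    cache="$(dirname "$1")/cache"
    [ -d "$cache" ] || return 0
    find "$cache" -type f ! -iname '*.jpg' ! -iname '*.jpeg' \
        ! -iname '*.png' ! -iname '*.gif' | sort
}

# Run every check against a WordPress root and print the findings.
audit() {
    find_timthumb "$1" | while read -r f; do
        check_allow_external "$f"
        suspicious_cache_files "$f" | sed 's/^/SUSPICIOUS /'
    done
}

# Build a constructed sample tree (one risky copy with a dropped .php file
# in its cache, one already-hardened copy) and print its path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo/cache" "$root/wp-content/themes/other"
    printf "<?php\ndefine ('ALLOW_EXTERNAL', TRUE);\n" > "$root/wp-content/themes/demo/timthumb.php"
    printf "<?php\ndefine ('ALLOW_EXTERNAL', FALSE);\n" > "$root/wp-content/themes/other/thumb.php"
    : > "$root/wp-content/themes/demo/cache/abc123.jpg"
    : > "$root/wp-content/themes/demo/cache/dropped.php"
    echo "$root"
}

sample=$(make_sample)
audit "$sample"
rm -rf "$sample"
```

On a real site, run `audit /path/to/wordpress` over SSH and treat every RISKY and SUSPICIOUS line as something to fix or inspect by hand.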

Good luck!

Picture courtesy TGDaily
With thanks to Michael Marus
