Security is always a big issue for every open source platform as attackers spend a lot of time searching for loopholes in the code. WordPress is no exception in this and every day, security vulnerabilities come up. Many of these are however discovered and silently fixed by the team at Auttomatic before they even reach the community.
Late last month, a major vulnerability was discovered in the TimThumb 2.8.13 script which is widely used by WordPress theme and plugin developers. The script has a feature called “webshot” that, if enabled, gives an attacker the ability to run commands from a remote server. This means that an attacker can access, modify and even remove your website files without having to login to your cpanel.
This is not the first time that the script has been plagued by a security exploit. Two years ago, large scale security attacks were launched against the script and hundreds o websites were brought down by hackers. This however did not affect its popularity as it is still used in all themes from Themefy, the WordPress Gallery Plugin and several other third party services.
Security experts at Sucuri have already made a breakdown of the exploit here.
Although a fix is yet to be released as of now, there is some good news in that the Webshot feature is by default disabled. This means that your site may be secure despite running the script in the active theme or plugins. It is however important to confirm that the Webshot is actually disabled and correct that accordingly. This can be done by simply searching for the word “WEBSHOT_ENABLED” across all your themes and plugins to confirm that it is set to false as shown below.
define (“WEBSHOT_ENABLED”, false);
This simple fix is the only option that you have if you want to secure your site from yet another TimThumb exploit. Themify has also addressed this in all their themes and all you need to do is to run a theme update.