[wp-hackers] WordPress security question

Mickey Panayiotakis mickey at infamia.com
Tue Jun 5 12:50:52 UTC 2012

I've seen plenty of hacks based on timthumb vulnerabilities.
However, I don't think wordpress core uses timthumb. (I'm sure the group
will correct me here, which I invite.)

The user is left to fend on their own when using a free or commercial
theme, to a lesser or greater extent depending on the theme vendor.  Some
themes do a great job of providing updates and alerting the user to theme
and framework updates (and thanks to WP3 we can see that in the usual
updates area).  The problem is that when you customize a theme, updates
become more visible.

One of the most disturbing bits of advice I heard recently is that if you
use a custom theme, you shouldn't update wordpress.  I'm sure what the
speaker meant was to work with your vendor to make sure that WP and all
plugins and themes stay up to date.


> Message: 1
> Date: Mon, 4 Jun 2012 19:50:39 -0700
> From: Andrew Freeman <andrew.s.freeman at gmail.com>
> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
> To: wp-hackers at lists.automattic.com
> Message-ID: <CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> Howdy Dan,
> Having cleaned up about a half-dozen sites in the past two months or so, I
> have some suggestions for things to look for in terms of
> backdoors/potential vulnerabilities.
> Most hacks I've seen come from a vulnerable Timthumb hack, an old image
> thumbnail script which allowed an attacker to upload malicious code to the
> server, giving them full shell access (or at least as much as Apache/PHP/WP
> has). You can read technical details about it here:
> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
> You can use the Timthumb Vulnerability Scanner to quickly see if you have
> any outdated versions of the script lying around:
> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/ . Even
> an unused theme with the old version of the script is vulnerable.
> Most hacks definitely add crazy base64_decode script to the header of
> important files - often index.php of site root or theme root. This one
> looks like it gets around base64_decode which makes it harder to detect. If
> you can, ssh into the server and grep for 'lqxizr' to find if it's been
> injected into any other files. Also, checking wp-config.php is a good idea,
> because I've seen old backdoors left inside the file (usually separated
> above and below the malicious script by several thousand blank lines).
> Other hacks I've seen append every front-facing JavaScript with malicious
> code right instead of going the PHP route. I'd recommend checking your
> frontend scripts for anything strange, the time last updated in FTP may be
> of some help.
> Also, if you can, check the raw access logs for anything suspicious. One
> time I thought my server was clear of shell-like scripts, but after another
> hack that day the raw access logs showed that one actually just signed in
> and used the WordPress editor to make the changes.
> I hope this can be of assistance and best of luck,
> Andrew Freeman


Mickey Panayiotakis
Managing Partner
800.270.5170 x512
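The checks Andrew's quoted message walks through (base64_decode-style obfuscation in PHP, the 'lqxizr' marker string, wp-config.php padded with thousands of blank lines to push a backdoor off-screen, and file modification times) collected into one small read-only scanner. This is an added example, not code from the thread or from WordPress; the sample files it scans are constructed in a temporary directory, and the 200-blank-line threshold is an assumed tuning value.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicators taken from the thread: obfuscation calls commonly wrapped around
# injected PHP, plus the 'lqxizr' string the poster grepped for. Case-insensitive.
SUSPICIOUS = re.compile(r"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(|str_rot13\s*\(|lqxizr", re.I)
# A run of 200+ consecutive empty lines (assumed threshold) is the padding trick
# described for wp-config.php; every iteration consumes a newline, so no backtracking blowup.
BLANK_RUN = re.compile(r"(?:\r?\n[ \t]*){200,}")

def scan_file(path):
    """Return (kind, line_number, detail) tuples for one file; empty list when clean."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for m in SUSPICIOUS.finditer(text):
        findings.append(("pattern", text.count("\n", 0, m.start()) + 1, m.group(0)))
    for m in BLANK_RUN.finditer(text):
        blank = m.group(0).count("\n") - 1          # newlines minus the one ending the previous line
        findings.append(("blank_run", text.count("\n", 0, m.start()) + 1, f"{blank} blank lines"))
    return findings

def scan_tree(root, exts=(".php", ".js"), recent_hours=None):
    """Walk a site root; map relative path -> findings. recent_hours limits the walk to
    files modified within that window, mirroring the 'time last updated' check in the thread."""
    cutoff = time.time() - recent_hours * 3600 if recent_hours else None
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.endswith(exts) or (cutoff and os.path.getmtime(full) < cutoff):
                continue
            found = scan_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report

def demo():
    """Constructed sample tree (not a real site): one clean file, an index.php with an
    eval(base64_decode(...)) stub, and a wp-config.php padded with 3000 blank lines."""
    root = tempfile.mkdtemp()
    (Path(root) / "clean.php").write_text("<?php echo 'hello'; ?>\n")
    (Path(root) / "index.php").write_text(
        "<?php eval(base64_decode('aGVsbG8=')); ?>\n<?php require 'wp-blog-header.php'; ?>\n")
    (Path(root) / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'x');\n" + "\n" * 3000 + "<?php lqxizr(); ?>\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, findings)
```

Hits are indicators to inspect by hand, not proof of compromise; a legitimate plugin may also call base64_decode, and the scanner never modifies files.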
