[wp-hackers] WordPress security question

Phillip Lord phillip.lord at newcastle.ac.uk
Wed Jun 6 14:08:09 UTC 2012

Unfortunately, this is not quite true. It may be that it is not
allowed now, but this doesn't mean that it was never allowed. 

What I never understood with Wordpress is why plugins have update
notification, while themes do not. I was one of the many who got
zero-day exploited through timthumb. The theme in question (suffusion)
had removed timthumb quite a long time before but, of course, we got no
update notifications, so we had not updated. More fool me, you might say.
Well, yes, true. Also more fool many of the other thousands who got

Combined with a largely undocumented schema change between WPMU-2 and
WP-3 which made the restoration from backup a long, long process. I was
thinking 2 or 3 hours (including VM set up), but it took 2 or 3 days. 


Mika A Epstein <ipstenu at ipstenu.org> writes:

> TimThumb is not a part of core, nor is it allowed in themes hosted on
> the WP theme repo (as of the last time I looked).
> On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com> wrote:
>> I've seen plenty of hacks based on timthumb vulnerabilities.
>> However, I don't think wordpress core uses timthumb. (I'm sure the group
>> will correct me here, which I invite.)
>> The user is left to fend on their own when using a free or commercial
>> theme, to a lesser or greater extent depending on the theme vendor.  Some
>> themes do a great job of providing updates and alerting the user to theme
>> and framework updates (and thanks to WP3 we can see that in the usual
>> updates area).  The problem is that when you customize a theme, updates
>> become more visible.
>> One of the most disturbing bits of advice I heard recently is that if you
>> use a custom theme, you shouldn't update wordpress.  I'm sure what the
>> speaker meant was to work with your vendor to make sure that WP and all
>> plugins and themes stay up to date.
>> mickey
>>> Message: 1
>>> Date: Mon, 4 Jun 2012 19:50:39 -0700
>>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
>>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
>>> To: wp-hackers at lists.automattic.com
>>> Message-ID:
>>>       <CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com
>>> Content-Type: text/plain; charset=ISO-8859-1
>>> Howdy Dan,
>>> Having cleaned up about a half-dozen sites in the past two months or so, I
>>> have some suggestions for things to look for in terms of
>>> backdoors/potential vulnerabilities.
>>> Most hacks I've seen come from a vulnerable Timthumb hack, an old image
>>> thumbnail script which allowed an attacker to upload malicious code to the
>>> server, giving them full shell access (or at least as much as Apache/PHP/WP
>>> has). You can read technical details about it here:
>>> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
>>> You can use the Timthumb Vulnerability Scanner to quickly see if you have
>>> any outdated versions of the script lying around:
>>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/ . Even
>>> an unused theme with the old version of the script is vulnerable.
>>> Most hacks definitely add crazy base64_decode script to the header of
>>> important files - often index.php of site root or theme root. This one
>>> looks like it gets around base64_decode which makes it harder to detect. If
>>> you can, ssh into the server and grep for 'lqxizr' to find if it's been
>>> injected into any other files. Also, checking wp-config.php is a good idea,
>>> because I've seen old backdoors left inside the file (usually separated
>>> above and below the malicious script by several thousand blank lines).
>>> Other hacks I've seen append every front-facing JavaScript with malicious
>>> code instead of going the PHP route. I'd recommend checking your
>>> frontend scripts for anything strange, the time last updated in FTP may be
>>> of some help.
>>> Also, if you can, check the raw access logs for anything suspicious. One
>>> time I thought my server was clear of shell-like scripts, but after another
>>> hack that day the raw access logs showed that one actually just signed in
>>> and used the WordPress editor to make the changes.
>>> I hope this can be of assistance and best of luck,
>>> Andrew Freeman
>> --
>> Mickey Panayiotakis
>> Managing Partner
>> 800.270.5170 x512
>> <http://www.infamia.com>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers

Phillip Lord,                           Phone: +44 (0) 191 222 7827
Lecturer in Bioinformatics,             Email: phillip.lord at newcastle.ac.uk
School of Computing Science,            http://homepages.cs.ncl.ac.uk/phillip.lord
Room 914 Claremont Tower,               skype: russet_apples
Newcastle University,                   msn: msn at russet.org.uk
NE1 7RU                                 twitter: phillord
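The triage steps in Andrew's quoted reply (grep for eval/base64_decode headers and the 'lqxizr' marker, look for a backdoor buried under thousands of blank lines in wp-config.php, check recently changed front-end JavaScript, and read the raw access log for someone simply logging in and using the built-in editor) can be run as one script. The following is an added example written for this page, not code from the thread or from WordPress. It assumes GNU grep/find/awk on a Linux host; the docroot, file contents and access-log lines that make_sample_site builds are constructed for the demonstration, and the 500-blank-line threshold and 2-day window are arbitrary defaults.

```shell
#!/bin/sh
# Added example (not from the wp-hackers thread): first-pass triage of a
# WordPress docroot and access log for the indicators discussed above.
# Assumes GNU grep/find/awk. Everything under make_sample_site is constructed.

# scan_wp_tree DOCROOT [MARKER] [DAYS]
# Prints one "indicator:path" line per hit.
scan_wp_tree() {
  docroot=$1
  marker=${2:-lqxizr}   # the string Andrew grepped for; change it per incident
  days=${3:-2}          # what counts as "recently modified" for front-end JS

  # 1. eval() wrapped around an obfuscation decoder in a PHP file, the
  #    classic injected header (base64_decode plus its common siblings).
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13|gzuncompress)[[:space:]]*\(' \
    "$docroot" 2>/dev/null | sed 's/^/eval-decode:/'

  # 2. The literal marker string anywhere under the docroot, any file type.
  grep -rlF -- "$marker" "$docroot" 2>/dev/null | sed 's/^/marker:/'

  # 3. wp-config.php hiding code behind a huge run of blank lines: awk tracks
  #    the longest run of empty lines; 500+ is flagged.
  find "$docroot" -name wp-config.php -print | while IFS= read -r cfg; do
    longest=$(awk 'BEGIN{r=0;m=0} /^[[:space:]]*$/{r++; if(r>m)m=r; next} {r=0} END{print m}' "$cfg")
    if [ "$longest" -ge 500 ]; then printf 'blank-padding:%s\n' "$cfg"; fi
  done

  # 4. Front-facing JavaScript changed within the last $days days (the
  #    "time last updated in FTP" check, done with find -mtime).
  find "$docroot" -name '*.js' -mtime -"$days" -print | sed 's/^/js-modified:/'
}

# scan_access_log LOGFILE
# Prints POSTs to the built-in theme/plugin editors from an Apache combined
# log: "editor-post:<ip> <timestamp> <path>". This is the "no exploit needed,
# they just logged in and used the editor" case from the thread.
scan_access_log() {
  grep -E '"POST [^ ]*/wp-admin/(theme-editor|plugin-editor)\.php' "$1" \
    | awk '{print "editor-post:" $1 " " $4 " " $7}'
}

# make_sample_site: builds a throwaway docroot with one clean and one tainted
# file per indicator and echoes its path. All contents are constructed.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes/js" "$d/wp-content/themes/suffusion/js" "$d/wp-content/themes/old"
  printf '<?php\n// clean bootstrap\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
  printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$d/wp-content/themes/suffusion/header.php"
  printf '<?php\n$x = "lqxizr";\n' > "$d/wp-content/themes/old/footer.php"
  { printf '<?php\ndefine("DB_NAME", "wp");\n'
    awk 'BEGIN{for(i=0;i<3000;i++)print ""}'
    printf '/* constructed stand-in for a buried backdoor */\n'; } > "$d/wp-config.php"
  printf 'jQuery.noConflict();\n' > "$d/wp-includes/js/jquery.js"
  touch -t 201201010000 "$d/wp-includes/js/jquery.js"   # pretend core JS is months old
  printf 'window.onload=function(){};\n' > "$d/wp-content/themes/suffusion/js/app.js"
  printf '%s\n' \
    '198.51.100.4 - - [05/Jun/2012:03:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
    '203.0.113.7 - - [05/Jun/2012:03:12:44 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"' \
    > "$d/access.log"
  echo "$d"
}

# Demo run on the constructed site.
site=$(make_sample_site)
scan_wp_tree "$site"
scan_access_log "$site/access.log"
rm -rf "$site"
```

On a real server run scan_wp_tree against the docroot (including every unused theme, since an old copy of a script in an inactive theme is still reachable) and scan_access_log against the raw Apache log rather than anything WordPress writes itself; a hit on the editor URL with an IP you do not recognise means the fix is credential rotation and disabling the file editor, not just cleaning files.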
