Are you a WordPress user for ages? If you are, you must have heard of the outbreak of the Timthumb hack during 2011-2014. Although fixes to this hack are out, it still holds the risk to websites. Despite WordPress being a secure CMS, its websites are always prone to web attacks by hackers all the time. And, it is a constant fight for you to protect them with everything you got.
The best way to secure your website is by understanding the most common vulnerabilities and remedying those issues quickly. In this article, you will learn about the Timthumb hack and the steps to fix the attack in no time. So, if you suspect that your website has this vulnerability, take the necessary steps as soon as possible.
What Exactly Is Timthumb?
First, before we get into what the attack is about, it is best to understand what Timthumb is. If I let you guess what it’s related to, what would you say? Let me know your guesses in the comment section(funny answers are most welcome!).
In all seriousness, Timthumb is a PHP script that assists in resizing images for the website thumbnails. These images are downloaded from trusted third-party websites. And they are stored in a cache directory to avoid downloading the picture every time it’s needed.
How does it work, though? Simple, the Timtumb scripts work with the help of the GET request as follows:
However, the hacker can manipulate these GET requests to download arbitrary files. The developers tried to rid this Timthumb vulnerability by making the script to check the header of the downloaded file and see if the headers match the URL of the trusted websites.
But how is this related to the hack? Well, hackers thwarted the developers’ idea.
What Is Timthumb Hack?
Although checking for the URL seemed to be the best option to prevent the installation of arbitrary files, the solution led to a different issue. It is well-known that PHP only considers whatever is inside the <?php ?> tags and ignores everything else.
This loophole gives hackers the convenience of adding any PHP code to the end of the downloaded image. This malicious code will get executed without any issue and harm your website.
As you already know, PHP script only accepts images from trusted websites. But hackers can get through this issue with no trouble. The PHP script will only consider the beginning of the files and check if it matches with the trusted website URLs.
But hackers can find a way through this too. For example, if we consider the instance where “trustedsite.com” is one of the trusted websites, a hacker can use the “trustedsite.com.example.com” URL and get through the PHP script check as a trusted site. This Timthumb exploit will help hackers to access your website.
How To Fix Timthumb Hack?
Although fixes to the WordPress Timthumb vulnerability got released in the form of updates, most users might still be using the older versions. As a result, websites can be a victim of this attack. If so, the following steps will help you fix the Timthumb hack:
→Backup Your Website
Every time you need to make changes to your website, it is necessary to back up your WordPress. A single wrong click could entirely go wrong, but having a backup will fix things up. If not, you will end up ruining your website.
Also, if the hacker managed to inject malicious code into your website directory or database, you will have to clean up that part. So, having a backup will help you make changes without worrying too much about making a wrong move.
→Get Shell Access To The Host
Getting shell access to the host will help you fix things quickly. Even if you run many sites and do not know which site is the victim of the hack, having shell access will speed things up.
→Fixing The Hack
Firstly, you must download the Timthumb code that is secure and save it. Later, find the Timthumb.php files on your server and replace them with the secure code you earlier installed.
Download the updates to all the themes you use and if you do not intend to use any WordPress themes, uninstall them. (You can use the shell access to find instances of Timthumb quickly.)
→The Cleanup Process
- First, change all your passwords starting from MySQL login to WordPress login passwords.
- If you do not change for MySQL in wp-config.php, you will see the Error Establishing Connection screen.
- It is also best to change the WordPress salts and security keys. You can generate new keys from the online generator.
- Check other files on your WordPress like in the wp-content folder to see if something out of the ordinary is in them.
- While you are at it, delete all the cache files because the hack might still be in them.
→Prevention Of The Timthumb Hack
- Make sure to update WordPress software, plugins, and themes all the time.
- Ensure that permission to file access is limited to only those who need it.
- Reset the permalinks to the .htaccess file to make sure that the file is secure.
While Timthumb is a security threat to your website, various other hacks will harm your website easily. However, you can not secure your website from all attacks on your own. That is why many users trust WordPress security plugins like the Hide My WP to protect their websites from threats. Here are some best features of the Hide My WP plugin:
It can help you hide your WordPress website from hackers, bots, plugins, and theme detectors.
- The Hide My WP plugin will help you hide the default Login Page of your website.
- It lets you secure your website by hiding or changing elements of the source code of your website.
- Its firewall will block attacks like XSS, SQL injection, CSRF, Command Injection, and more.
- The plugin has anti-spam included in it.
Timthumb is a PHP script that helps WordPress users to resize images for their thumbnails. However, hackers found a loophole in the way the PHP script works.
The Timthumb vulnerability allowed hackers to inject malicious PHP code into websites by disguising the code as the image downloaded from trusted websites.
Many updates rolled out with fixes to this issue, but your website is vulnerable to this attack if you didn’t install the updates. If you suspect that your website is a victim of the hack, follow the steps provided in this article to fix it.