Earlier this month, attackers began exploiting a vulnerability in an image-resizing script called TimThumb. This tool, bundled with many of the themes used on the more than 40 million WordPress-powered websites, was used on many BizzyWeb websites created before October 2010, and must be updated or removed to fix the vulnerability. BizzyWeb customers whose site was developed in or after October 2010 are not affected by this issue.
After some analysis and waiting out the pundits and security experts, we’ve gauged the danger to be great enough that we wanted to alert each of our customers and offer to update their sites. BizzyWeb customers who host with us via BizzyWeb’s branded hosting service have already had this issue fixed for free as part of our hosting agreement (if you’d like to enjoy similar security and convenience, please contact us to talk about our branded hosting plans).
Details of the TimThumb vulnerability are included below:
Mark Maunder, the CEO of Feedjit, discovered the problem when his own blog started displaying ad content even though it had never carried ads.
He blogged about the problem, tracing it to an issue with the “timthumb.php” library, which is used within the theme he purchased for his blog. The timthumb.php library is used in many free and premium themes to resize images for thumbnails. The developer of TimThumb, Ben Gillbanks, was the first to comment on Maunder’s post: “I can’t apologize enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error.”
Mark Maunder, Ben Gillbanks and other members of the WordPress community have been working tirelessly over the last several days to get the message out and to release fixes that take care of the problem. For more information about the timthumb.php hack, and how to patch your website, please visit Mark Maunder’s website.
More information is also available at the site of Matt Mullenweg, the founder of WordPress.
Since mid-2010, BizzyWeb has developed websites exclusively on the Genesis framework for WordPress, and websites built on the Genesis framework are not affected. Some of the websites we developed before moving to the Genesis framework likely contain the vulnerable TimThumb script.
How can you tell if your site uses the Genesis Framework?
- Log into your website’s dashboard
- Look for the Genesis Settings area on the left hand side
If your site isn’t using the Genesis Framework, please contact your existing webmaster and share a link to this page with them. (If your site is managed through BizzyWeb via Dreamhost, we can make the changes for a fee, or we can move you to our branded hosting and take care of the vulnerability as part of the hosting agreement.) Your current webmaster can find more information about this vulnerability, and how to patch it, at Mark Maunder’s website.
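A webmaster with shell access to the site can also check directly for copies of the script instead of inferring it from the theme. The script below is an added example written for this page; it is not code from BizzyWeb, from Mark Maunder, or from the TimThumb project. It assumes two things the notice does not state: that themes ship the script as timthumb.php or renamed to thumb.php, and that the file declares its version as either `define ('VERSION', '...')` or `$version = '...'`. Any copy whose version cannot be read is reported as "unknown" so it can be inspected by hand. The sample tree it builds when run without arguments is constructed for the demonstration and is not a real WordPress install.

```shell
#!/bin/sh
# find_timthumb.sh: locate copies of TimThumb under a WordPress install and
# report the version string each one declares. Added example, not code from
# BizzyWeb or the TimThumb project.
#
# Assumptions (not stated in the notice): themes commonly ship the script as
# timthumb.php or renamed to thumb.php, and the file declares its version as
# either  define ('VERSION', 'x.y');  or  $version = 'x.y';  Both patterns
# are matched; anything else is reported as "unknown".

# Print "path<TAB>version" for every TimThumb copy found under directory $1.
find_timthumb() {
    dir=${1:-.}
    find "$dir" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) |
    sort |
    while IFS= read -r f; do
        # A theme may have an unrelated thumb.php; only report files that
        # actually mention TimThumb.
        grep -qi 'timthumb' "$f" || continue
        ver=$(sed -n \
            -e "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" \
            -e "s/.*[$]version *= *['\"]\([0-9.]*\)['\"].*/\1/p" "$f" | head -n 1)
        printf '%s\t%s\n' "$f" "${ver:-unknown}"
    done
}

# Build a constructed sample tree (a stand-in for a WordPress install, not a
# real one) so the check can be exercised offline.
make_sample_tree() {
    root=$1
    mkdir -p "$root/wp-content/themes/oldtheme/lib" \
             "$root/wp-content/themes/other/inc"
    # Constructed stand-in for an old copy: only the header lines matter here.
    printf '<?php\n// TimThumb script\n$version = "1.09";\n' \
        > "$root/wp-content/themes/oldtheme/lib/timthumb.php"
    # Constructed stand-in for a renamed, newer copy.
    printf '<?php\n/* TimThumb */\ndefine ("VERSION", "2.8.10");\n' \
        > "$root/wp-content/themes/other/thumb.php"
    # An unrelated thumb.php that must not be reported.
    printf '<?php\n// theme helper, nothing to do with image resizing\n' \
        > "$root/wp-content/themes/other/inc/thumb.php"
}

# Usage: sh find_timthumb.sh /path/to/wordpress
# With no argument, scan the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    find_timthumb "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_timthumb "$tmp"
    rm -rf "$tmp"
fi
```

Compare each reported version against the current release on the TimThumb project page; a copy that reports "unknown" or that is not needed by the theme is a candidate for removal rather than an upgrade, since deleting the script eliminates the exposure entirely.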
BizzyWeb is also available to help. Please contact us and fill out a Support Request at BizzyWeb.com/Support.
You can subscribe to the customers-only updates by email by clicking this link (1-3 times per month, only for customers, gets you access to special customer-only offers, training classes and more).
And you can also subscribe to BizzyWeb News and tips by email (1-3 times per week, consisting of industry news, helpful tips and tricks and more).