You get a tweet or you get a call from someone reporting that your website is down! You call the host to see what’s going on and they report that your website uses WordPress and it’s been hack so, they had to shut it down otherwise it will jeopardise the rest of the server. So the first thing you do is ask “Why did my WordPress site get hacked?”
Well firstly there are a lot of reasons but one reason a lot of WordPress sites get hacked is because of the theme or plugins that are used and certain scripts used within those themes and plugins. One such script has had many attacks over the years and that’s the TimThumb script, although it is common knowledge in the development world that this script shouldn’t be used, it still gets used vastly by some modern theme designers and plugin developers.
The latest attack exploits a vulnerability with the Webshot feature, WPTavern recently reported the hack:
TimThumb 2.8.13 has a vulnerability with its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website. At this time there is no patch. Security experts at Sucuri break down the threat as follows: “With a simple command, an attacker can create, remove and modify any files on your server.”
Although the Webshot feature should be disabled by default, Sucuri recommends that you check your timthumb file to make sure it’s disabled. Search for “WEBSHOT_ENABLED” and verify that it’s set to “false,” as shown below:
define (‘WEBSHOT_ENABLED’, false);
Read more about the New Zero-Day Vulnerability Discovered in TimThumb Script