Plugin Releases

WordPress Timthumb.php Vulnerability Scanner Plugin

September 2, 2011   ·   By   ·   133 Comments   ·   Posted in Plugin Releases, Security, Wordpress

Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either

  1. They don’t feel confident in their ability to find the problem
  2. They feel like the process to fix it is too complicated

To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click upgrade to upgrade each script to the latest, secure version.

The process is simple:

  1. Download the plugin here:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
  2. Install and activate using either FTP, or the built in WordPress uploader
  3. Go to the “Timthumb Scanner” page, under the “Tools” menu

  4. Click the “Scan” button.

  5. View your scan results

    In this case, I’ve got one vulnerable (outdated) file, and 2 that have been updated, and are safe. I’m going to want to upgrade that one vulnerable file – to do that, I just need to hit the “Fix” button next to it.
    You may not have any instances of timthumb on your site, or all of yours may be upgraded – if so, you’re all done!
  6. After hitting “Fix” for my one problem file, I’m showing “No Vulnerabilities Found”, which means I’m all set.

Just like that, you’re done. Quick and painless.

Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock – which doesn’t matter if the burglars are already in your house.

Let me know of any problems or questions you have in the comments.

Good luck!

EDIT
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
http://codegarage.com/plugins/timthumb-full-server-vulnerability-scanner.zip
It’s much less polished, and much less tested, so use at your own risk.

New WordPress Plugin: Default Post Content

April 13, 2009   ·   By   ·   11 Comments   ·   Posted in Admin, Plugin Releases

Justin over at justintadlock.com made a post a few days ago about how to preset text in the WordPress post editor.  It’s a great post, with an interesting filter detailed.  In the comments, somebody mentioned that they’d like to be able to preset custom fields as well – something that seems like it shouldn’t work (Custom fields need a post id to work on, and new posts dont have a post id).  Yesterday, the workaround hit me like a slap in the face while I was in the shower – so I decided to package up this, along with the original code that Justin published in a plugin.

It’s not the most elegant piece of code in the world, but it works on all the installs I’ve tried it on.  I’ll try to put up a post detailing how it works soon, but in the meantime, feel free to download the plugin and give it a try.

Default Post Content Plugin