Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either
To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click upgrade of each script to the latest, secure version.
Just like that, you’re done. Quick and painless.
Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock – which doesn’t matter if the burglars are already in your house.
Let me know of any problems or questions you have in the comments.
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
It’s much less polished, and much less tested, so use at your own risk.
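For readers who want to see what the scan described above actually does, here is an added example of a standalone scanner (not the plugin's code and not the server script linked above). It walks a wp-content tree, picks out .php files that look like timthumb, parses their VERSION constant and reports anything older than 2.0. It assumes that a timthumb-derived script mentions "timthumb" somewhere in its source and declares its version with a line like `define ('VERSION', '1.33');`, as the distributed timthumb.php does; files that mention timthumb but carry no such line are flagged for manual review rather than silently passed. The sample tree it builds is constructed test data.

```python
"""Scan a directory tree for timthumb.php copies older than 2.0 (added example)."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Threshold from the post: anything before 2.0 is treated as vulnerable.
SAFE_MIN_VERSION: Tuple[int, ...] = (2, 0)

# Assumption: timthumb declares its version as define('VERSION', '2.8.14'),
# with either quote style and optional whitespace.
VERSION_RE = re.compile(
    rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]\s*\)"
)
# Assumption: any timthumb-derived script mentions the name somewhere in its source.
MARKER_RE = re.compile(rb"timthumb", re.IGNORECASE)


def parse_version(source: bytes) -> Optional[Tuple[int, ...]]:
    """Return the VERSION constant as an int tuple, e.g. '1.33' -> (1, 33); None if absent."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).decode("ascii").split("."))
    # Pad to at least two components so a bare '2' compares equal to (2, 0), not below it.
    return parts + (0,) * max(0, 2 - len(parts))


def classify(source: bytes) -> Optional[str]:
    """Return 'vulnerable', 'ok' or 'unknown' for timthumb-like source; None for other PHP."""
    if not MARKER_RE.search(source):
        return None  # not a timthumb script at all
    version = parse_version(source)
    if version is None:
        return "unknown"  # timthumb mentioned but no VERSION line: review by hand
    return "vulnerable" if version < SAFE_MIN_VERSION else "ok"


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root (e.g. wp-content) and report every .php file that looks like timthumb."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue  # timthumb is PHP; skip images, CSS, etc.
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            status = classify(source)
            if status is not None:
                findings.append({"path": path, "version": parse_version(source), "status": status})
    return findings


def build_sample_tree() -> str:
    """Constructed sample wp-content tree (test data, not from any real site)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    samples = {
        "themes/old-theme/timthumb.php": b"<?php\n// TimThumb\ndefine ('VERSION', '1.33');\n",
        "plugins/gallery/thumb.php": b"<?php\n/* TimThumb script */\ndefine('VERSION', '2.8.14');\n",
        "themes/fork/tt.php": b"<?php\n// derived from timthumb, version line removed\n",
        "plugins/other/index.php": b"<?php\n// nothing to do with thumbnails\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point scan_tree at a real wp-content directory to scan a site; the sample tree is a demo.
    for finding in scan_tree(build_sample_tree()):
        print(f"{finding['status']:<10} {finding['version']}  {finding['path']}")
```

The scanner only reports; the upgrade step (replacing each flagged file with the current timthumb release) is left to the plugin. Treat "unknown" results as worth a look, since a copy with its version line stripped is exactly the kind of file that slips past a version-only check.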
Justin over at justintadlock.com made a post a few days ago about how to preset text in the WordPress post editor. It’s a great post, with an interesting filter detailed. In the comments, somebody mentioned that they’d like to be able to preset custom fields as well – something that seems like it shouldn’t work (custom fields need a post ID to work on, and new posts don’t have a post ID yet). Yesterday, the workaround hit me like a slap in the face while I was in the shower – so I decided to package this up, along with the original code that Justin published, in a plugin.
It’s not the most elegant piece of code in the world, but it works on all the installs I’ve tried it on. I’ll try to put up a post detailing how it works soon, but in the meantime, feel free to download the plugin and give it a try.