Upgrade

WordPress Timthumb.php Vulnerability Scanner Plugin

September 2, 2011   ·   By   ·   133 Comments   ·   Posted in Plugin Releases, Security, Wordpress

Over the past few weeks, I’ve been absolutely inundated with requests to clean up hacks that have exploited the much publicized Timthumb.php vulnerability. I have to assume that the reason most people aren’t plugging up this security hole on their sites is either

  1. They don’t feel confident in their ability to find the problem
  2. They feel like the process to fix it is too complicated

To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner will check your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and give you a one-click upgrade to upgrade each script to the latest, secure version.

The process is simple:

  1. Download the plugin here:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
  2. Install and activate using either FTP, or the built in WordPress uploader
  3. Go to the “Timthumb Scanner” page, under the “Tools” menu

  4. Click the “Scan” button.

  5. View your scan results

    In this case, I’ve got one vulnerable (outdated) file, and 2 that have been updated, and are safe. I’m going to want to upgrade that one vulnerable file – to do that, I just need to hit the “Fix” button next to it.
    You may not have any instances of timthumb on your site, or all of yours may be upgraded – if so, you’re all done!
  6. After hitting “Fix” for my one problem file, I’m showing “No Vulnerabilities Found”, which means I’m all set.

Just like that, you’re done. Quick and painless.

Note: If you’ve already been hacked, this will NOT clean up your site. This plugin fixes your door lock – which doesn’t matter if the burglars are already in your house.

Let me know of any problems or questions you have in the comments.

Good luck!

EDIT
Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
http://codegarage.com/plugins/timthumb-full-server-vulnerability-scanner.zip
It’s much less polished, and much less tested, so use at your own risk.

Upgrading or Uploading WordPress Via FTP

August 17, 2011   ·   By   ·   1 Comment   ·   Posted in Troubleshooting, Wordpress

Yesterday we talked about how to access your WordPress site via FTP – today, we’ll talk about something more important: Upgrading or reinstalling WordPress using FTP instead of the WordPress backend.

Why?

Again – this all comes down to saving your own butt. If an automatic upgrade fails in the middle, you’re in trouble – chances are that some, but not all of the files necessary have been reinstalled/updated. Because of this, the Dashboard is often left inaccessible, and you have to fall back on your old friend FTP.

Other reasons you might do this:

  1. You got hacked, and you want to make sure your core WP files are clean.
  2. You started tinkering with Core WordPress files, and now the site doesn’t work
  3. You uploaded a shady plugin which modified core WordPress files, and now the site doesn’t work

Public Service Announcement

Back up your site before you do this. Please. If you mess it up, and lose all your uploads, you’re going to be really mad, maybe at me. Don’t have a backup service? Good news – I have one that I can shamelessly plug. Check it out at the front page.

Lets get to it. Since we already understand how to access WordPress via FTP, we can get started without fear.

Step 1: Download WordPress

WordPress.org has a handy feature: the latest version of WordPress is always available at:

http://wordpress.org/latest.zip

If you ever need a copy, just enter that address in the url, and it will start downloading. The more traditional page for finding your download is here:

http://wordpress.org/download/

Need an old version of WordPress? They’re nice enough to keep those around too:

http://wordpress.org/download/release-archive/

So you’ve downloaded the version of WordPress you need. Good work!

Step 2: Unzip it

Next, you need to extract the zip you downloaded. Hopefully this isn’t too tricky – as long as you know where your downloads end up. In most cases, it’s as simple as finding the zip file and double clicking it. You should end up with a folder titled “WordPress”, which has the entirety of a WordPress install inside of it.

Step 3: Upload it

All that’s left is to upload. Now – you need to take some special consideration before you just go uploading all these files. Make sure you’re:

  • Uploading the right things
  • To the right place
    • Simple, right? Here’s what we need to do: We want to upload the contents of the WordPress folder (which we just extracted) to the directory on our web server where wordpress is installed, with one important caveat:

      We don’t want to overwrite wp-content

      That deserved to be bolded. The wp-content folder holds your themes, plugins, and uploads – and we don’t want to overwrite it with the default wordpress content. So, we’re going to upload everything except that.

      Upload Everything BUT wp-content


      Now that we’re ready to upload, we’ll just click and drag that mess into filezilla – making sure that in filezilla, we’re looking at the current wordpress install (you should be looking at the inside of a directory that has wp-load.php in it).

      When it asks if you’d like to overwrite files, go ahead and check “Overwite”, as well as “Always use this action” and click “Ok”. Before clicking “Ok” would be a good time to double check that you’ve backed up, adn you’re not overwriting wp-content.

      Now, this is going to take a while – WordPress has a lot of files. Go eat a sandwich, it will be done when you get back.

      All done. Now what?

      Now head back over to your site and get a feel for your handiwork. If you were just trying to fix a problem, ideally at this point your site is working again. If the upload went ok, and your site still isn’t working, the problem lies somewhere else – check your plugins and themes if you haven’t already.

      If you were doing this to upgrade your WordPress install, you’ve got one more step. Head over to yoursite.com/wp-admin, and you should be presented with a screen saying you need to upgrade your database. Go ahead and approve that, give it a minute to think, and you should be redirected to the login page – and you’re done!