Timthumb exploit in WordPress – how to find if you have it

Timthumb.php is sometimes renamed thumb.php, or even thumbnail.php, resize.php, crop.php or another name entirely.

The quickest way to find it is to look inside your theme folder. WordPress itself ships its own thumbnailer, which does not have this vulnerability, so your site may not include TimThumb at all. It is usually the theme author who chooses to bundle TimThumb for resizing images.

If you can’t find it but are still concerned, and you use the cPanel file manager, search your public_html folder for “thumb”.

If you really want to find and update TimThumb.php even when it is using another name, SSH into your server (if you can) and run this command (from: http://wordpress.shadowlantern.com/2011/08/timthumb-php-is-vulnerable/):

find ~/public_html -type f -wholename "*wp-content*" -name "*.php" -print0 | xargs -0 grep -Hl "TimThumb"

PS. Here’s the updated, patched TimThumb file:

http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php
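The search above, as an added shell example that is not part of the original post: it locates every PHP file under wp-content that mentions TimThumb, whatever the file is called, and reports the VERSION each copy declares so you can compare it with the patched release. The VERSION define pattern it greps for is an assumption about how timthumb.php declares its version; the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example: find renamed TimThumb copies under a WordPress install and
# report the version each one declares. Assumes POSIX find/grep/sed.

# Print every PHP file under $1 whose path contains wp-content and whose
# contents mention TimThumb (the filename itself is not trusted).
find_timthumb_files() {
    find "$1" -type f -path '*wp-content*' -name '*.php' \
        -exec grep -l 'TimThumb' {} + 2>/dev/null
}

# Print the version string a TimThumb file declares, or "unknown".
# Assumption: the file contains a line like  define ('VERSION', '2.x.y');
timthumb_version() {
    v=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$1" 2>/dev/null \
        | head -n 1 | sed "s/.*'\([^']*\)'\$/\1/")
    printf '%s\n' "${v:-unknown}"
}

# Walk $1 and print "path<TAB>version" for every TimThumb copy found.
scan_timthumb() {
    find_timthumb_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(timthumb_version "$f")"
    done
}

# Stand-alone demo on a constructed tree (sample data, not a real site):
# one renamed TimThumb copy and one ordinary theme file.
demo_scan() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    printf "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.0');\n" \
        > "$d/wp-content/themes/demo/thumb.php"
    printf "<?php echo 'not a thumbnailer';\n" \
        > "$d/wp-content/themes/demo/functions.php"
    scan_timthumb "$d"
    rm -rf "$d"
}
demo_scan
```

Run it against your own document root instead of the demo tree with `scan_timthumb ~/public_html`; any reported version older than the patched file above is a copy to replace.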

WordPress Auth_Key Secure_Auth_Key and Salt generator

This is the official WordPress secret auth key and secure auth key salt generator. Just open the link and it will produce a unique set of keys for your wp-config.php file.

https://api.wordpress.org/secret-key/1.1/salt/

If you reload the page or click the link again, you’ll get another unique set of WP salts. This gives you your own WordPress salts that (almost certainly) no one else has.

Apache security – response headers – hide apache version

While this does fall into WordPress tips and tricks, it’s more of a WordPress security tip:

How to set them (in your Apache configuration):

ServerSignature Off
ServerTokens Prod
