Peter Butler, WordPress developer and the mind behind security monitoring service Code Garage, has released a plugin to search for any vulnerable instance of TimThumb. Butler’s plugin will also, if you wish (and you should), offer a one-click option to upgrade the outdated copy of TimThumb.
The TimThumb vulnerability was news over a month ago now, and was called “the security event of the year” by Matt Mullenweg in his State of the Word keynote this year. In other words, you should fix this problem if you still have it.
Butler explained to WPCandy that he developed and released the plugin because he can’t help everyone who has been contacting him about the problem:
I literally don’t have enough time in the day to clean up all the hacked sites people are sending my way over the past couple of weeks, and the vast majority of them have happened because of the TimThumb exploit.
When I tell people why their sites got hacked, many of them have even heard about the vulnerability, but just assumed the risk was small, or decided they couldn’t figure out how to fix it themselves (which is ludicrous, because it’s so easy).
As a result, his TimThumb Vulnerability Scanner plugin is now available in the WordPress.org plugin directory. Butler also recorded a quick screencast for the plugin which you can watch just after the jump.
Have you taken a moment to be sure all of the sites you manage are clear of outdated TimThumb scripts?
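For anyone who manages sites outside WordPress or wants to check a backup on disk, the following is an added example of the kind of check the plugin performs; it is not Butler's plugin code and is not part of the article. It walks a web root, identifies TimThumb copies by content rather than filename (themes ship the script under names such as timthumb.php or thumb.php), reads the version from the script's `define ('VERSION', ...)` line, and flags copies below a minimum version. The version-define format is an assumption about the script; the threshold passed to `demo()` is a placeholder, not a value from the article, and should be set to the current TimThumb release. The sample files are constructed for the demonstration.

```python
"""Find TimThumb copies under a web root and flag those below a minimum version.

Added example, not the TimThumb Vulnerability Scanner plugin's code.
Assumptions: TimThumb declares its version on a line such as
    define ('VERSION', '2.8.10');
and the caller supplies the minimum acceptable version (the value used in
demo() is a placeholder, not taken from the article).
"""
import os
import re
import tempfile
from typing import List, NamedTuple, Optional, Tuple

# Matches the version define used by the TimThumb script (assumed format).
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)"""
)


class Finding(NamedTuple):
    path: str
    version: Tuple[int, ...]   # () when no version define was found
    outdated: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.10' -> (2, 8, 10); anything non-numeric -> ()."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return ()
    return tuple(int(p) for p in parts)


def inspect_php(path: str, min_version: Tuple[int, ...]) -> Optional[Finding]:
    """Return a Finding if the file looks like TimThumb, else None.

    Detection is by content, not filename, because themes ship the script
    under several names (timthumb.php, thumb.php, ...).
    """
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    if "timthumb" not in text.lower():
        return None
    match = VERSION_RE.search(text)
    version = parse_version(match.group(1)) if match else ()
    # A copy whose version cannot be read is reported as outdated: it needs a look.
    outdated = not version or version < min_version
    return Finding(path, version, outdated)


def scan_tree(root: str, min_version: Tuple[int, ...]) -> List[Finding]:
    """Walk root and inspect every .php file; results are sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                found = inspect_php(os.path.join(dirpath, name), min_version)
                if found:
                    findings.append(found)
    return sorted(findings)


# Constructed sample files: an old copy, a current copy under a renamed file,
# and an unrelated script that only makes thumbnails.
SAMPLES = {
    "wp-content/themes/old-theme/timthumb.php":
        "<?php\n/* TimThumb script (constructed sample) */\ndefine ('VERSION', '1.33');\n",
    "wp-content/themes/new-theme/thumb.php":
        "<?php\n/* TimThumb script (constructed sample) */\ndefine ('VERSION', '2.8.10');\n",
    "wp-content/plugins/gallery/resize.php":
        "<?php\n// makes thumbnails with GD; unrelated script\n",
}


def demo(min_version: Tuple[int, ...] = (2, 0)) -> List[Finding]:
    """Write the constructed samples to a temp dir, scan it, and return
    findings with paths made relative to that dir. The (2, 0) threshold is a
    placeholder; use the current TimThumb release in practice."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [Finding(os.path.relpath(f.path, root), f.version, f.outdated)
                for f in scan_tree(root, min_version)]


if __name__ == "__main__":
    for f in demo():
        status = "OUTDATED" if f.outdated else "ok"
        print(f"{status:9} {'.'.join(map(str, f.version)) or '?':8} {f.path}")
```

Against a real install, call `scan_tree("/var/www/html", min_version)` instead of `demo()`; a copy with no readable version line is deliberately reported as outdated so that it gets inspected rather than silently passed.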