WordPress users get great additional functionality from wordpress plugins, many of which are free. Like any code, WordPress plugins sometimes have waiting-to-be discovered vulnerabilities. Software is considered “good” if it has been tested thoroughly using industry-accepted methods. However, one can never test for every possible contingency. TimThumb, a script running in many WordPress plugins and themes, is the latest code to have its weaknesses exploited.
TimThumb is a simple, PHP script for your self-hosted WordPress install. TimThumb debuted as a part of Mimbo Pro, a magazine-style theme for WordPress. A collaboration between well-known designers Darren Hoyt and Ben Gillbanks, TimThumb is a part of many themes and WordPress plugins. Recently the victim of a [glossary]zero-day[/glossary] attack, it left many WordPress plugins and themes vulnerable.
Lessons To Be Learned About WordPress and WordPress Plugins
Although this incident may have caused much grief, the greater importance is the lesson it teaches about the maintenance of WordPress Plugins and software in general.
The majority of cyber attacks occur on software that is out-of-date. It is worth the trouble to keep your version of WordPress and WordPress plugins (as well as any other software) updated. For most WordPress plugins there is no cost and you cannot afford the potential loss. The TimThumb weakness was fixed in a recently released version 2.8.14.
When making an upgrade decision, reasearch the alternatives. There is often a comparable and possibly even better alternative. Where cost is a factor, consider the cost of potential loss (and replacement).
WordPress, although user-friendly and easier than other CMSs,
requires maintenace. Whoever maintains your site must stay abreast of upgrades and security. If you lack the knowledge or desire to be an administrator, managed WP hosting may be for you. Managed WP hosting (by companies such as WP Engine) allows you TO do what you do best (run your business)– while leaving tech and admin issues to the experts.
Comment Policy:Your words are your own, so be nice and helpful if you can. Please, only use your real name and limit the amount of links submitted in your comment. We accept clean XHTML in comments, but don't overdo it please.