In the past few months, we've fixed numerous hacked WordPress blogs that were installed prior to the fall of 2011 with one thing in common: one-click installs with outdated Timthumb scripts. If you've had your WordPress site up for a while you need to check it for any timthumb backdoor vulnerabilities.
As of January 22, 2012 when we tested it, DreamHost has removed and/or updated the timthumb scripts and closed that security hole. However, we have another concern: the sheer number of WordPress themes and plugins the installer adds poses its own security risk.
When we used their WordPress “One-Click Install” Deluxe from DreamHost, we were welcomed with 134 themes (5,536 files not including Twenty Ten and Twenty Eleven) and 9 plugins (624 files not including Akismet). Holy Crap that's a lot of themes and files!!
When you put your mouse over the ? it says “Includes a glorious selection of themes from Automattic and standard plugins to help you get started. Great for beginners!” Are they serious??? 134 themes??? OMG!
I personally contacted DreamHost several times telling them about the vulnerability with the timthumb scripts and the crazy number of themes and plugins they install. And their answer was:
“We want to give our customers choices.”
Choices? Are they kidding me? People need to have 134 themes to choose from for what they want their blog to look like?
At least they got rid of the outdated timthumb scripts. But back then they had about 34 themes and now they've added about another 100 “choices.” This more than triples the footprint of your WordPress installation and causes a great risk for security. Think about it…
How can you possibly trust 134 themes on your site? If a malicious hacker finds a vulnerability and breaks into your site through one of them (and they don't have to be active), your site will get hacked. And if you're hosting multiple websites on the same account, every one of your sites can get hacked, with malware that can spread to your visitors' computers. Yikes!
If you MUST use the DreamHost One-Click Installer, please “UNCHECK” the Deluxe Install! Our recommendation is to do a manual installation. You owe it to yourself to learn how to do it. It's super easy and you know what is being installed on your website.
And if you have already used the “Deluxe Install,” please log in to your WordPress blog or FTP client and delete any unused themes and plugins ASAP. Remember! Unused themes and plugins increase your security risks.
Note: Make sure that you keep either Twenty Eleven or Twenty Ten that comes with WordPress so you have a default theme to fall back on in case you ever need it.
Also, please install the Timthumb Vulnerability Scanner plugin and run it now to make sure you don't have a timthumb vulnerability on your WordPress site.
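For anyone who has SSH access rather than cPanel, here is an added example (not from the original post) that does the clean-up above from the command line: it lists the theme and plugin directories that are not on a keep list, removes them only when told to, and locates every copy of timthumb so outdated ones can be updated. It assumes the standard wp-content layout with themes/ and plugins/ subdirectories, and that the default themes live in directories named twentyten and twentyeleven.

```shell
#!/bin/sh
# Added example, not the original post's code: audit a wp-content directory for
# unused themes/plugins and for copies of timthumb. Assumes the standard layout
# wp-content/themes/<name>/ and wp-content/plugins/<name>/.

# Print the directories under $1/$2 (e.g. themes or plugins) whose name is not in
# the space-separated keep list $3. Nothing is deleted here; review the list first.
list_unused() {
    dir="$1/$2"; keep="$3"
    [ -d "$dir" ] || return 0
    for path in "$dir"/*/; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        case " $keep " in
            *" $name "*) ;;          # on the keep list: skip it
            *) echo "$name" ;;
        esac
    done
}

# Remove what list_unused reports, but only when $4 is "yes" (dry run otherwise).
remove_unused() {
    list_unused "$1" "$2" "$3" | while read -r name; do
        if [ "$4" = "yes" ]; then
            rm -rf "$1/$2/$name"
            echo "removed $2/$name"
        else
            echo "would remove $2/$name (dry run)"
        fi
    done
}

# Find every copy of timthumb (usually timthumb.php or thumb.php) under $1 and
# show its VERSION line, so an outdated copy stands out and can be updated.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while read -r f; do
        ver=$(grep -o "VERSION'[^)]*" "$f" | head -n 1)
        echo "$f ${ver:-(no VERSION constant found)}"
    done
}

# Typical use: keep only the two default themes, dry run first, then for real.
# remove_unused /path/to/wp-content themes "twentyeleven twentyten" no
# remove_unused /path/to/wp-content themes "twentyeleven twentyten" yes
# find_timthumb /path/to/wp-content
```

Keep the active theme on the keep list as well, since an active theme whose directory is deleted leaves the site with no theme to render.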
Leave Your Feedback
Have you used the WordPress Deluxe Install from DreamHost? How many unused themes did you have to delete from your blog? Did you find an outdated timthumb script that you had to update? Leave your comment below.
Cindy Bidar says
Four years ago when I was a total newbie I was on DreamHost. I used that one-click installer and was thrilled to have so many choices! When I later changed to Hostgator, I was very disappointed to only get one theme with my one-click install. I didn’t know anything – including where to get new themes or how to install them. I thought I was stuck with this one theme forever!
I think a lot of the newbies on DreamHost are in the same boat – they aren’t aware that they don’t have to have 134 (!!!) themes on their blog, and they don’t know they can delete the ones they’re not using. Too bad DreamHost is more interested in offering choices than real assistance – their customers are going to continue to have security problems because of it.
GaryJ says
You don’t need to keep the TwentyTen theme, and the default can be switched away from TwentyEleven via:
define( 'WP_DEFAULT_THEME', 'your-default-theme-name' );
in the wp-config.php file.
Regina Smola says
Hi Gary,
Thanks for your input. Appreciate it.
I had mentioned keeping Twenty Ten and Twenty Eleven since they come with the latest version of WordPress. But I agree with you.
Double R says
The title of the article is misleading. You stated that: “I installed their Deluxe WordPress and no outdated timthumb scripts were found.” however your title seems to imply that these themes contained the timthumb vulnerability or other security risks.
Robert Nelson says
In your quest to find something wrong in the article you missed the real point, which is why would most people need 134 themes (unneeded in most cases, and in any case explaining that by going to wordpress.org they can find many more themes than they will probably ever need or want). In any case, unless One Click installers and/or Fantastico aren’t kept up to date they can and do cause problems.
Regina Smola says
Hi Robert and Double R,
Thank you both for your comments.
Robert is right, you can find a huge selection of themes over at WordPress.org and the “extra” themes cause security risks. There are many newbies out there that don’t know how to do SFTP like you and I do, can you imagine how long it would take them to manually delete all unwanted themes from the dashboard. And Dreamhost doesn’t have a cPanel so they couldn’t even do it inside the file manager. Yikes! It would take hours.
Double R, the timthumb vulnerability was found on themes that were installed using the one-click installer prior to Dreamhost updating their auto-installer recently. Now if another vulnerability is found on any one of those themes, Dreamhost does not update them for you automatically. It’s “one-click” not we’ll install and keep checking. Leaving them there is a ticking time bomb, an accident waiting to happen.
I have completely revamped my post to try to explain the risks for you. Please read it again and see if it makes more sense.
Robert Nelson says
Looks like a good reason to not use Dream Host or at the very least their “One Click Installer”.
Regina Smola says
You know I’m not a fan of auto-installers, but at the very least they should uncheck the “Deluxe Install.” Oh how I wish people would learn how to install it themselves. I like to know exactly what plugin, theme and file I’m putting on my server.
Alex Sysoef says
Great tip Regina,
I wish people would realize just how important security is for their blog. Majority shoot for functionality and presentation and forget that all of it will not matter when their blog is hacked. What is even worse is when the hosting providers KNOWINGLY contribute to the problem.
On a side note: in the last few weeks I have seen an increase in hack attacks against my own blogs, and I just published some interesting stats from a few randomly chosen blogs. I posted a link to the article as my website link, in case you want to read up on it.
Have you seen this increase lately? It seems to be consistent across multiple hosts and completely different blog networks…
Regina Smola says
Hi Alex,
Thanks for your comment. I totally agree.
Thanks for posting the link to your article “WordPress Hack Attack Against Login Increase.” Great advice and tips for all WordPress users. Everyone should hop over and check it out. Be sure to click on the link to watch the video on how a WordPress blog can be hacked in minutes. Scary, but eye-opening!