In the past few months, we've fixed numerous hacked WordPress blogs that were installed prior to the fall of 2011, all with one thing in common: one-click installs with outdated TimThumb scripts. If your WordPress site has been up for a while, check it now for outdated TimThumb scripts, because an old TimThumb is exactly how attackers got a backdoor onto those sites.
As of January 22, 2012, when we tested it, DreamHost had removed or updated the TimThumb scripts and closed that security hole. However, we have another concern: the sheer number of themes and plugins the installer bundles is a security risk in itself.
When we used the DreamHost WordPress “One-Click Install” Deluxe, we were welcomed with 134 themes (5,536 files, not counting Twenty Ten and Twenty Eleven) and 9 plugins (624 files, not counting Akismet). Holy crap, that's a lot of themes and files!!
When you hover over the “?” it says “Includes a glorious selection of themes from Automattic and standard plugins to help you get started. Great for beginners!” Are they serious??? 134 themes??? OMG!
I personally contacted DreamHost several times to tell them about the vulnerability in the TimThumb scripts and the crazy number of themes and plugins they install. Their answer was:
“We want to give our customers choices.”
Choices? Are they kidding me? People need to have 134 themes to choose from for what they want their blog to look like?
At least they got rid of the outdated TimThumb scripts. But back then they installed about 34 themes, and now they've added roughly another 100 “choices.” That more than triples the footprint of your WordPress installation, and every extra PHP file is more attack surface. Think about it…
How can you possibly trust 134 themes on your site? Every one of them is PHP sitting in a web-accessible directory, so if a malicious hacker finds a vulnerability in one of them and breaks in through it, your site gets hacked, and the theme doesn't have to be active for that to happen. And if you host multiple websites on the same account, they share the same user and file permissions, so one break-in lets the attacker infect every one of your sites with malware that then spreads to your visitors' computers. Yikes!
If you MUST use the DreamHost One-Click Installer, please UNCHECK the Deluxe Install! Our recommendation is a manual installation. You owe it to yourself to learn how to do one: it's easy, and you know exactly what is being installed on your website.
And if you have already used the “Deluxe Install,” please log in to your WordPress admin or your FTP client and delete every unused theme and plugin ASAP. Remember: an unused theme or plugin is still on disk and still reachable, so it still increases your security risk.
Note: keep either Twenty Eleven or Twenty Ten (the default themes that ship with WordPress) so you have a known-good theme to fall back on if you ever need it.
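To do that cleanup without deleting the wrong directory, here is an added shell example written for this post (it is not DreamHost's or WordPress's own tooling). It assumes the standard wp-content layout and that you pass in the active theme's directory name, because WordPress stores that in the database (wp_options: template and stylesheet), not on disk. It also keeps the parent of a child theme, a case that is easy to get wrong by hand, and moves unused directories into a quarantine folder instead of deleting them, so you can put one back if the site breaks before you remove the folder for good. The sample site it builds is a constructed stand-in, not a real install.

```shell
#!/bin/sh
# Added example for this post (not DreamHost's or WordPress's own tooling):
# quarantine every theme directory that is neither the active theme, its
# parent (if it is a child theme), nor the default fallback. WordPress keeps
# the active theme's directory name in the database (wp_options: template /
# stylesheet), not on disk, so it is passed in as an argument.

# Print the "Template:" header of a theme's style.css, i.e. the parent of a
# child theme; prints nothing for a normal theme or a missing style.css.
theme_parent() {
    sed -n 's/^[[:space:]*]*Template:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1/style.css" 2>/dev/null | head -n 1
}

# Print the theme directory names that must stay, one per line:
# the active theme, the default fallback, and the active theme's parent.
keep_set() {        # keep_set THEMES_DIR ACTIVE DEFAULT
    printf '%s\n' "$2" "$3"
    theme_parent "$1/$2"
}

# Print the subdirectories of DIR whose names are not in KEEP (newline list).
unused_dirs() {     # unused_dirs DIR KEEP
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if ! printf '%s\n' "$2" | grep -qxF "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

unused_themes() {   # unused_themes THEMES_DIR ACTIVE DEFAULT
    unused_dirs "$1" "$(keep_set "$1" "$2" "$3")"
}

# Plugins have no parent/child relation. active_plugins in wp_options lists
# "dir/file.php" entries; pass the directory parts, space separated.
# Single-file plugins (hello.php) are not directories and are left alone.
unused_plugins() {  # unused_plugins PLUGINS_DIR "dir1 dir2 ..."
    unused_dirs "$1" "$(printf '%s\n' $2)"
}

# Move (not delete) unused themes into QUARANTINE so the site can be checked
# and anything restored before the quarantine directory is removed for good.
prune_themes() {    # prune_themes WP_ROOT ACTIVE DEFAULT QUARANTINE
    themes="$1/wp-content/themes"
    mkdir -p "$4"
    unused_themes "$themes" "$2" "$3" | while IFS= read -r name; do
        mv "$themes/$name" "$4/$name"
        printf 'quarantined theme: %s\n' "$name"
    done
}

# Constructed sample site for a stand-alone run: the active theme is a child
# theme of "mytheme", the default fallback is twentyeleven, and two other
# directories are leftovers from a bundled install.
make_sample_site() {
    root=$(mktemp -d)
    for t in twentyten twentyeleven mytheme mytheme-child leftover; do
        mkdir -p "$root/wp-content/themes/$t"
    done
    printf '/*\nTheme Name: My Child\nTemplate: mytheme\n*/\n' \
        > "$root/wp-content/themes/mytheme-child/style.css"
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/unused-plugin"
    printf '%s\n' "$root"
}

# Demo on the constructed site: prints "quarantined theme: leftover" and
# "quarantined theme: twentyten"; mytheme, mytheme-child and twentyeleven stay.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    prune_themes "$site" mytheme-child twentyeleven "$site/quarantine"
    unused_plugins "$site/wp-content/plugins" "akismet"
fi
```

On a real account you would run something like `prune_themes /home/you/example.com mytheme twentyeleven /home/you/theme-quarantine` (hypothetical paths), check the site, then remove the quarantine directory. For a single site the WordPress admin (Appearance > Themes, Plugins) does the same job; the script is for when you have a dozen Deluxe installs on one account.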
Also, install the Timthumb Vulnerability Scanner plugin and run it now to make sure no vulnerable TimThumb copy is left anywhere on your WordPress site.
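The plugin runs inside WordPress. If you would rather check from the shell, for example across every site on a hosting account before logging into each dashboard, here is an added example written for this post; it is not the plugin's code and not DreamHost's. It matches on TimThumb's own text rather than the filename, because hosts and themes renamed the file (thumb.php, scripts/timthumb.php), and it reads the VERSION constant the script defines. The threshold of 2.0 (the rewrite that followed the August 2011 remote-fetch vulnerability) is an assumption of this example, kept in a variable so you can raise it; the files it builds for a stand-alone run are constructed stubs, not real TimThumb.

```shell
#!/bin/sh
# Added example for this post (not the Timthumb Vulnerability Scanner plugin
# and not DreamHost's code): find every TimThumb copy under a WordPress tree
# and report its version. Files are matched on the script's own text, not on
# the filename, because copies are often renamed. Assumption: anything below
# TIMTHUMB_MIN_SAFE (default 2.0, the post-2011 rewrite) is flagged.
TIMTHUMB_MIN_SAFE="${TIMTHUMB_MIN_SAFE:-2.0}"

# True (exit 0) when dotted version $1 sorts before $2, e.g. 1.33 < 2.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print the VERSION constant a TimThumb copy defines, or nothing.
timthumb_version() {
    sed -n "s/.*define *( *[\"']VERSION[\"'] *, *[\"']\([0-9][0-9.]*\)[\"'].*/\1/p" \
        "$1" | head -n 1
}

# One line per hit: STATUS VERSION PATH.
#   VULNERABLE  version below the threshold
#   OK          version at or above it
#   UNKNOWN     mentions TimThumb but defines no VERSION: a trimmed or renamed
#               copy, or a theme file that calls one; check it by hand
audit_timthumb() {
    find "$1" -type f -name '*.php' -exec grep -li 'timthumb' {} + 2>/dev/null |
    while IFS= read -r f; do
        v=$(timthumb_version "$f")
        if [ -z "$v" ]; then
            printf 'UNKNOWN - %s\n' "$f"
        elif version_lt "$v" "$TIMTHUMB_MIN_SAFE"; then
            printf 'VULNERABLE %s %s\n' "$v" "$f"
        else
            printf 'OK %s %s\n' "$v" "$f"
        fi
    done
}

# Print the report and return 1 if anything needs attention (for cron use).
timthumb_check() {
    report=$(audit_timthumb "$1")
    [ -n "$report" ] && printf '%s\n' "$report"
    printf '%s\n' "$report" | grep -Eq '^(VULNERABLE|UNKNOWN) ' && return 1
    return 0
}

# Constructed sample tree for a stand-alone run: one old copy, one current
# copy, and one theme file that merely calls TimThumb. The stubs contain only
# the lines this script looks at; they are not real TimThumb.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/wp-content/themes/oldtheme/scripts" \
             "$top/wp-content/themes/newtheme" \
             "$top/wp-content/themes/caller"
    cat > "$top/wp-content/themes/oldtheme/scripts/timthumb.php" <<'EOF'
<?php
// TimThumb script (constructed stub with a pre-2.0 version string)
define ('VERSION', '1.33');
EOF
    cat > "$top/wp-content/themes/newtheme/thumb.php" <<'EOF'
<?php
// TimThumb script (constructed stub with a post-rewrite version string)
define ('VERSION', '2.8.2');
EOF
    cat > "$top/wp-content/themes/caller/functions.php" <<'EOF'
<?php
// constructed stub: builds a URL to timthumb.php but is not TimThumb itself
$thumb = get_template_directory_uri() . '/timthumb.php?src=' . $src;
EOF
    printf '%s\n' "$top"
}

# Stand-alone use: --demo audits the constructed tree; otherwise pass a
# WordPress root (or a whole hosting account's home directory).
case "${1:-}" in
    --demo) timthumb_check "$(make_sample_tree)" ;;
    "") ;;
    *) timthumb_check "$1" ;;
esac
```

Run it as `sh timthumb-audit.sh /home/you` (hypothetical script name and path) to sweep every site under an account at once; it prints one line per copy and exits 1 if anything is flagged, so it can run from cron. Treat UNKNOWN lines as homework: a theme file that calls TimThumb means there is a copy somewhere that it calls, and a copy with its version line stripped is exactly the kind of thing an attacker leaves behind.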
Leave Your Feedback
Have you used the WordPress Deluxe Install from DreamHost? How many unused themes did you have to delete from your blog? Did you find an outdated TimThumb script that you had to update? Leave your comment below.