revslider plugin vulnerability

website hackedBack in July the revslider WordPress plugin was discovered to have a vulnerability that allowed arbitrary files to be downloaded. This was specifically for version 4.1.4.

This vulnerability has been actively used to infect WordPress websites.

Normally, being able to download a file to your local computer isn’t a huge news flash. However, when you consider this allows people to download your wp-config.php, which contains all the login information for your database, it can be used in a variety of ways by cybercriminals.

I bring this up because we’ve been seeing a number of websites infected this way.

When the hackers download the wp-config.php file, they strip out the database login credentials and then try to login to the database remotely. If successful, they either add another user with administrative rights or change the password to one of the existing users with administrative rights.

Next, they login and either upload a malicious backdoor or use the theme-editor to inject malicious code in the theme files.

I would like to mention that some hosting providers, Bluehost, Hostmonster, JustHost and many others, don’t allow remote access to phpMyAdmin in the cPanel by default. You have to whitelist an IP address to enable remote access to phpMyAdmin.

That basically kills this specific attack in their environments. However, that’s only this specific attack. Other files could be downloaded that would provide the attackers enough information to be able to infect the website.

Also, some website owners use the same username and password as their cPanel. This could be disastrous. Never use the same password as your cPanel. Never.

As always, keep all your plugins and WordPress updated.


Thank you for reading. If you have this plugin contact me for a way to test your site (no charge).

Send me an email:


TimThumb WordPress Plugin Leads to Hacked Websites

The WordPress Plugin TimThumb which is primarily used in themes as an image resizing tool, was found to be vulnerable to an attack that could be classified as a remote file inclusion exploit.

TimThumb allows an attacker to retrieve a remote file and saves it to directory that is accessible via a browser. Mark Maunder who is CEO of technology firm Feedjit, based in Seattle, found out the hard way about this vulnerability when his own blog: was infected by this.

He has provided a good detailed description, for those of you who are technically oriented, on his blog at:

It’s also been reported that the developer of the plugin had his own blog infected via this vulnerability. To his credit, he has been extremely busy in fixing this and has definitely shown responsibility in this matter.

The fix that Mark has suggested is this:

  1. Edit timthumb.php
  2. Scroll down to line 27 where it starts: $allowedSites = array(
  3. Remove all the sites like “” and “”
  4. After removing the sites your line should look like: $allowedSites = array();

Save the file and you’re finished. Keep in mind this is for version 1.33. If you’re running an older version, you’ll have to contact the Theme developer and ask them for an update.

Our research shows that some themes use this plugin but the file is not named timthumb.php it could be named:

  • thumb.php
  • resizer.php
  • crop.php
  • cropper.php
  • and various similar names

Search your files for all these names just to be sure you find it.

If you see a folder/directory named “cache” in your wp-content folder or any of it’s sub-folders, you can add this .htaccess file there which will block running any .php files. Quick backstep: this is typically where this plugin stores the files that a hacker may have uploaded. So even if a hacker were to upload the files to that folder, they cannot run them.


RewriteEngine On

Order Deny,Allow
Deny from all
Allow from localhost

Please post a comment here if you’re having issues with this, or for that matter, any other security related issues.

Thank you.