Further compounding the issue is the fact that WooThemes suffered a massive server hack which, while it does not pose any direct threat to users of their themes, did cause the automatic upgrade function within the WordPress dashboard to stop working. That means you can’t rely on a dashboard notification to let you know when it’s time to upgrade. Instead, you’ll need to check your version number. Anything before version 5.3.12 is at risk and should be updated immediately.

If you don’t have the upgrade button on your dashboard, you’ll need to update your theme manually. You can find the instructions here.

Make sure you upgrade all your themes – even the ones you’re not using – because this vulnerability can be exploited even in an inactive theme. Actually, now might be a really good time to just get rid of those themes you’re not using. The only themes you need on a WordPress site are your current theme, any required parent theme, and at least one of the two that come installed with WordPress (Twenty-ten and Twenty-eleven). Everything else is an unnecessary security risk.

Perhaps the most concerning thing about this whole incident is that this vulnerability was discovered on April 23, and users were not notified until today. Seven days is a long time to let your customers' sites remain open to attack. Shame on WooThemes for not being more proactive.

More information about the exploit can be found at WooThemes.com.

What about you? Do you use WooThemes? Have you upgraded yet? Let us know how the upgrade process went for you. 

Webinar Details:

MyNAMS Live Training Webinar

Date: Wednesday, March 21, 2012
Time: 8:00 - 9pm Eastern Time
(Convert to your timezone)

Topic: Protecting Your Business Assets

Description: How to Spot Danger Before Your Computer Gets Infected, Your Site Hosts Malware, and Your Credit Card Number Gets Stolen.

I'll be covering things like:

• How to tell if it’s a real site or a “fake” site pretending to be real
• How to tell if your website is infected with malware
• How to tell if your website is blacklisted by search engines (e.g. Google, Yahoo, etc.)
• How to tell if your email account is hacked
• How to know when someone is spamming you
• How to tell if your social networking account (e.g. Twitter, FaceBook, etc.) is hacked

Register for free at http://wpsecuritylock.com/2012-03-21-regina-mynams-webinar

Hurry, space is limited so be sure you register now so you can be at the live event.

This webinar will help anyone you know that uses the Internet, so be sure to invite your friends and colleagues. 

Leave Your Feedback

Got a question about security on the topic I'm covering? Get your question in early by leaving your comment below.

~ Regina Smola
WP Security Expert 

I've been cleaning alot of WordPress sites infected with malware on DreamHost lately. I am finding some common denominators that put users hosting accounts and WordPress sites at risk:

1. Used One-Click Installs to install the WordPress "Deluxe" Install. (Be sure to "uncheck" Deluxe.)
2. Enhanced Security has been disabled.
3. Extra Web Security is turned off.

DreamHost One-Click Install Security Tip:

I'm not a fan of auto-installers, but if you don't want to learn the WordPress Famous 5-Minute Install and use the DreamHost One-Click Installer for WordPress, please uncheck "Deluxe Install" so you don't end up with 134 themes and 9 plugins. To find out why this is a security risk be sure to read my post here.

Important: To keep the auto-installer from installing multiple themes and plugins, before clicking the "Install it for me now!" button, uncheck "Deluxe Install."

DreamHost Enhanced Security Tip:

The hacked WordPress sites I've been cleaning have this feature turned off. Yikes! If you're hosting with DreamHost please check all of your users individually and make sure that "Enhanced Security" is enabled.

Manage Users > click "Edit" next to the username > Enhanced Security - Check the box.

According to the DreamHost Wiki:

The Enhanced User Security setting prevents other users from accessing your home directory. It can be enabled independently for each user in the DreamHost control panel under Users / Manage Users. It is enabled by default.

It is strongly recommended that you only disable this option if you need your files to be accessible to other Dreamhost users (which you really probably don't).

Read more about DreamHost Enhanced Security.

DreamHost Extra Web Security Tip:

To help prevent common attacks, be sure each domain has "Extra Web Security" enabled.

Manage Domains > click "Edit" next to your domain name > Extra Web Security - make sure this is enabled (checked).

According to the DreamHost Wiki:

The Extra Web Security option (you see it when adding a new domain or editing the web settings for an existing domain) enables the use of a very special security module for your website. Many common attacks that can compromise your website will be blocked by this option. We cannot guarantee that all attacks will be blocked but we will do our best to ensure the most common known attacks will be prevented. 

Read more about DreamHost Extra Web Security.

Leave Your Feedback

Are you hosting with DreamHost? Be sure to let me know if you found these tips helpful by leaving your comment below.

~ Regina Smola
WordPress Security Expert

TimThumb is a PHP script that crops, zooms, and resizes images. It's commonly used in WordPress themes and plugins.

This script uses a cache directory from within your wp-content directory to grab and resize your images.

Authors of themes and plugins that use this script name the file timthumb.php or thumb.php (used by Woo Themes), but it could be on your WordPress site with a different name.

Unfortunately, back in August 2011 malicious hackers discovered a backdoor in the TimThumb script and infected a massive number of WordPress sites. This put website owners in a panic! WordPress users were removing themes and plugins, writing articles on how to remove timthumb from their blog, and calling me to fix their hacked WordPress sites.

Luckily, the developers of TimThumb acted quickly to close the backdoor and released TimThumb v 2.8.2 and fixed this security issue. issue.

Here are few theme authors who released a security patch and wrote blog posts to inform customers.

• Woo Themes - Timthumb (thumb.php) Security Flaw
• ElegantThemes - Timthumb Vulnerability + Security Update
• Arras Theme - Zero Day Vulnerability in timthumb script

 Why You Need To Check Your WordPress Blog NOW for TimThumb Vulnerabilities

Some TimThumb scripts have not been updated and people are still getting hacked!

SOLUTION! There's a great plugin called Timthumb Vulnerability Scanner by Peter Butler of http://codegarage.com that will scan your site for outdated timthumb scripts AND update them for you :

This plugin could save your blog's life!!!

I highly recommend you download the Timthumb Vulnerability Scanner at WordPress.org or install the plugin from your Dashboard and run a scan now.

A big shout out to Peter Butler for giving us such a great tool to use! 

Here's a quick video I did on Timthumb Vulnerability Scanner.

Have you checked your WordPress blog for any outdated versions of the Timthumb script? Let me know by leaving your comment below.

~ Regina Smola
WordPress Security Expert

You'll find me talking on the blog and in my email blasts about WordPress plugin security, but one area I haven't covered is how plugins can slow your website down.

Did you know that even if a WordPress plugin is disabled it can still affect your site's load time?

Yes, it's true! Every time someone opens your site, the database is checked to see which plugins need to be loaded, including the disabled ones. Your WordPress installation queries the database to see which plugins are active and which ones load on the post/page that your visitor has clicked on. It may only take a nano-second, but it does affect load time for each and every plugin you have.

For more help with plugins slowing down your site, be sure to check out Kimberly Castleberry's blog post: "How To Find Out Which WordPress Plugins Are Making Your Site Slow."

Of course, I have to mention WordPress Plugin Security too!

Did you know that even if a plugin is disabled/deactivated it can pose a security risk on your site?

Even if a plugin is not active, it can still be reached in a browser.

Bottom feeders (malicious hackers) can have a 15-course meal off of any vulnerabilities they've found.

For example: Hackers can search Google for inurl:wp-content/plugins/PLUGINNAME and try to attack every site using it.

Or let's say they know of a plugin they can break into (active or deactivated). They can visit your site and try to open http://yourdomainname.com/wp-content/plugins/yourvulnerableplugin/yourvulnerableplugin.php. If it's there, it's dinner time!

Just so you understand, when you deactivate a plugin you're telling WordPress not to load said plugin. But it still exists on your hosting server and is accessible.

The moral of the story is, if you're not using a plugin delete it to help speed up your site and remove the security risk. And always remember to keep the plugins up to date.

P.S. When you look at your list of plugins, please don't say, "Well, I want to leave it there in case I want to use it later." If you want to use it in the future then install it when you're ready to activate it!

LEAVE YOUR FEEDBACK

Would love to hear how many plugins you "deleted" after reading this post. Please leave your comment below.

Securely yours,

Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan

by Paul Thewlis

"Covers everything you need to develop a custom look for your blog, use analytics to understand your visitors, market your blog online,and foster connections with other bloggers to increase your traffic and the value of your blog"

Many of you inquire about how to make a WordPress blogs profitable and since the focus here on the blog is WordPress security, we thought a review of this book would help you get started.

If you currently have a WordPress blog but are a little stuck where to go next, this book will help.  This book seems best for someone who already has a self hosted WordPress blog set up.

You won't learn how to set up a WordPress blog but it will teach you about some of the following:

• How to stand out from the crowd
• Blog writing tips
• Fonts and Colors
• Categories and tags
• Trackbacks

and much more!

Throughout the book, you'll find images in brackets like a notepad/pencil for important notes and a light bulb for various tips and tricks. Be sure to read them! You will also find helpful images in the e-book to help walk you through many of the sections.

This e-book does not seem to be written for the super affiliate professional blogger,s but those new to business blogging. However, after a couple years of blogging, there are still things in this book we didn't even know about.  We still have a lot to learn and believe this book can help you improve your business!

*Thanks to PACKT Publishing for offering this e-book free for review.

by Ric Shreves

"Focuses on providing solutions to common WordPress problems so that you can translate your site to one of the best"

We found this book to be very helpful in many areas especially when it comes to advertising and SEO, but this book covers almost everything you can imagine like

• managing media files
• customizing themes
• digging into plugins and widgets
• how to get more interaction with your community

and more!

Of course chapter 9 is about security so you don't want to miss that.  This e-book has great use of images and don't miss the light bulb images throughout the book where you'll find interesting tips.

The WordPress 3 Cookbook is easy to follow and will definitely teach you a lot about the various ways you can develop your site/blog using WordPress.  The WordPress 3 Cookbook is for those who are already WordPress users, but we believe that even beginner WordPress users could get quite a bit from it as well.

*Thanks to PACKT Publishing for offering this e-book free for review.

Win a Copy of WordPress 3 for Business Bloggers & WordPress 3 Cookbook

We have teamed up with Packt Publishing to do a giveaway here on the blog.  They have generously offered up 2 e-books for you to have a chance to win.  So we will be choosing two lucky winners!

Packt Publishing let us give away SIX e-books at NAMS so we are excited to be able to give all WPSecurityLock readers who didn't get the chance to win at NAMS to win something here.

Overview of WordPress 3 for Business Bloggers by Paul Thewlis

• Use WordPress to create a winning blog for your business
• Develop and transform your blog with strategic goals
• Market and measure the success of your blog

Overview of WordPress 3 Cookbook by Ric Shreves and Jean-Baptiste Jung

• Take your WordPress site to the next level with solutions to common WordPress problems that make your site better, smarter, faster, and more secure
• Enhance your SEO and make more money online by applying simple hacks
• Rich with screenshots and practical tasks that you will find quite useful

We are in the process of writing a full review of each book so you will see those posted here on the blog over the next week. 

Entering is easy... Take a look at the Rafflecopter entry form below and follow the steps.  Be sure to read the directions when you click on the +1 on the entry form, you must leave a blog comment for your entry to count. Contest ends 2/27/12. Winners will be contacted by email so be sure to use a current email address when you enter.

a Rafflecopter giveaway

If you're serious about your business, NAMS 7 is a "not to be missed" event!

I attended NAMS4 in Atlanta, which helped me launch my business. And right before NAMS5, David Perdew, the founder of NAMS, took our training a giant step further by launching the MYNAMS membership. Inside we get a private support forum, accountability groups, member blogs, training modules, webinars, monthly Q&A calls, interviews from the experts, weekly blog posts, website reviews and much much more. Then I took what I learned from NAMS5 and my business grew even more.

Then I was honored when David asked me to speak at NAMS6. I gave two live security workshops and the attendee participation was amazing! I truly enjoyed showing the class how to protect themselves and their content online.

Now NAMS7 is just around the corner. I hope you can join me there!

I'll be teaching two live workshops at NAMS7 from February 10-12, 2012 in Atlanta, GA:

• Workshop #1 - Setting Up Your Business Right (with Chris Cobb and Dan R. Morris).
• Workshop #2 - Bullet Proofing Your Business

Discover How You Can Build A Profitable, Sustainable, Recession-Proof Business With Hands-On Training By Real-World, Proven Experts. Come hang out with me, learn from the instructors, network with the attendees, and GROW YOUR BUSINESS!

NAMS7 starts February 10, so hurry and grab your ticket!

*Go to: http://www.wpsecuritylock.com/nams7

 In addition to learning how to be successful in your business, you're going to make amazing friends, find JV opportunities, and get REAL help tailored to your business needs.

Here's some fun shots from NAMS6 I thought I would share:

In between workshops, one of my favorite things to do is have a meal with my NAMS friends.

The restaurant at the hotel has great food and friendly staff too.

Hope to have a meal with you too!

<< CLICK PHOTO TO ENLARGE

In the evenings, you can catch the NAMSters out by the firepit (next to the pool).

This is a great place to meet everyone, share ideas, make lifetime connections.

Be sure to bring a sweater and hang out by the firepit with me!

Okay, so this was supposed to be a serious pic.  The WP Security Lock team was "attempting" to look like serious "hacker attackers" so we could make some fun marketing materials with it. However, you can see how well that turned out.

Hey, did I tell ya that Kurt Scholle is doing pro-headshots at NAMS7?

LEAVE YOUR FEEDBACK

I'm arriving early Thursday, February 9 and leaving after the network breakfast on Monday, February 13. If you're going to be at NAMS7 let me know so we can have a meal together or hang out by the firepit. If you've been to NAMS before, encourage others to attend by leaving your feedback below. And if you have a specific question about NAMS or a security question you want me to answer at one of my live workshops, leave your comment below.

Securely yours,

Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan

* Denotes our Affiliate Link. If you a make a purchase through this link, we may receive a commission. See our Disclosure.

P.S. I'm bringing some really cool prizes for the giveaways at NAMS! Make sure you bring your business cards for the daily prize drawings.

Limited Offer! Hurry and Grab Your free copy of lol... OMG!

This educational offer is sponsored by Intel and the Associated Students of Stanford University. Parents, students, educators and libraries should take advantage of this opportunity.

Check out the National Cyber Security Alliance at Stay Safe Online to learn more about online safety.