TimThumb 2.0 – Use it to keep your WordPress site from getting hacked

WordPress has long been criticized for security issues, although by applying a few basic steps one can make it secure, and with a proper, regular backup policy there is little to worry about. You must be wondering why I am suddenly talking about security. Well, TimThumb, a popular image-resizing script bundled with many WordPress themes, has a serious security flaw that can be exploited to compromise the servers it runs on: it could be tricked into fetching a remote file (PHP code included) from an attacker-controlled host whose name merely looked like one of its allowed domains, and caching that file in a web-accessible directory. The flaw was found by Mark Maunder, who has started working with the original developer, Ben Gillbanks, on TimThumb 2.0. Here's what Matt Mullenweg has to say about the whole issue and how following standards makes life easier in the ecosystem -

Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications. That, combined with the severity of the flaw, means that this is one of the more serious issues in the WordPress ecosystem in a while, even more than normal because it wasn’t in core.

Not that it was Ben's fault – he never would have imagined that TimThumb would grow to such a level and that most theme developers would start using it instead of the WordPress API. I'm not the coder kind; however, according to Ashish Saini, WordPress can itself generate multiple sizes of an uploaded image, so if one sticks to the WordPress coding standards this issue is not an issue at all. We ourselves have been using TimThumb and didn't realize that it had such a serious flaw [our bad]. We'll be reaching out to our clients and will apply TimThumb 2.0 on their WordPress setups to avoid such an issue.
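Before the 2.0 files can be dropped into client sites, every existing copy has to be found first, and because themes embed TimThumb (sometimes renamed, sometimes locally modified) no plugin update list will surface them. The script below is an added example, not code from the original post, from the TimThumb project or from Ashish Saini. It walks a WordPress document root, finds the usual timthumb.php / thumb.php copies, reads the VERSION constant each file declares (assumed to be in TimThumb's standard `define ('VERSION', '1.33');` form) and reports which ones are still on the 1.x line. The install path in the usage line is an assumption.

```shell
#!/bin/sh
# Inventory every TimThumb copy under a WordPress tree and report which ones
# are still on the vulnerable 1.x line. Added example, not code from the
# original post or from the TimThumb project. Assumptions: TimThumb declares
# its version with a line like  define ('VERSION', '1.33');  and themes ship
# it as timthumb.php or thumb.php (add -name patterns for renamed copies).

tab=$(printf '\t')

# find_timthumb ROOT
# Prints one "<path>TAB<version>" line per copy found under ROOT; the version
# is "unknown" when the file carries no VERSION constant.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        # grep returns e.g.  define ('VERSION', '1.33'  ; the two expansions
        # strip the trailing quote, then everything up to the last quote.
        v=$(grep -oE "define *\( *'VERSION' *, *'[0-9.]+'" "$f" | head -n 1)
        v=${v%"'"}
        v=${v##*"'"}
        printf '%s\t%s\n' "$f" "${v:-unknown}"
    done
}

# needs_upgrade VERSION
# True (exit 0) when VERSION is older than 2.0, i.e. predates the rewrite that
# fixed the remote-file flaw. A version that does not start with a number is
# treated conservatively as needing an upgrade.
needs_upgrade() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$major" -lt 2 ]
}

# report ROOT
# Human-readable summary: UPGRADE for 1.x copies, ok for 2.x, CHECK for files
# whose version could not be read (renamed or modified copies, or unrelated
# files that happen to be called thumb.php).
report() {
    find_timthumb "$1" | while IFS="$tab" read -r path ver; do
        if [ "$ver" = unknown ]; then
            printf 'CHECK   %s (no VERSION constant; inspect by hand)\n' "$path"
        elif needs_upgrade "$ver"; then
            printf 'UPGRADE %s (version %s)\n' "$path" "$ver"
        else
            printf 'ok      %s (version %s)\n' "$path" "$ver"
        fi
    done
}

# Usage (one install at a time; loop over document roots for a whole server):
#   report /var/www/example.com/htdocs
```

Run it against each document root on a server rather than only the active theme: inactive themes and child-theme directories keep their own copies, and a 1.x file is reachable over HTTP whether or not the theme is active. Treat CHECK lines as work, not noise; a copy with the VERSION line edited out is exactly the kind of customized theme code Matt's quote warns about.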

Akismet further cements itself as the de facto anti-blogspam service!

HubSpot, an internet marketing company, has announced the integration of Akismet into its blog platform. I wouldn't say it was an expected move; however, looking at how much blog spam has increased, it has become really important for blog platform providers to offer strong anti-spam solutions. Here's what HubSpot had to say -

Akismet is the best-in-class comment filtering system available today, one that monitors millions of blogs and forums and keeps up to date on the methods and tricks used by spammers in real time. Akismet has prevented over 30 billion spam comments from appearing on websites over the years, and now HubSpot is also offering you this same high level of protection.

Now there are a few services like Akismet, although Akismet seems to be the most effective at this point in time. It would be fun to test these services at a larger scale. Here's the list of anti-blogspam services -

Till now, I'm kind of sold on Akismet & Defensio – do let us know what you think about them.

Varnish + Apache = Is it better than Nginx?

Well, that's one question whose answer is yet to be figured out. I recently managed to set up a VPS with 512 MB RAM running NGINX, PHP, MySQL and APC along with WordPress Multisite + custom domain mapping, and it all works great! The server is running without any issues and handling a decent amount of traffic. The setup doesn't have WP Super Cache; however, I reckon that if I throw WP Super Cache into it, it'll become one ultimate server setup for hosting WordPress sites.

I'm wondering, though, whether the whole setup could simply be replaced by Varnish + Apache. What got me thinking was an article I recently stumbled across by Donncha, the developer of WP Super Cache. He recently installed Varnish in front of Apache and has seen good results. Here's why Donncha went with this setup even though he was on an NGINX setup a while back -

I have tried Nginx in the past but could not get it working without causing huge CPU spikes as PHP went a little mad. In comparison, Varnish was simple to install and set up.

One reason a developer might prefer this setup over an Nginx setup is that Apache has more support available on the internet and works flawlessly with WordPress. Anyway, if you love to play around with servers, are using Apache and want to take load off it, follow this article.

I hope you'll enjoy this roundup. I'll continue with these kinds of roundups from now on to keep you all up to date with the best links and articles from the WordPress community.
