It seems there is a huge vulnerability with TimThumb.
The script is used by millions of sites and is popular in the WordPress community. It was reported yesterday, Aug 4, 2011, that a vulnerability exists in certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212), so the vulnerability may also exist in your theme (depending on when you last updated it). While the author has provided a fix, it is highly recommended that you update all of your WordPress themes to their latest versions. The vulnerability is in the timthumb.php file, which is bundled with a lot of WordPress themes (though it is not exclusive to WordPress scripts/themes).
As an end user, YOU are responsible for updating your theme or script to resolve this issue. A developer releasing a new version that fixes the flaw does you no good at all unless you explicitly upgrade the theme or script.
Simple solution – edit the timthumb.php file and replace all of its code with the latest version:
http://timthumb.googlecode.com/svn/trunk/timthumb.php
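Themes rarely ship a single copy of the script, so the first job is finding every one. The following audit script is an added example, not code from the original post or from the TimThumb project: it lists every timthumb.php (and the common thumb.php rename) under a WordPress tree and compares each against a reference copy you have saved locally (for example the trunk file linked above). It assumes a Unix host with find(1) and sha256sum(1) or shasum(1); the root and reference paths are hypothetical arguments.

```shell
#!/bin/sh
# Added example (not from the original post): inventory timthumb.php copies
# under a WordPress install and flag those that differ from a reference file.

# Print the SHA-256 of a file (GNU coreutils first, Perl shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# List every timthumb.php, and the thumb.php name many themes use for the
# same script, below a root, one path per line. Theme authors often bury it
# in subdirectories, so the search is recursive.
list_timthumb_copies() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | sort
}

# Number of copies found (0 when there are none).
count_timthumb_copies() {
    list_timthumb_copies "$1" | grep -c . || true
}

# Print "CURRENT <path>" for copies whose hash matches the reference file and
# "OUTDATED <path>" otherwise; return the number of outdated copies.
check_timthumb_copies() {
    root="$1"; reference="$2"
    ref_hash=$(sha256_of "$reference") || return 1
    outdated=0
    # Heredoc rather than a pipe, so the counter survives the loop.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ "$(sha256_of "$f")" = "$ref_hash" ]; then
            echo "CURRENT  $f"
        else
            echo "OUTDATED $f"
            outdated=$((outdated + 1))
        fi
    done <<EOF
$(list_timthumb_copies "$root")
EOF
    return "$outdated"
}

# Usage: sh find-timthumb.sh /path/to/wp-content /path/to/reference/timthumb.php
if [ "$#" -eq 2 ]; then
    check_timthumb_copies "$1" "$2"
fi
```

A non-zero exit status means at least one copy is not byte-identical to the reference, which is the signal to update the theme (or replace the file as the post suggests). A copy that matches the reference only proves it is the version you chose as the reference, so keep that reference current too.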
Securing your WordPress.
So How Do Hackers Hack Into WordPress Blogs?
Most skilled attackers will target your wp-config.php, since by default it sits in an insecure location. wp-config.php is the most important file on your WordPress blog: it holds very sensitive information, including your database credentials, table prefix and secret keys. To protect your WordPress blog from being hacked, you need to harden your wp-config.php file.
Protecting the wp-config.php File With .htaccess
The first step you should take right away is to add the following code to your .htaccess file; this is the first step in hardening your WordPress install.
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Changing the Permissions
I came across a WordPress blog whose wp-config file permissions were set to readable. All the hacker needed to do was upload a MySQL database and use it to access the victim's WordPress blog. So the bottom line is that the permissions should not be set to readable; they should be set to something like "400".
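The two steps above (the .htaccess deny block and owner-only permissions) are easy to apply and just as easy to lose on the next theme or hosting migration, so it helps to have a check you can rerun. The script below is an added example, not code from the original post: it audits a WordPress root for both controls. It assumes a Unix host with stat(1), awk(1) and mktemp(1), and the root path is a hypothetical argument; make_sample_root builds a constructed sample tree for a demo run.

```shell
#!/bin/sh
# Added example (not from the original post): audit wp-config.php hardening.

# Print a file's permission bits as three octal digits, e.g. 644 or 400
# (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    # Zero-pad short values and drop a leading setuid/setgid/sticky digit.
    printf '%03d' "$m" | tail -c 3
}

# Return 0 when no group or other permission bits are set (e.g. 400 or 600).
wp_config_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(file_mode "$1") || return 1
    [ "$(printf '%s' "$mode" | cut -c2)" = "0" ] &&
    [ "$(printf '%s' "$mode" | cut -c3)" = "0" ]
}

# Return 0 when .htaccess contains a <Files wp-config.php> block that denies
# access, in either Apache 2.2 ("deny from all") or 2.4 ("Require all denied")
# syntax. Directive names are case-insensitive, so everything is lowercased.
htaccess_protects_wp_config() {
    [ -f "$1" ] || return 1
    awk '
        tolower($0) ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblock = 1; next }
        inblock && tolower($0) ~ /^[ \t]*<\/files>/                   { inblock = 0; next }
        inblock && tolower($0) ~ /deny[ \t]+from[ \t]+all/              { found = 1 }
        inblock && tolower($0) ~ /require[ \t]+all[ \t]+denied/         { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Audit a WordPress root: one line per finding, return the number of failed
# checks (0 = both controls in place).
audit_wp_root() {
    wproot="$1"
    failures=0
    if wp_config_perms_ok "$wproot/wp-config.php"; then
        echo "OK   wp-config.php is owner-only (mode $(file_mode "$wproot/wp-config.php"))"
    else
        echo "FAIL wp-config.php is readable by group/other; chmod 400 it"
        failures=$((failures + 1))
    fi
    if htaccess_protects_wp_config "$wproot/.htaccess"; then
        echo "OK   .htaccess denies web access to wp-config.php"
    else
        echo "FAIL .htaccess has no <Files wp-config.php> deny block"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Build a constructed sample root (not a real install) with both controls
# applied, and print its path.
make_sample_root() {
    root=$(mktemp -d)
    printf '<?php\n/* constructed sample, not a real config */\ndefine("DB_PASSWORD", "example");\n' \
        > "$root/wp-config.php"
    chmod 400 "$root/wp-config.php"
    cat > "$root/.htaccess" <<'EOF'
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
EOF
    printf '%s\n' "$root"
}

# Usage: sh audit-wp-config.sh /path/to/wordpress   (or --demo for the sample)
if [ "${1:-}" = "--demo" ]; then
    audit_wp_root "$(make_sample_root)"
elif [ -n "${1:-}" ]; then
    audit_wp_root "$1"
fi
```

Two caveats the checker cannot see for you: an .htaccess file only takes effect on Apache with AllowOverride enabled for that directory (nginx ignores it entirely), and on Apache 2.4 the "order/deny" form needs mod_access_compat, otherwise use "Require all denied" inside the same block. Mode 400 also assumes PHP runs as the file's owner; on a setup where the web server runs as a different user, 640 with the right group is the closest equivalent.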