New! How-tos and updated FAQs now available in the new help section.

Announcing the new VaultPress help page.

Today VaultPress is launching a new help section, with updated FAQs and our first two How-to guides. Our goal with the new help section is to create a one-stop location for VaultPress subscribers to find the help they need, when they need it — including access to our Safekeeper WordPress experts.

If there’s a topic you’d like to see us cover with a How-to or FAQ, don’t hesitate to mention it in the comments.

Posted in Announcements, Help | Comments Off on New! How-tos and updated FAQs now available in the new help section.

Coming Soon: Multisite Support!

The VaultPress plugin activated on a WordPress multisite installation.

We’ve heard your requests, and support for Multisite is coming. We’ve begun testing an updated plugin which now works with WordPress Multisite installs.

In the coming weeks, we’ll be adding more customers to our tests. As we get closer to the release, we’ll post some notes about the registration key you’ll need to activate the new plugin.

If you’re interested in being a part of our testing, feel free to contact us.

Posted in Announcements | 7 Comments

712 Fewer Vulnerable TimThumb Scripts in Existence

We recently contacted VaultPress customers who were affected by the TimThumb image library vulnerability with instructions on how to secure their sites. As previously noted, the vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory, compromising your entire WordPress site.

After some additional work, we’ve gone ahead and fixed the vulnerability for most of the affected VaultPress customers who haven’t yet updated their sites. We’ve fixed 712 copies of the script across our customers’ sites. We’ve sent out emails to all affected customers detailing what we fixed and whether any additional cleaning still needs to be done.

We provide services like this to sites under our care because keeping sites safe and secure is something that we’re passionate about. We like to think that each of the 712 files we fixed helps make the Internet that much better of a place.

Please refer to our instructions for updating TimThumb if you must continue to use it on your site. Customers can also contact the VaultPress Safekeepers directly for help from the VaultPress dashboard.

Posted in Announcements, Security | 7 Comments

Vulnerability Found in timthumb.php

Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using, you may want to remove the entire theme or plugin directory. After you remove the TimThumb library, check that your site is still working correctly.

If you must use TimThumb, please make sure to update the file to the latest version, and remember to check the TimThumb site regularly for updates. You should also set ALLOW_EXTERNAL to false, then find the $allowedSites array inside the file and remove the domain names to prevent remote file downloading.

Make sure this constant is set to false:

define( 'ALLOW_EXTERNAL', false );

Before:

$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'img.youtube.com',
	'upload.wikimedia.org',
);

After:

$allowedSites = array();
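
An added example, not part of the original post or VaultPress's own tooling: a Python audit that walks a WordPress directory tree, finds every timthumb.php or thumb.php, and reports copies that do not match the two settings shown above. The function names, sample paths and sample file contents are constructed for illustration, and the regex checks are a heuristic covering only the constant and array named in this post.

```python
import re
import tempfile
from pathlib import Path

TARGET_NAMES = {"timthumb.php", "thumb.php"}  # names the post says to look for
DEFINE_RE = re.compile(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(\w+)\s*\)", re.I)
ALLOWED_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)

def check_source(php):
    """Return the problems found in one TimThumb source string."""
    problems = []
    m = DEFINE_RE.search(php)
    if m is None or m.group(1).lower() != "false":
        problems.append("ALLOW_EXTERNAL is not set to false")
    m = ALLOWED_RE.search(php)
    if m:
        # Drop whole-line comments so commented-out entries are not counted.
        body = re.sub(r"^\s*(//|#).*$", "", m.group(1), flags=re.M)
        sites = re.findall(r"['\"]([^'\"]+)['\"]", body)
        if sites:
            problems.append("$allowedSites still lists: " + ", ".join(sites))
    return problems

def audit_tree(root):
    """Map each timthumb.php/thumb.php under root to its list of problems."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in TARGET_NAMES:
            text = path.read_text(encoding="utf-8", errors="replace")
            report[path.relative_to(root).as_posix()] = check_source(text)
    return report

# Constructed sample files (not real TimThumb source) mirroring Before/After.
BEFORE = ("<?php\ndefine( 'ALLOW_EXTERNAL', true );\n"
          "$allowedSites = array (\n\t'flickr.com',\n\t'picasa.com',\n);\n")
AFTER = "<?php\ndefine( 'ALLOW_EXTERNAL', false );\n$allowedSites = array();\n"

def demo():
    """Build a throwaway wp-content-style tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in (("themes/old/timthumb.php", BEFORE),
                         ("plugins/gallery/thumb.php", AFTER)):
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(src, encoding="utf-8")
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `audit_tree` at a real wp-content directory to list every copy that still needs attention; an empty problem list means the file matches the settings recommended in this post, not that the file is up to date.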

Theme and plugin authors should use the built-in WordPress functions such as add_image_size to resize images.

We are sending out emails to all VaultPress customers who have TimThumb installed on their site. Customers can contact the VaultPress Safekeepers directly for help from the VaultPress dashboard.

Posted in Announcements, Security | 44 Comments

WordCamping with VaultPress

One of our favorite parts of summer is the way there seems to be a WordCamp happening somewhere in the world every weekend. July is no exception this year, and we’re excited to be sponsoring three upcoming WordCamps here in the US.


WordCamp Boston 2011 will be held July 23rd and 24th at the George Sherman Union at Boston University.


WordCamp Chicago 2011 will take place on July 30th and 31st at the DePaul University Student Center, Lincoln Park Campus.


WordCamp Fayetteville 2011 is scheduled for July 30th and 31st at the Reynolds Center on the University of Arkansas campus.

If you haven’t been before, WordCamps are conferences that focus on everything WordPress. They’re usually informal, community-organized events that are put together by WordPress users (the only one put on by Automattic is the annual WordCamp San Francisco). Everyone from casual users to core developers participates, shares ideas, and gets to know one another. They’re open to WordPress.com and WordPress.org users alike.

We hope you get the chance to check out a WordCamp (or three) this summer. There’s a full listing of upcoming WordCamps on the WordCamp Central schedule.

Posted in Community, WordCamp | Comments Off on WordCamping with VaultPress