I had an email yesterday to notify me of a phishing site on one of my blog sites. The site had a theme installed that uses the ‘Tim Thumb’ library which was recently found to have a serious exploit. It’s serious because it allows a hacker to upload and execute files on your site. You can find out all about it as well as some instructions for updating/patching it HERE.
The tim thumb library is used by a lot of WordPress theme developers and is common in many of the premium themes. I use WooThemes themes on many of my sites and there’s plenty of discussion in the WooThemes forums about sites being hacked. WooThemes have released updates for all of their themes which use TimThumb and have provided detailed ‘cleanup’ instructions in the forums as well.
You should check straight away whether your theme uses the library and whether an update is available. You also should be aware that once a hacker has gained access, they can read the wp-config.php file which contains your wordpress database details and can modify your .htaccess file – so you should check your .htaccess and also change the database password for your blog. If you are using CPanel you will need to delete the database user (just the user – not the database!) and then create the user again with a new password. After changing the password, you will need to edit your wp-config.php and insert the new password.
If you think your site may have been compromised then I recommend you have someone who knows what to look for check it out. It is very easy to detect in the themes directory as there are a number of oddly named files that will get uploaded in there and also the date/time stamps on the hack files will be very recent.