
Use themeforest or codecanyon read this

I'm guessing a few of you use themeforest for themes and maybe codecanyon for sliders etc. Well, they have a serious security issue with hundreds of wordpress themes using 2 popular sliders, Revolution Slider and Showbiz Pro. These sliders are commonly bundled with wordpress themes and are also available on their own.
You can find out more below

http://marketblog.envato.com/general/plugin-vulnerability/

The weakness allows hackers full access to the server so if you host other sites on the same server they can also be attacked.
 
Yeah, this was released by Sucuri last week, along with a check to see if your slider has been affected. What they don't tell you is that the problem was actually patched a long time ago (months) but was never made a big deal of in the update logs.

http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

If your site is using the Revolution Slider then trying this URL, obviously replacing the site name:

Code:
http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

will tell you if your site is at risk. If it is at risk it will allow you to download the wp-config.php via admin-ajax; if it gives you a blank page or an "image not found" message then you are running a safe version.
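As an added, defender-side example (not code from this thread, from Sucuri or from Envato), here is a small Python scanner that runs over web server access logs and flags revslider_show_image requests whose img parameter escapes the slider's image directory, the same request shape as the check above. The log lines are constructed samples, and the "likely served" flag is a body-size heuristic assumed here, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2014:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2014:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2014:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def normalize_img(img):
    # Percent-decode repeatedly (double encoding is common) and unify slashes.
    cur = img
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")

def is_traversal(img):
    # True if img leaves the slider's image directory or names wp-config.
    norm = normalize_img(img)
    return (".." in norm.split("/") or norm.startswith("/")
            or "\x00" in norm or "wp-config" in norm.lower())

def scan_log(text):
    # One finding per revslider_show_image request whose img is a traversal.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["path"]).query)
        if qs.get("action", [""])[0] != "revslider_show_image":
            continue
        img = qs.get("img", [""])[0]
        if not is_traversal(img):
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "img": normalize_img(img),
            "status": int(m["status"]),
            # Assumed heuristic: patched plugins answer with a tiny body ("0", "-1"
            # or nothing); a 200 with a real-sized body suggests the file was served.
            "likely_served": m["status"] == "200" and size > 64,
        })
    return findings
```

A hit with likely_served set is the signal to treat wp-config.php credentials as exposed and rotate them, not just to update the plugin.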
 
This is what happens when you run your site from the online equivalent of a council house!
 
My sites all return a HTML page just with a "0" on it, that's it. All good?
 
Yeah, I believe that's fine. If it was vulnerable you would physically see the ability to download the file from the server to your local machine; obviously doing so would then give that person access to your wp-config SQL logins plus the ability to download any other file they wished.
 
Wow, I just found an old site with the vulnerability... using the "X" theme which is a best seller at ThemeForest. Scary being able to just download the wp-config with all the passwords etc. inside :/
 
I get a -1 on one site, I assume (hope) that's OK?! :D
 
Man, wordpress itself allows sites to be hacked, never mind sliders.

Any self-managed platform that has a decent sized community and lets the website owner choose their own plugins, themes and hosting environment without really knowing what they are installing will always have downfalls.

As they say, the majority of the time the real issue is PEBKAC (problem exists between keyboard and chair): people don't check what they are installing, they don't update when they are told to, or they simply don't understand the risks.

I would put money on the majority of the people that have been hit with this slider vulnerability (and most likely the people that still don't know about it until they are hacked) actually being people that downloaded older nulled versions of these themes. Obviously not all of them, as some themes were not updated, but I suspect huge numbers were people taking the cheap way out.
 
Do you mean Wordpress or the themes? Or both?

I was referring to anything Wordpress but especially if it's had themes/plugins added to it, it's like putting a sign up to hackers asking them to come and have a go.

I get probably 50+ phishing emails a day, the majority of them contain a link to a page on a hacked wordpress site. The whole system is like a dormant virus spreading around the internet just waiting to be unleashed.

Grant
 
I tend to agree with grantw. I had a wordpress site hacked before, themes breaking down when you update to the latest version of wordpress etc. I then started to learn html and haven't used wordpress since. An html site can still get hacked but the process is a lot more involved, and due to how easily wordpress and to an extent joomla are hacked, few waste their resources trying to attack html sites.
I understand the popularity of wordpress: it's end-user friendly and, for those selling websites, they can be turned out fast. The disadvantage is end users are not really tech savvy and may use plugins an experienced web designer or internet marketer wouldn't touch.

As adamH pointed out, this was fixed some time ago. The issue is that as these plugins were bundled into themes, it was reliant on the theme creator to update their themes, and no support was offered from the original plugin creators in these cases as the plugin was not purchased directly.

Those in high-competition SEO will remember the infamous "frog in a well" case, which effectively ensured the payday loan niche was manually reviewed by Google on a regular basis. Hackers used plugin backdoors and could effectively rank for any term they wanted.
 