I’ve been using Themify themes for a long time. Some of their themes are awesome, including Funki, Pinboard and Bizco.
Recently, all of the Themify themes which I’ve been using on my various blogs were compromised one by one. A vulnerability allowed spammers to exploit the loophole and turn them into email spam machines.
Luckily, I had email spam protection in place on my host, which diminishes the threat, and I was saved from a major disaster.
I did a quick search to find out what the problem was, and I found the culprit to be a very simple mistake which the Themify folks have ignored. I applied the patch and all of the blogs are now secure. I didn’t do extensive research, though, as I didn’t have time, but I’m sure that the problem which I found via a quick investigation is the real problem, and I hope there is no other major security hole in the themes.
I’m not disclosing the vulnerability and its solution, so as not to give other spammers the upper hand. I’ve notified the Themify folks, though. I’ll keep you updated if I receive any reply from them.
If you are affected, contact me via a comment below and I’ll send you the simple solution.
It is really a shame that premium theme authors let such a simple mistake slip through in their themes.
I just received a reply from Themify informing me that this vulnerability has already been identified and they have updated the theme to fix it. Here is a link to their blog.
Ignorance is not bliss! If only they had informed theme buyers via e-mail about this vulnerability as soon as it was found, it would have saved my and others’ time and effort.
Oh my! I also use one of their themes. Could you please let me know what the fix is?
I’ve sent the solution to you by email. Just to be on the safe side, you can delete the theme completely and use another safe theme. Unless the theme author comes back with a proper explanation, it is not safe to use these themes anymore.
Thanks for writing about this. If you have time to share, I’d appreciate more details on your fix too, to make sure the hole is plugged.
They have already released the fix. You can see more details on http://themify.me/blog/updated-themify-framework-to-fix-the-vulnerability
I no longer trust premium themes. I’m getting rid of all of them. I recommend that others do the same. Get your own theme; it’s not too difficult to develop one or hire someone to do that for you.
I just checked the link you mentioned above; it said to update the theme. I can’t see any theme on my account on Themify. How do I update the theme now?
Your subscription has expired; you have to buy a new annual subscription in order to access the updated theme. This is another reason why I’m ditching all premium themes. These guys release an unsecured theme and then you pay extra just to get the upgrade.