Blog

13 Nov 2013

Update: how to deal with vulnerability in old Themify framework versions

Development / 0 Comment

As was mentioned in the previous post, there were some issues regarding the existance of themify-ajax.php, which was a legacy file used in a very old framework version, leading to a vulnerability. In this post we'll address how to completely clean the theme folder. If you find the legacy file themify-ajax.php file in the theme folder, follow these steps on how to fix it:

  1. Download an updated theme zip from your member area and unzip it on your computer. We will upload it later by FTP.
  2. Access your site through FTP and navigate to the Themify theme folder in wp-content/themes/
  3. Download the current theme folder on the server to your computer for backup.
  4. You have 2 ways to delete the old files:
    • A) if you have made changes to the template files (we recommend to create a child theme for template modification) you can delete the uploads directory inside the theme and the themify-ajax.php file inside the themify folder, also located inside the theme. If you continue having issues, you should delete the entire theme folder.
    • B) if you haven't made any changes to the parent theme, great! you can delete everything. However, make sure you haven't created the files custom-functions.php, custom-modules.php, custom-config.php or custom_style.css. If you did, you can upload these files again from the backup folder.
  5. Whatever method you have chosen in the previous step, themify/themify-ajax.php and uploads folder inside the theme should now be gone. You can now step out of the theme folder, and upload by FTP the updated theme you downloaded from your Themify membership account.

NOTE:

The file themify-ajax.php was retired in framework version 1.2.2, released in November 9, 2012, so only if you started using Themify themes at a later date you're safe and no action is required. If you use Themify themes since an earlier date or are unsure about it, check your installation following the steps outlined above.

Updated Fix (Nov 14, 2013):

We've released a new framework update to fix this issue. Please read this post and upgrade your theme.

Reply

Themify 7.5 has released! Please read the update notes.