Fixing TimThumb Security in WordPress

TimThumb.php is a great open-source script that web developers can use to help speed up sites by doing some clever image caching and resizing.

Unfortunately it’s been discovered that there is a security hole in older versions of the script. If you are using this script on your site – it may be part of a premium theme – then you need to upgrade it to the latest version.

To know if you’ve been affected, you need to do a search for a file called “timthumb.php” – if you downloaded your theme files to your desktop before uploading, then you can do an instant search by typing the filename into Voidtools Search Everything – watch the video for a full walkthrough.

Fortunately, the fix is easy. You need to get the latest version of timthumb.php here and replace the existing timthumb.php file using FTP – choose “Overwrite” or “Replace” if your FTP programme asks you.

Update – free plugin: TimThumb Vulnerability Scanner

The fix is now even easier with the free TimThumb Vulnerability Scanner plugin, which scans your entire wp-content directory for outdated and insecure versions of the timthumb script (including those renamed to thumb.php). It gives you the option to automatically upgrade them with a single click.

If you use a theme from WooThemes, note that they’ve renamed timthumb.php to thumb.php, so that’s the file you’re looking for!
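As an added example (not code from the post, the plugin, or the TimThumb project), here is a small Python script that does the search step above on a copy of wp-content: it finds every timthumb.php or thumb.php, reads the version the file declares, records a SHA-256 so you can compare the copy against the one you downloaded, and flags anything older than the release you are replacing it with. It assumes the script declares its version with a define('VERSION', ...) line; the sample tree it builds is constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# File names the post says to look for: timthumb.php and thumb.php (WooThemes' renamed copy).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Assumption: the script announces its release as define('VERSION', '...'); a copy
# without that line gets version None and is flagged so you inspect it by hand.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""", re.IGNORECASE)

def parse_version(source):
    """Return the version string declared in a TimThumb source file, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None

def version_key(version):
    """Turn '2.8.10' into (2, 8, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def scan_wp_content(root, minimum_version):
    """List every TimThumb copy under root with its version, SHA-256 and an outdated flag."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                data = handle.read()
            version = parse_version(data.decode("utf-8", errors="replace"))
            outdated = version is None or version_key(version) < version_key(minimum_version)
            findings.append({"path": os.path.relpath(path, root), "version": version,
                             "sha256": hashlib.sha256(data).hexdigest(), "outdated": outdated})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed sample wp-content: one old timthumb.php, one renamed current thumb.php."""
    root = tempfile.mkdtemp()
    samples = {"themes/old/timthumb.php": "<?php\ndefine ('VERSION', '1.33');\n",
               "themes/woo/thumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
               "themes/woo/functions.php": "<?php\n"}
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as handle:
            handle.write(body)
    return root
```

Run scan_wp_content() against your downloaded wp-content folder instead of build_sample_tree(), passing the version string of the timthumb.php you fetched as minimum_version; any entry marked outdated is a file to overwrite.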

You can find more information here: Timthumb PHP script opens hole in WordPress blogs.

About Alastair McDermott

Alastair McDermott is an online business and technology consultant specialising in web design & development, internet marketing and search engine optimisation. He has been building websites and software since 1996 and is a nine-year veteran of using WordPress.

He has co-founded several software, web and information based startup companies and has provided solutions for many large Irish and international organisations. Alastair blogs, and makes media of all kinds at SelfAssemblySites and at WebsiteDoctor. Follow him on Twitter at @WebsiteDoctor.

5 Responses to Fixing TimThumb Security in WordPress

  1. Sebastian says:

    Hi Alastair,

    I fixed it. The new version of timthumb.php needs PHP5 to work. My hoster had PHP4 as default and I had to change it in the htaccess file.

    Many thanks for your help.

    Sebastian

  2. Sebastian says:

    Hi, you are using the same theme as I use at my photography website.

    If I’m going to replace the timthumb.php, it won’t work anymore. How did you solve it?

    Regards!

    • Hi Sebastian,

      It should work with the new version of timthumb.php – I just dropped it in on top of the existing one, and made the couple of minor edits mentioned. If that’s not working can you give more info?

      Cheers,
      Alastair.

      • Sebastian says:

        Hi Alastair,

        didn’t work for me. Here is what I’m talking about (URL removed for your security)

        With the new timthumb.php the thumbnails won’t come up. They are clickable but they can’t be displayed. If I copy the old one back, everything is fine again. But I’m afraid to get hacked again if I use the old one.

        Cheers,
        Sebastian
