Fixing TimThumb Security in WordPress

TimThumb.php is a popular open-source PHP script that web developers use to speed up sites by resizing images on the fly and caching the results.

Unfortunately a security hole has been discovered in older versions of the script: it would fetch an "image" from any remote URL that merely contained one of its allowed hostnames somewhere in the address, so an attacker could host a malicious file on a look-alike domain, have TimThumb download it into the cache directory on your server, and then execute it. If you are using this script on your site - it may be bundled with a premium theme - then you need to upgrade it to the latest version.

To find out whether you're affected, search your site files for a file called "timthumb.php". If you downloaded your theme files to your desktop before uploading them, you can search instantly by typing the filename into the Everything search tool from voidtools; watch the video for a full walkthrough. Keep in mind that some theme authors rename the file (see the WooThemes note below), so a search on the filename alone can miss copies.

Fortunately, the fix is easy. Download the latest version of timthumb.php here and replace the existing timthumb.php file over FTP, choosing "Overwrite" or "Replace" if your FTP programme asks. Bear in mind that swapping in the new file closes the hole but does not remove anything an attacker may already have put on the server through it, so also look in the script's cache directory and the rest of the theme folder for files you don't recognise.

Update - free plugin: TimThumb Vulnerability Scanner

The fix is now even easier with the free TimThumb Vulnerability Scanner plugin, which scans your entire wp-content directory for outdated and insecure versions of the timthumb script (including copies renamed to thumb.php) and gives you the option to upgrade them automatically with a single click.


If you use a theme from WooThemes, note that they've renamed timthumb.php to thumb.php, so that's the file you're looking for!
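As an added example, not code from the article, the plugin or the TimThumb project, here is a POSIX shell script that does the same search from the command line on the server or on a downloaded copy of the site. It identifies copies by their content rather than their filename, so a renamed copy such as WooThemes' thumb.php is found too, and it reads the version each copy declares. The MIN_SAFE threshold and the constructed sample wp-content tree it builds for demonstration are assumptions made for this example; point scan_timthumb at your real wp-content directory instead.

```shell
#!/bin/sh
# Added example (not code from the original article or the TimThumb project):
# find every copy of TimThumb under a wp-content tree by *content*, whatever
# the file is called, and report its declared version. Themes rename the file
# (WooThemes ships it as thumb.php), so a filename search alone can miss copies.

# Assumption for this example: anything below MIN_SAFE is reported as OUTDATED.
# Check the TimThumb changelog for the release that actually closes the hole.
MIN_SAFE="${MIN_SAFE:-2.0}"

# Exit 0 when dotted version $1 sorts before $2 (so 1.33 < 1.34 < 2.8.11).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "path<TAB>version<TAB>status" for each TimThumb copy under directory $1.
scan_timthumb() {
    find "$1" -type f -name '*.php' -exec grep -il 'timthumb' {} + | sort |
    while IFS= read -r f; do
        # The script declares its version as:  define ('VERSION', '1.33');
        ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$f" | head -n 1)
        if [ -z "$ver" ]; then
            ver="unknown"
            status="CHECK"      # looks like TimThumb but has no version line: inspect by hand
        elif version_lt "$ver" "$MIN_SAFE"; then
            status="OUTDATED"
        else
            status="ok"
        fi
        printf '%s\t%s\t%s\n' "$f" "$ver" "$status"
    done
}

# Constructed wp-content tree standing in for a real site (sample data, not real theme files).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/old-theme/scripts" "$root/themes/woo-theme" "$root/plugins/gallery"
    cat > "$root/themes/old-theme/scripts/timthumb.php" <<'EOF'
<?php
/* TimThumb script created by Tim McDaniels and Darren Hoyt */
define ('VERSION', '1.33');
EOF
    # WooThemes-style renamed copy
    cat > "$root/themes/woo-theme/thumb.php" <<'EOF'
<?php
/* TimThumb script */
define ('VERSION', '1.28');
EOF
    # A copy that has already been upgraded
    cat > "$root/plugins/gallery/timthumb.php" <<'EOF'
<?php
/* TimThumb by Ben Gillbanks and Mark Maunder */
define ('VERSION', '2.8.11');
EOF
    # Unrelated PHP file that must not be reported
    printf '<?php\n// theme functions\n' > "$root/themes/old-theme/functions.php"
    echo "$root"
}

# Usage: scan the constructed tree (replace with the path to your real wp-content).
root=$(make_fixture)
scan_timthumb "$root"
rm -rf "$root"
```

Run it over your real wp-content directory with `scan_timthumb /path/to/wp-content` and treat every OUTDATED or CHECK line as a file to replace or inspect. Because it matches on content, it also catches copies that were never called timthumb.php in the first place.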

You can find more information here: Timthumb PHP script opens hole in WordPress blogs.

About Alastair McDermott

Alastair McDermott is an online business and technology consultant specialising in web design & development, internet marketing and search engine optimisation. He has been building websites and software since 1996 and is a ten year veteran of using WordPress.

Alastair blogs and makes media of all kinds at WebsiteDoctor. Follow him on Twitter at @WebsiteDoctor.
