How To Fix The Security Issue in Timthumb

Timthumb is the most popular image-resizing script used in many WordPress themes and plugins. Recently a security vulnerability was found in it that allowed anyone to upload an arbitrary PHP file into the Timthumb cache directory and execute it, compromising the site.

One way to fix this security issue with timthumb is to NOT use timthumb at all: just delete it. But first make sure that your theme or plugin can work without it.

If your theme or plugin depends heavily on timthumb and you must use it, here is the procedure to fix this security vulnerability.

• First download the latest version of timthumb from this link. Rename it from timthumb.php.txt to timthumb.php.

• Open this newly downloaded file and make sure that ALLOW_EXTERNAL is set to false:

define( 'ALLOW_EXTERNAL', false );

• Now make sure that the $allowedSites array is empty. In your new timthumb file, you will probably find this code:

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);

Replace it with this code:

$allowedSites = array();

• Now upload this newly downloaded and modified timthumb.php file to your web server, replacing the existing timthumb file with it.

That’s it. Now you can use the timthumb script safely. If you have any questions related to the timthumb security vulnerability or the procedure to fix this issue, post them below.
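To confirm that the two edits above actually landed in every copy on a site, here is an added audit script (not part of the original post, and not TimThumb's own code). It walks a wp-content tree, picks up files named timthumb.php or thumbs.php (the WooThemes name mentioned in the comments), and reports any copy where ALLOW_EXTERNAL is not false or $allowedSites is not empty; the file names and the regular expressions for the two settings are assumptions about how they appear, and the embedded samples are constructed.

```python
import os
import re
# File names TimThumb ships under (WooThemes renames it thumbs.php, per the comments).
TIMTHUMB_NAMES = {"timthumb.php", "thumbs.php"}

# define( 'ALLOW_EXTERNAL', false );  -- spacing, case and quote style vary between copies
ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I)
# $allowedSites = array( ... );  -- group 1 is whatever sits between the parentheses
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)

# Constructed samples standing in for real timthumb.php contents (not the actual source).
SAMPLE_DEFAULT = ("define( 'ALLOW_EXTERNAL', false );\n"
                  "$allowedSites = array(\n    'flickr.com',\n    'picasa.com',\n"
                  "    'img.youtube.com',\n);\n")
SAMPLE_HARDENED = "define( 'ALLOW_EXTERNAL', false );\n$allowedSites = array();\n"

def check_timthumb_source(src):
    """Return the list of findings for one TimThumb file; an empty list means it passes."""
    findings = []
    m = ALLOW_EXTERNAL_RE.search(src)
    if m is None:
        findings.append("ALLOW_EXTERNAL is not defined")
    elif m.group(1).lower() == "true":
        findings.append("ALLOW_EXTERNAL is true")
    m = ALLOWED_SITES_RE.search(src)
    if m is None:
        findings.append("$allowedSites is not defined")
    else:
        # Pull the quoted host names out of the array body; any hit means it is not empty.
        sites = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
        if sites:
            findings.append("$allowedSites is not empty: " + ", ".join(sites))
    return findings

def audit_wp_content(root):
    """Walk root (normally wp-content) and map every TimThumb copy to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in TIMTHUMB_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = check_timthumb_source(fh.read())
    return report

if __name__ == "__main__":
    import sys
    for path, findings in sorted(audit_wp_content(sys.argv[1]).items()):
        print(path + ": " + ("OK" if not findings else "; ".join(findings)))
```

Run it as `python audit_timthumb.py /path/to/wp-content`; any line that is not "OK" is a copy that still needs the edits above.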

Comments

  1. Alex:

    Thanks a lot. I still can’t find the Timthumb file. How can I search for it in my cpanel?

  2. Mayur Somani:

    @Alex

    Which theme are you using?

  3. Karl:

    Hi Mayur, what about if I really need it to allow one site? What can happen, and if only that site is allowed, is this still a hole?

  4. Jane from Hosting Grades Reviews:

    Alex, in some themes it’s just called thumbs.php rather than timthumb. I just found thumbs.php on one of my sites.

  5. Alessandro Zamboni:

    Hi, I’ve been using WordPress for every project for a lot of years, and I wasn’t actually aware of this image resizing script. Thanks to your help, now I can check blog by blog via Cpanel File Manager and modify the file. Your help has been appreciated! I will come back soon to visit your blog.

    Thanks,
    Alessandro Zamboni

  6. Mayur Somani:

    @Karl

    Once you upgrade to the latest version of timthumb, it will work fine as the security vulnerability has been fixed in the new version.

    @Jane

    True. Especially for woothemes, they call it thumbs.php, but it’s essentially timthumb.

    @Alessandro Zamboni

    Thanks for your comment :)

  7. Deirdre:

    But what if the sites have already been hacked… what then?

    I replaced and/or deleted the timthumb.php or thumbs.php that I could find. But my sites cannot be logged into.

    I am screwed and Bluehost.com won’t help.

    Anyone take pity on me?

  8. Winning Inch:

    Thank you for this fix. I had just used “Category grid view” for a project and went to use it for another and found it had been removed due to the security fix. So I am really happy to have found a fix here :-)

  9. Hamish Carpenter:

    Mayur,

    If I use this technique to update, will this keep my website unchanged? I was told if I upgrade my theme template through wordpress it will undo all customization I have done in the code.

    This would be great if this change in code would secure my site without undoing all my changes.

    Thank you

  10. Chetan:

    It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  11. Mayur Somani:

    @Deirdre

    If a site is already hacked then it must be cleaned up first. There is no point removing timthumb from a site which is already hacked.

    @Hamish Carpenter

    Making this change will secure the site. But if you are using a theme from Elegant Themes, I highly recommend upgrading the theme.

    You can start using child themes from now, so that you don’t have to make all the changes in case of an update.

  12. Tad Chef:

    How do I know my blog themes use Timthumb in the first place?

  13. Mayur Somani:

    @Tad Chef

    You need to search your /wp-content/themes and /wp-content/plugins folders to see if there is a file with name timthumb.php in it.

  14. Peter:

    If you’re having trouble finding the timthumb script, or you’re not sure if you’re using it (it’s in a number of plugins, and many, many themes – commercial and free), you might want to check out this plugin:

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    That will find and update any instances of timthumb in your wp-content directory to a recent version, which solves the biggest security hole in the script. There will be an update later today or tomorrow (I’m the author) which will make sure to update the script to the very latest version, and keep you up to date when the script is updated.

    Hope that helps some of you!

  15. Mayur Somani:

    @Peter

    Thanks for the link. It’s a useful plugin.

  16. tab:

    @ AgentWordpress
    @ Peter

    thanks a lot for this information and for this useful plugin.

    regards
