You are here: Home / Learn About WordPress / Timthumb pwnd

Timthumb pwnd

August 2, 2011 By

Nick Roach is one of the premier WordPress designers of all time and his brand of premium themes can be found at Elegant Themes. I’ve owned an unlimited access pass to Elegant for 3 years and I’ve used them on rollouts a few times. Nick Roach has really pushed the envelope for the WP design world and I’m glad to see his brand get more recognition and a bigger following as time passes.

A couple years ago some of the [now older] Elegant Themes and bazillions of other WP Themes from other vendors started using a game changing script called “Timthumb” (sometimes referred to as Tim Thumb) to automatically resize images. It allowed a WordPress editor to upload an image and display it in a blog post, but also to automatically resize it for the homepage thumbnail saving incredible amounts of time. Tim Thumb finally got pwnd and any security problem in the WordPress world is taken super seriously. The bottom line to all my administrator friends is search your containers for older sites that run with Tim Thumb and update everything ASAP.

Here is the letter I got from Elegant Themes tonight…

Hello,

You are receiving this email because you are an active member of ElegantThemes.com. In the past, our themes have used a popular image re-sizing script called Timthumb (http://www.binarymoon.co.uk/projects/timthumb/). The script is used by millions of sites and is quite popular in the WordPress themeing community. That being said, it was noted yesterday that a vulnerability exists within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212), and therefore this vulnerability may also exist in your theme (depending on when you last updated it). While that author has provided a fix, it is highly recommended that you update all of your EelgantThemes themes to their latest versions. The latest versions of our themes no longer utilize the timthumb script and therefore are not subject to this security hole.

Regardless of when you last updated your theme, I would strongly suggest that everyone update their themes to the latest version and insure that the timthumb.php file and your /cache folder has been removed. To update your theme and remove the file, simply delete your current theme via the Appearances > Themes section of the WordPress Dashboard. Then you can re-download the theme from the members area and re-upload it normally:

https://www.elegantthemes.com/members-area/documentation.html#installdashboard

The latest theme versions require that your thumbnail images be hosted on the same domain name where WordPress is installed. If you were previously using timthumb.php to allow external image source by editing the file’s $allowedSites array, then these thumbnails will no longer function.

Before updating the theme, make sure that you are using the latest version of WordPress. I would also disable all of your plugins temporarily before doing any update to insure that no compatibility issues exist. Remember to always keep WordPress, your Themes and your Plugins up-to-date to help protect yourself against any vulnerabilities.

I am sorry for any inconvenience this has caused.


Best Regards,
Nick Roach
www.ElegantThemes.com

 

Filed Under: Learn About WordPress, Web Designer's Corner