Recently, many WordPress sites have been hacked due to a security vulnerability in timthumb.php, a script that is used by hundreds of WordPress themes to resize images.
Oh no! How do I fix it?
The advice that came after the first sites started getting hacked was not the easiest to implement for non-technical WordPress users:
If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty.
This isn’t very helpful if you have no idea where to look or what you’re looking for. The first hurdle is to figure out if you’re affected and then to apply the right fix.
Timthumb Vulnerability Scanner to the Rescue!
If you have no idea what to look for, then the Timthumb Vulnerability Scanner will be a real lifesaver. Install it like any other plugin and it will scan your wp-content directory for vulnerable instances of timthumb.php. It also gives you the option to upgrade your scripts to a safe version with a single click.
The creator of this pugin was overwhelmed with requests to clean up hacks that have exploited the timthumb.php script. He made this plugin incredibly easy to use. If you know how to install a WordPress plugin, then you can manage this. It saves your site in two steps:
1. Scan
Click “Scan” to have the plugin check for the timthumb.php script.
2. Fix
If it finds an outdated and insecure version of the script, you will be given a “Fix” button to click for an instant upgrade.
What if I’ve already been hacked?
The plugin’s author notes that if you’ve already been hacked, this plugin will NOT clean up your site. Essentially, it fixes the door lock, which doesn’t matter if the burglars are already in your house. Believe me, you do not want the hackers to get in there. It can take down your entire server and if your host shuts down your account, you’ll be missing critical traffic and email.
For added security, check out Philip’s post on using a firewall to help protect your WordPress site from attack:
How to Protect Your WordPress Site as Hackers Exploit TimThumb Security Hole
Millions of WordPress sites are still vulnerable to the Timthumb security hack. Don’t let yours be the next victim! Download the Timthumb Vulnerability Scanner and check your sites today.
thanks, just fixed 2 sites I didn’t think had timthumb, a lifesaver
hey paul, do yopu know that worpress has launched a latest version which is very secure and tough to hack…try this and upgrade your version
i am also usin wordpress latest version and it is too secure.
Indeed. Didn’t think I was affected, but the onswipe plugin was affected on my blog.
same here!
I had to ask my hosting to whitelist timthumb on my domain so that a theme would work. But looking for more info on timthumb, discovered it was a spot for hackers. Thanks for calling my attention to “Timthumb Vulnerability Scanner”. I will install it on all sites I have control.
Came across this warning from Yoast. Thankfully my theme do not use this script. Thanks for the updates & to the person who wrote the scanner. Us non programmer won’t know how to fix this flaw otherwise
hey there, i found this post very useful. thanks a lot for publishing this article
I never got hacked, but I was scared anyways … I did what you said and it acts as if all was successful. So thanks very much, easy solution! Now here’s to hoping 2.8.2 doesnt become vulnerable