How to Fix the WordPress Timthumb Vulnerability

Many WordPress themes, including those designed by Elegant Themes, use a script called Timthumb to automatically create thumbnail versions of uploaded images. If your WordPress theme lets you select an image to use as a featured thumbnail for a post, there is a good chance that it uses Timthumb. If it does, your website may have a critical vulnerability that you need to patch immediately: the affected versions of Timthumb let an attacker plant a PHP file of their own on your web server and run it, which amounts to direct access to your site.

  1. Click the Plugins menu on your WordPress Dashboard, and then click Add New.
  2. Search for the plugin Timthumb Vulnerability Scanner.
  3. Install and activate the plugin by clicking Install Now, OK and Activate Plugin.
  4. Click the Tools menu on the Dashboard, and then click Timthumb Scanner.
  5. Click the Scan! button. If the scanner finds a copy of the Timthumb script vulnerable to the exploit, it prompts you to fix it.
  6. Click the Fix button. The Timthumb Scanner downloads the current version of Timthumb and overwrites the vulnerable file.

I have updated several websites in this fashion, and so far, updating Timthumb has yet to break anything. Since the scanner merely replaces the vulnerable Timthumb file with the current version, all of your themes should continue working as normal.

This vulnerability affects every copy of Timthumb in your WordPress installation, including the copies shipped with themes that are installed but inactive, because a PHP file in an inactive theme can still be requested directly over the web. So, be sure to update every instance of Timthumb listed by the vulnerability scanner, not just the one in the theme you are using.
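If you would rather check a server from the shell, or want to confirm what the scanner plugin reported (including copies that a theme author renamed to something like thumb.php), the script below walks a wp-content tree and reports every file that declares a Timthumb version. It is an added example, not code from the original post or from the Timthumb Vulnerability Scanner plugin. It assumes that Timthumb identifies itself with a `define ('VERSION', '...')` line and mentions "TimThumb" in its header, and it treats anything below 2.0 as vulnerable, since the 2.0 rewrite replaced the 1.x remote-image fetching code that the exploit abused; the sample directory tree and the stub PHP files are constructed for the demonstration. Unlike the plugin, it only reports and does not replace anything.

```shell
#!/bin/sh
# Added example (not from the original post or the scanner plugin): find every
# TimThumb copy under a wp-content tree and report its version.
# Assumptions: TimThumb declares itself with define ('VERSION', '...') and
# mentions "TimThumb" in its header; versions below 2.0 are treated as
# vulnerable. The sample tree built below is constructed for this example.

# True (exit 0) when dotted version $1 is lower than $2, comparing each
# numeric field in turn; a missing field counts as 0, so 2.0 equals 2.0.0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Print "path<TAB>version<TAB>status" for every PHP file under $1 that looks
# like TimThumb, whatever it was renamed to. The whole tree is searched, so
# inactive themes are covered as well as the active one.
scan_timthumb() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # pull the version string out of the define ('VERSION', 'x.y.z') line
        ver=$(sed -n "s/.*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([0-9][0-9.]*\)'.*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || continue
        # plenty of other PHP files define VERSION; require the TimThumb header
        grep -qi 'timthumb' "$f" || continue
        if version_lt "$ver" 2.0; then status=VULNERABLE; else status=ok; fi
        printf '%s\t%s\t%s\n' "$f" "$ver" "$status"
    done
}

# Build a throw-away wp-content lookalike with three PHP files and print its
# path. The file contents are stubs written for this example, not real code.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/active-theme" "$root/themes/inactive-theme/lib" "$root/plugins/gallery"
    # old 1.x TimThumb in the active theme, under its usual name
    printf '%s\n' '<?php' '// TimThumb script (stub)' "define ('VERSION', '1.33');" \
        > "$root/themes/active-theme/timthumb.php"
    # current TimThumb in an inactive theme, renamed by the theme author
    printf '%s\n' '<?php' '// TimThumb script (stub)' "define ('VERSION', '2.8.14');" \
        > "$root/themes/inactive-theme/lib/thumb.php"
    # unrelated plugin that also defines VERSION; must not be reported
    printf '%s\n' '<?php' '// gallery plugin (stub)' "define ('VERSION', '1.0');" \
        > "$root/plugins/gallery/gallery.php"
    printf '%s\n' "$root"
}

# Demonstration run against the constructed tree; cleaned up afterwards.
demo() {
    root=$(make_sample_tree)
    scan_timthumb "$root"
    rm -rf "$root"
}
demo
```

On a real site, call `scan_timthumb /path/to/wp-content` and replace every file reported as VULNERABLE with the current Timthumb release, keeping the file name the theme expects. Because the script matches on the contents of the file rather than its name, it also catches renamed copies that a name-based search would miss.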

If you use a theme from Elegant Themes, I should note that all ET themes have been updated and that none of them use Timthumb for generating thumbnails any more. If you remove and re-download your current theme, or download a theme in the future, it will not include Timthumb at all. The downside is that, since so many users make direct modifications to their PHP and CSS files, Elegant Themes is unable to assist a great deal with the update process. You will have to remember all of the changes that you made and repeat them after updating, so save a copy of your edited files (or a diff against the stock theme) before you replace it.
