TimThumb Security Vulnerability Affects Many WordPress Themes and Plugins

August 8, 2011 · 52 comments

Filed under: WordPress. Tags: Zero-Day Vulnerability, Getting WordPress Hacked!
This is just yuck kinda news. It affects not only a ton of WP sites but also a lot of static sites as well.

According to Mark Maunder, a developer who first located the timthumb.php vulnerability being exploited (his site was hacked), “An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it.”

The file is normally named TimThumb.php, but some themes and plugins have renamed it to Thumb.php (though not every thumb.php file is secretly timthumb.php).

While most are saying this is a “theme issue”, a search of my backups yields the affected file not only in a large number of themes but also in certain shopping cart plugins, thumbnail plugins, slider plugins and more (pretty much any plugin that even looks at an image sideways may be affected).

Checking only the active theme is not good enough. You can be impacted even if the theme or plugin containing the file is not active or has never been activated: the script is reachable on its own, without WordPress loading the theme. So simply having an affected theme or plugin installed, even if you are not using it, is too dangerous.

The developer who discovered the hack has subsequently started recoding the script, but that will not magically fix what's already on your site. Read more.

Here is a VERY partial list of themes affected by the timthumb.php vulnerability.

Information we know: fixes exist for some of the WooThemes themes and for some of the ElegantThemes themes. Thesis, and now Genesis, claim (and appear likely to be right) to be using an already modified version of the code that is not affected. We also know that all VaultPress subscribers were auto-patched by the Automattic team.

To check whether your themes and plugins carry the troublesome TimThumb.php file (the same approach works for plugins, just use the plugin editor), go to your admin Dashboard, click on “Appearance”, then select “Editor” in the sub-menu. In the theme drop-down box at the upper right, select each individual theme in turn and look at the list of files shown on the right.

If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or confirm that the copy you have is the latest, patched version of the script. Alternatively, you could contact your theme’s developer and ask them whether they have an update.

To check for the file in your plugins, follow the same steps, only going Dashboard, then “Plugins”, then “Editor”, and then selecting each individual plugin in the drop-down box at the upper right and looking at its file list.

(Experienced user? The fastest way to check for the file anywhere it could be hiding is to download a copy of your entire hosting account (all sites, even non-WP ones) to your local computer and then run a file search for the file names across the whole download.)
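As an added example (this is not code from the original post), here is a small POSIX shell script that automates the file search described above over a local copy of the hosting account. It looks for the file by the names mentioned on this page (timthumb.php, thumb.php, and the thumbs.php variant a commenter reports), and, because renamed copies will not match by name, it also searches file contents. The content search assumes (an assumption, not something the post states) that a copy of the script can be recognised by the string "timthumb" or by the `$allowedSites` setting in its source. The directory tree the script builds for demonstration is constructed for illustration only.

```shell
#!/bin/sh
# Added example: locate copies of TimThumb anywhere under a directory tree
# (for instance a local download of a whole hosting account).
#
# Assumptions, not from the original post:
#   - renamed copies are usually called thumb.php or thumbs.php;
#   - the script's source contains "timthumb" or "$allowedSites".
# A file listed only because of its name is a candidate for manual review,
# since not every thumb.php is TimThumb.

find_timthumb() {
    root="$1"
    {
        # Pass 1: match by file name (case-insensitive)
        find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' -o -iname 'thumbs.php' \)
        # Pass 2: match by content, any .php file mentioning timthumb or allowedSites
        find "$root" -type f -iname '*.php' -exec grep -l -i -E 'timthumb|allowedSites' {} +
    } | sort -u
}

# Number of distinct suspect files under a tree.
count_timthumb() {
    find_timthumb "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (hypothetical paths) so the search can be
# tried offline. Prints the temporary root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/active" "$root/wp-content/themes/old" \
             "$root/wp-content/plugins/slider" "$root/wp-content/plugins/shop/lib" \
             "$root/wp-content/plugins/gallery"
    # Clean theme file: must not be reported
    printf '<?php\n// theme functions, no image resizer here\n' \
        > "$root/wp-content/themes/active/functions.php"
    # Unmodified copy under its original name, in a theme that is not active
    printf '<?php\n/* TimThumb script (constructed stand-in) */\n$allowedSites = array();\n' \
        > "$root/wp-content/themes/old/timthumb.php"
    # Renamed copy inside a slider plugin; only the source comment gives it away
    printf '<?php\n// TimThumb image resizer, renamed by the plugin author\n' \
        > "$root/wp-content/plugins/slider/thumb.php"
    # Renamed to something unrelated; only the content search catches this one
    printf '<?php\n$allowedSites = array("flickr.com");\n' \
        > "$root/wp-content/plugins/shop/lib/image.php"
    # A thumb.php that is NOT TimThumb: still listed by name for manual review
    printf '<?php\n// gallery thumbnail helper, unrelated to the resizer\n' \
        > "$root/wp-content/plugins/gallery/thumb.php"
    printf '%s\n' "$root"
}

# Usage: sh find_timthumb.sh /path/to/local/copy/of/hosting/account
if [ -n "$1" ]; then
    find_timthumb "$1"
fi
```

Run it against the downloaded copy of the account rather than the live server, and review every hit: a file found by name only may be an unrelated thumbnail helper, while a file found by content only is exactly the renamed case the name search misses.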

Regardless of the theme you’re using, look for updates immediately. Contact your developer/designer if you have a support contract. If your theme is using timthumb.php, it's essential you get patched NOW, even if your theme has no official support to do it for you. (Switching to a default WP theme like Twenty Ten or Twenty Eleven will temporarily put you in a safe zone, as long as the affected theme and plugin files are removed as well.)

This is one of those times when having paid for a premium theme, with access to that theme's support forum, is going to pay off for you, as many on free themes are “on their own” for this one. Please remember you have to check for it in all themes AND all plugins; checking only your active theme is not enough.

Contact me if you wish to open a support ticket for assistance with your site.

Kimberly Castleberry
Your Partner In Online Success

PS: Want to learn more about how to secure WordPress against most hacking and malware attacks? Click here to learn how to defend your blog or WordPress site!

PS: In the unfortunate chance that your site has already been hacked (which may or may not be easily evident to you) for fixing a site affected by hacking or malware, learn more here.

52 comments
RN

Thanks Kim for the definitive breakdown on the timthumb issue. I want to know if just copy/pasting the new timthumb code into the old timthumb file is enough of a fix. Sure quick and painless to do it that way...

RN

Chetan

It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

Kevin Martineau

Hi Kim:

Thankfully I wasn't affected by this but it is always good to do a check up to make sure.

Thanks!

Kevin


Jupiter Jim

Kimberly, this post just saved my blog. Home page was a friggin' mess! I read your post and fixed it. I am going to create a blog post about my experience and link back to and explicitly refer back to this post to give you the credit! Thanks so much. It only took an hour to fix everything on my own thanks to you. The KEY tip was to download and search files using FTP! That allowed me to see what themes and plugins were using the dreaded file!

Thanks a Million!

Jupiter Jim

Franziska San Pedro

Hi Kim,

oh wow, I wouldn't have known! What's wrong with those people who do that kind of stuff... I mean they are for sure smart enough to make a decent income by using their talents in some other ways.

My thoughts don't help, I should have a look into this and make some changes! Thanks so much,

Franziska San Pedro

The Abstract Impressionist Artress

Stevie Smith

Man!!! Three months ago I was the victim of some major hacking and worse thing is that it went on for months before I realized. It hit over 70 sites I own and operate and took me nearly 3 months to eradicate. At the end of the end, the scripts they had managed to insert in my sites were so deeply embedded that I had to simply erase over 15 sites all together and build them up from scratch as they been flagged already by google.

Thank you for pointing out this problem Kim. I am going to have to look things up again...

grrrrr

Stevie

Tom

Your advice won't find timthumb in many themes, because it's often (usually?) renamed to either thumb.php or thumbs.php

ie, you advice will miss the vulnerable script in WooThemes, NattyThemes, Gorilla Themes, Elegant Themes, many Themeforest themes, all versions of Headway, etc.

reeha

Nice alerting post. After reading that I am going to check whether TimThumb.php is here at my sites or not. Thanks a ton for sharing this information. Keep writing great.

Judy

Thanks for another heads up Kimberly. just checked and fixed the sites affected. How do you know these issues so quickly?

Loren

Hi Kimberly,

You just darn well rock!

I can't thank you enough for passing along the TimThumb information. I poured through my themes and plugins and found it in one the themes. I'd been noticing some bugs on my site and suspected it was related to the TimThumb issues. Without your thoughtful article, though, I would not have known where to look nor how to remedy the problems. I'm the farthest thing removed from "techie"; but, I've replaced the code with the revised one and have my "tim thumbs" crossed hoping that's all that's needed!

Thanks again for your detailed remedy to the problem plus all the links and other valuable information you gave us all!

Houda

Thanks so much Kim for the warning! I have just checked all my themes (even the ones that are not active) thanks for sharing :)

Richard Goutal

Just spent two days working on a sales page only to read this morning of your warning. And it's in OptimizePress ! I wonder if they have figured this out and updated it.

Andy Nathan

Thanks for the heads up! I am updating my elegant themes sites now!

Jaden Daniels

Kim,

I don't know how you find these things out so quickly, but I am glad you do, and really GLAD you share it with us.

I use Thesis, but I haven't upgraded my theme in a long time. I have some work to do.

Thanks again for sharing,

Jaden

Paul Reimers

Thanks for giving this warning along with how to find the php file that could cause a problem. I just checked my blog and it's all clear!

Alicia Wilson

Thanks Kim, you are always on top of the latest issues and show us what to do to take action immediately to correct the situation. It is great to know we can rely on you every time.

Bryan McHeyzer

Hi Kim,

Thanks for this info so good to have you looking after our back...

Here is another reason you are so special.

Cheers

Bryan

William Earl Amis, Jr. III

Kim,

this is a great find for me. I have updated my blog and added all sorts of plugins. I have locked your location down. Tomorrow I will see if this information has any affect on my site. I use a different theme that is not created by wordpress.

I love your site with all information for us bloggers to get quality and simplicity information at one source. You are a valued leader in our industry.

I thank you for sharing and look forward in reviewing all the information you total site has to offer.

Linda Thomas

Hi Kim,

Whew, thanks a lot for the information. I checked all through my theme and I could not find TimThumb.php anywhere. My plugins are all standard plugins--I did not see anything, and they are all pretty standard plugins. So if you hear of any of the essential plugins being messed with, please advise!

Thanks again!

Linda

Linnea

Thanks much, Kim.

Looks like some late hours taking care of this one. Thanks so much for the heads up.

(btw - I tried the "Woo themes fixes" link above and it seems to just load another copy of your site....perhaps it isn't really a link...just sayin')

Thanks again.

Willena Flewelling

Thanks Kim! I'm not exactly a techie, so I really appreciate the research you do, and are so generous in sharing with us!

Willena Flewelling

Lian

Thanks so much for keeping us informed. I took a look at my theme and found the timthumb file but it doesn't have the external source functionality. I also deleted all the other themes that I wasn't using.

You are a great resource. Will definitely spread the word on this.

Pastor Sherry

Thanks for the update, Kim, and keeping us informed of trouble. I'm still using the Twenty Ten, so I didn't find the file in my "editor." One advantage to not getting too creative! However, I haven't checked the plugins -- how does one do that? Probably I don't have it since I only have very standard plugins.

Kevin Schmidt

Hi Kim,

I found it on one of my sites. Do we just click on it and delete the code?

Thanks for informing us :)

-Kevin

Brian Perisho

Kim,

Thanks for the security information. I am fortunate enough to have a theme that does not use that file. Have an awesome day!

Brian Perisho

Dawn Hogan

Thanks Kim. I appreciate your dedication in helping us with all this WP stuff!

:o)

Dawn

Alan Jenkin

Great job catching this one, Kim, and thanks for warning us all. I have promulgated your message through the usual channels, so let's hope we catch this bug before it does too much damage.

This is one example of the power of TSAMastery, and is much appreciated!

Thanks too, for your other help to me personally.

Have a wonderful week!

Alan

Joe Emmet

Thanks for the heads up Kim. Important info to stay on top of, that's for sure.

Do you know if this affects the "Empowered" Tribe blogs Clifton was creating?

Thanks,

Joe

Theuns

Hi Kim

Thanks for this info, I will have a look at my blog.

Regards

Theuns

Nicole Rushin

I have Genesis with a mocha child theme and I don't see this file. But I did have a bunch of old themes I had downloaded that I just deleted. Thanks for the heads up Kim.

Beth Hewitt

Hey Kim,

I have the little blighter!...I don't actually know what to do in terms of saving and deleting so I don't want to do anything. Can you help me out when your schedule lets you.

Thank you chicca.

Beth :)

Justin Germino

My site was hacked yesterday with the RemoteViewPHP as a result of the timthumb vulnerability in the IGIT Related Posts plugin, I did my own article on how to address and cleanup your site post hack as well as how to prevent it and secure your Wordpress install better not just the timthumbs specifically.

Emma

Hi Kim,

Thank you so much for keeping us up to date with these things!

I checked where you said for any timthumbs lurking and no sign so hopefully all is fine, though, I only checked the theme, not anything else...

It feels great to know you're looking out for these things! I can't imagine anything getting past you!

Emma :-)

Andy Bailey

it's also important to point out that you don't even need to be using the theme on your site to be affected. Any theme folder with the timthumb.php file (sometimes renamed to just thumb.php) is vulnerable!

Sherry Nouraini

Great information, thank you! Just checked my theme according to your instructions and did not find the file there, whew.... Thanks again!

Justin Dupre

Thanks for sharing this info. Very useful for those who have WordPress sites.

Steve-Personal Success Factors

Kim, thanks for the heads up. I appreciate you watching out for your readers. I have the Genesis theme, which I did not see on your list. I'll keep my fingers crossed.

Dr. Erica Goodstone

Kimberly,

Very helpful information but I do not even know how to check if I do have this timthumb.php. What are the signs that a blog site has been hacked?

Erica

Jenna Waites

Kimberly, holy cow, I hadn't heard of this vulnerability before. I have dozens of WP sites as well as building them for clients. This is a GREAT bit of info; I'm very appreciative. Thanks so much!

Joyce Edwards

Once again you are out there protecting us from the idiots who spend time making up these viruses. Why they do this is beyond me but I can also depend on you as a great resource for keeping my site safe.

Kimberly Castleberry

LOL! Loren you made me giggle crossing your "tim thumbs"! Thanks for the kind words and I'm glad to hear you got that straightened out. If you think you're having infection related issues just go ahead and do a free scan over at sucuri to make sure you've not picked up any nasties: http://just-ask-kim.com/recommends/sucuri They're tops and their free scan is useful for tracking down early stage infections. If you continue to have site instabilities and its just the site not performing right then go through the basic wordpress troubleshooting guide which will usually help identify the culprit.

Kim

Kimberly Castleberry

Thanks for that important reminder Andy, I had heard that and totally forgot to mention it! You're the best!

Kim

Sadie-Michaela Harris

Erica... the post mentions how to check this out....

To check if your theme carries the troublesome TimThumb.php and file (similar works for plugins, just use the plugin editor), from your admin Dashboard, click on “Appearances”, then select (in the sub-menu) “Editor”. In the theme drop down box at the upper right, select your current theme and then look at the list of files you have on the right.

If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or check on the status of the program being secure with the latest update. Alternatively, you could contact your theme’s developer and ask them if they have an update.

I'm going to check mine now... fingers crossed... Thanks a Kim :o)

Loren

Anything for a giggle! :D

Thanks for the great advice... I'm going to do another sucuri check right now and then head over to wp/troubleshooting... there are some little issues that could be related to the multitude of image files I have on deck right now... (need to get them onto an external HD). Maybe coincidence with them bugging me at the same time as "the thumb" issue and so glad to know about Sucuri for backup! I can't think of anything I'd rather do on a Friday night while I'm waiting for Colin James on the radio!! :)) Thanks again Kim.

Sadie-Michaela Harris

Oooh la la as we say here in France, that's a worry isn't it?

Best check those Themes we have hanging in the wings too or delete them I guess.

You're a pair of superstars, merci beaucoup! :)

Dr. Erica Goodstone

Sadie, thanks for explaining. I had missed it in Kim's post. That was easy enough to test and I am relieved to not find timthumb.php in my files.

Sadie-Michaela Harris

That's great news Erica, I was relieved to be in the clear too.

Have a great weekend :)

Trackbacks

  1. Having Trouble Updating Your Wordpress Elegant Themes? says:

    […] of a theme… this time though, there was also an issue with WordPress Websites being hacked via a timthumb.php file included in most of the Elegant Themes.  This file renders your website vulnerable even if it […]