TimThumb Security Vulnerability Affects Many WordPress Themes and Plugins


Zero-Day Vulnerability
Getting WordPress Hacked!

This is just yuck kinda news. It affects not only a ton of WP sites but also a lot of static sites.

According to Mark Maunder, a developer who first located the timthumb.php vulnerability being exploited (his site was hacked), “An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it.”

The file is TimThumb.php, but some themes and plugins have renamed it to Thumb.php (though not all thumb.php files are secretly timthumb.php).

While most are saying this is a “theme issue”, a search of my backups yields the affected file not only in a large number of themes but also in certain shopping cart plugins, thumbnail plugins, slider plugins and more (pretty much any plugin that even looks at an image sideways may be affected).

Checking only the active theme is not good enough. You can be impacted even if the theme or plugin containing the file is not active: the script is a standalone PHP file that can be requested directly by its URL, so WordPress never needs to load the theme or plugin for it to run. Simply having an affected theme or plugin installed, even one you are not using, is too dangerous.

The developer who discovered the hack has subsequently started recoding the script, but that will not magically fix what's on your site. Read more.

Here is a VERY partial list of themes affected by the timthumb.php vulnerability.

Information we know: fixes exist for some of the WooThemes themes and for some of the ElegantThemes themes. Thesis, as does Genesis now, claims to be using an already modified version of the code that is not affected (and they may well be right). We also know that all VaultPress subscribers were auto-patched by the Automattic team.

To check whether your themes and plugins carry the troublesome TimThumb.php file (the same works for plugins, just use the plugin editor), go to your admin Dashboard, click on “Appearance”, then select “Editor” in the sub-menu. In the theme drop-down box at the upper right, select each individual theme in turn and look at the list of files on the right.

If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or check whether the latest update of the script has been secured. Alternatively, you could contact your theme’s developer and ask them if they have an update.

To check for the file in your plugins, follow the same steps, going Dashboard, then “Plugins”, then “Editor”, and then select each individual plugin in the drop-down box at the upper right and look at its file list.

(Experienced user? The fastest way to check for the file anywhere it could be hiding is to download a copy of your whole hosting account (all sites, even non-WP ones) to your local computer and then do a file search for the file names.)
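As an added example (not code from the original post), here is a script that automates the “download and search” check described above: it walks an unpacked copy of the hosting account, looks for the file names the post and its comments mention (timthumb.php and the renamed thumb.php / thumbs.php), and confirms each hit really is TimThumb before reporting it, so an unrelated thumb.php is not flagged. The “timthumb” marker and the define('VERSION', ...) pattern used to identify a copy are assumptions, and the directory tree is a constructed sample.

```python
import os
import re
import tempfile

# Names the page says the script travels under, including renamed copies.
SUSPECT_NAMES = {"timthumb.php", "thumb.php", "thumbs.php"}
# Assumption (not from the page): a genuine copy mentions "timthumb" in its
# header comment and declares its version with define('VERSION', '...').
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)


def classify(path):
    """Return ('timthumb', version_or_None) or ('other', None) for one file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        body = fh.read()
    if "timthumb" not in body.lower():
        return ("other", None)  # a thumb.php that is not TimThumb at all
    match = VERSION_RE.search(body)
    return ("timthumb", match.group(1) if match else None)


def scan(root):
    """List each real TimThumb copy in an unpacked backup as (relative path, version)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # every site, active theme or not
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                full = os.path.join(dirpath, name)
                kind, version = classify(full)
                if kind == "timthumb":
                    hits.append((os.path.relpath(full, root), version))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample backup: an inactive theme, a plugin with a renamed
    copy, a non-WordPress site, and a thumb.php that is not TimThumb."""
    root = tempfile.mkdtemp()
    samples = {
        "wp/wp-content/themes/old-theme/timthumb.php":
            "<?php\n// TimThumb script\ndefine ('VERSION', '1.0-sample');\n",
        "wp/wp-content/plugins/slider/thumb.php": "<?php\n/* TimThumb, renamed */\n",
        "wp/wp-content/themes/clean-theme/thumb.php": "<?php\n// unrelated thumbnail helper\n",
        "static-site/scripts/timthumb.php":
            "<?php\n// TimThumb script\ndefine('VERSION', '1.1-sample');\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point `scan()` at the folder you downloaded the hosting account into; a hit with version `None` is a copy that carries no version line and should be treated as unpatched until proven otherwise.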

Regardless of the theme you’re using, look for updates immediately. Contact your developer/designer if you have a support contract. If your theme is using timthumb.php, it's essential you get patched NOW, even if your theme has no official support to do it for you. (Switching to a default WP theme like Twenty Ten or Twenty Eleven will temporarily put you in a safe zone.)

This is one of those times when having paid for a premium theme, with access to that theme's support forum, is going to pay off for you, as many on free themes are “on their own” for this one. Please remember you have to check for it in all themes AND all plugins; checking only your active theme is not enough.

Contact me if you wish to open a support ticket for assistance with your site.

Kimberly Castleberry
Your Partner In Online Success

PS: Want to learn more about how to secure WordPress against most hacking and malware attacks? Click here to learn how to defend your blog or WordPress site!

PS: If your site has already been hacked (which may or may not be easily evident to you), learn more here about fixing a site affected by hacking or malware.


Comments

  1. TrafficColeman says

    Wow..thanks for the heads up..I will take a look at some of my niche sites and see if I can find it.

    “Black Seo Guy “Signing Off”

  2. Kayla Javier says

    Great post, I would love to come back here and check for updates. I'll probably share this with my friends.

  3. says

    Once again you are out there protecting us from the idiots who spend time making up these viruses. Why they do this is beyond me but I can also depend on you as a great resource for keeping my site safe.

  4. says

    Kimberly, holy cow, I hadn’t heard of this vulnerability before. I have dozens of WP sites as well as building them for clients. This is a GREAT bit of info; I’m very appreciative. Thanks so much!

    • says

      Erica… the post mentions how to check this out….

      To check if your theme carries the troublesome TimThumb.php and file (similar works for plugins, just use the plugin editor), from your admin Dashboard, click on “Appearances”, then select (in the sub-menu) “Editor”. In the theme drop down box at the upper right, select your current theme and then look at the list of files you have on the right.

      If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or check on the status of the program being secure with the latest update. Alternatively, you could contact your theme’s developer and ask them if they have an update.

      I’m going to check mine now… fingers crossed… Thanks a Kim :o)

  5. says

    It’s also important to point out that you don’t even need to be using the theme on your site to be affected. Any theme folder with the timthumb.php file (sometimes renamed to just thumb.php) is vulnerable!

  6. says

    Hi Kim,

    Thank you so much for keeping us up to date with these things!

    I checked where you said for any timthumbs lurking and no sign so hopefully all is fine, though, I only checked the theme, not anything else…

    It feels great to know you’re looking out for these things! I can’t imagine anything getting past you!

    Emma :-)

  7. says

    My site was hacked yesterday with the RemoteViewPHP as a result of the timthumb vulnerability in the IGIT Related Posts plugin, I did my own article on how to address and cleanup your site post hack as well as how to prevent it and secure your WordPress install better not just the timthumbs specifically.

  8. says

    Hey Kim,

    I have the little blighter! I don’t actually know what to do in terms of saving and deleting, so I don’t want to do anything. Can you help me out when your schedule lets you?

    Thank you chicca.

    Beth :)

  9. says

    I have Genesis with a mocha child theme and I don’t see this file. But I did have a bunch of old themes I had downloaded that I just deleted. Thanks for the heads up Kim.

  10. Joe Emmet says

    Thanks for the heads up Kim. Important info to stay on top of, that’s for sure.

    Do you know if this affects the “Empowered” Tribe blogs Clifton was creating?

    Thanks,

    Joe

  11. says

    Great job catching this one, Kim, and thanks for warning us all. I have promulgated your message through the usual channels, so let’s hope we catch this bug before it does too much damage.
    This is one example of the power of TSAMastery, and is much appreciated!
    Thanks too, for your other help to me personally.
    Have a wonderful week!
    Alan

  12. says

    Thanks for the update, Kim, and keeping us informed of trouble. I’m still using the Twenty Ten, so I didn’t find the file in my “editor.” One advantage to not getting too creative! However, I haven’t checked the plugins — how does one do that? Probably I don’t have it since I only have very standard plugins.

  13. Lian says

    Thanks so much for keeping us informed. I took a look at my theme and found the timthumb file but it doesn’t have the external source functionality. I also deleted all the other themes that I wasn’t using.
    You are a great resource. Will definitely spread the word on this.

  14. says

    Thanks much, Kim.

    Looks like some late hours taking care of this one. Thanks so much for the heads up.
    (btw – I tried the “Woo themes fixes” link above and it seems to just load another copy of your site….perhaps it isn’t really a link…just sayin’)
    Thanks again.

  15. says

    Hi Kim,
    Whew, thanks a lot for the information. I checked all through my theme and I could not find TimThumb.php anywhere. My plugins are all standard plugins; I did not see anything, and they are all pretty standard plugins. So if you hear of any of the essential plugins being messed with, please advise!
    Thanks again!
    Linda

  16. says

    Kim,
    this is a great find for me. I have updated my blog and added all sorts of plugins. I have locked your location down. Tomorrow I will see if this information has any effect on my site. I use a different theme that is not created by WordPress.

    I love your site with all information for us bloggers to get quality and simplicity information at one source. You are a valued leader in our industry.

    I thank you for sharing and look forward to reviewing all the information your total site has to offer.

  17. says

    Thanks Kim, you are always on top of the latest issues and show us what to do to take action immediately to correct the situation. It is great to know we can rely on you every time.

  18. Jaden Daniels says

    Kim,
    I don’t know how you find these things out so quickly, but I am glad you do, and really GLAD you share it with us.
    I use Thesis, but I haven’t upgraded my theme in a long time. I have some work to do.
    Thanks again for sharing,
    Jaden

  19. says

    Just spent two days working on a sales page only to read this morning of your warning. And it’s in OptimizePress! I wonder if they have figured this out and updated it.

  20. says

    Hi Kimberly,

    You just darn well rock!

    I can’t thank you enough for passing along the TimThumb information. I pored through my themes and plugins and found it in one of the themes. I’d been noticing some bugs on my site and suspected it was related to the TimThumb issues. Without your thoughtful article, though, I would not have known where to look nor how to remedy the problems. I’m the farthest thing removed from “techie”; but, I’ve replaced the code with the revised one and have my “tim thumbs” crossed hoping that’s all that’s needed!

    Thanks again for your detailed remedy to the problem plus all the links and other valuable information you gave us all!

    • says

      LOL! Loren, you made me giggle crossing your “tim thumbs”! Thanks for the kind words and I’m glad to hear you got that straightened out. If you think you’re having infection related issues, just go ahead and do a free scan over at Sucuri to make sure you’ve not picked up any nasties: http://just-ask-kim.com/recommends/sucuri They’re tops and their free scan is useful for tracking down early stage infections. If you continue to have site instabilities and it's just the site not performing right, then go through the basic WordPress troubleshooting guide, which will usually help identify the culprit.
      Kim

      • says

        Anything for a giggle! :D
        Thanks for the great advice… I’m going to do another sucuri check right now and then head over to wp/troubleshooting… there are some little issues that could be related to the multitude of image files I have on deck right now… (need to get them onto an external HD). Maybe coincidence with them bugging me at the same time as “the thumb” issue and so glad to know about Sucuri for backup! I can’t think of anything I’d rather do on a Friday night while I’m waiting for Colin James on the radio!! :)) Thanks again Kim.

  21. says

    Nice alerting post. After reading that, I am going to check whether TimThumb.php is here at my sites or not. Thanks a ton for sharing this information. Keep writing great.

  22. Tom says

    Your advice won’t find timthumb in many themes, because it’s often (usually?) renamed to either thumb.php or thumbs.php.

    I.e., your advice will miss the vulnerable script in WooThemes, NattyThemes, Gorilla Themes, Elegant Themes, many Themeforest themes, all versions of Headway, etc.

  23. says

    Man!!! Three months ago I was the victim of some major hacking, and the worse thing is that it went on for months before I realized. It hit over 70 sites I own and operate and took me nearly 3 months to eradicate. At the end of the end, the scripts they had managed to insert in my sites were so deeply embedded that I had to simply erase over 15 sites altogether and build them up from scratch, as they had been flagged already by Google.

    Thank you for pointing out this problem Kim. I am going to have to look things up again…

    grrrrr

    Stevie

  24. says

    Hi Kim,

    oh wow, I wouldn’t have known! What’s wrong with those people who do that kind of stuff… I mean they are for sure smart enough to make a decent income by using their talents in some other ways.
    My thoughts don’t help, I should have a look into this and make some changes! Thanks so much,

    Franziska San Pedro
    The Abstract Impressionist Artress

  25. says

    Kimberly, this post just saved my blog. Home page was a friggin’ mess! I read your post and fixed it. I am going to create a blog post about my experience and link back to and explicitly refer back to this post to give you the credit! Thanks so much. It only took an hour to fix everything on my own thanks to you. The KEY tip was to download and search files using FTP! That allowed me to see what themes and plugins were using the dreaded file!
    Thanks a Million!
    Jupiter Jim

  26. says

    It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  27. says

    Thanks Kim for the definitive breakdown on the timthumb issue. I want to know if just copy/pasting the new timthumb code into the old timthumb file is enough of a fix. Sure quick and painless to do it that way…

    RN
