TimThumb Security Vulnerability Affects Many WordPress Themes and Plugins

August 8, 2011 · 52 comments

in WordPress

Zero-Day Vulnerability
Getting WordPress Hacked!

This is just plain bad news. It affects not only a ton of WordPress sites but also non-WordPress PHP sites that happen to use the same script.

According to Mark Maunder, a developer who first located the timthumb.php vulnerability being exploited (his site was hacked), “An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it.”

The file is normally named timthumb.php, but some themes and plugins ship it renamed, most often as thumb.php (not every thumb.php is secretly TimThumb, so check the file's contents rather than trusting the name).

While most are calling this a “theme issue”, a search of my backups turned up the affected file not only in a large number of themes but also in certain shopping cart, thumbnail and slider plugins, among others (pretty much any plugin that so much as looks at an image sideways may carry it).

Checking only the active theme is not good enough. The script is reachable directly by URL, so it can be exploited whether or not the theme or plugin that contains it is active. Simply having an affected theme or plugin installed, even one you never use, is too dangerous.

The developer who discovered the hack has since started rewriting the script, but that will not magically fix what is already on your site. Read more.

Here is a very partial list of themes affected by the timthumb.php vulnerability.

Information we know: fixes are out for some of the WooThemes themes and for some of the ElegantThemes themes. Thesis, and now Genesis, claim to be using an already modified version of the code that is not affected (and appear likely to be right). We also know that all VaultPress subscribers were auto-patched by the Automattic team.

To check whether your themes carry the troublesome timthumb.php (the same works for plugins; just use the plugin editor), from your admin Dashboard click “Appearance”, then select “Editor” in the sub-menu. In the theme drop-down box at the upper right, select each individual theme in turn and look at the list of files on the right.

If you see timthumb.php (or a renamed thumb.php) there, either delete it (make a copy first, and expect the theme's image resizing to stop working until a fixed copy is installed) or confirm that the copy is the secure, updated version. Alternatively, contact your theme's developer and ask whether they have an update.

To check your plugins, do the same thing, going Dashboard, then “Plugins”, then “Editor”, and selecting each individual plugin in the drop-down box at the upper right to view its file list.

(Experienced user? The fastest way to check anywhere the file could be hiding is to download a copy of your whole hosting account (all sites, including non-WordPress ones) to your local computer and then search the files. Search file contents for “TimThumb” rather than relying on the file name, since renamed copies are common.)
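The whole-account search above, written out as a script. This is an added example, not code from the original post or from the TimThumb project. It searches by file contents rather than file name, so renamed copies (thumb.php or anything else) are caught, and it pulls the version number out of each hit so you can compare it with what your theme or plugin vendor says is fixed. Two things are assumptions about the script's source text: that it carries the word “TimThumb” somewhere in its banner, and that it declares its version with a `define ('VERSION', '...')` line; adjust the patterns if a copy you find is written differently. The miniature wp-content tree it scans is constructed inside the script so the example runs offline, and the `quarantine_copy` helper does the “make a copy first, then remove it” step by moving each hit out of the web root instead of deleting it.

```shell
#!/bin/sh
# Added example (not from the original post or the TimThumb project): find
# every copy of the TimThumb script under a hosting account, whatever it has
# been renamed to, and move hits out of the web root.
#
# Assumptions: the script's source mentions "TimThumb" (banner/comments) and
# declares its version as   define ('VERSION', '1.xx');   Adjust if yours differs.
# A version number is only a hint; compare it with your vendor's fixed release.

# find_timthumb_copies ROOT
# Prints one line per suspect file: "<path><TAB><version or unknown>".
# Every theme and plugin directory under ROOT is searched, active or not.
find_timthumb_copies() {
    root=$1
    find "$root" -type f \( -iname '*.php' -o -iname '*.inc' \) -print |
    while IFS= read -r f; do
        # Content match. A file that merely mentions timthumb in a comment is
        # listed too; that is the right side to err on. Triage by hand.
        if grep -qi 'timthumb' "$f"; then
            ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
            printf '%s\t%s\n' "$f" "${ver:-unknown}"
        fi
    done
}

# quarantine_copy ROOT FILE QUARANTINE_DIR
# Moves FILE out of the web root into QUARANTINE_DIR, keeping its path relative
# to ROOT so it can be inspected or restored. Renaming in place is not enough:
# the script stays exploitable as long as the web server will execute it, so
# the copy has to leave the document root. Image resizing in that theme or
# plugin will stop working until a fixed copy is installed.
quarantine_copy() {
    root=$1; f=$2; qdir=$3
    rel=${f#"$root"/}
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$f" "$qdir/$rel"
}

# make_sample_tree
# Builds a constructed miniature wp-content tree in a temp dir so the example
# runs offline. The PHP files are stand-ins, not the real script.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/old-theme" \
             "$d/wp-content/plugins/some-slider" \
             "$d/wp-content/plugins/gallery"
    # Inactive theme carrying a renamed copy.
    printf '%s\n' '<?php' '/* TimThumb script (constructed stand-in) */' \
        "define ('VERSION', '1.32');" > "$d/wp-content/themes/old-theme/thumb.php"
    # Plugin carrying an older copy under the original name.
    printf '%s\n' '<?php' '// TimThumb image resizer (constructed stand-in)' \
        "define ('VERSION', '1.19');" > "$d/wp-content/plugins/some-slider/timthumb.php"
    # Unrelated file with a tempting name; must not be flagged.
    printf '%s\n' '<?php' '// gallery thumbnail helper, unrelated to the resizer' \
        > "$d/wp-content/plugins/gallery/thumb.php"
    printf '%s\n' "$d"
}

# Demo run: scan, quarantine every hit, then scan again (second count is 0).
sample=$(make_sample_tree)
quarantine=$(mktemp -d)
find_timthumb_copies "$sample" | while IFS=$(printf '\t') read -r path ver; do
    echo "found $path (version $ver)"
    quarantine_copy "$sample" "$path" "$quarantine"
done
echo "remaining after quarantine: $(find_timthumb_copies "$sample" | wc -l | tr -d ' ')"
rm -rf "$sample" "$quarantine"
```

On a real account, point `find_timthumb_copies` at the directory you downloaded (or run it over SSH on the host) and choose a quarantine directory outside every document root. Anything it lists under a plugin or theme you had forgotten about is exactly the case the post warns about.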

Regardless of the theme you’re using, look for updates immediately. Contact your developer/designer if you have a support contract. If your theme uses timthumb.php it is essential you get patched NOW, even if your theme has no official support to do it for you. Note that switching to a default WordPress theme like Twenty Ten or Twenty Eleven does not put you in a safe zone: the vulnerable file stays on the server and can still be reached directly, so every copy has to be removed or patched.

This is one of those times when having paid for a premium theme, with access to that theme’s support forum, is going to pay off, as many people on free themes are “on their own” for this one. Please remember you have to check for it in all themes AND all plugins; checking only your active theme is not enough.

Contact me if you wish to open a support ticket for assistance with your site.

Kimberly Castleberry
Your Partner In Online Success

PS: Want to learn more about how to secure WordPress against most hacking and malware attacks? Click here to learn how to defend your blog or WordPress site!

PS: In the unfortunate event that your site has already been hacked (which may or may not be obvious to you), learn more here about fixing a site affected by hacking or malware.



{ 51 comments… read them below or add one }

TrafficColeman August 8, 2011 at 1:21 pm

Wow..thanks for the heads up..I will take a look at some of my niche sites and see if I can find it.

“Black Seo Guy “Signing Off”

Reply

Kayla Javier August 8, 2011 at 2:52 pm

Great post, I would love to come back here and check for updates; I’ll probably share this with my friends.

Reply

Joyce Edwards August 8, 2011 at 8:22 pm

Once again you are out there protecting us from the idiots who spend time making up these viruses. Why they do this is beyond me but I can also depend on you as a great resource for keeping my site safe.

Reply

Jenna Waites August 8, 2011 at 9:26 pm

Kimberly, holy cow, I hadn’t heard of this vulnerability before. I have dozens of WP sites as well as building them for clients. This is a GREAT bit of info; I’m very appreciative. Thanks so much!

Reply

Dr. Erica Goodstone August 8, 2011 at 10:19 pm

Kimberly,
Very helpful information but I do not even know how to check if I do have this timthumb.php. What are the signs that a blog site has been hacked?
Erica

Reply

Sadie-Michaela Harris August 9, 2011 at 5:27 pm

Erica… the post mentions how to check this out….

To check if your theme carries the troublesome TimThumb.php and file (similar works for plugins, just use the plugin editor), from your admin Dashboard, click on “Appearances”, then select (in the sub-menu) “Editor”. In the theme drop down box at the upper right, select your current theme and then look at the list of files you have on the right.

If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or check on the status of the program being secure with the latest update. Alternatively, you could contact your theme’s developer and ask them if they have an update.

I’m going to check mine now… fingers crossed… Thanks a Kim :o)

Reply

Steve-Personal Success Factors August 8, 2011 at 10:44 pm

Kim, thanks for the heads up. I appreciate you watching out for your readers. I have the Genesis theme, which I did not see on your list. I’ll keep my fingers crossed.

Reply

Justin Dupre August 8, 2011 at 10:53 pm

Thanks for sharing this info. Very useful for those who have WordPress sites.

Reply

Sherry Nouraini August 8, 2011 at 11:39 pm

Great information, thank you! Just checked my theme according to your instructions and did not find the file there, whew…. Thanks again!

Reply

Andy Bailey August 9, 2011 at 6:39 am

it’s also important to point out that you don’t even need to be using the theme on your site to be affected. Any theme folder with the timthumb.php file (sometimes renamed to just thumb.php) is vulnerable!

Reply

Kimberly Castleberry August 9, 2011 at 11:29 am

Thanks for that important reminder Andy, I had heard that and totally forgot to mention it! You’re the best!
Kim

Reply

Sadie-Michaela Harris August 9, 2011 at 6:09 pm

Oooh la la as we say here in France, that’s a worry isn’t it?
Best check those Themes we have hanging in the wings too or delete them I guess.
You’re a pair of superstars, merci beaucoup! :)

Reply

Dr. Erica Goodstone August 9, 2011 at 6:30 pm

Sadie, thanks for explaining. I had missed it in Kim’s post. That was easy enough to test and I am relieved to not find timthumb.php in my files.

Reply

Sadie-Michaela Harris August 11, 2011 at 6:52 am

That’s great news Erica, I was relieved to be in the clear too.
Have a great weekend :)

Emma August 9, 2011 at 11:30 am

Hi Kim,

Thank you so much for keeping us up to date with these things!

I checked where you said for any timthumbs lurking and no sign so hopefully all is fine, though, I only checked the theme, not anything else…

It feels great to know you’re looking out for these things! I can’t imagine anything getting past you!

Emma :-)

Reply

Justin Germino August 9, 2011 at 12:00 pm

My site was hacked yesterday with the RemoteViewPHP as a result of the timthumb vulnerability in the IGIT Related Posts plugin. I did my own article on how to address and clean up your site post hack, as well as how to prevent it and secure your WordPress install better, not just the timthumbs specifically.

Reply

Beth Hewitt August 9, 2011 at 1:20 pm

Hey Kim,

I have the little blighter!…I don’t actually know what to do in terms of saving and deleting so I don’t want to do anything. Can you help me out when your schedule lets you.

Thank you chicca.

Beth :)

Reply

Kimberly Castleberry August 9, 2011 at 10:08 pm

Beth, I believe you are on a Woo Themes theme (or were last time I checked). Their link is here: http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/ The correction is simply to go get a fresh copy (newest version) of your theme from them and install it. Easy peasy!

Hope that works for you!
Kim

Reply

Nicole Rushin August 9, 2011 at 1:58 pm

I have Genesis with a mocha child theme and I don’t see this file. But I did have a bunch of old themes I had downloaded that I just deleted. Thanks for the heads up Kim.

Reply

Theuns August 9, 2011 at 2:27 pm

Hi Kim

Thanks for this info; I will have a look at my blog.

Regards
Theuns

Reply

Joe Emmet August 9, 2011 at 3:33 pm

Thanks for the heads up Kim. Important info to stay on top of, that’s for sure.

Do you know if this affects the “Empowered” Tribe blogs Clifton was creating?

Thanks,

Joe

Reply

Alan Jenkin August 9, 2011 at 4:09 pm

Great job catching this one, Kim, and thanks for warning us all. I have promulgated your message through the usual channels, so let’s hope we catch this bug before it does too much damage.
This is one example of the power of TSAMastery, and is much appreciated!
Thanks too, for your other help to me personally.
Have a wonderful week!
Alan

Reply

Dawn Hogan August 9, 2011 at 4:22 pm

Thanks Kim. I appreciate your dedication in helping us with all this WP stuff!
:o)
Dawn

Reply

Brian Perisho August 9, 2011 at 4:27 pm

Kim,
Thanks for the security information. I am fortunate enough to have a theme that does not use that file. Have an awesome day!

Brian Perisho

Reply

Kevin Schmidt August 9, 2011 at 6:25 pm

Hi Kim,
I found it on one of my sites. Do we just click on it and delete the code?
Thanks for informing us :)
-Kevin

Reply

Pastor Sherry August 9, 2011 at 7:05 pm

Thanks for the update, Kim, and keeping us informed of trouble. I’m still using the Twenty Ten, so I didn’t find the file in my “editor.” One advantage to not getting too creative! However, I haven’t checked the plugins — how does one do that? Probably I don’t have it since I only have very standard plugins.

Reply

Lian August 9, 2011 at 7:37 pm

Thanks so much for keeping us informed. I took a look at my theme and found the timthumb file but it doesn’t have the external source functionality. I also deleted all the other themes that I wasn’t using.
You are a great resource. Will definitely spread the word on this.

Reply

Willena Flewelling August 9, 2011 at 8:44 pm

Thanks Kim! I’m not exactly a techie, so I really appreciate the research you do, and are so generous in sharing with us!

Willena Flewelling

Reply

Linnea August 9, 2011 at 8:58 pm

Thanks much, Kim.

Looks like some late hours taking care of this one. Thanks so much for the heads up.
(btw – I tried the “Woo themes fixes” link above and it seems to just load another copy of your site….perhaps it isn’t really a link…just sayin’)
Thanks again.

Reply

Kimberly Castleberry August 9, 2011 at 10:06 pm

Hey Linnea, lets try this instead: http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/

Hope that works for you!
Kim

Reply

Linda Thomas August 9, 2011 at 9:13 pm

Hi Kim,
Whew, thanks a lot for the information. I checked all through my theme and I could not find TimThumb.php anywhere. My plugins are all standard plugins; I did not see anything, and they are all pretty standard plugins. So if you hear of any of the essential plugins being messed with, please advise!
Thanks again!
Linda

Reply

William Earl Amis, Jr. III August 9, 2011 at 10:09 pm

Kim,
this is a great find for me. I have updated my blog and added all sorts of plugins. I have locked your location down. Tomorrow I will see if this information has any effect on my site. I use a different theme that is not created by WordPress.

I love your site, with all the information for us bloggers to get quality, simple information from one source. You are a valued leader in our industry.

I thank you for sharing and look forward to reviewing all the information your total site has to offer.

Reply

Bryan McHeyzer August 9, 2011 at 11:09 pm

Hi Kim,
Thanks for this info so good to have you looking after our back…
Here is another reason you are so special.
Cheers
Bryan

Reply

Alicia Wilson August 9, 2011 at 11:35 pm

Thanks Kim, you are always on top of the latest issues and show us what to do to take action immediately to correct the situation. It is great to know we can rely on you every time.

Reply

Paul Reimers August 10, 2011 at 2:12 am

Thanks for giving this warning along with how to find the php file that could cause a problem. I just checked my blog and it’s all clear!

Reply

Jaden Daniels August 10, 2011 at 6:34 am

Kim,
I don’t know how you find these things out so quickly, but I am glad you do, and really GLAD you share it with us.
I use Thesis, but I haven’t upgraded my theme in a long time. I have some work to do.
Thanks again for sharing,
Jaden

Reply

Andy Nathan August 10, 2011 at 7:21 am

Thanks for the heads up! I am updating my elegant themes sites now!

Reply

Richard Goutal August 10, 2011 at 8:46 am

Just spent two days working on a sales page only to read this morning of your warning. And it’s in OptimizePress ! I wonder if they have figured this out and updated it.

Reply

Houda August 10, 2011 at 4:03 pm

Thanks so much Kim for the warning! I have just checked all my themes (even the ones that are not active) thanks for sharing :)

Reply

Loren August 11, 2011 at 4:20 pm

Hi Kimberly,

You just darn well rock!

I can’t thank you enough for passing along the TimThumb information. I pored through my themes and plugins and found it in one of the themes. I’d been noticing some bugs on my site and suspected it was related to the TimThumb issues. Without your thoughtful article, though, I would not have known where to look nor how to remedy the problems. I’m the farthest thing removed from “techie”; but I’ve replaced the code with the revised one and have my “tim thumbs” crossed hoping that’s all that’s needed!

Thanks again for your detailed remedy to the problem plus all the links and other valuable information you gave us all!

Reply

Kimberly Castleberry August 12, 2011 at 10:04 pm

LOL! Loren, you made me giggle crossing your “tim thumbs”! Thanks for the kind words and I’m glad to hear you got that straightened out. If you think you’re having infection related issues, just go ahead and do a free scan over at Sucuri to make sure you’ve not picked up any nasties: http://just-ask-kim.com/recommends/sucuri They’re tops and their free scan is useful for tracking down early stage infections. If you continue to have site instabilities and it’s just the site not performing right, then go through the basic WordPress troubleshooting guide, which will usually help identify the culprit.
Kim

Reply

Loren August 12, 2011 at 10:27 pm

Anything for a giggle! :D
Thanks for the great advice… I’m going to do another sucuri check right now and then head over to wp/troubleshooting… there are some little issues that could be related to the multitude of image files I have on deck right now… (need to get them onto an external HD). Maybe coincidence with them bugging me at the same time as “the thumb” issue and so glad to know about Sucuri for backup! I can’t think of anything I’d rather do on a Friday night while I’m waiting for Colin James on the radio!! :)) Thanks again Kim.

Reply

Judy August 13, 2011 at 7:48 am

Thanks for another heads up Kimberly. just checked and fixed the sites affected. How do you know these issues so quickly?

Reply

reeha August 13, 2011 at 7:53 am

Nice alerting post. After reading that I am going to check whether TimThumb.php is on my sites or not. Thanks a ton for sharing this information. Keep writing great.

Reply

Tom August 13, 2011 at 12:56 pm

Your advice won’t find timthumb in many themes, because it’s often (usually?) renamed to either thumb.php or thumbs.php

i.e., your advice will miss the vulnerable script in WooThemes, NattyThemes, Gorilla Themes, Elegant Themes, many Themeforest themes, all versions of Headway, etc.

Reply

Stevie Smith August 16, 2011 at 5:07 pm

Man!!! Three months ago I was the victim of some major hacking, and the worse thing is that it went on for months before I realized. It hit over 70 sites I own and operate and took me nearly 3 months to eradicate. In the end, the scripts they had managed to insert in my sites were so deeply embedded that I had to simply erase over 15 sites altogether and build them up from scratch, as they had already been flagged by Google.

Thank you for pointing out this problem Kim. I am going to have to look things up again…

grrrrr

Stevie

Reply

Franziska San Pedro August 16, 2011 at 10:46 pm

Hi Kim,

oh wow, I wouldn’t have known! What’s wrong with those people who do that kind of stuff… I mean they are for sure smart enough to make a decent income by using their talents in some other way.
My thoughts don’t help, I should have a look into this and make some changes! Thanks so much,

Franziska San Pedro
The Abstract Impressionist Artress

Reply

Jupiter Jim August 26, 2011 at 8:09 pm

Kimberly, this post just saved my blog. Home page was a friggin’ mess! I read your post and fixed it. I am going to create a blog post about my experience and link back to and explicitly refer back to this post to give you the credit! Thanks so much. It only took an hour to fix everything on my own thanks to you. The KEY tip was to download and search files using FTP! That allowed me to see what themes and plugins were using the dreaded file!
Thanks a Million!
Jupiter Jim

Reply

Kevin Martineau October 4, 2011 at 10:25 pm

Hi Kim:

Thankfully I wasn’t affected by this but it is always good to do a check up to make sure.

Thanks!
Kevin

Reply

Chetan October 21, 2011 at 4:40 am

It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

Reply

RN November 13, 2011 at 6:52 pm

Thanks Kim for the definitive breakdown on the timthumb issue. I want to know if just copy/pasting the new timthumb code into the old timthumb file is enough of a fix. Sure quick and painless to do it that way…

RN

Reply
