This morning, I woke up to dozens of e-mails from my websites notifying me about issues. Worst of all, however, was the notification from MediaTemple: we’ve disabled your hosting account because your website is serving as a relay for spam e-mails. Yuck.
Immediately, my mind went to the TimThumb.php issue that was discovered a couple of weeks ago and reported widely throughout the WordPress community, perhaps most notably by WordPress co-founder Matt Mullenweg.
Sure enough, a quick check of the files via FTP revealed that the script had been compromised and other files uploaded to the site. It took only a moment to fix, and big kudos to the MediaTemple support department for the quick response. We were back online within 20 minutes.
Obviously, I knew exactly how to fix the issue. If you are like many people operating self-hosted WordPress sites, then you may not have a clue what to do. I’ll provide some step-by-step instructions below, but this video gets the point across very quickly.
Is Your Site Affected?
As I pointed out in the video clip, not every WordPress site has this vulnerability. The TimThumb.php script is mostly used in more advanced WordPress themes that have features related to dynamically resizing images. The script itself is freely available and can be used by anyone on any website thanks to its GPL 2.0 licensing. How can you tell if your site uses it?
- Look for a file in your WordPress theme’s folder called timthumb.php. If it’s there, you need to fix it.
- All WooThemes utilize the script, although as I pointed out in the video clip they have renamed the file itself to “thumb.php.” WooThemes has created a fix for the issue by moving the thumb.php into their “framework” and allowing you to update the framework to the latest version. Be warned, however, that using this “easy fix” may also break other functions on your site, depending upon what has changed in the Woo framework since your website was built and launched.
How to Replace timthumb.php in Your WordPress Theme
The easiest, safest and fastest way to eliminate this vulnerability from your website, without risking breaking other functions, is to follow the instructions I outlined in the video clip:
- Download the latest version of TimThumb from its Google Project site.
- Connect to your web server via FTP. In the video clip, I used the free Filezilla client, but any FTP software will do the trick. You may need to obtain the FTP hostname, username and password from your web hosting provider if you don’t already have it handy. You can usually find it by logging into your web hosting control panel. Contact your hosting provider if you get stuck on this.
- Navigate to the affected file. Locate your WordPress installation on your website, then look inside the wp-content folder. From there, go to the themes folder, then locate the name of the folder for the theme you are currently using. It’s a good idea to go ahead and fix any unused themes you have uploaded as well. If you are using a theme from WooThemes, the file is called thumb.php.
- Delete the file. I actually tend to rename things rather than deleting them. This is a good idea if you’re not sure that you have the right file, since you can always rename it back to the correct file name if you need to put it back.
- Upload the new version. Keep in mind that the actual name of the file needs to match the name of the one you deleted. In most cases, the file will just be called timthumb.php and will be fine when you upload it. If you have a WooTheme, make sure to rename it to thumb.php.
- Test. Usually, just refreshing whatever page on your site uses the script will tell you if it’s working. For WooThemes that use sliders on the home page, just refresh the home page. Every theme will be different, however, so click around, refreshing each page as you go, so you can be sure everything went according to plan.
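Because step 3 asks you to fix unused themes as well, it helps to have a complete list before you start renaming and uploading. The following POSIX shell script is an added example (not from the original post or the TimThumb project) that lists every timthumb.php or thumb.php under a wp-content/themes folder and reports the version string from each file; it assumes the script declares its version as `define ('VERSION', '...');`, and the sample theme tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: inventory every TimThumb copy under wp-content/themes, so that
# active AND unused themes are all replaced. Assumption: timthumb.php declares
# its version with a line like   define ('VERSION', '2.0');

# Print "path<TAB>version" for each timthumb.php / thumb.php below $1.
# Files with no recognizable VERSION line are reported as "unknown".
inventory_timthumb() {
    themes_dir="$1"
    find "$themes_dir" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    sort |
    while IFS= read -r f; do
        ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
        printf '%s\t%s\n' "$f" "${ver:-unknown}"
    done
}

# Number of copies found (one inventory line per file).
count_timthumb() {
    inventory_timthumb "$1" | awk 'END { print NR }'
}

# Constructed sample tree: one active theme, one WooThemes-style thumb.php,
# one forgotten unused theme, and one theme without the script at all.
make_sample_themes() {
    d=$(mktemp -d)
    mkdir -p "$d/active-theme" "$d/woo-theme/functions" "$d/unused-theme" "$d/clean-theme"
    printf "<?php\ndefine ('VERSION', '1.0');\n" > "$d/active-theme/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.0');\n" > "$d/woo-theme/functions/thumb.php"
    printf "<?php\n// no version line at all\n"   > "$d/unused-theme/timthumb.php"
    printf "<?php\n// unrelated theme file\n"     > "$d/clean-theme/functions.php"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree; point inventory_timthumb at your real
# wp-content/themes directory instead.
sample=$(make_sample_themes)
inventory_timthumb "$sample"
rm -rf "$sample"
```

Any file still reporting a 1.x version or "unknown" after you have finished step 5 is one you missed.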