TimThumb SECURITY VULNERABILITY Hits Wordpress Sites

Tonight I learned about a recent security vulnerability affecting WordPress sites that use the super-popular TimThumb script, which resizes images on the fly — automatically creating your thumbnails, for example. You need to know and understand that this is not something your hosting company or your designer is responsible for. TimThumb is in use by probably hundreds of thousands of WordPress sites and is automatically included in many WordPress themes, but most commonly in the premium (paid) themes.

WPMU.org reports: Timthumb is a very, very popular script and so it is worth checking to see if you are using it in your theme. If you are resizing a lot of images as thumbnails then it’s quite possible that it is being used. Of course, these days WordPress can do this itself but TimThumb does increase flexibility.

It’s things like this happening to WordPress sites that help keep the “hate” part of my love-hate relationship with it alive. Because it is so darn popular — WordPress is an automatic target for hacking and for script vulnerabilities like this one. This doesn’t mean that the developer of your theme, WordPress itself or the developers of TimThumb are no-good-dirty-so-and-so’s. Theme developers have used the TimThumb script for a very long time without any trouble whatsoever, and there are fixes available. You should check with the developer of your theme to determine the fix for your specific theme.

List of Known Theme Makers Who Use TimThumb

WPMU.org also provides the following list of major theme makers who use the TimThumb script in their themes. It should not be considered a complete list. If your theme was made by one of the developers listed, visit their website to obtain more information on the fix for your specific theme. If your theme developer isn’t on this list, you should still check their website.

  • Woo Themes – update your theme or the code in thumb.php
  • Templatic – thumb.php script does not use $allowedSites so not affected
  • Elegant Themes – update to latest version
  • Theme Shift – update theme or change code to latest version of timthumb
  • Theme Lab – 3 themes using timthumb. Fix provided at link

What’s the Cost to Fix?

You should not expect your website developer will fix this for free! This is not something that he or she has any control over. If you’re going to have a website you can expect things like this to happen whether your site runs on WordPress or not.

Hackers and script issues are everywhere. Unfortunately, we’re all at their mercy when it comes to which site will be found to have a security problem, or which site hackers will attack next and how. You should consider this kind of thing to be part of the cost of having a website; this time it just happens to affect users of TimThumb. If I were a client I would expect to be charged the designer’s hourly rate to apply whatever fix is appropriate for the theme. Check with your designer on the cost.

Help Protect Your Website!

For those of you who don’t make it a habit to visit your own website regularly — you must make this a priority on your To-Do list! You may not be lucky enough to have some kind soul notify you that your site is down or has been hacked. Visiting your own site may be the first or only way to know. If you don’t follow this one simple step — your site could be down or trashed by hackers for a very long time before you notice it — but your site visitors will! I visit each of my websites at least weekly and sometimes more often just to be sure everything is ok.
