Timthumb.php is a popular script that is used to resize images dynamically in WordPress sites. This can be usually found in some popular premium themes and image related plugins. Last week, a serious security issue was found in Timthumb. Unless, you update Timthumb to its latest version at once, your site is vulnerable for hacking. This is a serious threat affecting thousands of websites and even the WordPress founder Matt blogged about this. So, please act now.
Here are few simple steps to fix timthumb security flaw:
Update: Use Timthumb Vulnerability Scanner plugin.
1. Deactivate unwanted plugins.
2. Delete all inactive plugins and themes. If you have customised any of these themes or plugins, do take a backup in your computer.
3. Go through your active themes and image related plugins and look for a file called thumb.php or timthumb.php . This can be usually found in the root folder of the theme or in folders like scripts, lib etc., If you are looking at the right file, you will see the name of Ben Gillbanks and a link to this project. Woothemes, Gorilla themes, Thesis, early versions of Elegant Themes are some of the theme shops that make use of this script.
Please make sure that the timthumb file is not a modified one provided by the theme or plugin provider. Now, replace this file with the updated and safe script here.
If the file has been modified by the theme or plugin author for additional functions, please follow these steps to update timthumb.
If you need professional help cleaning up your hacked site, I recommend Sucuri security
Note: Timthumb is vulnerable even if it is not present in an active theme or plugin. That is why I recommeded deleting inactive plugins and themes. It is easier than checking them one by one. Besides your active WordPress site, do you also have inactive WordPress installations in your server? Repeat these steps for them also. Some might have created a test installation or left a website long inactive and it is easier to forget these. If you have too many themes to check in these installations, it is better to uninstall the site totally than fixing each theme. Please think twice before doing this and take backup if necessary. Once uninstalled, the data may be lost for ever.