How to fix Timthumb security issue?


Timthumb.php is a popular script used to resize images dynamically on WordPress sites. It is usually bundled with popular premium themes and image-related plugins. Last week, a serious security issue was found in Timthumb. Unless you update Timthumb to its latest version at once, your site is vulnerable to hacking. This is a serious threat affecting thousands of websites, and even the WordPress founder Matt blogged about it. So, please act now.

Here are a few simple steps to fix the timthumb security flaw:

Update: Use the Timthumb Vulnerability Scanner plugin.

1. Deactivate unwanted plugins.

2. Delete all inactive plugins and themes. If you have customised any of these themes or plugins, take a backup on your computer first.

3. Go through your active themes and image-related plugins and look for a file called thumb.php or timthumb.php. It is usually found in the root folder of the theme or in folders like scripts, lib, etc. If you are looking at the right file, you will see the name of Ben Gillbanks and a link to the project. Woothemes, Gorilla Themes, Thesis and early versions of Elegant Themes are some of the theme shops that use this script.

Please make sure that the timthumb file is not a modified one provided by the theme or plugin author. Now, replace this file with the updated and safe script here.

If the file has been modified by the theme or plugin author to add functions, please follow these steps to update timthumb.

If you need professional help cleaning up your hacked site, I recommend Sucuri Security.

Note: Timthumb is vulnerable even if it is not present in an active theme or plugin, because the file is still reachable on the server whether or not the theme or plugin is activated. That is why I recommended deleting inactive plugins and themes. It is easier than checking them one by one. Besides your active WordPress site, do you also have inactive WordPress installations on your server? Repeat these steps for them too. Some of you might have created a test installation or left a website inactive for a long time, and it is easy to forget these. If you have too many themes to check in these installations, it is better to uninstall the site entirely than to fix each theme. Please think twice before doing this and take a backup if necessary. Once uninstalled, the data may be lost forever.
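To make step 3 and the note above repeatable across every theme, plugin and forgotten installation, here is an added POSIX shell example (not part of the original post) that walks a directory, lists every file that looks like a TimThumb copy, and reports the version string it declares so you can compare it against the current release. It finds copies both by file name (thumb.php, timthumb.php) and, for renamed copies like the thumbnail.php mentioned in the comments, by the project markers in the header. The marker strings and the `define ('VERSION', ...)` line format it matches are assumptions about the script's layout, and the fixture it builds under a temporary directory is constructed for the demonstration, not a real site.

```shell
#!/bin/sh
# Added example: locate TimThumb copies under a WordPress tree and report
# the version each one declares. Marker strings and the VERSION define
# format are assumptions; the fixture built at the bottom is constructed.

# Print every .php file under $1 that looks like TimThumb: either the
# usual file name, or (for renamed copies) a project marker in the source.
find_timthumb_files() {
  root="$1"
  find "$root" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    base=$(basename "$f" | tr 'A-Z' 'a-z')
    case "$base" in
      thumb.php|timthumb.php) echo "$f"; continue ;;
    esac
    # Renamed copies: match the project URL or maintainer name (assumed markers)
    if grep -qiE 'code\.google\.com/p/timthumb|binarymoon|gillbanks' "$f"; then
      echo "$f"
    fi
  done
}

# Extract the version from a define('VERSION', 'x.y') line (assumed format).
# Prints "unknown" when no such line exists so the file gets a manual look
# rather than being silently treated as current.
timthumb_version() {
  v=$(sed -nE "s/.*define *\( *['\"]VERSION['\"] *, *['\"]([0-9.]+)['\"].*/\1/p" "$1" | head -n 1)
  if [ -n "$v" ]; then echo "$v"; else echo "unknown"; fi
}

# One line per copy: path and declared version, for comparison with the
# latest release on the project page.
report_timthumb() {
  find_timthumb_files "$1" | while IFS= read -r f; do
    printf '%s\tversion=%s\n' "$f" "$(timthumb_version "$f")"
  done
}

# Constructed fixture (not a real site): an old copy under a theme's
# scripts folder, a renamed copy in a plugin, and an unrelated PHP file.
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/themes/oldtheme/scripts" "$FIXTURE/plugins/gallery/lib" "$FIXTURE/themes/other"
printf '%s\n' '<?php' \
  '/* TimThumb - http://code.google.com/p/timthumb/ */' \
  "define ('VERSION', '1.24');" \
  > "$FIXTURE/themes/oldtheme/scripts/timthumb.php"
printf '%s\n' '<?php' \
  '/* resizer, maintained by Ben Gillbanks - modified by the theme author */' \
  > "$FIXTURE/plugins/gallery/lib/thumbnail.php"
printf '%s\n' '<?php' 'function other_helper() { return 1; }' \
  > "$FIXTURE/themes/other/functions.php"

# Run it against the fixture; on a real server point it at wp-content/
# of every installation, active or not.
report_timthumb "$FIXTURE"
```

Point `report_timthumb` at the `wp-content` directory of each installation on the server, including the forgotten test sites the note mentions, and treat any copy that reports `unknown` as one to open and inspect by hand, since a modified script may have had its header rewritten.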

16 thoughts on “How to fix Timthumb security issue?”

  1. Hi there – thanks for helping to spread the word and encouraging people to fix TimThumb. The fix mentioned on the VaultPress site is no longer valid. The best solution is to upgrade to the latest version of TimThumb. TimThumb has been rewritten from scratch and the improvements added resolve all known security issues.

    1. Hi Ben, Thanks for the update. Some theme shops like Gorilla themes have a modified timthumb script. Do you have any updated fix like the one given by VaultPress to fix such modified timthumb files?

  2. I use the Thesis theme like you. I was looking into the timthumb file on Thesis but it doesn't show any of the situations that you recommend modifying, and the file is only 12k.

    Do you still recommend changing my timthumb file of Thesis theme 1.8.2 to the latest version??

    Or is the Thesis theme already safe from this situation?

    1. The consensus in the Thesis user forum is that Thesis is not affected by this as it is using a very old version of Timthumb which is not vulnerable. Anyway, I upgraded the code to latest Timthumb and no problem so far.

  3. Hi Ravi
    “Note: Timthumb is vulnerable even if it is not present in an active theme or plugin.”

    Never thought of that – I have old versions of Elegant Themes still uploaded.

    Thanks for the reminder.

    BTW – note that you are a Genesis man.
    Love the theme and no timthumb.

    1. Hi Keith, You are welcome. We too love Genesis and base most of our work on top of it. It uses most of the native WordPress functions which makes it secure and easy to use.

  4. Sorry for second comment Ravi but I’ve just deleted an old Elegant Themes theme and noticed the Twenty ten and Twenty eleven themes.
    Presumably those themes do not use Timthumb and are OK.

    Just thought I’d ask.

    1. Yes, both 2010 and 2011 are safe. They may be the safest as they are the official WordPress themes 🙂

    1. Keith, does thumbnail.php have a link to Ben Gillbanks and the timthumb project? If not, it may be a different script and you can leave it. Otherwise, back up both files to your PC and upgrade them to the latest TimThumb version. Make sure the theme / plugin continues to work. If you encounter a problem, please discuss it in the concerned plugin or theme support forum.
