In an earlier article on WordPress blog security I noted the importance of frequently updating your WordPress plugins, and that you should delete anything you don’t use, such as old themes.
One thing I didn’t mention was how important it is to also upgrade the themes you are using. Beyond that, it is important to know that some themes bundle plugin-like helper scripts that can open your site up to a security breach.
That is exactly what happened recently to one of our clients who utilizes the Thesis theme. This theme came with an outdated version of the Timthumb image sizing utility that was found to have a serious vulnerability. Unfortunately, there were no theme updates that resolved this issue.
Fortunately, there are a number of simple ways to resolve this issue. The simplest we have found is to utilize a new plugin for WordPress called Timthumb Vulnerability Scanner 1.3.
Here are the simple steps to take to protect against the Timthumb exploit:
As normal, log in to your WordPress admin console and, under the Plugins section of the sidebar, choose Add New. Search for “Timthumb Vulnerability Scanner” and the plugin will appear in the search results. Click the Install Now link to install the plugin.
This is what a successful install will look like. Now click the Activate Plugin link.
Once you have installed the Timthumb Vulnerability Scanner, a link labeled “Timthumb scanner” will appear in the Tools section of your WordPress admin sidebar. Give it a click to get started.
Here is the full intro text before the Scan button:
Here’s how this works: When you click “Scan”, we’ll gather a list of all the files in your wp-content directory, and then we’ll scan all of the php files looking for the timthumb script. If we find it, we’ll scan it to make sure it’s at least version 2 – which is the version that fixed the vulnerability. You’ll be notified here of any files that need to be updated.
Obviously, you want to click that scan button to get started.
If your theme has an old version of Timthumb then this is what you would see. Your next simple step is to click the Fix button. After doing this you will (hopefully) get a message that the scan was complete and the file has been updated. It will also show a message in green that says “No vulnerabilities found!”
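The quoted intro text describes the scan step in three parts: list the files under wp-content, pick out the PHP files that contain the TimThumb script, and check that each one is at least version 2. The following is an added example, not the scanner plugin’s own code, that implements that check in Python so you can see what the plugin is doing on your behalf. It assumes, as TimThumb does, that the script declares its version near the top with a line of the form `define ('VERSION', '2.8.10');`; the sample files it builds are constructed for illustration, and the paths and version strings in them are not taken from any real theme. Any PHP file that mentions timthumb is treated as a candidate, so a renamed copy (thumb.php and the like) is still found, and a candidate whose version cannot be parsed is flagged for manual review rather than silently passed.

```python
"""Walk a wp-content tree and report TimThumb copies older than version 2."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed TimThumb convention: the version is declared as define ('VERSION', '2.8.10');
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""", re.IGNORECASE
)
# Any PHP file that mentions timthumb is a candidate, which also catches renamed copies.
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)
FIXED_MAJOR = 2  # version 2 is the release the post identifies as fixing the vulnerability


@dataclass
class Finding:
    path: str
    version: Optional[str]  # None when no version define() could be parsed
    vulnerable: bool


def parse_version(source: str) -> Optional[str]:
    """Return the declared TimThumb version string, or None if it is not declared."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def is_vulnerable(version: Optional[str]) -> bool:
    """Anything below major version 2, or with no parseable version, needs attention."""
    if version is None:
        return True
    return int(version.split(".")[0]) < FIXED_MAJOR


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file under root and report the TimThumb candidates found."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if not MARKER_RE.search(source):
                continue
            version = parse_version(source)
            findings.append(Finding(path, version, is_vulnerable(version)))
    return findings


# Constructed sample tree (not a real theme layout): relative path -> file contents.
SAMPLE_FILES = {
    "themes/old-theme/timthumb.php": "<?php\n/* TimThumb */\ndefine ('VERSION', '1.34');\n",
    "themes/new-theme/scripts/thumb.php": "<?php\n// timthumb, renamed\ndefine ('VERSION', '2.8.10');\n",
    "themes/odd-theme/timthumb.php": "<?php\n/* timthumb copy with the version line stripped */\n",
    "plugins/hello.php": "<?php\necho 'Hello, Dolly';\n",
}


def run_demo() -> Dict[str, Optional[bool]]:
    """Build the sample tree in a temp dir, scan it, and map each sample path to its verdict.

    True means vulnerable, False means version 2 or newer, None means not a TimThumb candidate.
    """
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        verdicts: Dict[str, Optional[bool]] = {rel: None for rel in SAMPLE_FILES}
        for finding in scan_tree(root):
            rel = os.path.relpath(finding.path, root).replace(os.sep, "/")
            verdicts[rel] = finding.vulnerable
        return verdicts


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{rel}: {'VULNERABLE' if verdict else 'ok' if verdict is False else 'not timthumb'}")
```

Pointing `scan_tree()` at a real wp-content directory gives you the same file list the plugin shows before you click Fix; the example stops at reporting, since replacing the file with a current release is the plugin’s job.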
At this point you would be safe to remove the “Timthumb Vulnerability Scanner 1.3” plugin you used to resolve this problem. Or you could keep it, but if you do, remember to update it when prompted.
I hope this was helpful to you in learning how to protect against the Timthumb vulnerability. Note that while in our case this vulnerability was part of the Thesis theme, there are many other themes that utilize timthumb.php as well.
Is yours one of them?

