Many WordPress Themes Using TimThumb.php Are Vulnerable to Hackers

You work hard to build a blog,
You get traffic,
After a few months of marketing and promoting,
You finally make your first dollar online.

Awesome
Your blog is now a revenue generating asset.

Your blog, just like every other asset, needs to be maintained to keep running smoothly. You need to secure your WordPress blog from being hacked. You don’t want your prized asset breaking down and hurting your business because of negligence or an unpatched vulnerability.

This morning one of my clients called me and told me that his wp-admin was giving an error message. On digging further I figured out that the error message had something to do with a PHP script: there had been a hack on his blog. The hacker had injected a script through a vulnerability in the timthumb.php script.

What is TimThumb.php and how does it impact your blog?

– TimThumb.php is a script that many WordPress themes and plugins (and other software) bundle to resize images. Vulnerable versions could fetch an image from a short list of allowed remote sites, but they checked the host name with a substring match, so a URL on an attacker-controlled host whose name merely contained an allowed domain was accepted, and the fetched file was written into TimThumb’s web-accessible cache directory. An attacker can therefore plant and execute arbitrary files, PHP included, on your hosting account, which can then be used for any number of malicious tasks: defacement, browser hijacking and infection of your visitors, data harvesting, and more. Once a site has been exploited it may be flagged as a “Malicious Website” by Google Safe Browsing or other security authorities, which warns away or blocks most of your visitors.

TimThumb.php ships with a large share of free WordPress themes and with some premium ones, and because it sits inside a theme or plugin folder many site owners do not even know they have it. A great many WordPress sites have been hacked through it recently. Because the script runs as your site’s web server user, a compromised copy gives the hacker effectively full control of the blog: he can redirect it to his own site or any other, replace your home page, lock you out of the wp-admin panel, or leave further back doors behind.

How can you prevent a TimThumb.php WordPress hack?

I have two solid suggestions to avoid such hacks and keep your blog secure.
1) Avoid Free WordPress Themes:
– Free WordPress themes are often not updated and come with no support, so a bundled timthumb.php stays at whatever version the theme shipped with. Some premium themes bundle it too; what really matters is whether the theme author is still issuing updates. I recommend the Thesis Theme: it has a solid framework and a great support community to help you in case of any issues. Get $477 in bonus with the Thesis Theme.

2) Get Hosted with a Top Web Host
– Blog security depends a lot on where you are hosted; avoid web hosts that are free or very cheap. There is no free lunch, and you’ll pay for it in the long run. I recommend you host your blog or website on HostGator, one of the top web hosts in the business; they will do their best to service you and keep your blog secure.

HostGator runs regular scans of your blog so that vulnerabilities are spotted and cleaned before the damage is done. A host-side scan is a safety net, though, not a substitute for replacing the vulnerable file yourself. I would not risk my blog with a cheap web host. Get 25% discount on HostGator (use coupon code webtrafficroi).

If you are not on Thesis or HostGator, check with your host and ask them to scan your blog immediately for vulnerable copies of timthumb.php.

Any timthumb.php file above version 1.09 and below version 1.35 is considered vulnerable unless it has been patched. The version is declared in a define('VERSION', ...) line near the top of the file. Look for the file under wp-content/themes and wp-content/plugins: each theme or plugin carries its own copy, and some ship it under another name such as thumb.php, so every instance has to be dealt with separately. To prevent being compromised, I advise you update all instances of timthumb.php to version 2.0 or later, or patch the existing vulnerable files. Note that patching the files by hand requires more in-depth knowledge of the PHP scripting language, and a hand-patched copy can be silently reverted by the next theme update, so replacing it with 2.0 is the cleaner fix.

You can also install the latest version of TimThumb.php manually from the project’s download page. It is highly recommended that you also update your blog theme, plugins, scripts and all other files to the latest recommended versions, since a theme or plugin update is often the only way its bundled copy of TimThumb gets replaced.
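To check a site for the version range described above, here is a small scanner, added as an example for this post; it is not code from the original page or from the TimThumb project. It walks a directory such as wp-content, reads the VERSION constant each copy declares near the top, and flags anything above 1.09 and below 1.35. The thumb.php filename, the ALLOW_EXTERNAL check on 2.x copies, and the constructed sample tree it scans when run with no argument are assumptions and are labelled as such in the code.

```python
"""Find every TimThumb copy under a WordPress install and flag the ones in
the vulnerable range the post gives (above 1.09, below 1.35).

Added example for this post, not code from the original page or from the
TimThumb project.  Assumptions are noted in the comments."""
import os
import re
import tempfile

# TimThumb ships as timthumb.php; thumb.php is included because many themes
# renamed it (assumption from common practice, not something the post says).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Both 1.x and 2.x declare their version near the top, e.g. define ('VERSION', '1.34');
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"](\d+(?:\.\d+)*)['"]\s*\)""")
# Assumption about 2.x: remote fetching is off unless ALLOW_EXTERNAL is TRUE.
ALLOW_EXTERNAL_RE = re.compile(
    r"""define\s*\(\s*['"]ALLOW_EXTERNAL['"]\s*,\s*(true|false)\s*\)""", re.I)

VULN_LOW, VULN_HIGH, FIXED = (1, 9), (1, 35), (2, 0)   # 1.09 < v < 1.35; fixed in 2.0


def parse_version(source):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(source):
    """Map TimThumb source text to: vulnerable, outdated, unknown, ok-external, ok."""
    v = parse_version(source)
    if v is None:
        return "unknown"        # no VERSION line: modified copy, inspect by hand
    if VULN_LOW < v < VULN_HIGH:
        return "vulnerable"     # the range the post describes
    if v < FIXED:
        return "outdated"       # 1.09 or older, or 1.35-1.x: not flagged, but pre-2.0
    m = ALLOW_EXTERNAL_RE.search(source)
    if m and m.group(1).lower() == "true":
        return "ok-external"    # 2.x that still fetches remote images: review its allowed sites
    return "ok"


def scan(root):
    """Walk root and return sorted (relative path, status, version string) triples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            v = parse_version(source)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results.append((rel, classify(source), ".".join(map(str, v)) if v else None))
    return sorted(results)


def statuses(results):
    """Collapse scan output to {relative path: status}."""
    return {rel: status for rel, status, _ in results}


# Constructed sample tree standing in for wp-content/; the bodies are minimal
# stand-ins containing only the define lines, not real TimThumb code.
SAMPLE_FILES = {
    "themes/old-theme/timthumb.php": "<?php\ndefine ('VERSION', '1.34');\n",
    "themes/other-theme/scripts/thumb.php":
        "<?php\ndefine ('VERSION', '2.8.10');\ndefine ('ALLOW_EXTERNAL', TRUE);\n",
    "plugins/gallery/timthumb.php":
        "<?php\ndefine ('VERSION', '2.8.10');\ndefine ('ALLOW_EXTERNAL', FALSE);\n",
    "themes/odd-theme/timthumb.php": "<?php\n// version line stripped by the theme author\n",
}


def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, status, version in (scan(root) if root else demo()):
        print("%-12s %-8s %s" % (status, version or "-", rel))
```

Run it as `python timthumb_scan.py /path/to/wp-content`; with no argument it scans the built-in sample tree. A copy with no VERSION line is reported as unknown rather than ok, because a theme author may have trimmed or modified the file, and a scanner cannot tell a hand-patched 1.x copy from an unpatched one, so those still need a look by hand.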

Don’t wait for a hack, prevent it.

You can get in touch with me if you need help to install the patch on your blog.


14 comments

Ebooks August 28, 2011 - 6:05 am
Thanks for letting me know about this. I just got your email! My blog is running a premium theme that does use "Timthumb.php" so I am working on this update right now. I have had my blog attacked before and it's no laughing matter when you forget to "back it up"! Thanks for the post ZK! Tweeted! Dave
Shanker Bakshi @Net Profit Mantra August 28, 2011 - 6:27 am
Yes, this is a BIG threat to those WordPress sites which are using a theme that uses TimThumb auto-resizing thumbnails.
rakesh kumar August 28, 2011 - 7:55 am
Have seen it on many blogs. Though I am not using timthumb in my WordPress theme, this information is still valuable, as I was planning to use it in my WordPress theme.
jack@paperorigami.blogspot.com August 28, 2011 - 8:32 am
Wow, thanks for the info. I'm planning to host my future website on WordPress because it is easy to set up, then here I found that there are vulnerabilities. So I have this idea... thanks, thanks, great idea.
free online games August 28, 2011 - 10:54 pm
Oh, so dangerous; my blog has timthumb.php. Thanks for sharing. I've heard that SQL injection bugs are also very dangerous.
Hugh August 29, 2011 - 8:49 pm
This is a great tip, I've never heard of it before. But then again, I am on HostGator so I do feel a little safer.
zeo @themes labs September 10, 2011 - 1:15 pm
I think it has nothing to do with the hosting company... theme vulnerability is a big problem, I think... easily you can use some WP plugin to scan your WP theme, it just takes a short time.
Niche word List August 29, 2011 - 9:49 pm
Timthumb became a standard in premium themes and this is a major security hole in those themes. Now each of us who is using premium themes must check for this. Thanks ZK for posting this valuable information.
Joe@Santa Letters August 31, 2011 - 7:00 am
The post is like a warning about using free WordPress themes. Always good to know and be aware of the themes we use.
Guitar Learning Classes September 2, 2011 - 8:39 am
Thanks for the news and update about hackers, we appreciate your work.
hinsel September 2, 2011 - 2:38 pm
Any info regarding whether or not having renamed your default database table names (wp_) will stop this attack?
Ebooks September 3, 2011 - 9:51 am
I think renaming the database would be useless, because your blog will still be able to be found.
neo September 5, 2011 - 8:55 pm
There are WP plugins that can help you check your timthumb.php file, safe or not, and help you fix it. Maybe we can use this: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
zelot66 September 11, 2011 - 12:25 am
Thanks for the info. I experienced this a couple of times. The screen turned red with a message something like "Google has detected bla..bla..bla". However there is also a button that says "proceed anyway". To find out what would happen, I clicked the "proceed anyway" button. Thus far, I have not come across any problem caused by the so-called malicious virus or the like.