16 Comments


  1. I guess this will be happening a long time into the future.

    Thanks for the link to http://codegarage.com/, I hadn’t heard of them before. Looks like an interesting service, although the “backups kept for 30 days” business seems a bit crappy. I’d want access to much older backups in case I didn’t notice a problem for more than 30 days (entirely possible if something subtle was altered).


  2. TimThumb exploits can be a pain in the ass. Took me nearly two weeks to really get to the bottom of it. And still, the problems only ended when I stopped using the script.

  3. chrismccoy

    I use/used a shell script that will download a fresh copy of timthumb for all sites that use it, was a way to replace it without a headache

    # fetch the current timthumb.php into a temporary file outside the web roots
    wget -q -O ~/newtim.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
    # overwrite every copy named timthumb.php below the current directory with the fresh one
    find . -name "timthumb.php" -exec bash -c "echo patching {} && cp ~/newtim.php {}" \;
    rm ~/newtim.php
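Before blindly overwriting, a defender usually wants an inventory: which sites still carry a copy of timthumb.php and which of those are older than the version you have verified as patched. The script below is an added example (not the commenter's script and not from the original post); it assumes the TimThumb 2.x convention of declaring its version as `define ('VERSION', '2.8.x');` near the top of the file, and only matches files literally named timthumb.php.

```shell
#!/bin/sh
# Added example: list every timthumb.php under a web root whose declared VERSION
# is below a required version, so only those copies need replacing (and backing up).
# Assumption: TimThumb 2.x declares  define ('VERSION', '2.8.x');  near the top.

# Print the declared version of one timthumb.php; prints nothing if no VERSION line exists.
timthumb_version() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) when dotted version $1 is older than $2, e.g. 2.8.9 is older than 2.8.13.
version_older() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print "<version> <path>" for each timthumb.php under $1 that is older than $2,
# and "unknown <path>" for copies with no VERSION line (those need manual review).
find_outdated_timthumb() {
    root=$1
    required=$2
    find "$root" -type f -name 'timthumb.php' -print | while IFS= read -r f; do
        v=$(timthumb_version "$f")
        if [ -z "$v" ]; then
            printf 'unknown %s\n' "$f"
        elif version_older "$v" "$required"; then
            printf '%s %s\n' "$v" "$f"
        fi
    done | sort
}

# Usage: find_outdated_timthumb /var/www 2.8.13   (constructed example arguments)
```

Files reported as "unknown" are worth opening by hand: a copy with no VERSION line is either very old or has been modified, and either case deserves a look before it is overwritten.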

  4. Steve Bank

    This continues to expose issues with the THEME > PLUG-IN model that WordPress employs.

    If the core could handle a correlation between themes and the plug-ins, then frameworks and child-like functionalities could be updated without any harm to theme/template/core versioning.

    Sadly plug-in functionality is consistently overwritten by theme functionality, even when that has nothing to do with templating/front-end. It completely falls foul of the most basic MVC-type separation of data, formatting and processing. Thus almost every theme front-loads its functionality into the VIEW aspect rather than the CONTROLLER.

    For WordPress users who are not plugged in to the core or development, that makes it exceptionally difficult to keep both up to date and track of. In the short term (1 day) this was a TimThumb issue; in the long term, it’s a WordPress Core issue about the management of its data. A decision that has completely gone the way of WP.com and bloggers.

    I’m secretly laughing because when I googled for an article I read which backed this up it came from “he who shall not be named” 14 months ago: http://kevinjohngallagher.com/2011/03/now-theme-disconnect/


  5. Hey Ryan –

    Peter from Codegarage here.

    We hear you. Longer backup retention periods in some form (i.e. daily backups to 30 days, monthly backups up to a year) are on our list, and I’m hoping we’ll have it implemented within the next 6 weeks or so. Thanks for having a look!


  6. Be sure to read the tips that Dan and his security adviser provides on protecting your site.

    I’m not familiar with the eSarcasm site, so it’s not obvious to me where on that site to find these tips you’ve mentioned—and there doesn’t seem to be a direct link to them in your article :-(

  7. Michael

    This is why I stopped using the script altogether. Why take the risk … it is always being updated, which is a pain, and you are never sure if it is stable or not and for how long.



  8. Note: the Theme Check Plugin will also alert that a Theme is using TimThumb.

    This is the Plugin used by the Theme Review Team, and TimThumb alerts as a warning-level notice, which means that a Theme with TimThumb bundled won’t even pass the Theme Repository uploader script checks. Themes using TimThumb are no longer accepted in the official repository, so if you want to be certain that you are not vulnerable, I recommend using a Theme from the official repository.


  9. @Brian Krogsgard – It’s a little off topic, but there’s also a plugin called Theme Updater that will allow anyone who hosts their themes on Github to allow automatic updates through the use of Git Tags. That way any security patches can be fixed and pushed out even if the theme isn’t in the official Repo.

    I think that a non-repo third-party service that verifies themes that are deemed “safe” would be useful, especially since a lot of the best themes use non-GPL compliant parts (Shadowbox, Skeleton Framework, just to name a few)


  10. Lol. I was just contracted to clean a multi-site (192 sub-blogs total) hit with the timthumb exploit not more than 5 days ago… Problem was an out-of-date script in the Nivo Slider plugin (outdated version)… I was astounded that people don’t update regularly.. or backup for that matter..

    Funny thing is, that after the site was infected, it ran probes on a long list of dreamhost accounts for the same timthumb exploit…


  11. If you have ever used Swift Theme you need to check your image folder. I discovered TimThumb files left behind after I deleted the theme.

Comments are closed.