Ben Gillbanks Announces The End of TimThumb

TimThumb Ends Development
photo credit: katybirdcc

The once popular image resizing script known as TimThumb is no longer supported, according to co-creator Ben Gillbanks. In 2011, TimThumb made headlines when a major security vulnerability was discovered and used to compromise a large number of websites.

The exploit that was found was a bug with the external image resize functionality and the fact it could be used to download and execute files. There was code in place that restricted the downloads to a whitelist of clean sites, but it wasn’t strict enough and so a hole was found that could inject PHP onto your server.
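The weakness described above, as an added illustration that is not TimThumb's own code: a remote-fetch allowlist that only checks whether an allowed domain appears somewhere in the URL, beside a version that parses the URL and compares the actual host, and a cache step that treats the fetched bytes as image data rather than as a file to be served and executed. The allowlist, the probe URLs and the function names are constructed for the example; it needs PHP 8 (for `str_ends_with`) and the GD extension.

```php
<?php
// Added example, not TimThumb's code. Constructed allowlist of "clean" hosts.
$allowedHosts = ['blogger.com', 'wordpress.com', 'flickr.com'];

// Weak check: any URL that merely CONTAINS an allowed domain passes, so
// http://blogger.com.attacker.example/shell.php, http://blogger.com@attacker.example/
// and http://attacker.example/shell.php?x=blogger.com are all accepted.
function weak_is_allowed(string $url, array $allowedHosts): bool {
    foreach ($allowedHosts as $host) {
        if (stripos($url, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter check: parse the URL, require http(s), and compare the parsed host
// (exactly, or as a subdomain) against the allowlist. The userinfo, path and
// query parts never take part in the decision.
function strict_is_allowed(string $url, array $allowedHosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Even with a correct allowlist, what comes back must be handled as data:
// decode it as an image (PHP source or HTML fails here) and write the
// re-encoded result under a fixed, non-executable name derived from a hash,
// never under an attacker-supplied filename or extension.
function store_as_image(string $bytes, string $cacheDir): ?string {
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    $path = rtrim($cacheDir, '/') . '/' . hash('sha256', $bytes) . '.png';
    imagepng($img, $path);
    imagedestroy($img);
    return $path;
}

// Constructed probe: an attacker-controlled host that contains an allowed domain.
$probe = 'http://blogger.com.attacker.example/shell.php';
var_dump(weak_is_allowed($probe, $allowedHosts));
var_dump(strict_is_allowed($probe, $allowedHosts));
var_dump(strict_is_allowed('https://img.flickr.com/photo.jpg', $allowedHosts));
```

The substring check accepts the probe URL because `blogger.com` occurs inside it, while the host comparison rejects it and still accepts a real subdomain of an allowed site. The two fixes are independent: host matching stops the download of arbitrary URLs, and decoding-then-re-encoding stops anything that does get downloaded from ever being executed.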

In 2009, Gillbanks estimated that 95% of commercial WordPress themes supported TimThumb. Several major commercial theme companies, such as WooThemes, used the script in most of their products. This set the stage for thousands of sites to be affected by the vulnerability.

The outcome of the event has weighed heavily on Gillbanks and is one of the primary reasons he’s giving up development.

In particular in 2010 there was a major security exploit found and it hurt a lot of websites, my own included. There are still people who are suffering because of it. I’ve felt incredibly guilty about this for years now, and so my enthusiasm for TimThumb has dropped to nothing.

Because of this lack of enthusiasm, and a fear of doing something else wrong, I have barely touched the code in years.

If you’re using TimThumb, Gillbanks recommends removing it and using something else. An excellent alternative is the WordPress TimThumb Alternative on GitHub. Created by Matthew Ruddy, the function uses WordPress’ native resizing functions to mimic TimThumb resizing.
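What "using WordPress' native resizing functions" looks like in practice, as an added example rather than code from Matthew Ruddy's project or from TimThumb: an on-demand thumbnail helper built only on WordPress' image editor. It assumes it runs inside WordPress (`wp_get_image_editor`, `get_attached_file`, `wp_upload_dir`, `wp_mkdir_p`, `trailingslashit` and `WP_Error` are core), and the function name and the `example-thumbs` cache directory are constructed for the example.

```php
<?php
// Added example, not the TimThumb Alternative's own code.

/**
 * Return the URL of a width x height version of a media-library attachment,
 * generating the file on first use and reusing it afterwards.
 *
 * Only attachment IDs are accepted: there is no URL parameter, no remote
 * fetch and no user-controlled file path, which is the attack surface
 * TimThumb carried. Returns a URL string or a WP_Error.
 */
function example_thumb_url(int $attachment_id, int $width, int $height, bool $crop = true) {
    $source = get_attached_file($attachment_id);
    if (!$source || !file_exists($source)) {
        return new WP_Error('no_source', 'Attachment has no local file.');
    }

    // Cache name from source path, its mtime and the requested size, so a
    // re-uploaded image or a changed size never reuses a stale file.
    $uploads = wp_upload_dir();
    $name    = sprintf('%s-%dx%d%s.jpg',
        md5($source . filemtime($source)), $width, $height, $crop ? '-crop' : '');
    $dest    = trailingslashit($uploads['basedir']) . 'example-thumbs/' . $name;
    $url     = trailingslashit($uploads['baseurl']) . 'example-thumbs/' . $name;

    if (file_exists($dest)) {
        return $url;
    }
    wp_mkdir_p(dirname($dest));

    // WP picks GD or Imagick; every step returns WP_Error on failure.
    $editor = wp_get_image_editor($source);
    if (is_wp_error($editor)) {
        return $editor;
    }
    $result = $editor->resize($width, $height, $crop);
    if (is_wp_error($result)) {
        return $result;
    }
    $saved = $editor->save($dest, 'image/jpeg');
    if (is_wp_error($saved)) {
        return $saved;
    }
    return $url;
}

// Usage in a template (constructed): replaces a TimThumb src of the form
// timthumb.php?src=...&w=300&h=200 with a local, pre-generated file.
// $src = example_thumb_url(get_post_thumbnail_id(), 300, 200);
// if (!is_wp_error($src)) {
//     printf('<img src="%s" alt="">', esc_url($src));
// }
```

Where the sizes are known in advance, registering them with `add_image_size()` and emitting `wp_get_attachment_image()` is simpler still, since WordPress then generates the files at upload time; the helper above is for the dynamic-size case TimThumb was usually used for.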

Timeline of Notable Events

The following is a timeline of notable events surrounding TimThumb. Feel free to add more in the comments.

  • March 27th, 2008 – TimThumb added to Google Code
  • July 6th, 2009 – Ben Gillbanks takes over development of the script
  • August 1st, 2011 – Mark Maunder reports a major vulnerability in TimThumb and releases WordThumb, a fork of TimThumb with the necessary patched files. The patches are merged into TimThumb during the development of 2.0
  • August 8th, 2011 – Matt Mullenweg chimes in on the TimThumb saga
  • August 11th, 2011 – TimThumb 2.0 Released
  • June 24th, 2014 – Zero-day vulnerability disclosed in TimThumb’s WebShot feature
  • September 27th, 2014 – Ben Gillbanks announces that he will no longer support or maintain TimThumb

With the development of TimThumb being discontinued, it’s the end of an era for WordPress theme development. Are you happy or sad to see it go? Since TimThumb has an open source license, will developers pick up where Gillbanks left off?


9 Comments

  1. I was using an Elegant Themes WordPress theme at the time the vulnerability was announced, which used TimThumb #funandgames

  2. Honestly it isn’t that hard to just use the native WP functions. Also less likely to have these issues.

    1. I’m willing to bet that’s also a factor in the decision to end development. I feel for Ben though, managing a script that was responsible for so many sites being hacked. That would eat away at me every night. Not sure how I’d cope with it and be able to move on. In many ways, that’s what Ben is doing ending development. This is his way of being able to move on.

  3. It’s sad to see that Ben is no longer going to maintain the script, but he definitely deserves appreciation for the time he spent keeping TimThumb up to date for all those years.

    Btw, another alternative to TimThumb could be https://github.com/bfintal/bfi_thumb We used it for a couple of projects at Gabfire and it seemed to be working very well.

  4. I have some plugins which have reached this point in their life cycle too. Sometimes it’s best to put things down than to let them keep lingering and causing problems for users, even if there are a few passionate users who still insist on using them.

  5. I can’t imagine the pressure that one feels for something like that. He should be commended for his accomplishment and that should be the point that is remembered. It is a shame that there was some vulnerability that was exploited in his code – it could have happened to anyone (heck – it is possible to happen in the core code!)

    Two Thumbs Up (two TimThumbs up!) for Ben!

    1. Definitely two thumbs up for Ben. His attitude and response to issues with TimThumb is very commendable and makes me a lot more likely to trust his code in future. It’s the people who don’t take this stuff seriously or learn from it who worry me the most. Making a mistake, realising it, and moving on is much better than the usual response.

  6. I think it’s finally an end to TimThumb. I loved the script. It was easy to use and had very good support for handling images. I’ve checked out BFI_Thumb and it’s a good replacement for TimThumb since it uses WordPress images.

    For now, I’ve chosen to just use add_image_size to control the images as the first step in my plugins and allowing users to choose existing images as the first preference.

    http://ajaydsouza.com/archives/2014/09/27/timthumb-free/
