
The once popular image resizing script known as TimThumb is no longer supported, according to co-creator Ben Gillbanks. In 2011, TimThumb made headlines when a major security vulnerability was discovered and used to hack into several websites.
The exploit that was found was a bug with the external image resize functionality and the fact it could be used to download and execute files. There was code in place that restricted the downloads to a whitelist of clean sites, but it wasn’t strict enough and so a hole was found that could inject PHP onto your server.
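The kind of looseness described above, as an added illustration that is not TimThumb’s own code: a host allow-list checked by plain substring match, beside a version that parses the URL and compares the hostname exactly. The allow-list entries and sample URLs are constructed for the example, and it assumes PHP 8.

```php
<?php
// Added illustration (not TimThumb's code): a loose allow-list check beside a strict one.

// Hypothetical allow-list of image hosts, in the spirit of a "clean sites" list.
const ALLOWED_HOSTS = ['blogger.com', 'wordpress.com', 'img.youtube.com'];

// Weak check: passes if an allowed name appears anywhere in the URL string,
// so a lookalike hostname or a path containing the name also passes.
function isAllowedLoose(string $url): bool {
    foreach (ALLOWED_HOSTS as $host) {
        if (stripos($url, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: parse the URL, require http(s), and compare the parsed
// hostname to the list (exact match or a subdomain of an allowed host).
function isAllowedStrict(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: one genuine image host and two lookalikes.
$samples = [
    'http://img.youtube.com/vi/abc/0.jpg',            // real allowed host: both pass
    'http://blogger.com.example.net/x.php',           // allowed name inside another host: loose passes, strict fails
    'http://example.net/img/wordpress.com/x.php',     // allowed name only in the path: loose passes, strict fails
];
foreach ($samples as $url) {
    printf("%-48s loose=%-4s strict=%s\n", $url,
        isAllowedLoose($url) ? 'pass' : 'fail',
        isAllowedStrict($url) ? 'pass' : 'fail');
}
```

Matching the host is only the first gate: the fetched bytes should still be validated as an image and written to a non-executable location with a fixed extension, since a trusted host can serve arbitrary content.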
In 2009, Gillbanks estimated that 95% of commercial WordPress themes supported TimThumb. Several major commercial theme companies, such as WooThemes, used the script in most of their products. This set the stage for thousands of sites to be affected by the vulnerability.
The outcome of the event has weighed heavily on Gillbanks and is one of the primary reasons he’s giving up development.
In particular, in 2010 there was a major security exploit found and it hurt a lot of websites, my own included. There are still people who are suffering because of it. I’ve felt incredibly guilty about this for years now, and so my enthusiasm for TimThumb has dropped to nothing.
Because of this lack of enthusiasm, and a fear of doing something else wrong, I have barely touched the code in years.
If you’re using TimThumb, Gillbanks recommends removing it and using something else. An excellent alternative is the WordPress TimThumb Alternative on Github. Created by Matthew Ruddy, the function uses WordPress’ native resizing functions to mimic TimThumb resizing.
Timeline of Notable Events
The following is a timeline of notable events surrounding TimThumb. Feel free to add more in the comments.
- March 27th, 2008 – TimThumb added to Google Code
- July 6th, 2009 – Ben Gillbanks takes over development of the script
- August 1st, 2011 – Mark Maunder reports a major vulnerability in TimThumb and releases WordThumb, a fork of TimThumb with the necessary patched files. The patches are merged into TimThumb during the development of 2.0.
- August 8th, 2011 – Matt Mullenweg chimes in on the TimThumb saga
- August 11th, 2011 – TimThumb 2.0 Released
- June 24th, 2014 – Zero-day vulnerability discovered in the TimThumb script dealing with Webshots
- September 27th, 2014 – Ben Gillbanks announces that he will no longer support or maintain TimThumb
With the development of TimThumb being discontinued, it’s the end of an era for WordPress theme development. Are you happy or sad to see it go? Since TimThumb has an open source license, will developers pick up where Gillbanks left off?
I was using an Elegant Themes WordPress theme at the time the vulnerability was announced, which used TimThumb #funandgames