WordPress Security: Urgent TimThumb Vulnerability Fix


Right Mix Blog

WordPress is an amazing tool that has given millions of individuals and businesses the ability to quickly and cheaply implement a robust website or blog. This allows people to have more control over the most critical element of their online marketing strategies, what I call their “home base” (their website/blog combination). Implementation of capabilities that would previously have taken months and thousands of dollars in web design fees can now be put in place in hours and at much lower cost (if not for free) via WordPress. The self-hosted version of WordPress (versus the “hosted” version) allows for the most control and functionality.

WordPress and Hackers

As one of the most widely adopted content management platforms, self-hosted WordPress is attractive to hackers due to the large “target market” of sites. This is similar to how Windows PCs and Facebook profiles are favorite targets of hackers partially due to the massive number of users of each. When hackers find a new vulnerability in self-hosted WordPress, they will spread the word about how to take advantage of that vulnerability via hacker community websites and forums. When the hackers take that information and start to look for sites to hack, your site could become a target.

Be Vigilant – Keep Things Up To Date

Vigilance is very important – this means keeping your WordPress version up-to-date, using only trusted plugins, keeping those plugins up-to-date, and taking regular back-ups of your WordPress database. WordPress is “open source”, which means that a community of developers (not one company) creates new functionality and fixes issues such as security vulnerabilities. When new vulnerabilities arise, the fixes are often included in WordPress updates.

The TimThumb Vulnerability

Recently, there was a vulnerability in a key element of many plugins. This element is called “TimThumb”, and it helps a variety of plugins generate thumbnail pictures for use within your site. The vulnerability allows hackers to break into your site and add files of their own, for example to create “phishing” pages such as fake bank log-in pages used to steal people’s usernames and passwords.

Securing Your WordPress Site

In my opinion, it’s important that you secure your self-hosted WordPress site against this vulnerability right away. Luckily there’s a simple tool to do that, and it takes about 5 minutes to find and fix the vulnerable files if you haven’t been hacked yet. I have no association with Code Garage, the maker of the scanner below and I assume no liability or implied warranties from the use of their TimThumb Vulnerability Scanner (research and decide for yourself)!

How To Secure Your Site Against TimThumb Hacks

Follow these steps to see if you have vulnerable files, to update them, and to find if your site is already infected. Click the pictures to see larger versions.

1) From within your WordPress Dashboard, go to ‘Plugins’

2) Click ‘Add New’

3) Search for ‘timthumb’ (all one word, no quotes)

[Screenshot: how to find timthumb]

4) Add the ‘TimThumb Vulnerability Scanner’ plug-in

[Screenshot: timthumb vulnerability scanner]

5) Activate the plugin

6) Go to ‘Tools’ and then ‘TimThumb Scanner’

7) Press the ‘Scan!’ button

[Screenshot: find vulnerable WordPress TimThumb files]

8) Select any vulnerable files and click ‘update selected files’

9) If you are already infected, see a WordPress security expert right away
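If you also have shell access to your host, here is an added example (my own illustration, not the Code Garage plugin or any code from the post) that does the “find vulnerable files” part of the procedure above from the command line: it lists every TimThumb copy under a WordPress install together with the version each file declares, so you can compare them against the current TimThumb release and spot stray copies. It assumes TimThumb’s usual file names (timthumb.php, thumb.php) and its define ('VERSION', '...') line; the sample tree, version numbers and threshold are constructed for the demo.

```shell
#!/bin/sh
# Inventory every TimThumb copy under a WordPress install and report the
# version each file declares, for comparison with the current release.
# Added example, not the scanner plugin from the post. File names and the
# define ('VERSION', '...') line follow the public TimThumb source; the sample
# tree, version numbers and threshold below are constructed for the demo.

# Print "path<TAB>version" for each timthumb.php / thumb.php below $1.
# A copy with no VERSION line is reported as "unknown" and deserves a manual look.
find_timthumb_copies() {
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
  while IFS= read -r f; do
    ver=$(sed -nE "s/.*define *\( *'VERSION' *, *'([^']+)'.*/\1/p" "$f" | head -n 1)
    printf '%s\t%s\n' "$f" "${ver:-unknown}"
  done
}

# Count copies under $1 whose declared version is older than $2 (component-wise
# numeric compare of dotted versions); "unknown" copies are always counted.
count_older_than() {
  find_timthumb_copies "$1" | awk -F'\t' -v min="$2" '
    function older(a, b,  x, y, na, nb, len, i) {   # 1 if a < b
      na = split(a, x, "."); nb = split(b, y, "."); len = (na > nb) ? na : nb
      for (i = 1; i <= len; i++) {
        if (x[i] + 0 < y[i] + 0) return 1
        if (x[i] + 0 > y[i] + 0) return 0
      }
      return 0
    }
    $2 == "unknown" || older($2, min) { n++ }
    END { print n + 0 }'
}

# Constructed WordPress tree: an old theme copy, a newer plugin copy, and a
# stray thumb.php with no version header sitting in the uploads folder.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo/scripts" "$root/wp-content/plugins/gallery" "$root/wp-content/uploads"
  printf "<?php\ndefine ('VERSION', '1.19');\n" > "$root/wp-content/themes/demo/scripts/timthumb.php"
  printf "<?php\ndefine ('VERSION', '2.0');\n"  > "$root/wp-content/plugins/gallery/thumb.php"
  printf "<?php\n// no version header\n"         > "$root/wp-content/uploads/thumb.php"
  echo "$root"
}

# Stand-alone demo; on a real host pass the WordPress root and the version
# number of the current TimThumb release instead (the 2.0 here is a placeholder).
demo_root=$(make_sample_tree)
find_timthumb_copies "$demo_root"
echo "copies needing an update or a manual look: $(count_older_than "$demo_root" 2.0)"
rm -rf "$demo_root"
```

Any copy reported as "unknown", or found outside a theme or plugin directory, is worth opening by hand: a thumbnail script that was never part of an install is a sign the site already needs the expert mentioned in step 9.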

Please pass this on to anyone you know that has a self-hosted WordPress site. They will thank you!

Let me know any comments or corrections below. Have you used the scanner? What did you find?

Tom Treanor is the founder of the Right Mix Marketing blog. He’s the author of the Search Engine Boot Camp, the co-author of Online Business Productivity, and regularly speaks at industry and corporate events. His writing has been featured on the Content Marketing Institute, Social Media Examiner, Copyblogger and other leading industry blogs.


  1. This was a great post. Security of one’s site is very important – and it is of the utmost importance if it is a self-hosted WordPress website. You really never know when people can try to hack in, and it cannot always be promised that they will be nice towards you and your files. My friend had all of their WordPress content deleted. How sad!

Comments are closed.