40 thoughts on “TimThumb 2.0”

  1. I never thought that it would be so dangerous. I was even more afraid when I read Mark Maunder’s blog. Thank you for updating TimThumb to version 2.0 and giving it new features.

    Now downloading.. 😎


    1. I have always been conscious of security – hence my reluctance to allow any domain; however, it seems I wasn’t strict enough. I’ve learnt a lot from this experience – and TimThumb 2 is looking fantastic 🙂

  2. Hey Ben,

    Good to hear the updates on this. I, personally, was a bit sad looking at how the issue was too much hyped. I’ve always admired how TimThumb has been an integral part of the themes we’ve developed so far and how useful it has been.

    It’d be a dream come true if TimThumb becomes an integral part of the WordPress code. The only thing that bothers us at the moment is the cache folder permission 🙂

    Once it gets into the WP core, there are only good things ahead.

    1. I’ve been really proud of TimThumb and plan to continue using and maintaining it for some time. The demo Mark has put together for WordPress itself is very clever but I don’t think it approaches the flexibility of TimThumb itself – at least not in its current state. Hopefully with the might of WordPress behind it we can get something better working.

  3. Thanks for the timthumb update.
    We’ve tried to implement it on some of our multisite installation blogs and found a few errors we cannot solve. We are having issues related to the site root being a symlink (some of the new security checks don’t work) and/or to the fact that we have a constant that moves the uploads folder to a different name (“uploads_xxx”).
    All seem related to the behaviour of the realpath PHP function, but we had to give up… I’ll try to include them in your issue tracking, but it seems down at the moment (!). You can email me if you want concrete details.

  4. Thanks for the prompt response, but I don’t think this is the case. I should have clarified that we are not using MU or networked standard WP. We have a small patch to share a base dir with different confs that so far has never affected any libs or plugins, including different versions of timthumb working great on some of the themes.

    I have posted an issue which I hope clarifies and is of help.

    We so far have downgraded to a previous version.
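The realpath behaviour the two comments above run into, shown as an added illustration that is not TimThumb’s own code: a “stay inside the site root” check that resolves only the requested file fails whenever the configured root is itself a symlink, because the resolved file path no longer starts with the unresolved root. Resolving both sides before the prefix comparison fixes it. The `insideBaseNaive`/`insideBase` functions, the temporary directory layout and the `uploads_xxx` fixture are constructed for this example.

```php
<?php
// Added example, not TimThumb's own code: a realpath-based "stay inside the site root"
// check, in a naive form that breaks under a symlinked root and a corrected form.
declare(strict_types=1);

// Naive: resolve only the requested file and compare against the root as configured
// (for example $_SERVER['DOCUMENT_ROOT']). When $base is a symlink, realpath($candidate)
// returns the link target's path, which never starts with the unresolved $base, so
// every legitimate request is rejected.
function insideBaseNaive(string $base, string $candidate): bool
{
    $realFile = realpath($candidate);
    if ($realFile === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $base, strlen($base)) === 0;
}

// Corrected: resolve both sides so symlinks anywhere on either path are normalised
// before the prefix comparison. The trailing separator stops "/srv/site" from matching
// a sibling such as "/srv/site-old/...". Anything that cannot be resolved (missing file,
// dangling link) is refused rather than guessed about.
function insideBase(string $base, string $candidate): bool
{
    $realBase = realpath($base);
    $realFile = realpath($candidate);
    if ($realBase === false || $realFile === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $realBase, strlen($realBase)) === 0;
}

// Constructed fixture: a real site root, a symlink to it of the kind a host might hand
// out as DOCUMENT_ROOT, a renamed uploads folder with one image, and one file outside.
$tmp      = sys_get_temp_dir() . '/timthumb_realpath_demo_' . getmypid();
$realRoot = $tmp . '/htdocs_real';
$linkRoot = $tmp . '/htdocs_link';
mkdir($realRoot . '/uploads_xxx', 0700, true);
symlink($realRoot, $linkRoot);
file_put_contents($realRoot . '/uploads_xxx/photo.jpg', 'placeholder image bytes');
file_put_contents($tmp . '/outside.txt', 'must not be served');

$legitimate = $linkRoot . '/uploads_xxx/photo.jpg'; // path built from the symlinked root
$traversal  = $linkRoot . '/../outside.txt';        // leaves the root via the link's parent

printf("naive check, symlinked root:     %s\n", insideBaseNaive($linkRoot, $legitimate) ? 'allowed' : 'rejected');
printf("corrected check, symlinked root: %s\n", insideBase($linkRoot, $legitimate) ? 'allowed' : 'rejected');
printf("corrected check, traversal:      %s\n", insideBase($linkRoot, $traversal) ? 'allowed' : 'rejected');

// Remove the fixture.
unlink($tmp . '/outside.txt');
unlink($realRoot . '/uploads_xxx/photo.jpg');
rmdir($realRoot . '/uploads_xxx');
unlink($linkRoot);
rmdir($realRoot);
rmdir($tmp);
```

Run it with `php` from the command line. The naive check rejects the legitimate image because the root it was handed is a link; the corrected check allows that image and still rejects the path that steps out of the root, which is the property the security check is there to guarantee. The same mismatch appears when the temporary directory itself is a symlink (as `/tmp` is on some systems), which is another reason to resolve the base rather than trust it as configured.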

  5. Pingback: TimThumb Security | Pro Theme Design
  6. Thank you for putting in the time and effort to rebuild for the benefit of everyone else. One of the sites I run was hacked through that exploit, and it’s really pretty awesome that you’ve got a patch for it up within a couple of weeks. Great work.

  7. Pingback: Dealing with compromised Wordpress blogs via the timthumb vulnerability / Stickman Ventures Blog
  8. Since I use timthumb (latest version) I cannot use Cloudflare anymore because Cloudflare is not able to cache the images.

    Any suggestion to fix this situation?

  9. I am curious if you have considered making the core of TimThumb into a WordPress plugin, and then just changing timthumb.php so that it calls a function in the plugin.

    This would make it very easy to distribute updates for the code, as well as make it possible for clients to do this without having to do a theme update.



    1. Thanks for the comment. I agree that this would make things simpler in terms of updates, but it would also rely on people integrating support for the plugin in their themes, and on users downloading the plugin and updating it when there are updates. All those things combined, IMO, will keep us in the same place we are in currently. The best solution would be for WordPress core to get something similar integrated (either TimThumb itself, or some custom code).

  10. Pingback: Pro Theme Design on the Timthumb security issue | WordCamp Cape Town
  11. Since I use timthumb (latest version) I cannot use Cloudflare anymore because Cloudflare is not able to cache the images.

    Any suggestion to fix this situation?

    Please, I need help. If I activate Cloudflare the images are not cached, so they are not shown!

    Please give me some help with this!

  12. Hi, for us non-techies, please tell us how to update our sites, step by step please?
    I’ve found the timthumb.php file in my site but what do I do next? I’ve seen the code at http://timthumb.googlecode.com/svn/trunk/timthumb.php but it’s full of scary talk about editing configurables and says nothing about what to do with the code. I’ve no idea what configurables are used by the plugin that uses timthumb and I don’t know what to do with the code. If I paste it into the timthumb.php file in my site will that do? But what if there are configurables in that file and this one overwrites them…
    Guidance would be really appreciated as my web host is about to shut all my sites that use timthumb unless I fix them straight away!

    1. It’s a drop-in replacement. Don’t worry about configuring things. Just replace the existing file with the new one and you’ll be up to date.

  13. Hi,

    I used Timthumb in many projects.
    On fast server everything is OK. No problems at all. (See http://www.hotelraya.it/photo-gallery.php)

    On slower ones (customers have cheap servers sometimes…) I have unpredictable broken images.
    See http://www.adelina-panarea.com/ or http://www.batik-mirinvento.it/la-galleria.php?galle=quadri&dida=quadri

    It seems to be a (random) MIME type recognition issue. At every refresh, which thumbnails are shown changes.
    I looked around on the web and I can’t find a solution.

    Any help?



  14. Pingback: Auto Generate Thumbnail from First Image in Content – Thesis Theme
  15. Is TimThumb 2.0 the latest version? I was worried about hacking through TimThumb issues. But I have tried TimThumb and it is a totally amazing function. But I think use it with a limited number of images to have a faster page load.

    1. Hi – TimThumb is currently on version 2.8.3 I think. Make sure to keep it up to date through Google Code as this always has the latest version.

  16. Thank you so much Ben, I appreciate your help. I will download it at google. great sharing. thanks again!

  17. May I know whether Cloudflare will cache the timthumb images? Because I realise that the extension of images generated by timthumb is not .jpg/.gif/.png anymore.

  18. Pingback: Don't Build WordPress Plugins Into Your Themes
  19. Hi Ben

    I am having trouble with timthumb and contacted my hosting provider first.

    They tell me that WordPress is done via the Application Vault; the WordPress install is actually in /webspace/siteapps/34466/htdocs and

    timthumb is looking in the directory /webspace/httpdocs/crgroup.ie. You will need to find the config file for timthumb to change.

    I am not familiar with the tech side of PHP.

    What would I enter into the timthumb-config.php to make the change?



  20. Hi Ben,

    While I was working on trying to get timthumb working on a CDN I noticed the update on the PHP program. I also noticed the size difference between the files. It’s 4 times the size of the previous one; is there any way to strip this down a bit?

    Also I can’t seem to change expires date of the images to be longer than 10 days. Any idea why this is?


    1. Hi Stephen. What is 4 times the size – not sure what you mean there?

      The expires date is on line 1033 of the most recent version of TimThumb
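For the two questions above (what to put in `timthumb-config.php` when the files live somewhere other than the web root, and how to change the expires date), here is an added example of such a config file. It is not from the TimThumb project: TimThumb 2.8.x reads a `timthumb-config.php` sitting next to `timthumb.php` before applying its own defaults, so anything defined here wins. The constant names are those found in the header of TimThumb 2.8.x (check them against the copy you are deploying); the site path is the one quoted by the host above, and the cache lifetimes and allowed hosts are constructed values.

```php
<?php
// Added example, not part of the TimThumb project: a timthumb-config.php placed next to
// timthumb.php. Constant names follow TimThumb 2.8.x; verify against your copy.

// Where the images actually live when DOCUMENT_ROOT points elsewhere (the
// "Application Vault" layout described above; path quoted from the host).
define('LOCAL_FILE_BASE_DIRECTORY', '/webspace/siteapps/34466/htdocs');

// How long browsers and CDNs may keep a thumbnail, in seconds. TimThumb's own default
// is 864000 (10 days), which is the ceiling mentioned above; this allows 30 days.
define('BROWSER_CACHE_MAX_AGE', 30 * 86400);

// Server-side cache of generated thumbnails. The directory must be writable by the
// web server user and nothing else, and should not be reachable as executable PHP.
define('FILE_CACHE_DIRECTORY', './cache');
define('FILE_CACHE_MAX_FILE_AGE', 86400);

// Hardening. The incident discussed in the post involved images fetched from remote
// sites; unless the theme genuinely needs that, switch remote fetching off entirely.
define('ALLOW_EXTERNAL', false);
define('ALLOW_ALL_EXTERNAL_SITES', false);

// If remote fetching must stay on, list the exact hosts to trust instead of relying on
// the built-in default list (constructed values; replace with the hosts you need).
$ALLOWED_SITES = array(
    'img.example-cdn.test',
    'media.example.test',
);

// Leave debugging off in production so error detail is not returned to clients.
define('DEBUG_ON', false);
```

Because TimThumb only defines a default when the constant is not already set, every line here is optional: a file containing just `LOCAL_FILE_BASE_DIRECTORY` is enough for the hosting layout question, and just `BROWSER_CACHE_MAX_AGE` for the expires date. Keeping the settings in this separate file also means the next drop-in upgrade of `timthumb.php` does not overwrite them.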

  21. Pingback: Don’t Build WordPress Plugins Into Your Themes
  22. Guidance would be really appreciated as my web host is about to shut all my sites that use timthumb unless I fix them straight away…!

  23. Hi Ben. I mean timthumb.php the most recent version is 4 times the size/weight of the previous one. But if you strongly recommend updating I will. Thanks for the note on expires date.

    1. Hi Stephen – the size of the PHP file shouldn’t matter since it doesn’t get downloaded. The size of the files it generates is what affects the download speed. Despite being larger, hopefully the current version of TimThumb will be at least as quick as the one you’re upgrading from.

  24. Pingback: Don’t Build WordPress Plugins Into Your Themes | Eagle Web Tech LLC :: Web Enabled Technical Solutions :: Martinsburg, WV
  25. Pingback: Don’t Build WordPress Plugins Into Your Themes : Express Master
  26. Great script Ben!
    Just a request: any plan to add a watermark feature using a TTF?
    Thanks for your reply
