I am wondering why there is no update from DIY Themes about new version of Thesis Theme as timthumb file is making Thesis Theme Websites vulnerable to hackers. It has been reported that certain version of Timthumb script http://code.google.com/p/timthumb/issues/detail?id=212 holds security hole and Thesis Theme uses Timthumb.php file for re-sizing an image. I have no clue when new Thesis version will arrive, hence being on safer side why don’t we just update Timthumb file manually. 😉
Timthumb file prone to hackers
Therefore this vulnerability may also exist in your WordPress Theme or a Thesis Theme. For people who have followed this article How to auto generate thumbnail in Thesis Theme without Plugin, I strongly recommend you to update timthumb.php file, before a hacker ruins your morning, or make your sleepless nights.
In this article, you will learn how to update TimThumb file in WordPress Theme.
Step 1: Get Latest Timthumb.php for WordPress
As mentioned about the security flaws with the timthumb.php, so our first step will be to get the latest version thumb file. You can download Timthumb.php source code from here. Another option, is to copy entire source code and edit existing Timthumb.php file. Move on to the next step which is to find timthumb file location.
Step 2: How to find Timthumb file location ?
As mentioned above about timthumb.php, which is a script used by developers to resize post images / slider images, so it can be found within the Theme/Plugin Directory. Depending upon various plugin and theme developers, name of the file can be either thumb.php or timthumb.php.
For Thesis users, location of timthumb file in thesis theme is wp-content/thesis_18/lib/scripts/thumb.php
Step 3: Why wait, replace new timthumb file asap!
If you know the location of timthumb.php file, without any further delays, just replace timthumb with its newer version and upload it on server using ftp. Once done, take a breather and relax! What next ?
Did you check other web directories ?
Analyse all web directories
Well, I just told you to relax but we are not done yet. Make sure that you have not skipped any inactive themes directory or plugins, as this vulnerability applies to each timthumb file, regardless of whether it is active or executed by the server. I recommend you to delete all inactive themes and update existing ones to the latest versions.
Phew! And with this you have saved your valuable asset from being hacked, but not until next time. 😛
If you have any query or further assistance required then you can leave your comments below.
Thanks for helping to announce this important info.
English Please!
Erros!
That really helpful dude, thanks a lot..
Can we still update theme if we don’t have license of theme and we have downloaded free from website?
It’s generally not recommended and is critically important that you buy license before publishing it online.