I am wondering why there is no update from DIY Themes about a new version of the Thesis Theme, since the timthumb file is leaving Thesis Theme websites vulnerable to hackers. It has been reported that certain versions of the TimThumb script (http://code.google.com/p/timthumb/issues/detail?id=212) contain a security hole, and the Thesis Theme uses the timthumb.php file to resize images. I have no idea when the new Thesis version will arrive, so to be on the safer side, why don't we just update the timthumb file manually? 😉

[Image: Timthumb file prone to hackers]

This vulnerability may therefore also exist in your WordPress theme or your Thesis Theme. If you followed the earlier article, How to auto generate thumbnail in Thesis Theme without Plugin, I strongly recommend updating your timthumb.php file before a hacker ruins your morning or gives you sleepless nights.

In this article, you will learn how to update TimThumb file in WordPress Theme.

Step 1: Get Latest Timthumb.php for WordPress

As mentioned, timthumb.php has security flaws, so the first step is to get the latest version of the file. You can download the Timthumb.php source code from here. Alternatively, copy the entire source code and paste it over the contents of your existing timthumb.php file. Then move on to the next step: finding the timthumb file location.

Step 2: How to find the Timthumb file location?

As mentioned above, timthumb.php is a script developers use to resize post images and slider images, so it is found inside a theme or plugin directory. Depending on the plugin or theme developer, the file may be named either thumb.php or timthumb.php.

For Thesis users, the timthumb file is located at wp-content/thesis_18/lib/scripts/thumb.php.

Step 3: Why wait? Replace the timthumb file ASAP!

Once you know the location of the timthumb.php file, replace it with the newer version without further delay and upload it to the server via FTP. Once done, take a breather and relax! What next?

Did you check the other web directories?

[Image: Analyse all web directories]

Well, I just told you to relax, but we are not done yet. Make sure you have not skipped any inactive theme or plugin directories: this vulnerability applies to every timthumb file, regardless of whether the theme or plugin that ships it is active or ever calls it, because the file can still be requested directly. I recommend deleting all inactive themes and updating the remaining ones to their latest versions.
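To make Step 2 and this last check less error-prone, here is an added example (my own script, not code from the post or from DIY Themes) that lists every thumb.php / timthumb.php copy under a wp-content directory, active or not, and flags the ones whose declared VERSION differs from the version you just uploaded. It assumes TimThumb's usual single-quoted "define ('VERSION', 'x.y.z');" line near the top of the file; the version numbers and directory tree in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original post: inventory every TimThumb copy
# under a wp-content directory (active or not) and flag the ones whose declared
# VERSION differs from the one you just uploaded. Assumes TimThumb's usual
# single-quoted "define ('VERSION', 'x.y.z');" line; files lacking it are
# reported as "unknown" so they are never silently skipped.

# Print "path<TAB>version" for each thumb.php / timthumb.php below $1.
list_timthumb_versions() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | sort |
    while IFS= read -r f; do
        # Split the define line on single quotes: field 2 is VERSION, field 4 the value.
        ver=$(awk -F"'" '$2 == "VERSION" { print $4; exit }' "$f")
        printf '%s\t%s\n' "$f" "${ver:-unknown}"
    done
}

# Print only the copies whose version is not $2 (including "unknown" ones).
# Exit status 1 when at least one such copy exists, 0 when everything matches.
find_outdated_timthumb() {
    list_timthumb_versions "$1" |
    awk -F'\t' -v want="$2" '$2 != want { print; found = 1 } END { exit (found ? 1 : 0) }'
}

# Constructed sample tree (not a real install, versions are made up): the Thesis
# path from the post on the freshly uploaded version, plus an inactive theme and
# a plugin that were left behind.
demo=$(mktemp -d)
mkdir -p "$demo/themes/thesis_18/lib/scripts" "$demo/themes/old-theme/lib" "$demo/plugins/slider"
printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$demo/themes/thesis_18/lib/scripts/thumb.php"
printf "<?php\ndefine ('VERSION', '1.09');\n"   > "$demo/themes/old-theme/lib/timthumb.php"
printf "<?php\n// no VERSION line at all\n"      > "$demo/plugins/slider/thumb.php"

if find_outdated_timthumb "$demo" '2.8.10'; then
    echo "all TimThumb copies are on 2.8.10"
else
    echo "the copies listed above still need replacing"
fi
rm -rf "$demo"
```

Run it against your real wp-content directory with the version string from the file you uploaded; an empty report and exit status 0 means no stale copy was left behind.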

Phew! With this you have saved your valuable asset from being hacked, at least until next time. 😛

If you have any questions or need further assistance, leave your comments below.