How to Fix Vulnerable Timthumb Script in WordPress?

In the last couple of days I have seen many websites getting hacked due to this vulnerability, and we have already discussed it in the past. If you are still not aware of the timthumb hack and are running a WordPress blog, you should refer to these 2 posts:

Usually a blogger/webmaster will look into the theme folder and replace the script with the updated timthumb script. But chances are that some plugin is also using a timthumb script that you are not aware of. Here is a very useful WordPress security plugin called Timthumb Vulnerability Scanner, which checks your WordPress wp-content directory for timthumb.php files and also shows whether your existing timthumb.php file (

In case your timthumb.php file is not safe, it will give you the option to fix it. You don’t need to log in to FTP to update the timthumb script; clicking the Fix button will automatically replace the old one with the updated script.

[Image: Timthumb scanner WordPress]

As soon as you click on Fix, it will update the file and your screen will show this:


How to use the Timthumb Vulnerability Scanner plugin?

Go to the official download page and download and install the plugin. Alternatively, you can install the plugin from the dashboard by searching for Timthumb Vulnerability Scanner. Once the plugin is installed and activated, go to Tools > Timthumb scanner and run the scan. As mentioned above, within seconds you will see a list of all timthumb scripts running on your server, and if any of them is vulnerable you can fix it directly, as shown in the image above.
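As an added example (not the plugin's code and not from the original post), here is a small POSIX shell scan that performs the equivalent check by hand: it walks a wp-content tree for timthumb.php and thumb.php, reads the VERSION each file declares, and flags anything older than a threshold. The MIN_SAFE_VERSION threshold and the sample tree it builds are constructed assumptions; set the threshold to the release you have verified.

```shell
#!/bin/sh
# Added example, not the plugin's own code: find every timthumb.php /
# thumb.php under a wp-content tree and report the VERSION each file
# declares, flagging copies older than MIN_SAFE_VERSION.
# Assumptions: TimThumb declares its version as define ('VERSION', 'x.y');
# MIN_SAFE_VERSION is a placeholder; set it to the release you have verified.
MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-2.0}"

# Print "path<TAB>version<TAB>status" for one candidate file.
check_timthumb_file() {
    f="$1"
    # Extract the quoted value of the VERSION define (empty if absent).
    v=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
    if [ -z "$v" ]; then
        status="UNKNOWN"        # no version define: inspect by hand
    else
        # v is safe when MIN_SAFE_VERSION sorts first (or equal) in version order.
        lowest=$(printf '%s\n%s\n' "$MIN_SAFE_VERSION" "$v" | sort -V | head -n 1)
        if [ "$lowest" = "$MIN_SAFE_VERSION" ]; then status="OK"; else status="VULNERABLE"; fi
    fi
    printf '%s\t%s\t%s\n' "$f" "${v:-?}" "$status"
}

# Walk a wp-content directory for both filenames mentioned in the comments.
scan_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
        sort | while IFS= read -r f; do check_timthumb_file "$f"; done
}

# Constructed sample tree (not real TimThumb code) so the scan runs offline.
make_sample_tree() {
    mkdir -p "$1/themes/old/scripts" "$1/plugins/gallery" "$1/plugins/odd"
    printf "<?php\ndefine ('VERSION', '1.32');\n" > "$1/themes/old/scripts/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$1/plugins/gallery/thumb.php"
    printf "<?php\n// no version define\n" > "$1/plugins/odd/timthumb.php"
}

if [ $# -gt 0 ]; then
    scan_timthumb "$1"      # usage: sh scan.sh /path/to/wp-content
fi
```

A line reading VULNERABLE or UNKNOWN is a file to replace or inspect; the scan only reads files and never modifies them.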

In my opinion, every WordPress blogger should run this plugin at least once now, as the timthumb hack is taking down many WordPress blogs every day, and once your site is hacked, fixing it won’t be easy.

Do let us know if you found any hacked timthumb files using this plugin. And don’t forget to share this post on Facebook and Twitter so your WordPress blogger friends know about this useful plugin and can safeguard themselves from hackers.


Article By
Harsh Agrawal is a blog scientist and a passionate blogger. He has been blogging since 2008 and writes about blogging, SEO, making money online and tech. His blog, ShoutMeLoud, receives 1 million pageviews/month and has over 700K subscribers.


Comments (9)

  1. says

    Cool. When I upgraded the vulnerable file, it shows this: “CAN’T OPEN VULNERABLE FILE FOR WRITING”. What to do now?

  2. Jasmine says

    Oh, this is a very good plugin to check for timthumb vulnerability. I will download and use this plugin right away!

  3. Peter says

    Thanks for the mention, Harsh! I’m the plugin author, and it’s been great to see people are spreading the word about this plugin – it can save you huge headaches down the road.

    @Isha – You should be fine to uninstall the plugin after running the scan – in fact, it’s a good idea to deactivate/delete any plugins you don’t need at the moment. However – if you install new themes/plugins down the road, it wouldn’t be a bad idea to scan them for issues, just to be sure.

  4. Vijay says

    That’s the beauty of open source. Thanks to the plugin author for the initiative.
    The other easy way to find and update the timthumb file is to log in to your hosting account cPanel and search for files with the name “timthumb.php”; this will give you all locations of this file. You can visit them one by one to update it. Also make sure to search for the name thumb.php and update it as well.

  5. umashankar says

    Thanks Harsh for this article :) My question is, is it necessary to run this Timthumb Vulnerability Scan now and then, or will a single time be enough?