WordThumb is now TimThumb 2.0

News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

On the suggestion of Matt Mullenweg (WordPress founder), Ben Gillbanks (TimThumb author) and I have been working for the last day to merge my work on WordThumb into TimThumb 2.0.

That work is now complete and TimThumb 2.0 is now available for download from the TimThumb site.

I’m going to be working with Ben going forward to continue to have TimThumb be the easiest to use, fastest, most popular and most secure thumbnail script on the Web.

Here are a few enhancements in TimThumb 2.0:

  • Includes the ability to take website screenshots if you have Xvfb and CutyCapt installed. (Instructions on how to do this are included.)
  • All filters and resizing can be applied to website screenshots.
  • The cache directory is now secure and is still public for flexibility across platforms.
  • TimThumb creates index files in your cache to prevent directory listings.
  • Filenames are more randomized using data that a hacker doesn’t have access to, making it very hard to guess filenames in cache and access them.
  • Cache files have a .txt extension which means the web server won’t execute them.
  • All cached files have a fixed length record at the beginning which, if a web server tries to execute them, will be interpreted as PHP code and will cause an immediate exit.
  • It includes file locking when files are created in cache to avoid conflicts.
  • The entire code base has been rewritten and refactored for better code scalability.
  • Lots of other improvements.
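
The cache-hardening items in the list above (.txt extension, fixed-length PHP record at the start of each file, index file, secret-derived file names, file locking), as an added example that is not TimThumb's own code. The record text, the 64-byte record length, the .secret file and the cacheWrite/cacheRead names are my own simplifications; the real script's names differ.

```php
<?php
// Added example; not TimThumb's own code. The constants, file names and function
// names (CACHE_RECORD_LEN, .secret, cacheWrite/cacheRead) are my own simplifications
// of the techniques listed in the post.

// Fixed-length record written at the start of every cache file. If a misconfigured
// server ever runs the file as PHP, this is compiled and executed first, so nothing
// that follows it can run (a malformed remainder only yields a parse error, which
// also executes nothing). On a correctly configured server the .txt file is never
// executed at all and cacheRead() simply skips the record.
const CACHE_RECORD = "<?php die('Execution denied'); //";
const CACHE_RECORD_LEN = 64;   // record is padded with spaces to this many bytes

function cacheRecord(): string {
    return str_pad(CACHE_RECORD, CACHE_RECORD_LEN, ' ');
}

// Per-install secret that a remote requester cannot know. Mixed into the file name
// hash so cache names cannot be derived from the request parameters alone.
function cacheSecret(string $dir): string {
    $file = $dir . '/.secret';
    if (!is_file($file)) {
        file_put_contents($file, bin2hex(random_bytes(32)), LOCK_EX);
    }
    return (string) file_get_contents($file);
}

// Creates the cache directory and an index file so servers that allow directory
// listings do not expose the cache contents.
function cacheInit(string $dir): void {
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    $index = $dir . '/index.html';
    if (!is_file($index)) {
        file_put_contents($index, "<html><body>Cache directory</body></html>\n");
    }
}

// .txt extension: the web server serves it as text and never hands it to PHP.
function cachePath(string $dir, string $requestKey): string {
    return $dir . '/' . hash('sha256', cacheSecret($dir) . '|' . $requestKey) . '.txt';
}

// Writes record + image under an exclusive lock so concurrent requests for the
// same thumbnail cannot interleave their writes.
function cacheWrite(string $dir, string $requestKey, string $imageBytes): bool {
    cacheInit($dir);
    $fh = fopen(cachePath($dir, $requestKey), 'c');   // create, do not truncate yet
    if ($fh === false || !flock($fh, LOCK_EX)) {
        if ($fh !== false) {
            fclose($fh);
        }
        return false;
    }
    ftruncate($fh, 0);
    $ok = fwrite($fh, cacheRecord()) !== false && fwrite($fh, $imageBytes) !== false;
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Reads the image back, skipping the fixed-length record, under a shared lock.
function cacheRead(string $dir, string $requestKey): ?string {
    $path = cachePath($dir, $requestKey);
    if (!is_file($path)) {
        return null;
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    flock($fh, LOCK_SH);
    fseek($fh, CACHE_RECORD_LEN);
    $data = stream_get_contents($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $data === false ? null : $data;
}

// Usage with constructed sample data (a real caller passes resized image bytes).
$dir = sys_get_temp_dir() . '/timthumb-example-cache';
$key = 'src=example.jpg&w=80&h=12';
cacheWrite($dir, $key, "GIF89a\x50\x00\x0c\x00" . str_repeat("\x00", 16));
$img = cacheRead($dir, $key);
var_dump($img !== null && substr($img, 0, 6) === 'GIF89a');   // image survives the round trip
```

The record works because PHP compiles a file before running it and then executes from the top, so die() always runs before any byte that came from the image; the .txt extension and the index file are belt-and-braces for the case where that execution never happens in the first place.
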
So give it a whirl and if you have any suggestions or find any bugs, please file them on the TimThumb issues page. Thanks.

31 thoughts on “WordThumb is now TimThumb 2.0”

  1. This web site is known as a stroll-through for the entire data you wished about this and didn’t know who to ask. Glimpse right here, and also you’ll positively uncover it.

  2. This is the appropriate blog for anyone who needs to seek out out about this topic. You understand so much it’s virtually arduous to argue with you (not that I truly would want, HaHa). You undoubtedly put a new spin on a topic that’s been written about for years. Great stuff, just great!

  3. Nice post. I learn something more challenging on different blogs everyday. It should always be stimulating to read content from other writers and follow a bit of something from their store. I’d want to use some with the content on my blog whether you don’t mind. Naturally I’ll give you a link on your web blog. Thanks for sharing.

  4. I was told to set allow_external=true in my php.ini file. I do not see that command anywhere within my php.ini file. Without this my images are unable to display correctly on my slider. Please Advise.

  5. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  6. Hey Guys, I recently got an email from my hosting company stating:

    This is a courtesy notice that we have found exploitable timthumb.php file(s) on your account. It is highly recommended that you update these files to the latest available version to prevent possible compromise. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.

    As the owner of the account, you are responsible for keeping your hosted content free of malicious software.

    The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.

    After checking out several of my sites it seems they have been compromised. I have searched for the timthumb.php on my sites but I can’t find it. I am told that the Socrates theme that I am using does not even use this script. I am looking for someone that can help me out??
    thanks ford

    • This minor update (11 lines of additional code) allows the latest version, 2.8, to work with both multi-site and single-site installations. It’s a direct replacement for the existing theme’s timthumb.php file.

      How to Use timthumb.php with Multi-Sites

      It can be freely included in the future, official updates (with attribution to the author for the minor … but often requested … update).

  7. Hi. I downloaded tim2 yesterday from
    http://code.google.com/p/timthumb/
    On line 302 there is some base64 code. What is this? Please let me know. Thanks!

    // Excerpt from timthumb.php as quoted above: $imgData is a small GIF, base64-encoded
    // so it can live inside the script; the "\n" escapes are ignored by base64_decode().
    $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
    header('Content-Type: image/gif');
    // strlen() gives the byte count; sizeof() on a string is not a length in PHP
    header('Content-Length: ' . strlen($imgData));
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header("Pragma: no-cache");
    header('Expires: ' . gmdate('D, d M Y H:i:s', time()));
    echo $imgData;
    return false;   // the brace below closes the enclosing method in timthumb.php
    exit(0);
    }

    • The base64 code is an encoded image that is served up if you have enabled the config option in timthumb that prevents hotlinking, and someone hotlinks to your images. It’s part of the app, so don’t worry about it.
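
The check behind that reply, as an added example that is not part of the post or of TimThumb: decode an opaque base64 blob found in a script and see what it actually is before trusting it. The function names (decodeBlob, describeBlob) are my own; the input is the blob quoted in the comment above.

```php
<?php
// Added example, not part of the post or of TimThumb. Inspects a base64 blob found
// in a script and reports whether it decodes to an image, so an opaque string can be
// checked rather than trusted. Function names are my own.

// Decode strictly: whitespace (such as the "\n" in the blob) is tolerated, any other
// character outside the base64 alphabet makes the decode fail.
function decodeBlob(string $b64): ?string {
    $raw = base64_decode(preg_replace('/\s+/', '', $b64), true);
    return $raw === false ? null : $raw;
}

// Returns format and dimensions for GIF and PNG, format only for JPEG, and flags
// decoded data that looks like PHP source instead of an image.
function describeBlob(string $b64): array {
    $raw = decodeBlob($b64);
    if ($raw === null) {
        return ['format' => 'invalid-base64'];
    }
    $len = strlen($raw);
    $info = ['format' => 'unknown', 'bytes' => $len];

    if ($len >= 10 && in_array(substr($raw, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        // Logical Screen Descriptor: width and height are 16-bit little-endian at offset 6
        $d = unpack('vwidth/vheight', substr($raw, 6, 4));
        return ['format' => 'gif', 'width' => $d['width'], 'height' => $d['height'], 'bytes' => $len];
    }
    if ($len >= 24 && substr($raw, 0, 8) === "\x89PNG\r\n\x1a\n" && substr($raw, 12, 4) === 'IHDR') {
        // IHDR chunk: width and height are 32-bit big-endian at offset 16
        $d = unpack('Nwidth/Nheight', substr($raw, 16, 8));
        return ['format' => 'png', 'width' => $d['width'], 'height' => $d['height'], 'bytes' => $len];
    }
    if ($len >= 3 && substr($raw, 0, 3) === "\xFF\xD8\xFF") {
        return ['format' => 'jpeg', 'bytes' => $len];
    }
    // Not an image header. A blob that decodes to PHP source deserves a closer look.
    if (stripos($raw, '<?php') !== false
        || preg_match('/\b(eval|assert|system|passthru|shell_exec)\s*\(/i', $raw)) {
        $info['format'] = 'php-source';
    }
    return $info;
}

// The blob quoted in the comment above (from timthumb.php), with the same "\n"
// escapes PHP expands inside a double-quoted string.
$blob = "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=";
print_r(describeBlob($blob));
```

For the blob above this reports a GIF with an 80 by 12 pixel logical screen, which matches the image/gif Content-Type the surrounding code sends. The same function run over any other base64 string in a theme gives a quick answer to "image or code?" without executing anything.
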

    • Chris the WP core team is considering adding dynamic thumbnailing capability to WP core. I’m chatting to Andrew Nacin and Otto in the core team about this and we’ve bounced some code back and forth.

      The functionality would be very basic. Just resizing and a basic crop without center specified. TimThumb has support for a lot more currently. It also has the ability to take website snapshots.

      I suspect the way forward will be that TimThumb will lead in features and WP will gradually and carefully implement the basic functionality over time.

  8. Thank you for working on this!

    Is there anything that needs to be done in regards to the old cache folder? Is it being reused, but more securely? If so, do we need to keep permissions the same? If not, should we delete it?

  9. I suggest using shell_exec() instead of the backtick operator (for better overview), but also escapeshellcmd(), because the last one’s supposed to be working multi-platform wise (basically anything unix-like) AND should kill a bit more of those nasty chars.

    cu, w0lf.
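
Building the CutyCapt screenshot command with per-argument quoting, as an added example that is neither the commenter's code nor TimThumb's. The function names and the host allowlist are my own; the xvfb-run and CutyCapt options (--server-args, --url, --out) are the ones I know from the CutyCapt README, and the --server-args=VALUE form is assumed to be accepted by xvfb-run. It uses escapeshellarg() per argument rather than escapeshellcmd() over the whole line, since the latter still lets extra arguments through.

```php
<?php
// Added example, not TimThumb's code. Shows how the CutyCapt screenshot command can
// be built without letting request data reach the shell unquoted. Function names
// and the host allowlist are my own; the xvfb-run/CutyCapt options are the ones
// from the CutyCapt README (--server-args, --url, --out).

// Refuse anything that is not an http(s) URL whose host is on the allowlist, so
// the screenshot feature cannot be pointed at arbitrary or internal addresses.
function screenshotUrlAllowed(string $url, array $allowedHosts): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($p['host']), array_map('strtolower', $allowedHosts), true);
}

// Output path derived from a hash of the URL inside a fixed directory, so the
// caller never controls the file name CutyCapt writes to.
function screenshotPath(string $cacheDir, string $url): string {
    return rtrim($cacheDir, '/') . '/' . hash('sha256', $url) . '.png';
}

// Each argument goes through escapeshellarg(), which wraps it in single quotes and
// escapes embedded quotes, so metacharacters in the URL are data, not syntax.
// escapeshellcmd() escapes the whole command line instead and still lets an
// attacker append arguments; per-argument quoting is the safer choice.
function buildScreenshotCommand(string $url, string $cacheDir, array $allowedHosts,
                                int $width = 1024, int $height = 768): ?string {
    if (!screenshotUrlAllowed($url, $allowedHosts)) {
        return null;
    }
    $width = max(1, min($width, 4096));
    $height = max(1, min($height, 4096));
    $args = [
        'xvfb-run',
        '--server-args=-screen 0, ' . $width . 'x' . $height . 'x24',
        'CutyCapt',
        '--url=' . $url,
        '--out=' . screenshotPath($cacheDir, $url),
    ];
    return implode(' ', array_map('escapeshellarg', $args));
}

// shell_exec() rather than backticks: same semantics, but explicit and easy to
// find in a code review. Returns the output path only if the file was produced.
function takeScreenshot(string $url, string $cacheDir, array $allowedHosts): ?string {
    $cmd = buildScreenshotCommand($url, $cacheDir, $allowedHosts);
    if ($cmd === null) {
        return null;
    }
    shell_exec($cmd . ' 2>&1');
    $out = screenshotPath($cacheDir, $url);
    return is_file($out) ? $out : null;
}

// Demonstration with constructed inputs (no CutyCapt needed to see the quoting).
$allowed = ['example.com', 'www.example.com'];
echo buildScreenshotCommand('https://example.com/page', '/tmp/cache', $allowed), "\n";
// A URL carrying shell metacharacters is still one quoted argument...
echo buildScreenshotCommand('https://example.com/?q=$(id)', '/tmp/cache', $allowed), "\n";
// ...and a host outside the allowlist is refused before any command is built.
var_dump(buildScreenshotCommand('http://127.0.0.1/admin', '/tmp/cache', $allowed));
```

The allowlist is the part quoting cannot replace: escapeshellarg() keeps the URL out of the shell's grammar, but only the host check keeps the screenshot feature from fetching addresses the site operator never intended, which is the same concern the allow_external setting addresses for image sources.
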

  10. Thanks for the quick updates & great effort!

    So now, If I need to update the timthumb php file that is already on my site via some theme or extension (ie. a security update), what is the recommended method to do that?
    Do I just download & overwrite the existing copy & hope that the developer will update his copy in his distribution separately (for future updates)?

  11. Thanks to both of you for this speedy and excellent work. Wish list: if there’s some way to perhaps hook into WP’s own update mechanism, that would be great — that way things like these can be updated easily in the future. (I know it’s thorny, since TimThumb is installed by indie themes.)
