WordThumb is now TimThumb 2.0

News [April 24th, 2012]: I've launched Wordfence to permanently fix your WordPress site's security issues.

On the suggestion of Matt Mullenweg (WordPress founder), Ben Gillbanks (TimThumb author) and I have been working for the last day to merge my work on WordThumb into TimThumb 2.0.

That work is now complete and TimThumb 2.0 is now available for download from the TimThumb site.

I'll be working with Ben going forward to keep TimThumb the easiest to use, fastest, most popular and most secure thumbnail script on the Web.

Here are a few enhancements in TimThumb 2.0:

  • Includes the ability to take website screenshots if you have Xvfb and CutyCapt installed (instructions for setting this up are included).
  • All filters and resizing can be applied to website screenshots.
  • The cache directory has been hardened, but it stays web-accessible so the script keeps working across hosting platforms.
  • TimThumb creates index files in the cache directory to prevent directory listings.
  • Cache filenames are derived from data an attacker cannot read from outside the server, making it very hard to guess a cached file's name and fetch it directly.
  • Cache files carry a .txt extension, so a normally configured web server serves them as plain files instead of handing them to the PHP interpreter.
  • Every cache file begins with a fixed-length record which, should a misconfigured server ever execute the file as PHP, runs first and exits immediately, before any of the image data is reached.
  • Files are locked while they are written to the cache, so concurrent requests cannot produce interleaved or truncated files.
  • The entire code base has been rewritten and refactored for better scalability and maintainability.
  • Lots of other improvements.
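As an added example (this is not TimThumb's own code; the directory, the salt source and all function names are assumptions made for illustration), here is a minimal PHP cache writer and reader that applies the points above together: an unguessable filename, a .txt suffix, the fixed-length PHP prefix that exits if executed, index files against directory listing, and locking on write.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not TimThumb's own code: a minimal cache writer and reader
 * that applies the hardening points listed above. The directory, the salt
 * source and all function names are assumptions made for illustration.
 */

// Fixed-length record written at the start of every cache file. If a server
// is ever misconfigured to run .txt files as PHP, die() is the first statement
// executed, so the image bytes after it are never reached. The trailing
// comment marker swallows whatever follows on the first line.
const CACHE_SECURITY_HEADER = '<?php die("Execution denied!"); // ';

// An extension the web server hands to the client as-is, not to PHP.
const CACHE_SUFFIX = '.txt';

/**
 * Cache path derived from a per-installation secret plus the request.
 * The salt mixes in the script's own path and mtime, which an outside
 * attacker cannot read, so the filename cannot be predicted from the
 * request alone. (Assumption: one salt per installation is sufficient.)
 */
function cachePath(string $cacheDir, string $src): string
{
    $salt = hash('sha256', __FILE__ . (string) filemtime(__FILE__));
    return $cacheDir . '/' . hash('sha256', $salt . strtolower($src)) . CACHE_SUFFIX;
}

/** Create the cache directory and drop index files so it cannot be listed. */
function protectCacheDir(string $cacheDir): void
{
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0755, true)) {
        throw new RuntimeException("cannot create $cacheDir");
    }
    $indexes = ['index.html' => '', 'index.php' => '<?php die(); ?>'];
    foreach ($indexes as $name => $body) {
        $path = $cacheDir . '/' . $name;
        if (!file_exists($path)) {
            file_put_contents($path, $body, LOCK_EX);
        }
    }
}

/** Write header + image under an exclusive lock so concurrent writers never interleave. */
function writeCache(string $path, string $imageData): bool
{
    $fh = fopen($path, 'c');          // create if missing; keep contents until we hold the lock
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    ftruncate($fh, 0);                // only now discard any previous version
    rewind($fh);
    $payload = CACHE_SECURITY_HEADER . $imageData;
    $ok = fwrite($fh, $payload) === strlen($payload);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

/** Read a cache file back; null on a miss or when the security header is absent. */
function readCache(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    flock($fh, LOCK_SH);              // wait for any in-progress write to finish
    $header = fread($fh, strlen(CACHE_SECURITY_HEADER));
    $data = ($header === CACHE_SECURITY_HEADER) ? stream_get_contents($fh) : false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $data === false ? null : $data;
}

// Usage with constructed input: a 1x1 transparent GIF stands in for a resized image.
$cacheDir = sys_get_temp_dir() . '/timthumb-cache-example';
protectCacheDir($cacheDir);
$gif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$path = cachePath($cacheDir, 'http://example.com/images/photo.jpg');
writeCache($path, $gif);
var_dump(readCache($path) === $gif);   // compare the round trip
```

Two things a deployment should check: the .txt suffix only helps if the server's handler mapping really sends .txt to the client untouched (an AddHandler line or a catch-all PHP handler in .htaccess defeats it), and the fixed prefix is the fallback for exactly that misconfiguration, which is why readCache() refuses to serve a file that does not start with it.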
So give it a whirl and if you have any suggestions or find any bugs, please file them on the TimThumb issues page. Thanks.

41 thoughts on "WordThumb is now TimThumb 2.0"

  10. I was told to set allow_external=true in my php.ini file. I do not see that command anywhere within my php.ini file. With out this my images are unable to display correctly on my slider. Please Advise.

  11. It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….

  12. Hey Guys, I recently got an email from my hosting company stating:

    This is a courtesy notice that we have found exploitable timthumb.php file(s) on your account. It is highly recommended that you update these files to the latest available version to prevent possible compromise. This is best done by updating all scripts, plugins, modules and themes on your account to the latest version.

    As the owner of the account, you are responsible for keeping your hosted content free of malicious software.

    The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.

    After checking out several of my sites it seems they have been compromised. I have searched for timthumb.php on my sites but I can't find it. I am told that the Socrates theme that I am using does not even use this script. I am looking for someone that can help me out?
    Thanks, Ford

    • This minor update (11 lines of additional code) allows the latest version, 2.8, to work with both multi-site and single-site installations. It’s a direct replacement for the existing theme’s timthumb.php file.

      How to Use timthumb.php with Multi-Sites

      It can be freely included in the future, official updates (with attribution to the author for the minor … but often requested … update).

  13. Hi. I downloaded tim2 yesterday from
    On line 302 there is some base64 code. What is this? Please let me know. Thanks!

    // Embedded GIF served in place of the requested image when hotlink
    // protection is on; "\n" inside double quotes is just whitespace to base64_decode().
    $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
    header('Content-Type: image/gif');
    // strlen() gives the byte count; sizeof() is count() and does not work on a string.
    header('Content-Length: ' . strlen($imgData));
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header("Pragma: no-cache");
    header('Expires: ' . gmdate('D, d M Y H:i:s', time()));
    echo $imgData;
    return false;

    • The base64 code is an encoded image that is served up if you have enabled the config option in TimThumb that prevents hotlinking, and someone hotlinks to your images. It's part of the app, so don't worry about it.

    • Chris, the WP core team is considering adding dynamic thumbnailing capability to WP core. I'm chatting to Andrew Nacin and Otto in the core team about this and we've bounced some code back and forth.

      The functionality would be very basic. Just resizing and a basic crop without center specified. TimThumb has support for a lot more currently. It also has the ability to take website snapshots.

      I suspect the way forward will be that TimThumb will lead in features and WP will gradually and carefully implement the basic functionality over time.

  14. Thank you for working on this!

    Is there anything that needs to be done in regards to the old cache folder? Is it being reused, but more securely? If so, do we need to keep permissions the same? If not, should we delete it?

  15. I suggest using shell_exec() instead of the backtick operator (for a better overview), but also escapeshellcmd(), because the latter is supposed to work multi-platform (basically anything Unix-like) AND should kill a bit more of those nasty chars.

    cu, w0lf.
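Following on from the screenshot feature in the post and the shell-escaping suggestion above, an added example (not TimThumb's code) of constructing the CutyCapt command line so that request data cannot inject commands. It validates the URL first and then quotes every argument separately with escapeshellarg(). --url and --out are CutyCapt's documented options; the xvfb-run and timeout invocations, the binary names and the validation rules are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not TimThumb's code: invoking CutyCapt under Xvfb for the
 * screenshot feature so that nothing from the request can alter the command
 * line. --url and --out are CutyCapt's documented options; the binary names,
 * the use of timeout(1) and the validation rules are assumptions.
 */

/** Accept only absolute http(s) URLs with a host and no control characters. */
function validateScreenshotUrl(string $url): ?string
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return null;                       // whitespace or control bytes: reject
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // no file://, ftp:// or custom schemes
    }
    return $url;
}

/**
 * Build the command as an argument list and quote each element separately.
 * escapeshellarg() wraps the value in single quotes (double quotes on Windows)
 * and neutralises embedded quotes, so ; | & $(...) and backticks inside the URL
 * reach CutyCapt as literal text rather than being parsed by the shell.
 */
function buildScreenshotCommand(string $url, string $outFile, int $timeoutSec = 20): string
{
    $argv = [
        'xvfb-run', '-a',                  // private X display; -a picks a free number
        'CutyCapt',
        '--url=' . $url,
        '--out=' . $outFile,
    ];
    $quoted = array_map('escapeshellarg', $argv);
    return 'timeout ' . $timeoutSec . ' ' . implode(' ', $quoted);
}

/** Validate, run, and return the PNG path, or null on any failure. */
function takeScreenshot(string $requestedUrl, string $cacheDir): ?string
{
    $url = validateScreenshotUrl($requestedUrl);
    if ($url === null) {
        return null;
    }
    $outFile = $cacheDir . '/' . hash('sha256', $url) . '.png';
    $output  = [];
    $status  = 1;
    exec(buildScreenshotCommand($url, $outFile) . ' 2>&1', $output, $status);
    return ($status === 0 && is_file($outFile)) ? $outFile : null;
}

// Constructed hostile input: interpolated unquoted, the shell would run "id"
// twice as separate commands. Quoted, the whole URL is one argument to CutyCapt.
$hostile = 'http://example.com/?q=$(id);id';
$url = validateScreenshotUrl($hostile);
if ($url !== null) {
    echo buildScreenshotCommand($url, '/tmp/shot.png'), "\n";
}
```

The reason to prefer escapeshellarg() here over escapeshellcmd(): escapeshellcmd() escapes metacharacters across a whole command string but leaves spaces alone, so an attacker can still append extra arguments (for instance a second --out= pointing at a path under the web root), whereas escapeshellarg() makes each value exactly one argument. Because it picks the quoting style for the platform PHP is running on, it also covers the multi-platform concern.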

  16. Thanks for the quick updates & great effort!

    So now, if I need to update the timthumb.php file that is already on my site via some theme or extension (i.e. a security update), what is the recommended method to do that?
    Do I just download and overwrite the existing copy and hope that the developer will update his copy in his distribution separately (for future updates)?

  17. Thanks to both of you for this speedy and excellent work. Wish list: if there’s some way to perhaps hook into WP’s own update mechanism, that would be great — that way things like these can be updated easily in the future. (I know it’s thorny, since TimThumb is installed by indie themes.)
