We have been following the updates on the security vulnerability of TimThumb – an image resizing script used by many themes. To ensure all of our client sites are protected, we highly recommend doing one of the following:
Method 1: Update Theme
Download the latest version of the theme using the same download link sent to you upon purchase. All of our latest themes have a secure version of the script.
Method 2: Replace timthumb script via FTP
Delete your current timthumb.php file and replace it with the latest version of timthumb in your theme folder via FTP. Upon doing so, we also recommend this additional change:
Edit the $allowedSites variable and remove all sites referenced – it should look like this after the edit:
// external domains that are allowed to be displayed on your website
$allowedSites = array();
Method 3: Update timthumb via WP Editor
Follow these steps to update your existing timthumb file:
- Login to your WP site. Go to Appearance => Editor.
- Open timthumb.php and delete all of its contents.
- Paste in the contents of the latest version of timthumb, then apply the additional change recommended in Method 2 above.
- Click Update File (save).
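As an added example (not code from this post or from the theme vendor), a small Python audit that finds every timthumb.php under a themes directory, reads the declared version and allow-list, and flags copies older than 2.8.3 or still listing external domains. It assumes the version is declared as define ('VERSION', ...) and the list as $allowedSites or $ALLOWED_SITES; the sample file contents are constructed.

```python
import re
from pathlib import Path

# Assumption (not stated in the post): timthumb.php declares its version with
# define ('VERSION', 'x.y.z'); and its allow-list as $allowedSites (older
# releases) or $ALLOWED_SITES (2.x releases) assigned an array(...).
SECURE_VERSION = (2, 8, 3)  # the release the post calls secure
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
SITES_RE = re.compile(r"\$(?:allowedSites|ALLOWED_SITES)\s*=\s*array\s*\((.*?)\)\s*;", re.S)

def parse_version(src: str):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(src)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def parse_allowed_sites(src: str):
    """Return the quoted domains in the allow-list, or None if no list was found."""
    m = SITES_RE.search(src)
    return re.findall(r"['\"]([^'\"]+)['\"]", m.group(1)) if m else None

def audit_timthumb(src: str) -> dict:
    """Flag copies older than 2.8.3 and copies that still allow external domains."""
    version, sites = parse_version(src), parse_allowed_sites(src)
    findings = []
    if version is None or version < SECURE_VERSION:
        findings.append("outdated")
    if sites:
        findings.append("allow-list not empty")
    return {"version": version, "allowed_sites": sites, "findings": findings}

def scan_themes(root: str) -> dict:
    """Audit every timthumb.php below root (e.g. wp-content/themes)."""
    return {str(p): audit_timthumb(p.read_text(errors="replace"))
            for p in Path(root).rglob("timthumb.php")}

# Constructed samples standing in for real theme files (not real timthumb sources).
OLD_TIMTHUMB = "<?php\ndefine ('VERSION', '1.32');\n$allowedSites = array ('flickr.com', 'picasa.com');\n"
NEW_TIMTHUMB = "<?php\ndefine ('VERSION', '2.8.3');\n$ALLOWED_SITES = array (\n\t'flickr.com',\n\t'img.youtube.com',\n);\n"
HARDENED = "<?php\ndefine ('VERSION', '2.8.3');\n$ALLOWED_SITES = array();\n"

if __name__ == "__main__":
    for name, src in [("old", OLD_TIMTHUMB), ("2.8.3", NEW_TIMTHUMB), ("hardened", HARDENED)]:
        print(name, audit_timthumb(src))
```

Run scan_themes("wp-content/themes") on a real install to list every copy, since each theme ships its own timthumb.php and one outdated copy is enough.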
If you have any questions, please let us know on the support forums and we’ll get you sorted.
Thank you for alerting us to the threat and solution.
At your recommendation, I downloaded the most current versions of the themes I use, and I will update the servers with the newest version.
Thanks again.
Where do I find the "$allowedsites" variable?
Sven, open timthumb.php with a text editor, press CTRL + F and look for
$ALLOWED_SITES = array (
Is it possible to replace timthumb, or not use it at all?
I had problems with timthumb before….
Yes, our themes have a default WordPress thumbnails support option built in. All you need to do is click the Disable TimThumb check box within the theme control panel.
I updated to 2.8.3 version of timthumb.php and I find this string:
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
);
Must I delete all of those referenced sites??? Thanks…
2.8.3 is a secure version of timthumb. You don’t have to edit that file.
Thanks, it has helped me a lot…
Yes, that did it! I have spent almost 2 hours trying to find a solution for this timthumb issue!
Thank you!