Before you do anything else, you need to determine whether or not your WordPress website uses the affected script. Not every WordPress site has this vulnerability. The TimThumb.php script is mostly used in more advanced WordPress themes that have features related to dynamically resizing images. The script itself is freely available and can be used by anyone on any website thanks to its GPL 2.0 licensing.
How can you tell if your site uses it?
- Look for a file in your WordPress theme's folder called timthumb.php. If it's there, you need to fix it.
- All WooThemes utilize the script, although as I pointed out in the video clip they have renamed the file itself to "thumb.php." WooThemes has created a fix for the issue by moving the thumb.php into their "framework" and allowing you to update the framework to the latest version. Be warned, however, that using this "easy fix" may also break other functions on your site, depending upon what has changed in the Woo framework since your website was built and launched.
How to replace timthumb.php in your WordPress Theme
The easiest, safest and fastest way to eliminate this vulnerability to your website without risking breaking other functions is to follow these basic steps:
- Download the latest version of TimThumb from its Google Project site.
- Connect to your web server via FTP . I use the free Filezilla client , but any FTP software will do the trick. You will need to obtain the FTP hostname, username and password from your web hosting provider if you do not already have it handy. You can usually find it by logging into your web hosting control panel. Contact your hosting provider if you get stuck on this.
- Navigate to the affected file . Locate your WordPress installation on your website, then look inside the wp-content folder. From there, go to the themes folder, then locate the name of the folder for the theme you are currently using. It's a good idea to go ahead and fix any unused themes you have uploaded as well. If you are using a theme from WooThemes, the file is called thumb.php.
- Delete the file . I actually tend to rename things rather than deleting them. This is a good idea if you're not sure that you have the right file, since you can always rename it back to the correct file name if you need to put it back.
- Upload the new version . Keep in mind that the actual name of the file needs to match the name of the one you deleted. In most cases, the file will just be called timthumb.php and will be fine when you upload it. If you have a WooTheme, make sure to rename it to thumb.php.
- Test . Usually, just refreshing whatever page on your site uses the script will tell you if it's working. For Woo Themes that use sliders on the home page, just refresh the home page. Every theme will be different, however, so click around and make sure you refresh as you do so you can be sure everything went according to plan.
Source by David G. Johnson