[[LINK href="http://codewi.se/2010/05/13/chris-clarke-helps-codewise-running/"]]Chris Clarke[[/LINK]] wrote to tell me that one of my blogs had been hacked. He thought the hack had come through the Tim Thumb vulnerability. He suggested disabling TimThumb.
I am curious, what breaks if I disable TimThumb?
Sébastien | French WordpressDesigner answers:
You don't need to desable timthumb
Just open this file AND replace this code
$allowedSites = array (
By this code
$allowedSites = array();
If this code doesn't exist in your file you have an olé version of timthumb AND there is nô problem with this version
You CAN change too true by false like that :
define( 'ALLOW_EXTERNAL', false );
Navjot Singh answers:
If your current theme is using TimThumb then your images will stop loading if you disable Timthumb without making appropriate code changes. Best way is to upgrade your version of Timthumb by replacing your copy with latest one from [[LINK href="http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php"]]Google Code[[/LINK]].
Latest version of Timthumb is secure enough.
Timthumb helps create thumbnails of images you upload.
To fix the vulnerability in Timthumb that may have lead to your site getting hacked, install and run the TimThumb Vulnerability Scanner plugin - it automagically patches any timthumb.php files.
Maor Barazany answers:
TimThumb's old version had a lot of security big holes. It has been completely re-written, and you may download [[LINK href="http://timthumb.googlecode.com/svn/trunk/timthumb.php"]]the latest version here[[/LINK]] and use it after fixing your site.
It should continue working as it was. You may want to edit some of the configuration variables.
If your blog was hacked, it is also better to delete WordPress and reinstall a fresh one (except of the wp-content folder, which should of course stay as it is).
You may also want to check your site with the the [[LINK href="http://wordpress.org/extend/plugins/exploit-scanner/"]]Exploit Scanner[[/LINK]] plugin
Maor Barazany comments:
Highly recommended also to update WP to latest version.
Luis Cordova answers:
if there is an option to disable of course not.
If you are disabling it through code or other function then check if there is a fallback.
If there is no fallback and your functions are not wrapped with if_exists type of statements then it will definitely give warnings or errors. If you wrap them then it will not give errors of course.
Now the feature for thumbnails will be gone so some images will just not appear.
Hardeep Singh answers:
Sébastien | French WordpressDesigner
+1 - Right solution
Link below with fix & list of plugins having TimThumb
Do keep th WP upgraded to latest version too.