timthumb.php is a thumbnail script that crops images and generates thumbnails on the fly. It is used mainly by magazine-style WordPress themes, and many foreign themes rely on it because it is so convenient. Recently, however, a serious vulnerability was disclosed in TimThumb. The script's external-image feature fetches a remote file when the URL's host matches an entry in its list of allowed sites, but that match was a substring check, so an attacker-controlled host name that merely contains an allowed domain (for example blogger.com.attacker.example) passed, and the fetched file was written into the web-accessible cache directory. An attacker can use this to plant arbitrary malicious code (a PHP web shell) on the site; the author of the original report found his own site compromised this way.
The original report is Mark Maunder's post "Zero Day Vulnerability in many WordPress Themes".
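To make the flaw concrete, here is an added example (my own code, not TimThumb's and not from the report above) that puts a substring-style allow-list check, modelled on the 1.x logic, beside a hardened one. The allowed-sites list is the default I remember 1.x shipping with (an assumption; the point holds for any list), and the sample URLs are constructed for the demonstration.

```php
<?php
// Added example, not TimThumb's own code: the allow-list check that made the
// external-image feature exploitable, beside a hardened version.
// $allowedSites mirrors the 1.x default list (assumption); the sample URLs are constructed.

$allowedSites = ['flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com'];

// Vulnerable: an allowed domain only has to appear somewhere in the host name.
function isAllowedSiteVulnerable(string $src, array $allowedSites): bool
{
    $host = (string) parse_url($src, PHP_URL_HOST);
    foreach ($allowedSites as $site) {
        if (stripos($host, $site) !== false) {
            return true;   // "blogger.com.attacker.example" and "evilflickr.com" both pass
        }
    }
    return false;
}

// Hardened: only http(s), a well-formed host, and an exact or dot-suffix match
// against the list, so the registrable domain really is an allowed one.
function isAllowedSiteHardened(string $src, array $allowedSites): bool
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed test URLs: one legitimate, three that abuse the substring check.
$samples = [
    'http://img.youtube.com/vi/abc123/0.jpg',         // legitimate
    'http://blogger.com.attacker.example/shell.php',  // allowed domain as a prefix of a hostile host
    'http://evilflickr.com/x.jpg',                    // allowed domain embedded in another name
    'ftp://wordpress.com/x.png',                      // host is fine, scheme is not
];
foreach ($samples as $src) {
    printf("%-48s vulnerable=%-5s hardened=%s\n", $src,
        var_export(isAllowedSiteVulnerable($src, $allowedSites), true),
        var_export(isAllowedSiteHardened($src, $allowedSites), true));
}
```

Run it with `php allowlist-demo.php`: the first URL is accepted by both checks, the other three only by the vulnerable one. A correct host check is necessary but not sufficient on its own: the fetched bytes still have to be validated as an image and stored under a name the requester cannot influence and never with a .php extension, otherwise an allowed site that hosts user uploads becomes the next bypass.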
How do I know whether my theme uses timthumb.php? Open the theme directory and look for a file named timthumb.php or thumb.php together with an image cache folder, usually named cache. If they are there, the theme loads the script and may be exposed. While you are there, check that the cache folder holds nothing but image files: a .php file, or a file with no extension that is not an image, is a sign that someone has already used the flaw, because the exploit drops the fetched file exactly there.
A reader asked whether the HotNews Pro theme uses timthumb.php. HotNews Pro used the script to generate thumbnails before version 2.3; versions 2.4, 2.5 and 2.6 do not use it and instead rely on WordPress's own featured-image function to generate thumbnails for locally uploaded images. Versions before 2.3 do not run on WordPress 3.1 or later, so HotNews Pro users need not worry about this vulnerability (if you are on 2.3 itself, run the directory check above to be sure).
If your theme does use timthumb.php, don't panic. The copy bundled with many themes is a trimmed-down one with the external-image feature removed, and without that feature this vulnerability does not apply. Check rather than assume: open the file and confirm that ALLOW_EXTERNAL is defined as false, or that the allowed-sites list and the external-fetch code are gone. You can also download the patched timthumb.php 1.33 release and replace the copy in your theme with it, which is the safer option either way.
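A quick way to run the checks from the last few paragraphs across every installed theme at once, as an added example (my script, not from this post or the TimThumb project): it walks a wp-content/themes directory, reports every timthumb.php or thumb.php it finds with its VERSION and ALLOW_EXTERNAL settings, and flags files in any cache folder that are not actually images. The directory is passed as an argument; the constant and variable names (VERSION, ALLOW_EXTERNAL, $allowedSites or $ALLOWED_SITES) are the ones the TimThumb releases I know of use, so adjust the patterns if your copy differs.

```php
<?php
// Added example (not from the original post or the TimThumb project).
// Usage: php timthumb-audit.php /var/www/html/wp-content/themes
// Assumptions: script names, the VERSION / ALLOW_EXTERNAL constants and the
// allowed-sites variable name follow the TimThumb releases I know of.

$root = $argv[1] ?? 'wp-content/themes';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$findings = 0;

foreach ($iterator as $file) {
    if (!$file->isFile()) {
        continue;
    }
    $path = $file->getPathname();
    $name = strtolower($file->getFilename());

    // 1. Any copy of the script: report its version and external-fetch setting.
    if ($name === 'timthumb.php' || $name === 'thumb.php') {
        $findings++;
        $code     = (string) file_get_contents($path);
        $version  = preg_match("/define\s*\(\s*'VERSION'\s*,\s*'([^']+)'/i", $code, $m) ? $m[1] : 'unknown';
        $external = preg_match("/define\s*\(\s*'ALLOW_EXTERNAL'\s*,\s*(true|false)/i", $code, $m)
            ? strtolower($m[1]) : 'not set';
        $siteList = preg_match('/\$allowed_?sites\b/i', $code) ? 'present' : 'absent';
        printf("[script] %s\n         version=%s allow_external=%s allowed-sites list=%s\n",
            $path, $version, $external, $siteList);
        continue;
    }

    // 2. Anything in a cache directory that is not a real image deserves a look:
    //    the exploit drops the fetched file exactly there. Deliberate placeholders are skipped.
    if (strtolower(basename($file->getPath())) === 'cache'
        && !in_array($name, ['index.html', '.htaccess'], true)) {
        $isImage = @getimagesize($path) !== false;
        $head    = (string) file_get_contents($path, false, null, 0, 65536);
        $hasPhp  = strpos($head, '<?') !== false;
        if (!$isImage || $hasPhp) {
            $findings++;
            printf("[cache]  suspicious file: %s (%d bytes, image=%s, php-tag=%s)\n",
                $path, $file->getSize(), $isImage ? 'yes' : 'no', $hasPhp ? 'yes' : 'no');
        }
    }
}

printf("%d finding(s) under %s\n", $findings, $root);
exit($findings > 0 ? 1 : 0);
```

Every reported script copy is worth a look even when it says allow_external=false, because an old version may still have other problems; every flagged cache file should be inspected before it is deleted, since it is your only evidence of what was dropped and when.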
PS: Even though TimThumb has had a serious vulnerability exposed, I will use this script again in my next theme to generate thumbnails, because WordPress's built-in featured image function feels like a chicken rib (of little real use, yet a pity to throw away). Here is a comparison of the two:
| | TimThumb script | WordPress featured image function |
|---|---|---|
| External (hotlinked) images supported | Yes, though apparently only from specific sites | No |
| Compression | Yes, and the compression ratio can be set | Yes, but the compression ratio cannot be set |
| Thumbnails stored separately | Yes | No, they sit with the other attachment images |
| Thumbnails can be cleared | Yes; they are regenerated automatically, so none are lost | No; once deleted they are not regenerated |
| Convenience | Site backups are easy to manage; thumbnails need not be backed up | Thumbnails must be backed up with the site, cluttering the attachment directory |
On this comparison, timthumb.php beats WordPress's featured image function in both usability and features. The one caveat is that the external-image fetching in the first row is exactly the feature that was exploited, so leave ALLOW_EXTERNAL off unless you genuinely need it, and keep the script at a patched version.