WordPress Timthumb.php Vulnerability Scanner Plugin

September 2, 2011 · By · 133 Comments · Posted in Plugin Releases, Security, WordPress

Over the past few weeks, I've been absolutely inundated with requests to clean up hacks that exploited the much-publicized Timthumb.php vulnerability. I have to assume that the reason most people aren't plugging this security hole on their sites is one of two things:

  1. They don’t feel confident in their ability to find the problem
  2. They feel like the process to fix it is too complicated

To combat this, I took a couple of hours this morning to write a plugin that will do the dirty work for you. The WordPress Timthumb Vulnerability Scanner checks your entire wp-content directory (including all themes, plugins, and uploads) for any vulnerable (pre-2.0) instances of the timthumb script, and gives you a one-click option to upgrade each one to the latest, secure version. Note that it identifies the script by its contents rather than its filename, so copies that a theme has renamed (thumb.php, for example) are found as well.

The process is simple:

  1. Download the plugin here:
  2. Install and activate it using either FTP or the built-in WordPress uploader
  3. Go to the "Timthumb Scanner" page under the "Tools" menu
  4. Click the "Scan" button
  5. View your scan results

    In this case, I've got one vulnerable (outdated) file and two that have already been updated and are safe. I want to upgrade that one vulnerable file; to do that, I just hit the "Fix" button next to it.
    You may not have any instances of timthumb on your site, or all of yours may already be upgraded; if so, you're all done!
  6. After hitting "Fix" for my one problem file, I'm shown "No Vulnerabilities Found", which means I'm all set.

Just like that, you’re done. Quick and painless.

Note: If you've already been hacked, this will NOT clean up your site. This plugin fixes your door lock, which doesn't matter if the burglars are already in your house. If the scanner finds a vulnerable copy on a site that has been publicly reachable, treat the site as possibly compromised and look for files you don't recognize before you declare it clean.

Let me know of any problems or questions you have in the comments.

Good luck!

Looking for a solution to scan a whole server, or a site not running on WordPress? By sort-of-popular demand, here it is:
It’s much less polished, and much less tested, so use at your own risk.
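For readers who want to see what such a scan involves, or who need to check a directory that is not the stock wp-content (a renamed content directory, or a non-WordPress site), here is an added example scanner in Python. It is not the plugin's code and not the server script linked above. It assumes two things about TimThumb that are marked in the comments: that the script mentions "timthumb" in its source, and that it declares its version with a PHP define such as `define ('VERSION', '2.8.10');` near the top of the file. It reports only; it does not replace anything. The sample files it scans are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Find outdated TimThumb copies under a directory tree.

Added example, not the plugin's code. Assumptions (marked below): TimThumb
identifies itself with the word "timthumb" in its source and declares its
version as  define ('VERSION', '2.8.10');  near the top of the file.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Assumption: every TimThumb release carries a define('VERSION', '...') line.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""",
    re.IGNORECASE,
)
# Assumption: the script mentions "timthumb" somewhere in its header comment.
# Matching on content rather than filename matters because themes ship the
# script under names such as thumb.php as well as timthumb.php.
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)

# The post treats anything before 2.0 as vulnerable.
MIN_SAFE = (2, 0)
HEAD_BYTES = 64 * 1024  # the version define sits near the top of the file


def parse_version(text):
    """Return the version as an int tuple, e.g. '2.8.10' -> (2, 8, 10), or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def classify(path):
    """Return ('vulnerable'|'ok'|'unknown', version) for a TimThumb file, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(HEAD_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return None
    if not MARKER_RE.search(text):
        return None
    version = parse_version(text)
    if version is None:
        # Looks like timthumb but carries no version line: inspect it by hand.
        return ("unknown", None)
    return ("vulnerable" if version < MIN_SAFE else "ok", version)


def scan(root):
    """Walk root (wp-content, whatever it is named) and list TimThumb files."""
    root = Path(root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath) / name
            result = classify(path)
            if result is not None:
                found.append((path.relative_to(root).as_posix(), result[0], result[1]))
    return sorted(found)


def report(results):
    """Render scan results as a one-line-per-file summary plus a verdict."""
    if not results:
        return "No TimThumb files found."
    lines = []
    for rel, status, version in results:
        ver = ".".join(map(str, version)) if version else "?"
        lines.append(f"{status:<10} {ver:<8} {rel}")
    bad = sum(1 for _, status, _ in results if status == "vulnerable")
    lines.append(f"{bad} vulnerable TimThumb file(s) found." if bad else "No vulnerabilities found.")
    return "\n".join(lines)


# Constructed sample files standing in for a real wp-content tree.
SAMPLES = {
    "themes/oldtheme/timthumb.php": "<?php\n/* TimThumb script created by Tim McDaniels and Darren Hoyt */\n"
                                    "define ('VERSION', '1.34');\n",
    "plugins/gallery/thumb.php": "<?php\n// TimThumb, renamed by the theme author\n"
                                 "define ('VERSION', '2.8.10');\n",
    "plugins/gallery/helper.php": "<?php\necho 'not a thumbnailer';\n",
    "uploads/odd/timthumb.php": "<?php\n// timthumb copy with its version line removed\n",
}


def demo_scan():
    """Write the constructed samples to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)


if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    print(report(results))
```

Run it as `python3 timthumb_scan.py /path/to/wp-content` (the script name and path are placeholders); with no argument it scans the constructed samples. An "unknown" verdict means the file mentions timthumb but has no version line the scanner recognizes, so open it and check by hand rather than assuming it is safe.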

  1. Andreas

    I have a good timthumb script that is just fine (as someone else reported here too), so I ignore the ubiquitous warning that appears here and there: "1 vulnerable Timthumb file found. Fix it here."

    However, suddenly I got this warning today:

    Warning: Cannot modify header information – headers already sent by (output started at /home/example/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php:251) in /home/example/public_html/wp-includes/pluggable.php on line 866

    There are no signs of hacking, so I disabled the plugin and the warning disappeared. There seems to be no problem with the site, but I'm not 100% sure.

    Then I deleted the plugin and reinstalled it again. The warning vanished. What happened?



    If anyone can help, because I haven't found an answer yet!

    Thanks a lot

    • JFC


  3. Hi,

    Thanks for the plugin. Had to fix quite a few problems.


  4. marco

    Many thanks for your work!
    Hope to see you soon in Italy.

  5. Thank you for this helpful plugin. And thank you for your service.
    Unfortunately, your plugin found some vulnerabilities. :)
    Kind regards,

  6. much appreciated. Only a couple of hours to build? nice!

    It would be really good to have a general "secure my website" plugin that scanned for a bunch of outdated stuff :oP

    Really this should be part of WP update

  7. Many thanks from Germany, your Plugin works great!! ;-)

  8. Hi, really helpful article and plugin. I was just confused about why none of my images appeared; when I asked the server host, they told me they had turned off the cache/upload directory because somebody was trying to hack my site via Timthumb.php.

    Now this plugin is helpful for monitoring the Timthumb.php file.

    Thanks a lot for this useful article and plugin.

  9. I am using the “Better Word Press Security” Plug-in, as a step in securing the site the “wp-content” directory is changed to something other than the default. (i.e. from “wp-content” to “hackers-blow”)

    Does the scanner look in the directory that the name has been changed to?

    If not is it possible to direct your plug-in to a non default content directory?
