First things first: Yes, you can just replace your old timthumb.php file with the new version of timthumb, found here. If that’s all you were after, move along – if you want a little more explanation, read on:
With all of the hubbub around the recent timthumb vulnerability, lots of people are looking for some easy instructions on how to get it taken care of. You should be, because I’ve cleaned up more hacks in the past 2 weeks related to this vulnerability than I have in the last 2 months – people ARE getting hacked due to this.
Unfortunately, if you’re not totally comfortable with code, upgrading this file can be a little scary. Good news, I’m here to help.
This one isn’t too hard – the easiest way to figure this out is to use a scanner of some sort to search your server for the timthumb script. I’ve written a timthumb scanner that runs as a WordPress Plugin – you can find that here.
If you’re not comfortable with that process, you might be able to just give your blog a once-over and figure it out yourself. Are you showing thumbnails on the homepage? If so, you might be using timthumb. Right click one of the thumbnails, and click “open image in new tab” (or the equivalent – that’s what it says in Chrome on a Mac).
In the new tab that opens, check out the URL bar – does it say timthumb.php anywhere in the URL (check the text right before the question mark, if there is one)? Note – this might also just say “thumb.php”.
Fortunately, this one is pretty easy. Open up the file in the wordpress theme editor, or using FTP (it’s probably in your theme directory, called timthumb.php or thumb.php – the previous step should tell you that). Look for this code, near the top:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
'flickr.com',
'picasa.com',
'blogger.com',
'wordpress.com',
'img.youtube.com',
'upload.wikimedia.org',
);
// STOP MODIFYING HERE!
// --------------------
To clarify (or make things more confusing): If you see this:
// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
$ALLOWED_SITES = array (
'flickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
'imgur.com',
'imageshack.us',
'tinypic.com'
);
}
// -------------------------------------------------------------
// -------------- STOP EDITING CONFIGURATION HERE --------------
// -------------------------------------------------------------
You’re ok. $allowedSites = Bad, $ALLOWED_SITES = Good. For another way to check, if you look up near the top of the file and see this:
define ('VERSION', '2.8'); // Version of this script
You’re good. Version 2.0 and greater are safe to use.
If it doesn’t look like you’re using the right version, it’s time to clean it up!
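If you have shell access and would rather check every theme and plugin at once, here is an added Python script (not the scanner plugin mentioned above, and not part of the original post) that walks a wp-content directory, picks out files that look like timthumb, and applies the same two checks described above: the VERSION define, and $allowedSites (bad) versus $ALLOWED_SITES (good). The directory you pass to scan_wp_content and the two sample headers are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Markers the post tells you to look for in timthumb.php / thumb.php.
VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'(\d+(?:\.\d+)*)'\s*\)")
OLD_CONFIG_RE = re.compile(r"\$allowedSites\s*=")   # pre-2.0 config variable: bad
NEW_CONFIG_RE = re.compile(r"\$ALLOWED_SITES\s*=")  # 2.x config variable: good

def version_tuple(version):
    """'2.8' -> (2, 8) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def assess_timthumb(source):
    """Classify one copy of the script by the post's rules: VERSION 2.0 or
    greater is safe; with no VERSION line, fall back to the config variable."""
    match = VERSION_RE.search(source)
    version = match.group(1) if match else None
    old_config = bool(OLD_CONFIG_RE.search(source))
    new_config = bool(NEW_CONFIG_RE.search(source))
    if version is not None:
        safe = version_tuple(version) >= (2, 0)
    else:
        safe = new_config and not old_config
    return {"version": version, "old_config": old_config, "safe": safe}

def scan_wp_content(root):
    """Return {path: assessment} for every PHP file under root that looks like
    timthumb: named timthumb.php/thumb.php, or mentioning timthumb in its body
    (themes sometimes rename the file, so the name alone is not enough)."""
    results = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="ignore")
        if path.name.lower() in ("timthumb.php", "thumb.php") or "timthumb" in text.lower():
            results[str(path)] = assess_timthumb(text)
    return results

# Constructed samples modelled on the two header excerpts quoted in the post.
OLD_SAMPLE = """<?php
// external domains that are allowed to be displayed on your website
$allowedSites = array ('flickr.com', 'picasa.com');
// STOP MODIFYING HERE!
"""
NEW_SAMPLE = """<?php
define ('VERSION', '2.8'); // Version of this script
if(! isset($ALLOWED_SITES)){ $ALLOWED_SITES = array ('flickr.com'); }
"""

if __name__ == "__main__":
    for name, sample in (("old", OLD_SAMPLE), ("new", NEW_SAMPLE)):
        print(name, assess_timthumb(sample))
```

Run it as `scan_wp_content("/path/to/wp-content")` on the server; any entry with `"safe": False` is a file to replace with the new version.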
400 words later, we finally get back to the question posed in the title. Can I just replace the old, vulnerable code with new, safe code, and have everything still work? Yes, you can.
From the previous step, you’ve got the file open in your WordPress theme editor. All you need to do is replace the entire contents of the file with the code found here:
http://timthumb.googlecode.com/svn/trunk/timthumb.php
Save the file, and you’re done! Your thumbnails still work, and you can sleep a little easier at night.
Plug Time: I do this service for subscribers to my WordPress backup and security monitoring service – so if you’re not sure you want to take it on yourself, have a look here. If you just have a question, or need some guidance, I’m happy to give that away for free. Get in touch with me at peter@codegarage.com. Good luck!
Here’s a problem I run into every few months with a customer: Their site is suddenly showing strange characters (strange question marks, accented characters, general gibberish) in place of quotation marks, dashes, etc. Oftentimes this happens after a move, but it could also be the result of a few other things.
The problem is generally a result of pasting straight from Microsoft Word (or similar) into WordPress. Word generates lots of evil characters that WordPress and web servers don’t deal with properly. As a result, you end up with gibberish. And frustration.
The best solution is to stop pasting formatted text from Word into WordPress. That is, however, not useful if you’re already dealing with the problem. You could manually replace the problem characters, but that takes FOREVER, and writing a script to get into the database and do it for you is a chore I haven’t been confident enough to take on, because of the relative obscurity of the problem (and how difficult it is to find every problem instance). So, I generally take the easy way out, which is this:
Yep. Just trick WordPress and web browsers into treating the content as Microsoft’s character set, brush your hands off, and be on your way. Here’s how:

There you go: Band-Aid applied. Again, this isn’t an ideal solution; it’s more like the “quick, dirty, I’m-tired-of-dealing-with-it” solution.
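To make the band-aid concrete, here is an added Python example (not from the original post) that reproduces both ways Word’s characters end up as gibberish, shows what declaring Microsoft’s character set does to each, and performs the permanent character-level repair the post describes as a chore to script. The sample sentence is constructed for illustration.

```python
def as_browser_sees(raw, declared_charset):
    """What a browser renders when the page declares declared_charset for
    these bytes; undecodable bytes become the U+FFFD 'question mark'."""
    return raw.decode(declared_charset, errors="replace")

def repair_word_text(raw):
    """Return proper Unicode for a value that went wrong in one of two ways.

    Case 1: bytes are cp1252 (Word's charset) but the site declares UTF-8, so
            0x92-style bytes are invalid and render as question marks.
    Case 2: UTF-8 bytes were decoded as cp1252 somewhere along the way, so an
            apostrophe shows up as 'â€™'; reversing that round trip fixes it.
    Anything that is neither is returned unchanged.
    """
    if isinstance(raw, bytes):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return raw.decode("cp1252", errors="replace")   # case 1
    else:
        text = raw
    try:
        return text.encode("cp1252").decode("utf-8")          # case 2
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text   # genuine text (e.g. 'café') fails the round trip

# Constructed sample: a sentence pasted from Word, with its curly apostrophe
# (U+2019) and en dash (U+2013), in the two broken states described above.
CLEAN = "It\u2019s here \u2013 finally"
STORED_AS_CP1252 = CLEAN.encode("cp1252")                # b'It\x92s here \x96 finally'
DOUBLE_ENCODED = CLEAN.encode("utf-8").decode("cp1252")  # 'Itâ€™s here â€“ finally'

if __name__ == "__main__":
    print(as_browser_sees(STORED_AS_CP1252, "utf-8"))       # question marks: the symptom
    print(as_browser_sees(STORED_AS_CP1252, "cp1252"))      # the band-aid: looks right
    print(as_browser_sees(CLEAN.encode("utf-8"), "cp1252")) # band-aid breaks real UTF-8
    print(repair_word_text(STORED_AS_CP1252), repair_word_text(DOUBLE_ENCODED))
```

as_browser_sees shows the trade-off behind the band-aid: declaring Microsoft’s charset fixes content that was stored as cp1252 bytes, but any genuine UTF-8 content on the same page then turns into â€™-style gibberish.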
I finally took the plunge and redirected apartmentonesix.com here to yourcodegarage.com/blog. This is where I’ll be doing all of my code and tech help related blogging from here on out. Expect much more frequent content over here.
Thanks for visiting!
Here’s a little tidbit I can NEVER find when I need it: If you need to get all the tags that belong to a current post, here’s the function:
$tags = get_the_tags($post_id);
This will return an associative array of tags, with all their relevant info.
BONUS
If you need the same thing with categories, here’s your function:
$args['fields'] = 'all';
$categories = wp_get_post_categories($post_id, $args);
Including the args bit allows you to retrieve all the category info. If you leave that out (and use only the $post_id argument), you’ll get an array of relevant category ids, but no other info.
Big thanks to Clay Lua at hungred.com and his post Get Tag with Post ID in WordPress for pointing me in the right direction.