With all of the hubbub around the recent timthumb vulnerability, lots of people are looking for some easy instructions on how to get it taken care of. You should be, because I’ve cleaned up more hacks in the past 2 weeks related to this vulnerability than I have in the last 2 months – people ARE getting hacked due to this.

Unfortunately, if you’re not totally comfortable with code, upgrading this file can be a little scary. Good news, I’m here to help.

How do I know if I’m using timthumb?

This one isn’t too hard – the easiest way to figure this out is to use a scanner of some sort to search your server for the timthumb script. I’ve written a timthumb scanner that runs as a WordPress Plugin – you can find that here.

If you’re not comfortable with that process, you might be able to just give your blog a once over and figure it out yourself. Are you showing thumbnails on the homepage? If so, you might be using timthumb. Right click one of the thumbnails, and click “open image in new tab” (or the equivalent – that’s what it says on chrome on a mac).
In the new tab that opens, check out the url bar – does it say timthumb.php anywhere in the url (check the text right before the question mark, if there is one)? Note – this might also just say “thumb.php”

How do I know if my timthumb script is vulnerable?

Fortunately, this one is pretty easy. Open up the file in the wordpress theme editor, or using FTP (it’s probably in your theme directory, called timthumb.php or thumb.php – the previous step should tell you that). Look for this code, near the top:

// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
	'upload.wikimedia.org',
);

// STOP MODIFYING HERE!
// --------------------

To clarify (or make things more confusing): If you see this:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
	$ALLOWED_SITES = array (
			'flickr.com',
			'picasa.com',
			'img.youtube.com',
			'upload.wikimedia.org',
			'photobucket.com',
			'imgur.com',
			'imageshack.us',
			'tinypic.com'
	);
}
// -------------------------------------------------------------
// -------------- STOP EDITING CONFIGURATION HERE --------------
// -------------------------------------------------------------

You’re ok. $allowedSites = Bad, $ALLOWED_SITES = Good. For another way to check, if you look up near the top of the file and see this:

define ('VERSION', '2.8');										// Version of this script

You’re good. Version 2.0 and greater are safe to use.

If it doesnt look like you’re using the right version, it’s time to clean it up!

How do I fix it?

400 words later, we finally get back to the question posed in the title. Can I just replace the old, vulnerable code with new, safe code, and have everything still work? Yes, you can.
From the previous step, you’ve got the file open in your WordPress theme editor. All you need to do is replace the entire contents of the file with the code found here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

Save the file, and you’re done! Your thumbnails still work, and you can sleep a little easier at night.

Plug Time: I do this service for subscribers to my WordPress backup and security monitoring service – so if you’re not sure you want to take it on yourself, have a look here. If you just have a question, or need some guidance, I’m happy to give that away for free. Get in touch with me at peter@codegarage.com. Good luck!

The Problem

The problem is generally a result of pasting straight from Microsoft Word (or similar) into WordPress. Word generates lots of evil characters that WordPress and web servers don’t deal with properly. As a result, you end up with gibberish. And frustration.

The Solution

The best solution is to stop pasting formatted text from Word into WordPress. That is, however, not useful if you’re already dealing with the problem. You could manually replace the problem characters, but that takes FOREVER, and writing a script to get into the database and do it for you is a chore I havent been confident enough to take on, because of the relative obscurity of the problem ( and how difficult it is to find every problem instance ). So, I generally take the easy way out, which is this:

Change your site’s character encoding

Yep. Just trick wordpress/web browsers to treat the content with Microsoft’s character set, brush your hands off, and be on your way. Here’s how:

1. Navigate to yoursite.com/wp-admin/options.php
   You’re goign to have to type this in, there are no links from the WP backend to this page.
2. Seach for “blog_charset”:
3. Change the value to “windows-1252″ and save.
4. Move on to more interesting problems

There you go: Band aid applied. Again, this isn’t an ideal solution, it’s more like the “quick, dirty, I’m tired of dealing with it solution”.

Thanks for visiting!

$tags = get_the_tags($post_id);

This will return an associative array of tags, with all their relevant info.

BONUS
If you need the same thing with categories, here’s your function:

    $args['fields'] = 'all';
    $categories = wp_get_post_categories($post_id, $args);

Including the args bit allows you to retrieve all the category info. If you leave that out (and use only the $post_id argument), you’ll get an array of relevant category ids, but no other info.

Big thanks to Clay Lua at hungred.com and his post Get Tag with Post ID in WordPress for pointing me in the right direction.