sevenspark Moderator says

Hey guys,

I agree that the native WordPress image functionality should be favored over timthumb for a variety of reasons.

However, to my knowledge, when a current version of timthumb is installed and configured correctly, there is no security risk. (Of course there could be something new, though I’d be skeptical until it was thoroughly tested).

If you have any folder set to 777, that is a security hole – not the script itself. Timthumb does not require 777 permissions to run properly. There’s a lot of bad information out there suggesting this from people who don’t understand the implications, but obviously it shouldn’t be followed.

If your server was 100% properly configured and you’re convinced the timthumb script itself was to blame, I definitely recommend reporting the issue to the timthumb developers so they can investigate and release a patch.

Regardless, I do think it’s better for theme authors to use native WordPress functionality whenever possible. The native image resizer is definitely more limited than timthumb, but I think we can work within that system.

tonvie says

@sevenspark – you are always the voice of reason!

themebros says

I don’t understand why a theme would need to resize images that are not in the uploads directory (and the WP media library, of course).

Can someone give me an example?

sevenspark Moderator says

@tonvie haha thanks, I try. Things can get overly heated around here sometimes :)

@themebros – timthumb can resize on the fly – and I don’t think authors use it on images outside the uploads directory (at least not primarily). While the WordPress native resizing is less resource-intensive, since everything is processed on upload, timthumb can potentially require fewer images and less space on the server, as images are only generated as needed. Timthumb’s flexibility makes it easier to work with, and easier if you want to change sizes. But like I said, I still think using the native functionality is preferable, even if it’s not as flexible.

themebros says

@sevenspark

Just asking because FinalFantasy ( :P ) mentioned resizing images outside of the uploads folder.

Yes, WP resizes them on upload but if you want to change the sizes later on you can use the Regenerate Thumbnails plugin.

About the “resizing on the fly” and not making too many unnecessary versions of an image, I still do not think TimThumb is the way to go with WP themes. I’ve been using vt_resize by Victor Teixeira for a long time now. It does the same thing as timthumb but uses WP functions to do so.

sevenspark Moderator says

Just asking because FinalFantasy ( :P ) mentioned resizing images outside of the uploads folder.

Ah my bad, I missed that. I don’t have an example for that then :)

Yes, WP resizes them on upload but if you want to change the sizes later on you can use the Regenerate Thumbnails plugin.

Of course. But it’s easier on customers not to have to. Now, I choose to explain to my customers that they need to do this, but not all customers understand. It certainly creates more support requests than it would if I were using timthumb.

About the “resizing on the fly” and not making too many unnecessary versions of an image, I still do not think TimThumb is the way to go with WP themes. I’ve been using vt_resize by Victor Teixeira for a long time now. It does the same thing as timthumb but uses WP functions to do so.

Yup, again, not saying timthumb is the way to go, just explaining why it’s desirable. vt_resize is a good alternative; there’s also aqua resizer and freshface’s resizer. They all have the same purpose.

Aphro says

That plugin was created just when there was that major vulnerability of timthumb in the previous versions, but that one was fixed, 99,5% of the websites that are hacked via timthumb are because they didn’t update the timthumb version.

You are absolutely right.

And what about when I buy a ThemeForest theme, including timthumb version 2.8? Downloaded TODAY in its latest version?

Sure, you can tell me “just look it up”. OK, I am paranoid, and I do it.

What about those hundreds of people buying themes here, confident, who get old versions of timthumb without knowing much about this and who won’t even look at the theme files?

You guys are perhaps especially serious. I don’t know, since I have not yet bought one of your themes. Let’s assume it, and that all your TT files, if you use it, are up to date. :)

But if you want me to accuse someone, I will do it. And, oh surprise, still the same guy. Won’t tell it here, but I will surely write a nice review (once again…) on this guy.

Moreover, even if TT adds cool features for image resizing, it does NOT work correctly under multisite without manual changes (unless the theme creator made them).

Anyway, to conclude about MY specific problem: you were right, and the problem was a conjunction of an old TT version (2.8) shipped in a recently updated theme (here… updated 13/12/2012), and a direct call on a cached file. The attack came from Russia and 5 specific/known blacklisted IPs, not localized.

So this is not a NEW issue with TT.

Anyway, having been bitten by the snake, I will be more paranoid and will definitely not use any timthumbified theme. That will be my first criterion when buying any theme for a project that I SELL; I cannot sell a customer something that is definitely not secure. I prefer security over “possible fancy functionalities”.

Oh, by the way: TT still requires a 775 chmod. Sure, not 777, but no way. I WON’T 775 any folder.

organicbee says

If you buy a theme that’s running an old version of TimThumb, report it to support so they can fix it/disable the item.

Aphro says
If you buy a theme that’s running an old version of TimThumb, report it to support so they can fix it/disable the item.

This is done. Found even a 1.2.4 version…

Anyway, thanks to all for the attention and tips, but for sure I will now be more paranoid and definitely won’t use themes using this “thing” anymore, which means you have lost a client, since many themes here use it (all the ones I bought, in fact) and I will get themes elsewhere, especially because TT does NOT fit a multisite environment.

Cheers
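The practical problem raised in the last few posts is finding out which copies of timthumb.php a site is actually running, what version they declare, and whether any directory has been opened up with 775/777. The script below is an added example, not code from the thread or from the TimThumb project: it walks a wp-content tree, treats any PHP file that mentions TimThumb and declares a `define('VERSION', '...')` constant as a TimThumb copy, compares that version against a minimum the caller chooses, and lists directories writable by group or others. The minimum version, the file names and the sample tree it builds are assumptions constructed for the demo; decide the threshold from the TimThumb project's current release, not from this code.

```python
import os
import re
import stat
import tempfile

# TimThumb declares its version as a PHP constant, e.g.  define ('VERSION', '2.8.11');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""")
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)


def parse_version(s):
    """'2.8.10' -> (2, 8, 10) so that tuple comparison orders versions numerically."""
    return tuple(int(p) for p in s.split(".") if p != "")


def find_timthumb_copies(root):
    """Return [(path, version_or_None)] for PHP files that look like TimThumb.
    Only the first 64 KiB is read: the marker and the VERSION define sit at the top."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            if not MARKER_RE.search(head):
                continue
            m = VERSION_RE.search(head)
            hits.append((path, m.group(1) if m else None))
    return hits


def find_loose_dirs(root):
    """Directories writable by group or others (what chmod 775 / 777 produce)."""
    loose = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            loose.append((dirpath, oct(stat.S_IMODE(mode))))
    return loose


def audit(root, minimum):
    """Classify every TimThumb copy under root against the caller's minimum version."""
    report = {"outdated": [], "current": [], "unknown": [], "loose_dirs": find_loose_dirs(root)}
    for path, ver in find_timthumb_copies(root):
        if ver is None:
            report["unknown"].append(path)          # marker found but no VERSION define
        elif parse_version(ver) < parse_version(minimum):
            report["outdated"].append((path, ver))
        else:
            report["current"].append((path, ver))
    return report


def build_sample_tree():
    """Constructed sample data: a fake themes tree with an old copy, a newer copy
    and a cache directory that somebody chmod 777'd. Not a real site."""
    root = tempfile.mkdtemp(prefix="tt-audit-")
    old = os.path.join(root, "themes", "old-theme")
    new = os.path.join(root, "themes", "new-theme")
    os.makedirs(os.path.join(old, "cache"))
    os.makedirs(new)
    # pin modes explicitly so the result does not depend on the process umask
    for d in (root, os.path.join(root, "themes"), old, new):
        os.chmod(d, 0o755)
    os.chmod(os.path.join(old, "cache"), 0o777)
    with open(os.path.join(old, "timthumb.php"), "w") as fh:
        fh.write("<?php\n// TimThumb script (constructed sample)\ndefine ('VERSION', '2.8');\n")
    with open(os.path.join(new, "thumb.php"), "w") as fh:
        fh.write("<?php\n// TimThumb script (constructed sample)\ndefine ('VERSION', '2.8.10');\n")
    return root


if __name__ == "__main__":
    # "2.8.10" is a placeholder threshold for the demo, not a statement about which release is safe
    rep = audit(build_sample_tree(), minimum="2.8.10")
    for key in ("outdated", "current", "unknown", "loose_dirs"):
        print(key, rep[key])
```

Run it against a real install as `audit("/var/www/html/wp-content", minimum="...")`; anything in `outdated` or `unknown` is a copy to replace or report to the theme author, and every entry in `loose_dirs` deserves a look regardless of which script lives there, since the thread's point is that a world-writable directory is a hole on its own.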

tonvie says

@Aphro – You’ve been here a year; I’m still learning what questions to ask before buying a theme after over 2 years here ;) So I’m glad you guys got into this conversation about TT. It was on my mind, but I never followed up because it only happened once and was taken care of quickly. Not enough buyers make it to the forums and provide any feedback for the authors (except the usual negative rants), but keep talking about substantive issues like this and they will listen :)

You didn’t see many white label admin panels until we started asking for them :D
