@tonvie, you know, before the snake bite that was not really a problem. In fact the latest version “seems” to be OK (until the next issue is found…) but my problem came from an updated theme that was still using an old version.
As with any external script, if you don't verify that, you may pick up an old version.
Moreover there is something else. I use multisite as a hosting platform for temp/demo projects, and in that case the themes MUST include multisite compatibility when using TimThumb, which is not done in all themes, and modifications are not so easy.
For me now it's clear: no go! And it is the first pre-sale question I ask now.
Let's keep pure WordPress…
I consider that “gadgetry”, and many wonderful themes don't use it.
If you buy a theme that's running an old version of TimThumb, report it to support so they can fix it/disable the item.
This is done. Even found a 1.2.4 version…
Anyway, thanks to all for your attention and tips, but for sure now I will be more paranoid and definitely won't use themes using this “thing” anymore; that means you have lost a client, since many themes here use it (all I bought, in fact) and I will get themes out there, especially because TT does NOT fit a multisite environment.
That plugin was created just when there was that major vulnerability of TimThumb in the previous versions, but that one was fixed; 99.5% of the websites that are hacked via TimThumb are hacked because they didn't update the TimThumb version.
You are absolutely right.
And what about when I buy a ThemeForest theme including TimThumb version 2.8? Downloaded TODAY in its latest version?
Sure, you can tell me “just look it up”. OK, I am paranoid, and I do it.
What about those hundreds of people buying themes here, confident, who get old versions of TimThumb without knowing much about this and who won't even look at the theme files?
You guys are perhaps especially serious. I don't know, since I have not yet bought one of your themes. Let's assume so, and that all your TT files, if you use it, are up to date.
But if you want me to accuse someone I will do it. And, oooh surprise, still the same guy. Won't tell it here but I will surely write a nice review (once again…) on this guy.
Moreover, even if TT adds cool image resizing features, it does NOT work correctly under multisite without manual changes (unless the creator did them).
Anyway, to conclude about MY specific problem: you were right, and the problem was a conjunction of an old TT version (2.8) shipped in a recently updated theme (here… updated 13/12/2012), and a direct call on a cached file. The attack came from Russia & 5 specific/known blacklisted IPs, not localized.
So this is not a NEW issue about TT.
Anyway, having been bitten by the snake, I will be more paranoid and definitely not use any timthumbified theme. That will be my first criterion for buying any theme for a project that I SELL; I cannot sell to a customer something that is definitely not safe. I prefer security over “possible fancy functionalities”.
Oh, by the way: TT still requires a 775 chmod. Sure, not 777, but no way. I WON'T 775 any folder.
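As an added example (not code from this thread, from the theme authors, or from TimThumb itself): a small Python script for the check discussed above, i.e. "just look it up" across a whole themes directory. It finds every TimThumb copy bundled in a themes tree, including renamed ones (thumb.php, img.php, ...), reads the declared version, and flags copies below a threshold you choose. It assumes the file header carries a `define('VERSION', '...')` line in the shape TimThumb releases have used; `MIN_VERSION` is a placeholder policy value for the example, and the sample theme tree it builds is constructed so the script runs offline.

```python
"""Scan a WordPress themes directory for bundled TimThumb copies and report
their declared version. Added example; assumptions are noted in comments."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Copies are often renamed (thumb.php, image.php, ...), so match on content,
# not file name. The "TimThumb" marker plus a header line of the form
#   define ('VERSION', '2.8.14');
# is what released versions have looked like; treating exactly that shape as
# canonical is an assumption of this example.
MARKER_RE = re.compile(r"TimThumb", re.IGNORECASE)
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]\s*\)")

# Lowest version the operator is willing to accept. A policy choice for this
# example, not a statement about which releases are safe.
MIN_VERSION = "2.8.14"


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.8.10' -> (2, 8, 10); tuples compare numerically, so 2.8.10 > 2.8.9."""
    return tuple(int(p) for p in s.strip(".").split(".") if p)


def timthumb_version(path: str) -> Optional[str]:
    """Return the declared version of a TimThumb copy, '' if the file looks
    like TimThumb but has no parseable VERSION, or None if it is not TimThumb."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # the header sits at the top; don't read MBs
    except OSError:
        return None
    if not MARKER_RE.search(head):
        return None
    m = VERSION_RE.search(head)
    return m.group(1) if m else ""


def scan_themes(themes_dir: str, min_version: str = MIN_VERSION) -> List[Dict[str, str]]:
    """Walk themes_dir and list every TimThumb copy with a verdict."""
    findings = []
    floor = parse_version(min_version)
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            ver = timthumb_version(path)
            if ver is None:
                continue
            rel = os.path.relpath(path, themes_dir)
            if ver == "":
                verdict = "unknown-version"   # stripped or forked copy: look at it
            elif parse_version(ver) < floor:
                verdict = "outdated"
            else:
                verdict = "current"
            findings.append({"theme": rel.split(os.sep)[0], "file": rel,
                             "version": ver, "verdict": verdict})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_themes() -> str:
    """Constructed sample tree (not real themes) so the scanner runs offline."""
    base = tempfile.mkdtemp(prefix="themes_")
    samples = {
        "old-theme/lib/timthumb.php": "<?php\n/* TimThumb script */\ndefine ('VERSION', '2.8');\n",
        "renamed-theme/inc/thumb.php": "<?php\n// TimThumb by Ben Gillbanks\ndefine ('VERSION', '2.8.14');\n",
        "clean-theme/functions.php": "<?php\nadd_image_size('thumb', 300, 200, true);\n",
        "stripped-theme/img.php": "<?php\n// timthumb fork, version define removed\n",
    }
    for rel, body in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for f in scan_themes(build_sample_themes()):
        print(f"{f['verdict']:16} {f['version'] or '?':8} {f['file']}")
```

On a real server call `scan_themes("/path/to/wp-content/themes")`; a copy with no VERSION define is reported as unknown rather than skipped, because a stripped or forked copy is exactly the file you want a human to open.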
It is not buggy… It is insecure. Not the same…
Well, if bringing files from outside sources into the WP install is not a problem for you, you are OK.
But this is exactly what must be avoided, especially in a multisite install, and moreover using an external script!
Yep, the issue has been solved by removing ALL themes using TimThumb (more than 50, up to date, free wp.org themes), and restoring all the server accounts, purged of all themes before restoring. And the server has been stable immediately.
Specialists are now analysing the logs to see what happened exactly. But I won't share anything with them. There is absolutely no need to duplicate a core, secure function of WP with an external application. No need to use an external folder. Put images where they must be, as in 95% of themes, as Elegant Themes has done.
And by the way, many sites ARE hacked. We see that every day on forums. Because of TimThumb? Possibly. What is sure is that I will never use a theme with TimThumb anymore and will write a review about that.
I am not an “amateur” but a sysadmin of several multisite networks AND I had proof that direct requests on timthumb were the cause of injections into files.
So before calling someone an “amateur”, begin by coding your themes correctly and following the WP guidelines correctly.
I accuse no one; I just request themers not to use TimThumb, and PRO coders should just NOT use it. I accuse TimThumb of being a very huge security issue which is known worldwide.
So if YOU still use it in your theme, YOU are the amateur, dear.
And sorry for the “h”, keyboard error from a non-English-speaking user.
Hi to all great themers here.
Once again a WP site attacked AND destroyed thanks to TimThumb, even the latest version and well set up. One of my networks has been hacked using the latest version of TimThumb.
WP includes its own thumbnail generator; please use it and definitely forget TimThumb, even update all your themes if they use it and simply remove it.
Elegant Themes did it for all their themes; this is urgent, and it is very insecure to continue using that shit.
Thanks to all of you!!!!
I will answer you: this is not possible. And the support for this theme is just awful.
The only answer I got is “this is not in the demo so not in the theme.”
This theme, despite apparently being very nice, is just an SEO nightmare and has major coding issues. For example, any page such as site.com/contact/ indexed in Google will return only the page, WITHOUT the menu. And the same for all menu items. The support takes days to answer, in such an unfriendly manner that this is definitely unworthy.
Just CHANGE theme; you won't do anything professional for a client with this one.