Plenty of WordPress themes, and many plugins, scripts and add-ins now make use of the great TimThumb script to modify images on-the-fly. I have used the script numerous times on my own sites, and for clients – either within a custom written Theme/Plugin or pre-attached within a theme. This results in a lot of different versions of the script over the year – which caused a bit of a panic when I read Cleaning Up the TimThumb Hack | WP Theming outlining the possible threat that an out of date script would cause.

The handy walk-through put together by Devin helped me find firstly; where my scripts were buried, and secondly; which versions required updating (in the end, I updated them all to the latest release)

My condensed version of Devins instructions which were applicable to me are below :

Make Backup of Everything

Always, always make backups prior to changing scripts / server files etc – as one day you will thank yourself!

Fix TimThumb Vulnerability

You can download the latest version of TimThumb with the security fixes here: (Just save the file out).

Replace any instances of TimThumb.php on your server with the new version. WooThemes used the name “thumb.php” for this file, so you should also look for that.

Locate all instances of timthumb using the following command (within your /var/www/vhosts/ folder):

find * -iname 'timthumb*' -ls


find * -iname 'thumb.php' -ls

(commonly used within WooThemes)

In many cases I found themes that were not being used and just deleted them directly:

rm -rf path/to/theme

Most theme companies have also already released fixes, so you could also get the latest version directly from them and replace your current theme.

Clean Up After the Hack

Luckily – I had not found any hacked files, checked by searching the vhosts directory for any files with base64_decode. There are legitimate reasons to have base64_decode in a file, but if you don’t know where the file came from, or what it does, find out!

Here’s how you grep a directory:

cd /var/www/vhosts/
grep -r base64_decode *

If you want to grep your entire server, try

grep -r --exclude={wp-app.php,class-simplepie.php,class-IXR.php} base64_decode *

Above adapted from a great post: Cleaning Up the TimThumb Hack | WP Theming.