WordPress Not Safe Anymore? Make It Safe.

Thanks to the advancement in the technology and the simultaneous growth of human knowledge, technology does not seem safe anymore. One of the leading blogging tool and publisher tool, WordPress is no exception to it. The free-to-use publishing tool, which according to #-Link-Snipped-# has 25million+ users, is just not that immune to hackers. The easily deployable default form is not vulnerable to attack in its original form. It’s only when people want to change the appearance of the site and use any of the available 1,417 themes that the barrier may breach. Most of them are coupled with an image resizing and cropping tool called timthumb. Its working gives the hackers privilege to execute codes on your site. Considering the number of people using the platform it is indeed a worrying issue.

The concerning part of the working of timthumb is that it allows files to be written on to a directory on the site accessible to everyone. That is sufficient for the hackers to gain access of your site’s control. But fret not, for Mark Maunder who identified this vulnerability has suggested a way to fix this security hole.

His method will disable timthumb.php’s ability to load images from external sites but that should not be a drawback sinbce most users use the tool for locally stored pics only.


  1. SSH into your web server. You can use “putty” if you use windows and you’ll need to know your username and password.
  2. cd into your wordpress installation directory. That is going to vary according to which host you’re using or how you've installed it.
  3. You need to find every copy of timthumb.php on your system. Use the following command without double quotes: ” find . -name ‘timthumb.php’ “
  4. It will show you a list of where timthumb.php is located. You may want to repeat this command using “thumb.php” as some users have reported that’s what it’s called on their systems.
  5. Edit timthumb.php using a text editor like pico, nano or (if you know what you’re doing) vim. You would type (without double quotes) ” nano directory/that/tim/thumb/is/in/timthumb.php ” for example.
  6. Go down to line 27 where it starts $allowedSites = array (
  7. Change it to remove all the sites listed like “#-Link-Snipped-#” and “Find your inspiration. | Flickr”. Once you’re done the line should look like this from $allowedSites to the semi-colon:
  8. $allowedSites = array();
  9. Note the empty parentheses.
  10. The next line should be blank and the following line will probably say “STOP MODIFYING HERE”
  11. That’s it. Save the file and you’re done.
Source: #-Link-Snipped-#


You are reading an archived discussion.

Related Posts

Hi Guys, I am person not on java platform still I have to develop J2ME application which has became mandatory for me , so please can you tell any j2me...
thu 5:26 ​i am using the windows 7 to my sys from last 1week i got the error message when i am trying to open the my sys...
we are organizing a inter-college cultural & technical fest .I gotta coordinate my college's annual techfest this year. this cosists of events like tech & science quiz , robotics events...
hello everyone... actually i am placed in 2 companies--> tech mahindra and OFSS( Oracle Financial Services Software Ltd, earlier- Iflex Solutions) and now am confused to join which one😕 please...
Dear friends, I m an electronics student plez guide me to create a well designed project which ever be created by u and verified by ur institution ........................plez guys it...