Timthumb script being compromised – What precautions to take? [closed]

Read an article about Timthumb script being compromised making WP installations vulnerable. Source here

Taking a look at timthumb.php, there is the following function, which I presume is the culprit.

function checkExternal ($src) {

    $allowedSites = array(
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
    );

Since my site is highly customized (and therefore complicated to update timthumb in), would it suffice to delete those external domains, as all the images are hosted on my server and hence don't require any of the 3rd-party domains?
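As an added illustration of what the proposed change amounts to (this is not TimThumb's own code and makes no claim about how TimThumb's real check is written), here is a strict allow-list check for remote image sources: the host is parsed out of the URL and compared exactly, or as a subdomain, against the list, and an empty list refuses every remote URL. The function name and the assumption that local, relative paths are handled elsewhere are mine.

```php
<?php
// Added example, not TimThumb's code. Assumes PHP 8 (str_ends_with) and that
// local/relative image paths never reach this check.
function isAllowedRemoteSource(string $src, array $allowedHosts): bool {
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;                       // not an absolute URL: refuse here
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                       // only web URLs are considered
    }
    $host = strtolower($parts['host']);
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        // exact host match, or a subdomain of the allowed host;
        // a host that merely *contains* the allowed name does not pass
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Empty list: every remote URL is refused, the effect of removing all entries
// from $allowedSites as the question proposes.
var_dump(isAllowedRemoteSource('http://img.youtube.com/vi/abc/0.jpg', []));                 // false
// Look-alike host containing an allowed name is still refused.
var_dump(isAllowedRemoteSource('http://img.youtube.com.example.test/x.jpg', ['img.youtube.com'])); // false
// Genuine subdomain of an allowed host passes.
var_dump(isAllowedRemoteSource('https://farm1.flickr.com/x.jpg', ['flickr.com']));          // true
```

The point of the exact and subdomain comparison is that an allow-list is only as good as the matching behind it; emptying the list removes the question entirely, since no remote fetch is then attempted.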

4 Answers

Best way: Remove the timthumb script from your server and change your theme so as to not require it in the first place.

Timthumb isn’t really necessary with newer versions of WordPress. The add_image_size() function can be used to create custom image sizes in the theme. And most older themes I’ve seen still using it were using it to create a “thumbnail” type of functionality, which is now built into WordPress itself.

The only thing TimThumb really does that WordPress makes hard is the custom cropping, where you can crop images to one side or another instead of doing a middle-based crop method. And most themes aren’t using this functionality.
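As an added example of the replacement the answer recommends (this is my own snippet, not code from the answer or from WordPress core), here is a theme's functions.php registering a custom hard-cropped image size with add_image_size(), plus the template call that outputs it. The size name 'card-thumb', the text domain 'mytheme' and the dimensions are assumptions.

```php
<?php
// Added example for a theme's functions.php; names and sizes are assumed.
add_action('after_setup_theme', function () {
    // Post thumbnails must be enabled before custom sizes are useful.
    add_theme_support('post-thumbnails');
    // 300x200, hard-cropped (true = crop to exact dimensions from the centre).
    add_image_size('card-thumb', 300, 200, true);
});

// Optional: show the size in the media dialog's size dropdown.
add_filter('image_size_names_choose', function (array $sizes) {
    return array_merge($sizes, ['card-thumb' => __('Card thumbnail', 'mytheme')]);
});

// In a template such as content.php, inside The Loop:
// if (has_post_thumbnail()) {
//     the_post_thumbnail('card-thumb', ['class' => 'card-thumb', 'loading' => 'lazy']);
// }
```

Two practical notes: sizes registered this way are generated only for images uploaded after registration, so existing uploads need their thumbnails regenerated (a plugin such as Regenerate Thumbnails does this); and since WordPress 3.9 the crop argument also accepts an array such as array('left', 'top') to anchor the crop to an edge rather than the centre, which covers much of the positional cropping the answer mentions.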
