How To Block Timthumb Hack Attempts

Like many developers I manage a large number of WordPress sites, and in days gone by I’d use TimThumb to handle my images.

Sadly, a few years back this became a huge problem since a TimThumb hack surfaced which allowed fairly easy access to your site and the contents.   Of course something had to be done and it was after the script was updated, but it spawned a new generation of hack-bots and people are still having sites hacked.

Furthermore, being bots of course they have nothing better to do than travel round sites that could be compromised and flood them with a huge number of file requests.   Obviously this can cause problems too.

Here’s what you can do to close the timthumb vulnerability.

1.  Change your .htaccess file to block the requests at server level. This is my WordPress root .htaccess file.

[Download Link]

# Block External Timthumb Requests
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|flickr|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|flickr|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (some-other-thumb-script-filename\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
# End timthumb access blocking

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

2.  Download a firewall plugin such as OSE Firewall or WordFence.  Both are great at reporting and blocking requests.

For the record, my firewall was reporting 80-100 requests to my timthumb file each day which became extremely annoying.  AFter creating a .htaccess file to block the timthumb hacks, it’s down to zero.