How to Stop Timthumb Hacks Using .htaccess


How To Block Timthumb Hack Attempts

Like many developers I manage a large number of WordPress sites, and in days gone by I’d use TimThumb to handle my images.

Sadly, a few years back this became a huge problem when a TimThumb hack surfaced that allowed fairly easy access to your site and its contents. Of course something had to be done, and it was: the script was updated. But the hack spawned a new generation of hack-bots, and people are still having sites hacked.

Furthermore, being bots, they of course have nothing better to do than travel round sites that could be compromised and flood them with a huge number of file requests. Obviously this can cause problems too.

Here’s what you can do to close the TimThumb vulnerability.

1.  Change your .htaccess file to block the requests at server level. This is my WordPress root .htaccess file.

# Block External Timthumb Requests
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|flickr|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|flickr|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
# Requests for a thumbnail script skip the next RewriteRule ([S=1])
RewriteCond %{REQUEST_URI} (some-other-thumb-script-filename\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
# End timthumb access blocking

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

2.  Download a firewall plugin such as OSE Firewall or Wordfence. Both are great at reporting and blocking requests.

For the record, my firewall was reporting 80-100 requests to my timthumb file each day, which became extremely annoying. After creating a .htaccess file to block the timthumb hacks, it’s down to zero.
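To check the rule against your own traffic before relying on it, the following added example (not part of the original post) applies the same pattern to access-log lines in Python and counts thumbnail-script requests per day. It assumes Apache combined log format; the log lines, IP addresses and theme path are constructed.

```python
import re
from collections import Counter

# Host list and pattern copied from the .htaccess rule above; [NC] -> re.IGNORECASE.
HOSTS = (r"blogger|picasa|flickr|blogspot|tsunami|petapolitik|photobucket|imgur|"
         r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|"
         r"kkc|start-thegame")
BLOCK_RE = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(" + HOSTS + r").*$",
    re.IGNORECASE)
# Script names from the REQUEST_URI condition (the author's placeholder name omitted).
THUMB_RE = re.compile(r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)",
                      re.IGNORECASE)
# Combined log format: client ident user [day:time zone] "request line" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]:]+)[^\]]*\] "([^"]*)" (\d{3}) ')

def audit(lines):
    """Return (requests the rule would 403, thumbnail-script hits per day)."""
    would_block, per_day = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        client, day, request, _status = m.groups()
        parts = request.split()
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        if THUMB_RE.search(path):  # REQUEST_URI carries no query string
            per_day[day] += 1
        # THE_REQUEST is the raw request line, so it includes the query string.
        if BLOCK_RE.search(request):
            would_block.append((client, request))
    return would_block, per_day

# Constructed sample lines: documentation IP ranges, invented theme paths.
T = "/wp-content/themes/demo/"
SAMPLE = [
    f'192.0.2.10 - - [01/Apr/2013:10:00:01 +0000] "GET {T}timthumb.php?src=http://www.flickr.com/a.jpg HTTP/1.1" 200 512',
    f'198.51.100.7 - - [01/Apr/2013:10:05:09 +0000] "GET {T}TimThumb.php?src=HTTP%3A%2F%2Fblogger.com/a.jpg HTTP/1.1" 200 512',
    f'192.0.2.10 - - [02/Apr/2013:08:00:00 +0000] "GET {T}timthumb.php?src=/wp-content/uploads/a.jpg&w=100 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [02/Apr/2013:09:30:00 +0000] "GET /?share=http://imgur.com/abc HTTP/1.1" 200 4096',
    "truncated line",
]

if __name__ == "__main__":
    blocked, per_day = audit(SAMPLE)
    for client, request in blocked:
        print("would be 403:", client, request)
    print("thumbnail script hits per day:", dict(per_day))
```

The fourth sample line shows that the first rule is not limited to thumbnail scripts: any URL whose query string carries a link to one of the listed hosts gets a 403, so check for legitimate traffic of that shape before deploying.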



2018-02-02T03:09:37+00:00 | April 1st, 2013 | Programming Tips, WordPress Snippets | 2 Comments

About the Author:

Warren Chandler is a freelance web programmer and web developer, based in Frinton on Sea, Essex. Warren specialises in web programming, web design, corporate identity, copy writing, SEO, logo and print media for home, work, and mobile platforms.


  1. Carl Wison April 13, 2013 at 12:27 pm

    This is VERY useful. Thank you.

  2. Jecinta Onyeka April 15, 2013 at 1:21 pm

    This is a very nice article on htaccess, one can also generate htaccess files online.
