Last week we reported that Mark Maunder, the developer who discovered the security issue with TimThumb, had forked TimThumb into WordThumb, which he hoped would fix the problems found within TimThumb. Shortly after forking the project, he decided to move the project back into TimThumb, making TimThumb 2.0 a collaborative project between him and Ben Gillbanks.
Maunder says he was convinced to merge the project back into TimThumb by Matt Mullenweg. Mullenweg commented on the events on his blog, saying “the incident brought out the best in the community” and the merging of the projects is “a collaboration that exemplifies Open Source at its finest.”
Mullenweg’s VaultPress service took the initiative last week to fix over 700 compromised websites belonging to its users that were running the TimThumb script, emailing the affected users to notify them of the updates.
Commenting further on the prevalence of the TimThumb script in commercial WordPress themes, Mullenweg said:
I’ve seen no correlation between how much something costs and its code quality. This is getting better as more people become familiar with the coding standards of core, and PHP in general, but there is still a long way to go. If you want to avoid this in your own code, check out Theme Check and Log Deprecated Notices to start. If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.
As the dust settles on the TimThumb events of last week, what do you think? Do the events say anything special about the state of commercial WordPress themes, or is it just another security issue that the community wrapped up and repaired?