WordThumb project merges with TimThumb, Mullenweg comments


Last week we reported that Mark Maunder, the developer who discovered the security issue with TimThumb, had forked TimThumb into WordThumb, which he hoped would fix the problems found within TimThumb. Shortly after forking the project he decided to move the project back into TimThumb, making TimThumb 2.0 a collaborative project between him and Ben Gillbanks.

Maunder says he was convinced to merge the project back into TimThumb by Matt Mullenweg. Mullenweg commented on the events on his blog, saying “the incident brought out the best in the community” and the merging of the projects is “a collaboration that exemplifies Open Source at its finest.”

Mullenweg’s thingamajig service VaultPress took the initiative last week to fix over 700 of their users’ compromised websites running the TimThumb script, emailing compromised users to notify them of the updates.

Commenting further on the prevalence of the TimThumb script in commercial WordPress themes, Mullenweg said:

I’ve seen no correlation between how much something costs and its code quality. This is getting better as more people become familiar with the coding standards of core, and PHP in general, but there is still a long way to go. If you want to avoid this in your own code, check out Theme Check and Log Deprecated Notices to start. If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.

As the dust settles on the TimThumb events of last week, what do you think? Do the events say anything special about the state of commercial WordPress themes, or is it just another security issue that the community wrapped up and repaired?

7 thoughts on “WordThumb project merges with TimThumb, Mullenweg comments”

  1. We develop premium themes for WordPress and I for one am totally embarrassed about the whole ordeal. Even though we were diligent enough to update our themes almost right away, we should’ve checked more carefully any code that we utilize in our themes and not just blindly include it because it is well known or popular.

    I hope all theme providers were able to resolve this for all their customers without too much of an issue.

  2. Well as I have been following this saga, I was extremely impressed that VaultPress fixed it and notified us. Makes me feel loved. Little closer connection to the .org ers.

  3. Even though I’ve never used the script in my own theme work ( just use add_image_size() ) I do see how some niche themes find it very handy.

    With the high number of themes that use(d) the script, it’s rather strange this issue didn’t turn up a long time ago. Better late than never I suppose. While it did sound like some sites got hacked and injected with spam, I think the fallout is rather minimal compared to what it could have been.

    • I think the WP community in general has done a good job getting the word out about what the problem is and how to fix it, but I think people will be suffering the effects of this for months to come.

      The number of people who
      a) Download themes from someplace that isn’t the WP repository (and are unlikely to get updated)
      b) Don’t follow WordPress news
      c) Don’t feel comfortable modifying theme files to update the problem

      has got to be massive.

      On the bright side, I got an email from my host (mediatemple) yesterday saying one of my sites COULD be infected. I think hosts taking initiative like this is probably the best (only?) way that lots of people are going to be made aware of the problem/solution.

  4. Have to watch plugins, too. vSlider plugin apparently incorporated TimThumb and caused one of our sites to be compromised and injected with several things. We removed vSlider and all is well now.

  5. I think timthumb was great when there was no alternative in core, but now I believe with the theme API we’re able to achieve the same functionality. Is there anything timthumb does that core can’t?

    Also it’s Gillbanks, there’s only 1 “i”
