This weekend, I realized that I had stopped our auto-updating script for TimThumb about two months ago. What this script does is look for files named timthumb.php, thumb.php and replaces them with the latest secure version from subversion. What this means to you is that if you’ve modified your copy of timthumb and it’s new, we may overwrite your changes, unless you send in a help request. This script runs every 12 hours.
We’re using this hammer fist for two reasons.
- Security for you and your website, you may have added a plugin or theme that still uses Timthumb, and it may have the older version of Timthumb.
- We’re migrating hundreds of websites every month from other hosting places, we need a sure fire way of ensuring that we’re not bringing over malware, or vulnerabilities.
If you host a bunch of WordPress sites, you can use the code here as an example for your systems as well.
This is also a reminder, that a lot of our code is always available on Github, for review and use by others. We welcome feedback and issues.