As you probably know, WordPress is one of the most customisable CMSs available. With over 22,000 plugins and thousands of themes, it may come as a surprise that many of them rely on the same widely available open-source scripts.
So of course, when a vulnerability comes along affecting one of these shared scripts, we have a major problem. You may have guessed it already, but if not: I’m talking about Timthumb.
Timthumb is great. It has given us instant image resizing through an easy-to-use PHP script, and a huge number of themes and plugins rely on it. However, vulnerabilities in the past have turned those very plugins and themes into a hackers’ paradise, creating gaping holes in the WordPress environments of unsuspecting users.
So why have we relied on it for so long? Simple: WordPress hasn’t provided us with anything better, or even remotely as good. As the developer of both the Easing Slider and Riva Slider plugins, I’ve always felt strongly about the lack of a proper image API within WordPress itself.
Thankfully, WordPress 3.5 will change this, as an image API is (finally) being added. However, it still doesn’t provide us with a single-function successor to Timthumb.
As a developer, especially of a premium plugin, I felt it was my responsibility to explore every possibility in the hope of finding an alternative. I did come across a great function, vt_resize by Victor Teixeira, but extensive testing found that it wouldn’t upscale images or crop in the same way Timthumb does. This wouldn’t cut it, so I set out to create my own solution.
And now, after some brief testing, I’m here to release it for all to use freely with the simple goal of providing us all with a safe alternative to Timthumb. Use it in your themes, plugins, or however you like.
It resizes an image to the specified dimensions, saving the resized image in the WordPress uploads folder as usual. This is great, because it means we can serve the user a static image rather than a PHP script, which speeds things up a bit (and uses fewer resources). It also supports the upcoming WordPress 3.5 update, for which a separate function is used (one that utilises the new image API) that has been tested with recent nightly builds.
I’ve created a Github page as well, so please have a look at it. Fork it, improve it, fix any bugs within it and, more importantly, tweet about it and tell your friends! It may take some time (and effort) before everyone becomes aware of it, but I feel it is important that we as a WordPress community do so.
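As an added example (not the post’s own function and not Timthumb’s code), here is a plain-PHP sketch of the behaviour described above: take an absolute local path, load the file as a GD resource, resize or centre-crop it to the requested dimensions (upscaling when the target is larger), and write the result once into an uploads directory so that later requests can be served as a static file. It assumes the GD extension is available and uses a temporary directory standing in for wp-content/uploads; under WordPress 3.5 the same job could be handed to wp_get_image_editor() instead of calling GD directly.

```php
<?php
// Added example: a stand-alone GD resizer mirroring the behaviour the post
// describes. It is not the post's function and not Timthumb.
// Assumes the GD extension; $uploads_dir stands in for wp-content/uploads.

function demo_load_image(string $path, int $type) {
    switch ($type) {                          // getimagesize() type constant
        case IMAGETYPE_JPEG: return imagecreatefromjpeg($path);
        case IMAGETYPE_PNG:  return imagecreatefrompng($path);
        case IMAGETYPE_GIF:  return imagecreatefromgif($path);
        default:             return false;
    }
}

function demo_save_image($img, string $dest, int $type): bool {
    switch ($type) {
        case IMAGETYPE_JPEG: return imagejpeg($img, $dest, 90);
        case IMAGETYPE_PNG:  return imagepng($img, $dest);
        case IMAGETYPE_GIF:  return imagegif($img, $dest);
        default:             return false;
    }
}

/**
 * Resize $src (an absolute local path) to $w x $h and return the path of the
 * cached copy inside $uploads_dir, or null on failure.
 * $crop = true  : scale to cover the box, then centre-crop (Timthumb style).
 * $crop = false : fit inside the box, keeping the aspect ratio.
 * Smaller sources are upscaled in both modes.
 */
function demo_image_resize(string $src, int $w, int $h, bool $crop, string $uploads_dir): ?string {
    if (!is_file($src) || $w < 1 || $h < 1) {
        return null;                          // URLs and missing files: nothing is fetched
    }
    $info = getimagesize($src);
    if ($info === false) {
        return null;                          // not an image GD recognises
    }
    [$sw, $sh, $type] = $info;
    $ext  = image_type_to_extension($type, false);
    $name = pathinfo($src, PATHINFO_FILENAME);
    $dest = rtrim($uploads_dir, '/') . "/{$name}-{$w}x{$h}" . ($crop ? '-c' : '') . ".{$ext}";

    if (file_exists($dest)) {                 // already cached: served as a static file
        return $dest;
    }

    if ($crop) {
        // Largest source rectangle with the target aspect ratio, centred.
        $cw = (int) min($sw, round($sh * $w / $h));
        $ch = (int) min($sh, round($sw * $h / $w));
        $sx = intdiv($sw - $cw, 2);
        $sy = intdiv($sh - $ch, 2);
        $dw = $w;
        $dh = $h;
    } else {
        $scale = min($w / $sw, $h / $sh);     // may exceed 1, i.e. upscale
        $cw = $sw; $ch = $sh; $sx = 0; $sy = 0;
        $dw = max(1, (int) round($sw * $scale));
        $dh = max(1, (int) round($sh * $scale));
    }

    $srcImg = demo_load_image($src, $type);
    if ($srcImg === false) {
        return null;
    }
    $dstImg = imagecreatetruecolor($dw, $dh);
    imagealphablending($dstImg, false);       // keep PNG/GIF transparency
    imagesavealpha($dstImg, true);
    imagecopyresampled($dstImg, $srcImg, 0, 0, $sx, $sy, $dw, $dh, $cw, $ch);

    $ok = demo_save_image($dstImg, $dest, $type);
    imagedestroy($srcImg);
    imagedestroy($dstImg);
    return $ok ? $dest : null;
}

// Constructed demo input: a 300x150 PNG written to a temporary "uploads" dir.
$uploads = sys_get_temp_dir() . '/demo_uploads';
@mkdir($uploads);
$orig = imagecreatetruecolor(300, 150);
imagefill($orig, 0, 0, imagecolorallocate($orig, 200, 30, 30));
imagepng($orig, "$uploads/sample.png");
imagedestroy($orig);

$results = [
    'cropped' => demo_image_resize("$uploads/sample.png", 100, 100, true, $uploads),
    'fitted'  => demo_image_resize("$uploads/sample.png", 600, 600, false, $uploads),
    'remote'  => demo_image_resize('http://example.com/sample.png', 100, 100, true, $uploads),
];
foreach ($results as $label => $path) {
    $size = $path ? getimagesize($path) : false;
    printf("%-8s %s\n", $label, $size ? "{$path} ({$size[0]}x{$size[1]})" : 'rejected');
}
```

The cache file name encodes the target size and crop mode, so a second request for the same dimensions never touches GD again; the is_file() guard is what keeps the function from ever fetching a URL, which is the property the rest of the post relies on.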
Github Page | WordPress Timthumb alternative
Got some questions or feedback? Feel free to direct them to me on Twitter: @matthewruddycom or @rivaslider. Also, please download and follow the development of my two WordPress plugins. My heart, soul and livelihood have gone into the work I’ve been doing on them! Both will be receiving some major updates very soon that I know will really enhance their user experience. It has taken a long time, but it’s been worth it.



Thank you for this great plugin! But check the github link, it’s broken.
For now, the GitHub URL appears to be here:
https://github.com/MatthewRuddy/Wordpress-Timthumb-alternative
Thanks, gonna fix this.
Thanks. A Github frontpage has been created as well. See:
http://matthewruddy.github.com/Wordpress-Timthumb-alternative
To my knowledge it’s been over a year since timthumb was last exploited and I haven’t seen any security issues listed on the timthumb google code page. With that being said, what would be the benefit of using a script that hasn’t been tested for exploits and is new as opposed to using a script that has been tested and patched?
Good question. The Timthumb vulnerability came from the ability to use images from external, untrusted sources. Only a select few ‘trusted’ sources were supposed to be allowed; flickr.com, blogger.com, but a particular section of code didn’t prevent a user from using a file from a domain such as ‘flickr.com.hacker.com’, etc. This gave them access.
The function I’ve created loads the file locally as a resource before it starts the resizing. This requires the absolute path to the image, which obviously won’t work with an external image. The function will fail. You could also add a little snippet of code to the top of the function to check the current image’s domain against your WordPress site’s domain, to be extra safe.
That said, you are correct about Timthumb being pretty safe as of recent. However, hosts still send out vulnerability reports to users when even the most up to date version is used. I found this out the hard way when customers using Bluehost came flocking to me about an email they received saying Riva Slider used Timthumb and therefore they were at risk. The email said it has updated Timthumb to the most recent version for them, even though it was the same version as before!
It may be safe at the moment, but the scare mongering still exists. I still often get asked if Riva Slider uses Timthumb before users purchase. When users who don’t fully understand the logistics of the previous vulnerability hear about the potential threat, they are hard to convince otherwise.
Plus, some hosts blatantly block Timthumb. There can also be a lot of permission errors and 400 errors on various hosts. This function tends not to suffer from those issues. Put simply, if the ‘uploads’ directory has safely been created with the WordPress install, and you can upload to the Media Library fine, this function should work.
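To make the two points in the reply above concrete, here is an added example in PHP (not Timthumb’s actual code and not the post’s function). The first check is a constructed illustration of the class of allow-list bug described: matching an allowed host name anywhere in the URL lets `flickr.com.hacker.com` through. The second parses the URL and matches the host on a dot boundary instead, and can equally be given your own site’s host as the only allowed entry, as the reply suggests. The third does what the post’s approach relies on: it accepts only an existing local file and confirms it lives inside the uploads directory. The allow-list and the temporary uploads directory are assumptions made for the demo.

```php
<?php
// Added example: host and path checks of the kind discussed above.
// Not Timthumb's code and not the post's mr_image_resize function.

/**
 * Weak allow-list: accepts the URL if any allowed host name appears anywhere
 * in it. This is the shape of bug described above: "flickr.com.hacker.com"
 * and "hacker.com/flickr.com/x.php" both contain "flickr.com".
 */
function weak_host_allowed(string $url, array $allowed): bool {
    foreach ($allowed as $host) {
        if (stripos($url, $host) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Strict allow-list: parse the URL, then require the host to equal an allowed
 * name exactly or to be a subdomain of it (preceded by a dot). Pass your own
 * site's host as the only entry to restrict sources to the site itself.
 */
function strict_host_allowed(string $url, array $allowed): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                                   // relative paths, garbage
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $name) {
        $name = strtolower($name);
        if ($host === $name) {
            return true;
        }
        $suffix = '.' . $name;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/**
 * Local-file check, the property the post's approach relies on: the input
 * must be an existing file (URLs never are), and after resolving ".." and
 * symlinks it must sit inside the uploads directory.
 */
function local_upload_path(string $path, string $uploads_dir): ?string {
    if (!is_file($path)) {
        return null;
    }
    $real = realpath($path);
    $base = realpath($uploads_dir);
    if ($real === false || $base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;                                    // e.g. ../wp-config.php
    }
    return $real;
}

// Constructed inputs: an assumed allow-list and a temporary "uploads" dir.
$allowed = ['flickr.com', 'blogger.com'];
$urls = [
    'http://farm1.flickr.com/photo.jpg',     // legitimate subdomain
    'http://flickr.com.hacker.com/evil.php', // the bypass described in the reply
    'http://hacker.com/flickr.com/evil.php', // allowed name only in the path
    'http://FLICKR.COM./photo.jpg',          // case and trailing dot
];
foreach ($urls as $u) {
    printf("%-42s weak=%-5s strict=%s\n", $u,
        weak_host_allowed($u, $allowed) ? 'true' : 'false',
        strict_host_allowed($u, $allowed) ? 'true' : 'false');
}

$uploads = sys_get_temp_dir() . '/demo_uploads';
@mkdir($uploads);
file_put_contents("$uploads/photo.jpg", 'constructed placeholder, not a real JPEG');
$paths = [
    "$uploads/photo.jpg",                    // inside uploads
    "$uploads/../../etc/hostname",           // traversal out of uploads
    'http://flickr.com/photo.jpg',           // not a local file at all
];
foreach ($paths as $p) {
    printf("%-42s %s\n", $p, local_upload_path($p, $uploads) ?? 'rejected');
}
```

The strict check deliberately works on the parsed host rather than the raw string, so an allowed name appearing in the path, in a query string or as a prefix of a longer host no longer counts; the path check is the one that matters for a resizer that only ever opens local files.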
Just a minor annoyance, but the function name is too long. Did you really have to prefix the function with your first and last name? Why not, “better_image_resize” or “secure_image_resize” instead? Just feels silly and unnecessary is all using your name. Other than that, tested this and it works well, so thank you.
The long prefixed name makes sure it doesn’t collide with a function that may be called “image_resize”. Probably a bit much, but better safe than sorry. Feel free to change it in your projects.
I agree, which is why I renamed this function to “mr_image_resize”, “mr” as in “mister” but which also happens to perfectly match his initials instead of the overly long function name.
I would tend to agree on this, while it’s easy to change, I would rather have it done in a more generic and shorter fashion so I have one less step to implement.
Change it as you wish, guys; it is easy to change, as it isn’t set in stone. Hack it up, change it around, and/or simply rename it to ‘image_resize’. There are no limitations.
The overly long function name is just an extra safety measure to avoid conflicts. Although a function called ‘mr_image_resize’ is extremely unlikely, a lot of other themes/plugins use initials prepended to function names. Most likely overkill, but again, feel free to change it.
Stop nitpicking and get using it.
Just my opinion on the matter, not necessarily about your particular plugin.
On the other hand, it’s great that you’ve got this on Github, so we can easily fork it and change whatever we want.
Definitely. Feel free to do whatever you like with it.
Great to see what people can do with it.
Interesting issue since the release of WP 3.5: only the first slideshow in RSP displays. The others on the site endlessly load unless I uncheck ‘resize images’. Is this an unfortunate problem with 3.5 now?
Probably an error of some sort. It has been tested with the 3.5 betas and appears to be working fine. Fire an email to info@matthewruddy.com and we can resolve it there.
Probably something simple we can resolve quickly.
And now the most stupid question of all: how do I use this PHP file?
Include the file using PHP, then use the function as you would use any other function. Of course, you’ll need some PHP knowledge to do this.
Hi Matthew, great plugin!
Can I use it for commercial wordpress plugins?
Sure, that’s no problem at all.