How To Use timthumb.php with Multi-sites

by on August 22, 2011

Many themes for WordPress, particularly commercial and premium themes, make use of the handy timthumb.php utility for resizing images dynamically (on the fly). In recent weeks, major security flaws were discovered in the popular utility. These were promptly repaired, but the fixed version still does not support multi-site installations. So … we've added this capability to the latest 2.8 version.

Now, you have enhanced security … plus you can use our minor update as a direct replacement on single or multi-site installations. You can view the source code here.

Before we cover the updates, let me apologize for my recent lack of blog posts. Health issues have slowed me down a bit and made it more difficult to concentrate. But, this long-missing multi-site capability only requires 11 lines of additional code.

The Security Issues and Update

Because timthumb.php is commonly embedded in themes, it's not easy to update discreetly, as it would be if the code were a plug-in. This fact, coupled with the severity of the flaw, made this one of the more serious WordPress issues in a long while … precisely because the vulnerable code lived neither in the core files nor in a plug-in, so there was no single update that fixed every copy.

However, the incident brought out the best in the WP community. The core team sprang into action searching through the free themes directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it.

Mark Maunder, who originally discovered and described the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up … an amazingly quick and well-executed feat. However, forking is not usually ideal because it fragments the market for users. So … Mark soon connected with Ben Gillbanks, a long-time WordPress community member, and they joined forces to release TimThumb 2.0 … a collaboration that exemplified Open Source at its finest.

This process also illustrated the original vision Matt Mullenweg had behind VaultPress: reporting early and emailing customers whose sites contained vulnerable code. The following morning, the core team began surgically correcting vulnerable code on over 700 affected websites. This fixing-problems-while-you-sleep delighted users and is exactly the kind of problem Matt hoped VaultPress would solve for people … and it underscores the value of the service.

You can visit the project home for TimThumb to get the very latest version … which is 2.8. However, as stated in our introduction, this version still only works with single site installations.

Locating timthumb.php

The file is usually in the root folder of a theme that uses it. However, some themes ship it renamed as thumb.php.

Because the security risk with older versions is high, it's a good idea to search through all themes on your WP installation, including inactive ones: a theme that is not active can still have its timthumb.php requested directly by URL.

Also, most themes simply use TimThumb on the fly. However, a few themes retain a cache of the post thumbnails using TimThumb only when the blog post is saved or updated. If your theme makes use of post thumbnail images in this manner, you'll probably want to regenerate all of the thumbnails at once (after the TimThumb upgrade) using a plug-in like this one.
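As an added example (not part of the original post and not code from the TimThumb project), the following POSIX shell script does the search described above: it walks a themes directory for every timthumb.php or renamed thumb.php, including inactive themes, reports each copy's declared version, flags anything below 2.0 as old, and notes whether the copy already contains the multi-site patch. It assumes TimThumb declares its version with a line of the form define ('VERSION', '2.8'); and that a patched copy calls is_multisite(); the sample theme tree it builds is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from TimThumb itself.
# Scan a WordPress themes directory for every copy of TimThumb (timthumb.php,
# or the renamed thumb.php), report its version and flag old copies.
#
# Assumptions (not stated on the page):
#  - TimThumb declares its version as:   define ('VERSION', '2.8');
#  - a copy carrying the multi-site patch contains a call to is_multisite()

# Classify a version string: "OLD" below 2.0 (or unparseable), "OK" otherwise.
classify_version() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "OLD"; return ;;   # no numeric major version: treat as old
    esac
    if [ "$major" -lt 2 ]; then echo "OLD"; else echo "OK"; fi
}

# Print one "path<TAB>version<TAB>status" line per TimThumb copy under $1.
scan_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    while IFS= read -r f; do
        # Skip files that merely share the name but are not TimThumb.
        grep -qi 'timthumb' "$f" || continue
        ver=$(sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || ver="unknown"
        status=$(classify_version "$ver")
        if grep -q 'is_multisite' "$f"; then
            status="$status,multisite-patched"
        fi
        printf '%s\t%s\t%s\n' "$f" "$ver" "$status"
    done
}

# Build a constructed sample theme tree (demo input only) and print its path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/old-theme" "$root/themes/new-theme" "$root/themes/renamed"
    printf "<?php\n// TimThumb script\ndefine ('VERSION', '1.34');\n" \
        > "$root/themes/old-theme/timthumb.php"
    printf "<?php\n// TimThumb script\ndefine ('VERSION', '2.8');\nif (is_multisite()) { }\n" \
        > "$root/themes/new-theme/timthumb.php"
    printf "<?php\n// timthumb, renamed by the theme author\ndefine ('VERSION', '1.09');\n" \
        > "$root/themes/renamed/thumb.php"
    printf "<?php\n// unrelated helper, not TimThumb\n" \
        > "$root/themes/renamed/thumb.php.bak"
    echo "$root"
}

# Usage on a real install:  scan_timthumb /var/www/html/wp-content/themes
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    scan_timthumb "$demo"
    rm -rf "$demo"
fi
```

Run it with --demo to see the three sample copies classified (two OLD, one OK and multisite-patched); on a real server point scan_timthumb at wp-content/themes. Matching on file content rather than file name alone is what catches the renamed thumb.php copies the post mentions.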

Implementing the Easy Multi-site Patches

You can view the source code here, or download the ZIP file here (14.6 KiB).

This is a direct replacement. You might want to keep a backup of your theme's current file before uploading, but move it out of the web root (or give it a non-.php extension) rather than simply renaming it to timthumb_ORG.php in place: a renamed copy of a vulnerable version is still reachable and executable by URL. It would also be a good idea to clear TimThumb's cache folder of all resized images, since they'll be recreated (using the newer file naming syntax) as needed.

Below, you'll find the easy code to enable the multi-site capability. These PHP source revisions are spelled out so that you can re-apply them to future releases of TimThumb, if you like.

Find the three commented lines shown first in the block below (lines 127 through 129 in version 2.8 of timthumb.php), then insert the two lines that follow them (the comment and the require) immediately after. Loading wp-load.php gives an external (non-WordPress) script such as timthumb.php access to core WordPress functions and data; we use it later to determine whether multi-site is enabled and to read the Blog ID of the current site. Note that this assumes the web server's document root is the WordPress root (TimThumb's own calcDocRoot() makes the same assumption); on a subdirectory install, wp-load.php would have to be located relative to the theme directory instead.

TimThumb: MS Patch Part #1 (PHP, plus WordPress)

// -------------------------------------------------------------
// -------------- STOP EDITING CONFIGURATION HERE --------------
// -------------------------------------------------------------
// MULTISITE FIX by LukeAmerica 2011-08-22 (part 1 of 2) (2 at line #805)
require( $_SERVER['DOCUMENT_ROOT'] . '/wp-load.php' );

Now, find the class function declaration and variable assignment shown as the first two lines below (lines 792 and 793 in timthumb.php v2.8). Then, insert the lines that follow them immediately after.

First, we check whether multi-site is enabled. If so, we pull in the global Blog ID of the current site. Finally, we append the multi-site upload location (wp-content/blogs.dir/<ID>/) to the document root (server path), so that the original image file (PNG, JPG, or GIF) is resolved under the current blog's own directory.

TimThumb: MS Patch Part #2 (PHP, plus WordPress)

    protected function calcDocRoot(){
        $docRoot = @$_SERVER['DOCUMENT_ROOT'];
        // MULTISITE FIX by LukeAmerica 2011-08-22 (part 2 of 2) (1 at line #134)
        if (is_multisite()) {
            // $blog_id is populated by WordPress once wp-load.php has run (part 1)
            global $blog_id;
            if (isset($blog_id) && $blog_id > 0) {
                // each site's uploads live under wp-content/blogs.dir/<ID>/
                $docRoot .= '/wp-content/blogs.dir/' . $blog_id . '/';
            }
        }

Again … these simple lines of code allow the very popular image resizing utility to work with both single-site and multi-site installations. However, WordPress 3.0 or greater is required.

NOTES:

Loading wp-load.php does add overhead: it bootstraps WordPress core (and its active plug-ins) on every request to timthumb.php, including requests that end up served from TimThumb's cache, since the require runs before the cache is checked. That is noticeably more than a few microseconds per image. But, there are three alternatives.

One would be to search through every blogs.dir folder for the named image file … but this could take even longer, and a file name is not unique across sites. Also, we could modify the calling query string to include the Blog ID, but that would require re-writing every single call to timthumb.php in every theme file that invokes it (across multiple themes). Third, we could make use of the list of allowed external sites to add our own site … but this would mean re-writing timthumb.php for every new domain in your multi-site installation.

So … we compromised with a little added overhead … retaining simple file replacement convenience … enabling the #1 requested feature for the popular … and now much more secure … dynamic image resizing utility for WordPress.




6 Responses to “How To Use timthumb.php with Multi-sites”
  1. 1
    anie says:

    Okay, now I know… Thanks for this post. I've learned something great, especially about timthumb.php terms.

  2. 2
  3. 3
    LeCiel says:

    stretch ceilings here

  4. 4
    Chris says:

    I have this working with this code change, however it seems that the cached thumbnails are always being regenerated on each page load.  You can see the images regen each time you refresh even though the cached files are there.  Is that due to this fix?  Is there a way to ensure the cached files are used?

