Limited-Time Sale, up to 30% off! Go Pro, offer ends in | see announcement

Bye TimThumb, we’ll (somewhat) miss you!

Posted on December 5, 2014

TimThumb is a great PHP script used to resize images on the fly. Events Manager has used TimThumb for a few years now with great success, but unfortunately due to various security scares (none which affected the script included in Events Manager, thankfully) the script has developed a pretty bad rep.

As a consequence of these multiple security scares, and deteriorated reputation, in September 2014, Ben Gilbanks announced that he has decided to stop supporting TimThumb.  Due to this, as of version 5.5.4 we will not be packaging the script with our plugin.

How does this affect you?

This will only potentially affect you if previously you’ve not disabled TimThumb in your settings by enabling Settings > General > Performance Options  > Use WordPress Thumbnails (which was the setting before 5.5.4)

If you are using Events Manager to generate thumbnails for Events, Locations, Event Tags or Categories such as with a placeholder like #_EVENTIMAGE{123,123} this may affect you if the image sizes are not proportional to the image sizes generated by WordPress. The reason for this is because WordPress does not crop and resize images on the fly like TimThumb, so if you’re using odd image dimensions you’ll start seeing different image dimensions on your web pages.

How do we fix this?

We’ve spent a great deal of time pondering what the best approach would be…. we’ve decided on a few potential options which are all available to you:

Recommended – Do what Ben does!

Ben, the author of TimThumb, stopped using his own script long before he stopped supporting it. He wrote a pretty comprehensive post about it, which we recommend you read. In short, your options are:

Use the WordPress image resizer, and consider changing the default image sizes to match those sizes you actually use on your site using a plugin like Regenerate Thumbnails by Alex Mills. This is certainly a good way to go, and can be complemented by the use of caching plugins and CDNs.

Enable Photon, which is a free image caching service available as part of the Jetpack plugin. This is a very interesting option because we’ve actually optimized Events Manager so  that if you enable Photon and disable WordPress thumbnails in our new option in  Settings > General > Performance Options  > Disable WordPress Thumbnails , your images will still be resized and cropped in a similar fashion to TimThumb, but the work is all done by the JetPack servers! In a way you get the best of both worlds here…. scaled images that are cached for fast loading!

Keep Using TimThumb

Whilst we don’t ‘recommend’ it anymore, the latest versions of TimThumb at the time of writing are not known to have any vulnerabilities and can still be used effectively on your website. Therefore, we moved the code previously using TimThumb into a separate plugin you can download and install on your WordPress site. If you activate the plugin, it’ll continue serving up TimThumb images just like in previous versions!

That said, we recommend you find another solution or at least make sure you have a reliable security scanning software (which you should have anyway!), like VaultPress, to help keep your site safe.

A final goodbye message….

Personally, I am quite sad to see what happened to TimThumb. It was a victim of its own success, a good piece of script which as a consequence of being open source was able to be scrutinized line by line and security vulnerabilities were found.

Security vulnerabilities are often found in the best open source projects, including WordPress, and even though they are patched quickly (just like TimThumb was) it doesn’t mean that everyone immediately updates their site and therefore there are vulnerable websites out in the wild. The fact that TimThumb was shipped with many themes and plugins that often DON’T even update themselves, this left an astoundingly high number of websites susceptible to being hacked. Funnily enough I myself actually had one of my test servers hacked last month, because it had an inactive theme with an old and vulnerable TimThumb version.

More so, I’m sad to hear the toll it seems to have taken on Ben, he has worked very hard on maintaining the script all these years, fixed security holes as and when they were discovered yet the burden of the few security scares that arose prevented him from developing it further.

I’d like to personally  thank Ben for the wonderful effort he’s made and for all the lovely thumbnails we’ve seen on the many sites running Events Manager. Hats off to you, wishing you luck on your new endeavors!

– Marcus (lead developer of Events Manager)

 

8 Comments

  1. Pam Blizzard says:

    The instructions about this are a little confusing. There’s quite a few double negatives, so I’m trying to figure out exactly what my settings should be.

    I don’t have:
    Settings > General > Performance Options > Use WordPress Thumbnails

    I DO have:
    Settings > General Tab> Performance Optimization (Advanced) > Disable WordPress Thumbnails? y/n

    I should set that to “NO”?

    • marcus says:

      Hi Pam, are you on the latest update of Events Manager (5.5.4)? The ‘Use WordPress Thumbnails’ options is available there, ‘Disable WordPress Thumbnails’ was removed in that version. Essentially, setting the old value to ‘NO’ will achieve the same effect, although cropping won’t work well with Photon.

    • Pam Blizzard says:

      Just double checked, it’s

      Event registration and booking management for WordPress. Recurring events, locations, google maps, rss, ical, booking registration and more!
      Version 5.5.4 | By Marcus Sykes | View details

      We’re not on caching or anything. Weird :)

      Then it’s this:
      Performance Optimization (Advanced)>
      Thumbnails
      Disable WordPress Thumbnails? Yes No
      If set to yes, full sized images will be used and HTML width and height attributes will be used to determine the size. Setting this to yes will also make your images crop efficiently with the Photon feature in the JetPack plugin.

    • Glenn G says:

      I’m seeing exactly what Pam is seeing in Events Manager 5.5.4, and what’s described 5 paragraphs down in the same article above (“Disable” as opposed to “Use”). Makes this a little confusing.

      I already had “Disable WordPress Thumbnails” set to No, so I’m guessing that we want it to stay that way, unless we choose to use Photon? Photon is great when it works, but I’ve seen it fail completely on some sites, showing 1×1 pixel photos, many broken images, etc.

      If a future version of Events Manager does change this label to “Use WordPress Thumbnails”, will it also flip the setting itself, since it’s essentially the opposite? Or should we check it again?

    • Hobbsy says:

      I am seeing the same as Glenn and Pam. Newly updated to 5.5.5 from 5.5.3.1 a few minutes ago and in the settings screen under “Performance Optimization (Advanced)” I see:


      Thumbnails

      Disable WordPress Thumbnails? Yes No

      If set to yes, full sized images will be used and HTML width and height attributes will be used to determine the size. Setting this to yes will also make your images crop efficiently with the Photon feature in the JetPack plugin.

      (ps this is for a different site than my linked website)

    • marcus says:

      Oops, sorry I mixed up the setting names in the comment, the wording in the post is correct though, but I’ve made the first reference a little more obvious that it was in <5.5.4

      USE WordPress Thumbnails was pre 5.5.4

      DISABLE WordPress Thumbnails is the new option.

      I would suggest setting the new setting to NO, meaning that WP will choose the most appropriate image to resize to. If you use Photon, cropping will work pretty well.

      We'll look into other image resizing options, but most likely the viable solution would be to create new WP thumbnail sizes so the Media Manager does the processing first time you upload and use those sizes in your events (which in turn can be cached with a CDN).

  2. Sharul says:

    I have a lots of wordpress using this plugin, and also some scripts i made are heavily depending on timthumb, dropping TimThumb is currently not an option. Why?
    1. Having to regenerate media every time i make changes (change theme, change layout) is not efficient.
    2. Regenerate images will left a lots of leftover images that may not be use forever, thus consuming the storage space.

    • marcus says:

      Hi Sharul,

      TimThumb going away is a bummer, and we’ve been under pressure to drop it way before Ben even ended it. We started using TT after the first major vulnerability report, the second one wasn’t relevant to us either, so you could still use it ‘safely’ with the alternative plugin we wrote and linked to in the post above.

      We’re looking into the alternatives, whilst dynamic thumbnail generation without Photon isn’t as easy anymore, if you’re not changing thumbnail sizes all the time then WP’s thumbnail generation with custom sizes is a good option. Storage space is the obvious drawback here, but it’s certainly cheaper than processing power to resize images on the fly.



Interested in Events Manager?

Sign up to our newsletter, receive a free add-on and an additional 10% discount for Pro!

You will receive a confirmation email which you must click on, you will then be sent another welcome email with links to your discount and free add-on.