timthumb.php not working in WordPress

June 2, 2010 Charles Calvert 5 comments

A client had a WordPress theme that made use of timthumb.php to generate thumbnail images on the fly. If you check the documentation for the script, it tells you to set the permissions for the cache folder to “777″. This is short-hand for “all users are allowed to read, write, create and execute files in this directory”. This blog post from Chad Coleman provides a rather useful guide for using the script in a WordPress theme. It goes one step farther and tells you to set the permissions for both the cache folder and the script’s containing folder to “777″.

This is bad advice. The WordPress Codex has an explanation of the dangers of 777 permissions. Don’t do it. It may be necessary to use them on some badly configured hosts, but if you run into that situation, get a new host with a competent administrator quickly.

Some web hosts prohibit the execution of scripts that reside in folders with 777 permissions in order to protect their users from such bad advice. If you are using a WordPress theme that makes use of timthumb.php and are not seeing the thumbnails, I suggest that you alter the permissions of the folder containing the script and the cache folder to at least 755 (only the owner can write/create files in the folder). Frankly, I think that 600 (owner can write and read, but not execute, no one else has any access) is a good default for anything except anonymous FTP folders.

Software, Web Applications, WordPress security, WordPress

#1 | Written by digitalcamera on February 27, 2011. Reply

i used hostgator and found this http://www.elegantthemes.com/hostgator.pdf to fix the problem.
- #2 | Written by Charles Calvert on February 28, 2011. Reply
  
  Thanks for the link to the document. It basically says the same thing as my post above, except that they also recommended a slight modification to the script.
  
  One thing about this document that bothers me is the author’s lack of understanding of what was going on. He refers to the file permissions as “CHMOD settings”. First, it’s “chmod”, not “CHMOD” (Linux is case sensitive) and chmod is an abbreviation for “change mode”, where “mode” is referring to the file system permissions for the file or folder.
  
  While using the wrong terminology doesn’t necessarily make the rest of the information incorrect, it’s definitely a flag that you should double check the advice, as the author may or may not have any idea what he’s talking about. Think about it like this: would you think twice about taking advice on baseball from someone who kept referring to a baseball bat as a “sphere whacker”?
#3 | Written by Jeannie on April 19, 2011. Reply

Yes, my web host prohibits using the 777 permissions for this sort of thing. Thanks for alerting everyone to this.
- #4 | Written by Peg Rhodes on April 26, 2011. Reply
  
  who was your web host? I have been using Yahoo! hosting and they don’t allow a lot of things I can access my .htaccess file
  - #5 | Written by Charles Calvert on April 26, 2011. Reply
    
    In my case, it was a client’s site on fatcow.com. I avoid Yahoo as a web host. See this post for why: http://www.celticwolf.com/blog/2010/03/12/yahoo-small-business-web-hosting-has-outdated-software/

Charles on Software

About Charles Calvert and Celtic Wolf

Categories

Blogroll

Meta

timthumb.php not working in WordPress

Leave a Comment

Charles on Software

About Charles Calvert and Celtic Wolf

Categories

Blogroll

Meta

Tags

timthumb.php not working in WordPress

Leave a Comment