How to Fix and Cleanup the TimThumb Hack in WordPress
So if you remember correctly, there was a security issue with the TimThumb script in August which was fixed. However, to our surprise, many sites are still using the old version. We have fixed three sites so far in the past month, one of them yesterday. So it makes sense to simply write a step-by-step article that our users can follow. None of the three users we fixed this issue for even knew what TimThumb was, or whether they were using it.
Hackers often hide their backdoor in themes and plugins on WordPress websites. You should look at your WordPress website and delete any inactive WordPress themes and plugins. You can learn more about the “Backdoor method” here. Once you have deleted the plugins, you should rescan your WordPress website to get an updated list of issues. Our free and safe WordPress Scanner will report the status of all of the core WordPress files to tell you where the hack may be occurring.
The most common places are the WordPress theme and plugin directories, the upload directories, wp-config.php, the wp-includes directory, and .htaccess files. You should also run your website through the Theme Authenticity Checker, which is linked here. The Theme Authenticity Checker shows a details button next to the affected theme with a reference to the infected file, and it also shows you the malicious code that it found.
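As an added example (not code from the original post or from the scanner tools it mentions), the following Python script walks a WordPress install, reports every TimThumb copy it finds along with the VERSION constant the script declares near its top, and lists PHP files sitting under wp-content/uploads, one of the common hiding places named above. The sample site layout it builds is constructed for the demo, and treating anything below 2.0 as the pre-fix version is an assumption; compare against the release you actually deployed.

```python
# Added example (not from the original post): find TimThumb copies in a
# WordPress tree, report their version, and list stray PHP files under
# wp-content/uploads. The sample tree below is constructed for the demo.
import os
import re
import tempfile

# TimThumb declares its version near the top of the file, e.g.
#   define ('VERSION', '1.33');
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]\s*\)"
)
# The script's header comment names it, so match on that rather than on the
# file name: renamed copies (thumb.php and the like) are still caught.
TIMTHUMB_MARKER = "timthumb"
# Assumption: the August fix corresponds to the 2.0 release; anything older
# (or with no recognisable VERSION line) is reported as outdated.
PATCHED_VERSION = (2, 0)
HEAD_BYTES = 4096  # marker and VERSION line both sit in the first few KB


def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def find_timthumb(root):
    """Return one dict per TimThumb copy found anywhere under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                head = fh.read(HEAD_BYTES)
            if TIMTHUMB_MARKER not in head.lower():
                continue
            match = VERSION_RE.search(head)
            version = match.group(1) if match else None
            outdated = version is None or parse_version(version) < PATCHED_VERSION
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "version": version,
                "outdated": outdated,
            })
    return sorted(findings, key=lambda f: f["path"])


def find_php_in_uploads(root):
    """PHP files under wp-content/uploads are rarely legitimate; list them."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed WordPress layout for the demo; not a real site."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        # old TimThumb shipped inside a theme
        "wp-content/themes/old-theme/timthumb.php":
            "<?php\n/*\n * TimThumb script\n */\ndefine ('VERSION', '1.33');\n",
        # renamed, newer copy inside a plugin
        "wp-content/plugins/gallery/thumb.php":
            "<?php\n// renamed TimThumb copy\ndefine ('VERSION', '2.8.10');\n",
        "wp-content/uploads/2011/09/image.jpg": "not php",
        # planted file: PHP has no business in the uploads directory
        "wp-content/uploads/2011/09/cache.php": "<?php // should not be here\n",
        "wp-config.php": "<?php define('DB_NAME', 'demo');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_tree()  # replace with the real document root
    for item in find_timthumb(site):
        flag = "OUTDATED" if item["outdated"] else "ok"
        print(f"{flag:8s} {item['version'] or '?':7s} {item['path']}")
    for rel in find_php_in_uploads(site):
        print(f"PHP in uploads: {rel}")
```

Run it against the real document root instead of the constructed tree; every copy flagged OUTDATED should be replaced with the current TimThumb release or removed along with the theme or plugin that bundles it, and PHP files under uploads deserve a manual look before deletion.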
You have two options for fixing the hack here.