Using TimThumb on Your Website? Either Patch It Or Ditch It Right Now

If your WordPress theme uses a TimThumb library or you are manually using the TimThumb script on your site’s template, stop reading this article and remove the script right now. Your website is in a state of serious security risk, as anyone can upload and execute arbitrary PHP code in your TimThumb cache directory.

About TimThumb:   TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While TimThumb can be used on any website, it is ideal for blogs and other websites who use templates and themes (self hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit in your blog template. Thumbnails, profile picture of users and signature images are typical examples where TimThumb script is used. Whilst TimThumb has found a home in WordPress themes, it is by no means limited to them – TimThumb can be used on any website to resize almost any image.

Here is how the TimThumb script works under normal conditions:

You get the TimThumb script from Google Code, upload it to a directory of your webserver, specify a cache directory and call the code from the source of your template. There are a lot of parameters which can be used with TimThumb, it depends on the requirements of your website and how you want to scale internal as well as external images.

Once your script is in place, it will continue to work in the background and store a copy of the original image in the cache folder. So if you are scaling a really large image to 100 X 100 using TimThumb, an exact match copy of the image will be saved in the cache folder. This image will be shown to your website visitors.

And here is how the recent TimThumb vulnerability goes to work.

Since the cache directory is public and is accessible to anyone visiting the website, an attacker can compromise your site by figuring out a way to get TimThumb to fetch a PHP file and put that file in the same directory. Now since the cache directory is preconfigured to execute any file ending with a .PHP extension, you are trapped.

The only way this security vulnerability can be avoided is to explicitly modify the permissions of the cache directory and tell your web server not to execute .PHP files from TimThumb’s cache directory. But in case of WordPress blogs and other websites, almost every web server is preconfigured to execute .PHP files on any directory.

Mark Maunder, discovered the problem when his own blog got hacked due to this TimThumb exploit. The hacker uploaded a file in the cache folder of Mark’s web server and added a malicious code with a base64_decode. Suddenly ads were popping out on every page of Mark’s website, the results could have been more alarmic. Some common possibilities are – serving malicious content, redirecting to a random website, loading advertisements or putting up a fake login page for users.

How To Keep Your Website Safe From TimThumb’s Security Exploit

There are quite a number of ways you can avoid such situations on your website.

1. Don’t use the script at all: This is probably the best and recommended option for anyone who don’t know how to tweak the WordPress theme of his site. Ask your theme developer to permanently remove TimThumb script from your WordPress theme or find the files which are calling that TimThumb script. Delete those codes and don’t forget to delete the TimThumb directory as well (be careful, take a backup of your theme first).

2. TimThumb is not exclusive: There are quite a number of alternatives to consider. For example: you can use jquery plugins to resize internal images on your website.

3. Patch it: If You must use the TimThumb Script, first patch the script to it’s latest version. Before using the script, open the timthumb.php file for editing, jump to line number 27 and remove the options for $allowedSites. The array should have no elements and it should look something like this:

//external domains that are allowed to be displayed on your website
$allowedSites = array();


Save the file and upload it back. This will disable timthumb.php’s ability to load images from external sites and the attacker wont be able to compromise your site using an external image

4. HTACCESS: Open up Notepad and dump the following code in it:

Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

Save the file as .HTACCESS and upload it to TimThumb’s cache folder (remember to save as All Files and not as a text file). This HTACCESS file will prevent PHP and other scripting languages from being executed and anyone trying to access the files will get a 403 forbidden access denied message.

5. Why not WordPress? WordPress already has a very decent image handling system and there is a chance that you might not need TimThumb in the first place. The way WordPress handles images is far more secure, never creates cached files or writes them to a directory and keeps the images in the same place where they were uploaded by default. And since WordPress releases security and feature enhancements on a time to time basis, your WordPress powered functions will automatically stay secure as you update WordPress.

Ben Gillbanks, the developer of TimThumb is working on a fix and a more secured version of TimThumb should be released soon. [changelog is here]

Bonus tip: Unless you know the code and their corresponding output, never use free WordPress themes  for your site. A lot of them contain base_64 decoded codes embedded within the source, which can hurt in more ways than one.

Google Page Speed Service Wants To Rewrite Your Site’s Code For Faster Performance

Even kids know that faster sites converts well and creates an enjoyable user experience.

You may have superb content on your blog or great products on your ecommerce site but at the end of the day, most users will abandon your site and go elsewhere if your site takes 15 seconds to load.

Google has been excessively obsessing about speed these days. They launched a new image format, added page speed integration in Google Webmaster tools and introduced an online tool to measure the loading time of any webpage for desktop and mobile browsers. These tools were made to help webmasters fix technical issues on their sites, so that they can improve the glitches on their own and make their sites faster.

Looks like that wasn’t enough, as Google has just introduced a new tool called Google Page Speed Service which will rewrite your site’s code and apply performance tweaks to make it faster.

How Google’s Page Speed Service Speeds Up Your Site

Here is how it works.

You sign up for a Page speed account and point your site’s DNS entry to Google. Google’s Page speed service will fetch your page on their servers and rewrite them by applying web performance best practices. Once the remote copy of your page is ready, it will be served to end users who request your page from their browser.

Basically Google Page speed service acts as a content delivery network for websites which analyzes your code, fixes performance issues and serves the optimized copy to your users and customers. You don’t have to worry about browser caching, CSS compression and other technical stuff, Google Page speed will handle everything for you.   Since Google’s servers are located all around the globe, and are typically extremely fast and reliable, this will increase both performance and availability of your website.

The best thing here is that these optimizations will be carried out in the background, so this will help those webmasters who don’t have enough technical knowledge of web development.

The only catch here is that unlike majority of Google products and services, Google Page speed is not free and users will have to pay a fee to use it. At this time, Page Speed Service is being offered to a limited set of webmasters free of charge (request an invite here).


Additionally, you may want to compare the loading time difference before and after the optimization tweaks at

Google Page Speed in No Magic. If Your Code Is Bad, Your Site Will Still be Slow

Some webmasters who don’t have the knowledge of web development have this concept that using the best products, plugins and services should automatically make their site faster. I am sorry but this isn’t entirely true.

Here is an example.

Last week, I was talking with one of my friends who had issues with his site’s loading time. His site was hosted on a virtual private server, he was using caching plugins but still his site was very slow. I had a look at his WordPress theme and found the following problems:

1. A lot of scripts and Jquery files were called from the head section of the template. These Jquery files were required by a carousel of posts shown only on the homepage, so there is practically no reason to call those bulky scripts from every other page of the site.

2. A lot of the PHP codes used in the theme could be easily converted into static HTML. There is no point in using a PHP query to fetch the URL of your site’s homepage. Why use an extra query when you can just replace it with static HTML?

3. Internal CSS is so 1999. I mean, why would anyone use a div style element and hog down each and every page?

4. Using a social bookmarking plugin does not ensure better speed in any sense. It’s exactly the opposite. Why? Because these plugins would fetch the same code which you could have embedded right into the template yourself. Why use an extra plugin?

5. The way your content management system and servers are setup play a huge role on how your site responds to end users. If you don’t know the codes yourself, you can’t optimize it. Hence, your site will end up having a good amount of junk codes which are not required at all.

The short answer is: you have to work on the code first, optimize it and reduce the overall response time of your site. Using any CDN will help only 10%, the rest 90% depends how your site is built and coded.

Do read: Techie buzz server architecture.

Google Testing A Single Column Search Layout?

Digital Inspiration is reporting that Google is testing a brand new one column layout on search result pages. Both the left and right columns have been dropped while the search options appear between the search box and the search results, as seen in the following screenshot:


Just like the previous design change of Google, there is plenty of whitespace between the results and font sizes have been reduced slightly. Here is another screenshot of regular Google search, notice that the links to view cached copies and instant previews are nowhere to be found:


From the past couple of months, Google has been heavily experimenting with the design and overall look and feel of their search result pages. Prior to the release of Google Plus and the infamous black navigation menu bar, they removed the classic I am feeling luckybutton and added support for author thumbnails next to specific results. Google claims that the series of redesign is part of their strategy to provide more focus to users, so that they can quickly find the content they are looking for.

Some users have reported that this one column search layout of Google is only visible on tablet devices e.g iPad. Its possible that Google wants to test the usability of this layout on tablet devices first and then push a global  roll out  for everyone in coming days.

And not just the layout or columns, there is another report that Google might make the navigation bar sticky. That’s right, the black menu bar will get stuck at the top of the page while search results will be plastered within an infinite scrolling section in the middle. Here is the video:

Simple Presentation on Getting Started with Google+

It’s exactly one month since Google Plus was introduced on a field trial basis. Until today, 10 million users have joined Google Plus and many users are signing up every day, which proves that Google Plus is here to stay.

Google Plus looks pretty similar to other social sites such as Facebook or Twitter but have some unique features and better privacy settings. There are no walls in Plus and neither there is a separate inbox folder where you can send or receive private messages. Communicating with Google Plus friends is a completely new experience so before you sign up for Google Plus, we suggest you to read our step by step guides: Google Plus for dummies and getting started with Google Plus

As I said, Google Plus has introduced a completely new way to sort friends and contacts into different groups called Circles. A single person can be present in one or more circles and you can customize the visibility of a post by sharing it with specific circles of your choice. For the past couple of weeks, I have heard a lot of questions from my non-geeky friends about the different features of Google Plus and how to get the hang of it.

What is this circle thing in Google Plus and why do I need to create one? I would share everything with everyone, that’s how it works right?

How do I write something on my friends profile? Today is her birthday but I can’t find a way to write a message on her wall, poke her or throw her a virtual birthday gift.

I am sure newbies have a lot of similar questions, which should be answered by this presentation that follows.

The Google Plus Experience Explained through Photos

One Google Plus user has created an awesome presentation, explaining the basic concepts of Google Plus using Photos. The presentation contains 49 photos, arranged sequentially to give you a basic run down of how things work in Google Plus.


Here is the link of the photo album – (clicking the first photo will start   the slideshow in full screen mode). Once you have started the slideshow, use the left and right arrow keys on your keyboard to browse through the presentation.

So if you have a friend who keeps asking you about Google Plus, circles and hangouts, ask him to see this presentation and get his doubts cleared. We thought it would be a nice idea to create a video screencast of the above presentation. The video is embedded below:

Google Plus One Votes Being Sold By SEO Firms And Social Media Shops, Should You Buy Them?

Google’s +1 service helps people discover relevant content.

It can be a website, a photo, an advertisement or a video, content that gets plus one’d from people present in your social circles are showcased on top of search results. This is Google’s attempt to offer personalized content on search result pages, so that users can find content based on their social recommendations.

The game of search has changed. And changed for good.

No longer can any particular site dominate the search results by buying tons of links, the playing field has been leveled by human engagement. Social signals are a strong factor now.

The way Google search is evolving, web marketers are increasingly focusing on engaging people and drifting away from classical link marketing. Does that mean SEO firms have to close shop and find alternative ways to foster their business?

Apparently, no. Instead, they have now found a new way to game clients Buy social signals for $249, Cheap google Plus one votesand 50 Google Plus onesare new one-liners.

How Some SEO Firms Are Selling Google +1 Votes

Just a simple Google search for buy Google Plus onesand you will end up finding quite a good number of sources selling Google Plus ones.

buy-google-plus-ones and are the two sites who are selling Google Plus ones in exchange of hard cash, I am sure more social media shops will join them in coming days. Their pitch is simple, buy Google plus one votes from real people (or spammers) and see the impact of these plus ones on your ranking.


Here is a quote from which sounds lucrative

Buying Plus Ones can help your site stand out by showing Google that the content featured on it or the page being Plussed is of value to real people and not spammy. Similar to Facebook’s LIKE, the Twitter FOLLOW or Digg’s DIGG it adds a human aspect to the ranking algorithm used by search engines and social bookmarking sites

buying-plus-onesNot getting enough plus one’s on your sales page? These services claim that all their plus ones come from human computers, no bots are used. Core principles are listed below:

  1. All +1′s come from people with a Google account that has been verified by phone (Phone Verified Accounts)
  2. All +1′s come from real people. No bots are being used!
  3. All +1′s are being given by manually going to your website and clicking the +1 button
  4. It’s untraceable because the +1′s are being given from different IP’s
  5. All +1′s are given dripped over a couple of days so it looks natural

Sounds good? Let me tell you, this is CRAP!

Why Buying Google Plus One’s Might not Help But Hurt

This concept is not new, we have seen retweet clubs, 3 way Facebook fan pages and Digg groups created solely for the purpose of pushing each others content on social sites and search engines.

You tweet each and every link from my blog and I will do the same for you

You give me 500 Diggs from your network and I will give you 500 in return. Hence, both of us will end up having 1000 Diggs and we will be at the first page

These forced social sharing concept is nothing but a fallacy. Its just a fancy name of spamming, if you are doing this to your followers – I beg of you STOP IT.

And neither they help you get higher ranks for your content. It’s a myth and you should understand a few things before trying to game a search engine:

1. Search engines work universally for everyone.   If someone doesn’t have a Google account, will he see completely different results for a given search query? No.

2. Google Plus ones, retweets, Facebook likes are strong social signals but they help only on the social recommendation level. Getting a thousand plus one’s on any given page will not push your content for everyone.

Example: If I am connected to John on Twitter and John plus one’s a page about WordPress, there is a chance that I will see John’s link on Google; the next time I search for something related to WordPress.

Now if that page receives 500 Plus ones from different users, will it get a permanent spot on Google search results for a given search query? No.

So what is the point of buying Google Plus ones, retweets or Facebook likes? The spammers who are voting your content for money are not present in the social circle of everyone.

And here is why this behavior might hurt rather than helping you.

Google can precisely detect the user engagement of a given page, over a given period of time. How much time do visitors spend on your page, what other pages they are reading, where are they coming from,   search queries and everything.

Take it from me – its impossible to manipulate or compensate for   the organically generated data, you can’t do it with 10,000 spammers working for you on a given page over a course of 1 year.

Instead, Google can detect spammy behavior and whether a site owner is engaging in over optimization techniques.

Some examples:

1. This site was nothing the other day and suddenly, we have 40,000 pages in the index.
2. This is an ecommerce site and for the past couple of months, all their backlinks have the exact same anchor text.
3. The people who have +1’d pages on this site have also +1’d thousands of pages on other sites. Interestingly, these pages do not match and they have nothing in common.

A high school drop out can do the math from the above equations, forget complex search algorithms.

Google Toolbar For Firefox 5 and Future Versions Will Be Discontinued

After a surge of updates on Google Plus, it looks like Google wants to do a little housecleaning.

Yesterday, Google announced that they are ending support for Labs because the company wants to focus their resources and efforts on existing products. Now Google has announced that they are ending support for Google Toolbar for Firefox 5 and future versions.

Google says

For Firefox users, many features that were once offered by Google Toolbar for Firefox are now already built right into the browser. Therefore, while Google Toolbar for Firefox works on versions up to and including Firefox 4 only, it will not be supported on Firefox 5 and future versions.

google-toolbar-firefox-discontinuedI am not a power Google toolbar user and I uninstall it right away, whenever I see one. But there are a lot of people who regularly use the Google Toolbar in Firefox, because the toolbar provides handy shortcuts to Google services and provides easier sharing options. Google says that many features that were once offered by Google Toolbar for Firefox, are already built right into the browser.

I beg to differ. Here is why:

1. There is no way to know the toolbar PR of a webpage in Firefox, unless you have Google Toolbar installed. I know there are a dozen SEO add-ons and third party sites for knowing the PageRank, but remember that none of them come shipped from the Google factory.

2. There is no way to perform a site specific search in Firefox, unless you know the operator.

3. The sharing options in Google Toolbar are super easy to use and supports almost any social networking site on earth. I agree there are a lot of Firefox add-ons for social sharing but they are not complete and are speed and performance hogs.

Other Toolbar features such as Gmail notifications, page translations and auto fill options are also close to dead. Firefox users who previously enjoyed using Google Toolbar, have to use a different add-on for each of them.

Being a Google Chrome user, I am a bit surprised on Google’s decision to phase out Google Toolbar for Firefox 5 and future versions. How are they going to track user behavior, site speed and other usability tests for Firefox users? Being a data driven company, why do they no longer want the data? A major portion of the Internet population still uses Firefox, I hope Google is well aware of that.

Or is it Let’s push the market share of Chrome by killing our features on competing products?

Update:  Workaround to Run Google Toolbar in Firefox 5 and Firefox 6

Pakistani Website Hacked By Indian Hackers In Response To The 2011 Mumbai Bomb Blasts

Remember the last time an Indian hacker group calling itself Indian cyber armyhacked 35 Pakistani Government websites? The same group is back again, this time targeting a Pakistani songs website


This hack attack is in direct conjunction with the very recent Mumbai bomb blasts that occurred on 13th July 2011, killing at least 21 innocent people and injuring more than 121 civilians. Sources and intelligence agencies claim that the bomb blasts were carried out by Pakistani terrorist groups which is the reason why an unknown Indian hacker group hacked the Pakistani website. Sort of a revenge!

Here is another screenshot which reveals that the FTP server of was indeed compromised by Indian hackers:


After gaining root access to the servers, the hacker group posted this message on the homepage of

Pray for all the innocent victims of Mumbai attack .This is a small answer from All Indians. Remember we are together, you can just kill innocent people, women and children..But there is no future for you, we are coming with huge speed. Corruption will be under control, every Indian will have money and power.Then there will be no one to save you, you are a dirty stamp on pure Islam. Try to understand and respect it, just remember we are coming.Bye.Exit

India Pakistan Cyber War

India Pakistan cyber war is not a new story. We have earlier witnessed how Pakistani hackers quickly responded to the Indian aggression by hacking the Indian CBI website. The back to back hack attacks ceased after the PCA group offered a one sided ceasefire [read the media statement they sent us]. the Pakistani website which was hacked demands a little more explanation.


This site gets 80% of it’s traffic from India because what they offer is nothing but pirated downloads of Indian music albums, Bollywood songs and MP3’s. Every day, thousands of Indian users flock into the site to download pirated MP3’s because the site has a huge collection of Indian songs, which they offer as free download.

Their business model is completely different from legitimate sites. When a novice user enters to download pirated music, he is greeted with at least half dozen popup advertisements. Most of these advertisements have nothing to do with music and they are geared towards novice users who fall for lotteries, Internet scams and the other so called lucrative offers.

Pakistani hackers have created websites such as the, which are infested with software to hack data from targeted computers- an Indian cyber expert said. “Nowadays new virus and worms are detected while downloading songs from these websites, which could be just a dry run to manage a bigger attack,” he added.

With these websites being highly popular, it will take only a few minutes for the owner of a malicious site to take command of over 12 lakh Indian computers and the number of such computers can multiply. And since the website offers pirated music for free, their marketing and reach happens automatically due to word of mouth. The underlying truth – users are unaware of the fact that they can be potential victims.

If you think practically, users can’t be blamed either. Online commerce of Indian music is yet to pick up because 99% of the targeted Indian audience do not have credit cards. They are always looking for free ways to download music and movies from the Internet, which lays the welcome mat rolling for infested sites such as

[h/t Apurva Chaudhary]

Reverse Engineering Google’s Panda Slap, Hubpages Seeing Improvements After Offloading Content To Subdomains

It has been over four months since Google’s famous Panda algorithmic update, also known as Farmer update went live globally. This Panda update is one of the most devastating algorithmic changes ever, crippling site traffic of thousands of sites in a flash. There are so many forum threads where webmasters   have said that their site has just disappeared from Google search. Publishing platforms, article directories, content sites, blogs, forums or any other web property which has a lot of content were most affected by this algorithmic change.

Why this new algorithm? Because Google has been under attack from content farms and spam aggregators and they had to do something about it.

To this day, most of the webmasters have no idea what is the exact problem which led to the penalization of their site(s). Here are some case scenarios:

  • Is it just the content on the site which is considered thin and shallow in nature?
  • Or the incoming links have lost their weight post panda?   Because the sites linking to you have lost their value (assumption).
  • Were the pages been knocked off because of competition?
  • Duplicate content or canonical issues within the source code?
  • Scraper sites outranking the source for the content they have written?
  • Too many advertisements on the site   or the Ad to content ratio is way above the line.
  • A large volume of user generated content which was hastily produced and don’t serve any value.

Many possibilities.

Since no one has yet recovered from Google’s Panda slap, it makes sense to conclude it’s not just one factor.

Google Plus Enhancer Shows Unread Count Of Gmail And Google Reader On Google’s Menu Bar

The best thing about recent redesign of Google homepage is probably the black navigation menu bar.

Personally, I am not a big fan of the fancy black background color but considering the fact that this menu bar integrates tightly with Google Plus and other Google services, I think it’s highly useful.

When you are using other Google services like Gmail, Google Reader or Google blog search, you get real time notifications from your Google Plus account. You can read and reply to comments directly from Google’s notification bar, without having to open your Google Plus account over and over again.

This concept can be extended to Gmail and Google Reader, thanks to the Google + Enhancer Greasemonkey script

Google Plus enhancer lets you see unread email count of Gmail and unread count for Google reader items right from Google’s menu bar. Once the script is installed and you are signed in to your Google account, the script will show real time notifications of Google Reader unread items and number of unread email in Gmail, as shown below:


The script works universally, no matter which Google service you are using. In addition to showing unread email count from Gmail, the script will also shows you notifications from Google Calendar, Google Maps, iGoogle, Google News and Google Images.

Please note that the script wont work if you are using multiple or separate Google accounts for Gmail, Google Reader or Google Plus. The script can fetch notifications for the currently active session of the logged in user, so if you are using Google Apps for Gmail and a regular Gmail account with Google Reader the notifications won’t work for all services. The notifications will only be shown for that Google account which is being used last.

And since this is a Greasemonkey script and not a browser specific extension, it will work in most modern browsers e.g Google Chrome, Firefox, Opera. Also read our earlier tutorial on how to run Greasemonkey scripts in Opera, Internet Explorer or Safari.

Note: Keith has earlier developed Google Black bar hider another Greasemonkey script which completely disables the black navigation bar across all Google services. If you hate Google’s new black menu bar and have installed the Google black bar hider script, this Google Plus enhancer one won’t work at all. This is because Keith’s script will completely remove the notification bar, so the Google Plus enhancer script will never be shown in the first place.


Gmail Will Soon Introduce New Inbox Styles For Managing Email Overload

When it comes to managing email from 6 different accounts at one place, I always prefer using Gmail over Yahoo, Hotmail and other free webmail providers.

That’s because Gmail is so clean, easy to use, has a priority inbox, better search features and supports custom filters. It’s not that other webmail providers don’t have these features but I have always found Gmail to be more user friendly and easy to use.

The earlier week, Gmail announced a redesign of their inbox which is still a work in progress and will be rolled out in a few weeks from now. Looks like Gmail developers are also focusing on organization and easier management, as they are testing different inbox styles to help users manage their mail in the way that works best for them.

Different users have different style of handling email and Gmail wants to provide you an inbox which is in harmony with your habits and requirements. Some users never delete old email, some frequently star important messages while some of us prefer a zero inbox. This is the reason why Google will soon roll out inbox stylesin Gmail which will let users choose a different style for their inbox, as shown in the following image:

Gmail Inbox styles

Once Gmail inbox styles are activated for your account, you can choose any of the inbox style that meets your requirements and habits. Gmail is kicking off this feature with 4 inbox styles, as described below:

1. Classic Gmail Inbox: This is the general UI of Gmail inbox that most users see and use. Incoming messages are organized chronologically from top to bottom in the order they are received. Almost 90% of users I know use this inbox without any labels or filters and they have like more than 1000 messages lined up one after another in their Gmail inbox.   Though very unproductive, it’s a fact that some users are too lazy to learn all the advanced features that Gmail offers.

2. Priority Inbox: This one is ideally suited for those, who get tons of email every single day. Enabling the priority inbox feature of Gmail will add a second inbox on top of your regular Gmail inbox. Gmail will automatically filter important messages and will move them to the priority inbox folder of your Gmail account.

3. Important first: While the priority inbox is only for unread messages, the Important firstinbox will hold both read and unread messages. This inbox will contain only those messages which you have marked as Important, rest of the stuff will go to your normal inbox.

4. Unread first: This inbox style will put a separator between unread messages and read ones. Not so useful for me but it will be surely useful for those who get hundreds of email every day and prefer reading some messages on weekends.

5. Starred first: This one will put all the starred messages on the top, everything else will be at the bottom pane.

After you have selected your preferred inbox style in Gmail and have settled with it, rest of the tabs will automatically go away. Gmail will roll out this feature in a matter of few weeks so let us know your favorite Gmail inbox style in the comments section.