Filter Suspicious Query Strings blocks timthumb images (support thread for the plugin iThemes Security, formerly Better WP Security)

  • Resolved Ksaveras


    Using plugin version 3.4.7.
    When Filter Suspicious Query Strings is enabled, it blocks images that are generated by timthumb.
    URL example:


    I get 403 – Forbidden

    Please add a rule to pass links that are used in themes and check whether the timthumb link contains the same domain as defined in WP: pass when the image link is my site link and forbid when the link is not my site link:

    This should be OK:


    BLOCK this:


Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter Ksaveras


    something like this:

    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.tld.*

    You should turn off “filter suspicious query string” if you intend to use timthumb. I will not correct this in the plugin due to the number of sites I still fix that were compromised via timthumb. This is definitely one of those features that might need to be turned off in some sites.

    Isn’t there a way to disable this just for thumb.php? Like in htaccess? For example, to allow requests from or other custom sites?

    Of course there is. Remove this from htaccess:

    RewriteCond %{QUERY_STRING} http\: [NC,OR]

    That’s awesome. Now… will this conflict with the plugin?

    No, it doesn’t conflict with the plugin, but the disadvantage is that you have to remind yourself to remove this line every time you update the plugin. I just found out myself that I forgot, so visitors’ time on site dropped.

    Thanks for sharing your tips Okoth1 and Ksaveras. I’ve not deleted the whole rule filtering QUERY STRINGS starting with http, but only those not pulled by the timthumb script specific to the theme I’m using. For best reference, I’ve used this:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Forbid a query string that is one of our own upload images unless the
    # request is for the theme's own timthumb.php
    RewriteCond %{QUERY_STRING} ^http\://(www\.)?example\.com/wp-content/uploads/(.*)(jpe?g|png|tiff?) [NC]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-content/themes/MYTHEME/timthumb.php
    RewriteRule ^(.*)$ - [F,L]
    # We use only http protocol, thus blocking anything starting w/https
    RewriteCond %{QUERY_STRING} ^https\: [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    I’m trying to limit in this way the vulnerabilities introduced by timthumb, and to understand how to keep specific plugins/themes working without entirely disabling features offered by Better WP Security.
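Added example (not posted by anyone in this thread, and not the plugin's own code): a small Python model of the three rule variants discussed above, so a candidate rule can be tried against sample request query strings before it goes into .htaccess. It assumes the site host is example.com and the theme directory MYTHEME, as in the posted rule; the same-host allowlist function is my own rendering of what the first post asks for (pass a link to my own site, forbid anything else) and is not something the posted .htaccess does.

```python
import re
from urllib.parse import parse_qs

# Constructed model of the mod_rewrite rules discussed in this thread. It is not
# the plugin's own code; it reproduces only the matching logic of the posted
# RewriteCond lines so a candidate rule can be tried against sample requests.
# Apache evaluates RewriteCond lines in order and a RewriteRule fires only when
# every preceding condition holds ([NC] = case-insensitive, [F] = 403).

SITE_HOST = "example.com"  # assumption: the WordPress site's own host name

# Rule as shipped by the plugin (the line the thread says to remove):
#   RewriteCond %{QUERY_STRING} http\: [NC,OR]
PLUGIN_HTTP = re.compile(r"http\:", re.I)

# The narrowed replacement posted later in the thread, pattern for pattern.
LOCAL_UPLOAD = re.compile(
    r"^http\://(www\.)?example\.com/wp-content/uploads/(.*)(jpe?g|png|tiff?)", re.I)
THEME_TIMTHUMB = re.compile(r"^(.*)wp-content/themes/MYTHEME/timthumb\.php")
HTTPS_ANY = re.compile(r"^https\:", re.I)


def plugin_default(query_string):
    """Verdict of the plugin's original filter for a raw query string."""
    return "403" if PLUGIN_HTTP.search(query_string) else "200"


def narrowed_rule(script_filename, query_string):
    """Verdict of the thread's replacement rules.

    Block a local-upload URL unless the request is for the theme's own
    timthumb.php, then block any query string that begins with https:.
    Both patterns are anchored with ^ exactly as posted, so they only match
    when the query string itself starts with the URL."""
    if LOCAL_UPLOAD.search(query_string) and not THEME_TIMTHUMB.search(script_filename):
        return "403"
    if HTTPS_ANY.search(query_string):
        return "403"
    return "200"


def same_host_allowlist(query_string):
    """Assumed rendering of what the first post asks for: an absolute URL in
    any query parameter passes only if its host is this site, otherwise 403.
    This is not something the posted .htaccess does; it is added here to show
    the allowlist approach for comparison. parse_qs decodes percent-encoding,
    so the check sees the value the application will see, unlike a regex over
    the raw %{QUERY_STRING}."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for value in values:
            m = re.match(r"^https?://([^/:?#]+)", value, re.I)
            if m is None:
                continue  # not an absolute URL, nothing to decide
            host = m.group(1).lower()
            if host not in (SITE_HOST, "www." + SITE_HOST):
                return "403"
    return "200"


if __name__ == "__main__":
    # Constructed sample requests, in the shape timthumb themes produce.
    timthumb = "/var/www/html/wp-content/themes/MYTHEME/timthumb.php"
    local = "src=http://example.com/wp-content/uploads/2013/01/pic.jpg&w=100"
    remote = "src=http://other.example/images/pic.jpg&w=100"
    for qs in (local, remote):
        print(qs)
        print("  plugin default:", plugin_default(qs))
        print("  narrowed rule :", narrowed_rule(timthumb, qs))
        print("  same-host list:", same_host_allowlist(qs))
```

Two things the model makes visible. The plugin's original `http\:` condition is unanchored, so a normal `timthumb.php?src=http://...` query is forbidden whatever the host, which is the complaint that opened the thread. The posted replacement conditions are anchored with `^`, so they match only when the query string itself begins with the URL; a `src=http://...` query, local or not, is not matched by either of them, and only the same-host allowlist distinguishes an image on this site from one on another host. The allowlist also works on the decoded parameter value, whereas mod_rewrite's `%{QUERY_STRING}` is the raw string, so the two do not always see the same text.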
