Why does JIG use TimThumb?

Thumbnail creation is necessary for the various needs of the plugin and here you can read a full technological explanation that should cover all your concerns. Please note that you are free to disable it any time, however there would be a performance hit as the large or original images would be used as thumbnails, letting the browser resize them.

No alternative for this kind of use

After looking at plenty of other solutions, it seems that there is no proper alternative besides Jetpack Photon. Thumbnail creation for JIG has to meet these requirements:

  • Works with external images from various sources, such as Facebook, Flickr, RSS feeds (YouTube, Vimeo, 500px, DeviantArt and so on).
  • The retina ready feature needs thumbnails to be created on demand at an optimal size for different pixel densities.
  • Any change in row height settings (or presets) requires a thumbnail with a new size.
  • Works on past galleries, for which the thumbnails haven't been built.
  • Does not upscale.
  • Caching with a way to easily clean up.

Problems with the built-in WordPress thumbnail creation

Articles often bash TimThumb and cite the availability of tools and functions that rely on the built-in image handling of WordPress. Yes, it's suitable for themes where the developer knows what thumbnail sizes they will require across the various layouts. However, there are several problems with it when used for a plugin like JIG:

  • Does not work with external images.
  • Thumbnails would need to be pre-built, but the row height you may desire in the future is not known in the present.
  • Normally, thumbnails are generated on image upload only. Hence the many "thumbnail rebuild" plugins.
  • It clutters your /wp-content/uploads/ folder, wasting space with no easy way to clean up. Without intervention, the different and often unnecessary sizes are also saved at too high a quality, often making the thumbnail larger in file size (or at least disproportionate) than the original, hopefully optimized, uploaded version. Take a look at your /wp-content/uploads/ directory: aren't there 10 copies of every picture, just because your theme carelessly defined various thumbnail sizes? Often this is the case.

Security and discontinuation

One could argue that TimThumb is allegedly insecure and has been discontinued by its developer.

  • It hasn't been actively developed since 2012 anyway, as it had reached maturity. Since then, the few updates that have been released consist only of small fixes. So in that sense, it doesn't make much difference that it's discontinued.
  • It is customized for JIG and the developer keeps a close eye on the script regarding its security. The last exploit found (webshots) wasn't even enabled or used by JIG; since then it has been fixed either way. In general, whenever a security exploit is found in any script, it's disclosed via ethical hacking, where a possible solution is also proposed. It's expected that JIG will include community fixes should any security issue occur.
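As an added example (not part of this FAQ or of JIG's own code), the following script lets a site owner confirm the point above on their own install: it reads a local timthumb.php and reports whether the webshot feature and the "allow all external sites" setting are explicitly switched off. It assumes the stock TimThumb 2.8.x constant names WEBSHOT_ENABLED and ALLOW_ALL_EXTERNAL_SITES; a customized copy may use different names, and a separate timthumb-config.php can override them.

```shell
# Added example: sanity-check the two TimThumb defines most relevant to the
# webshot issue. Assumes stock constant names (WEBSHOT_ENABLED,
# ALLOW_ALL_EXTERNAL_SITES); adjust for a customized copy.

# Print the lowercase literal of define('NAME', value) from a file, or nothing.
# Matches the stock one-line form: if(! defined('NAME')) define ('NAME', false);
timthumb_define() {
    # $1 = path to timthumb.php, $2 = constant name
    sed -n "s/.*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([a-zA-Z]*\).*/\1/p" "$1" \
        | head -n 1 | tr 'A-Z' 'a-z'
}

# Print one line per setting; return 0 only if both are explicitly false.
timthumb_check() {
    file="$1"
    status=0
    for name in WEBSHOT_ENABLED ALLOW_ALL_EXTERNAL_SITES; do
        value=$(timthumb_define "$file" "$name")
        [ -n "$value" ] || value=unset
        if [ "$value" = "false" ]; then
            echo "ok    $name=$value"
        else
            # "true", "unset" or a non-boolean literal all need a human look
            echo "check $name=$value"
            status=1
        fi
    done
    return $status
}
```

Run it as `timthumb_check /path/to/timthumb.php`; a non-zero exit means at least one of the two settings is not explicitly false.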
What about the future, how do you make thumbnail creation sustainable?

As part of planned development, JIG will come up with diversified ways to create or access thumbnails:

  • It would depend less on TimThumb and offer options to use thumbnail sizes that are already available. Sources often create thumbnails at pre-defined sizes that JIG could make use of. These would be a close enough match to your row height settings (which directly influence thumbnail size).
  • The possibility of better caching that would not require any PHP script to run just to access a cached thumbnail.
  • Nicer thumbnail URLs without visible query string parameters.
  • Superfluous blocks of code will eventually be removed from TimThumb, making it smaller, more compact and less prone to security issues.
This FAQ entry was posted in Technical on July 2, 2015