Be Careful With Where You Get Free WordPress Themes From
This is just a reminder: please only download WordPress themes from reputable sources such as WordPress.org.
Someone just came into #wordpress asking for help modifying their theme a few hours ago. I found the URL to the theme’s website via their style.css and downloaded the theme in an attempt to help them figure out which file to edit to do what they wanted.
What I found inside the theme’s footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with gzinflate(), str_rot13(), and base64_decode() around 150 times) and a ton of eval()’s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe) eval()’s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy eval() PHP code to display links to websites.
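As an added example (not the author's decoder), here is a Python version of the same idea: statically peel the `eval(gzinflate(str_rot13(base64_decode(...))))` layers by applying the inverse of each decoder in turn, so the obfuscated code is never executed and what remains can be read as plain PHP. The footer payload, the 25-layer depth and the `_wrap` helper are constructed for the demo; it handles any ordering of the three functions, not just the one chain shown.

```python
import base64
import re
import zlib

# Inverses of the three decoders the obfuscated footer.php chained inside eval().
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")
DECODERS = {
    "gzinflate": lambda b: zlib.decompress(b, -15),   # PHP gzinflate() is raw DEFLATE
    "str_rot13": lambda b: b.translate(_ROT13),       # byte-wise, like PHP's
    "base64_decode": base64.b64decode,
}

# One eval(f1(f2(...('blob')...))) wrapper whose innermost argument is a quoted literal.
LAYER = re.compile(
    rb"eval\(((?:(?:gzinflate|str_rot13|base64_decode)\()+)"
    rb"['\"]([A-Za-z0-9+/=\s]*)['\"]\)+\s*;?")

def peel(source: bytes, max_layers: int = 1000):
    """Statically unwrap nested eval() wrappers; the payload is never executed.

    Returns (plain_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = LAYER.search(source)
        if not m:
            break
        funcs = re.findall(rb"\w+", m.group(1))          # outermost first
        data = re.sub(rb"\s+", b"", m.group(2))
        for name in reversed(funcs):                      # innermost decoder runs first
            data = DECODERS[name.decode()](data)
        # Replace the eval() call with the code it would have run, then look again.
        source = source[:m.start()] + data + source[m.end():]
        layers += 1
    return source, layers

# Constructed sample: wrap a harmless footer the same way the theme did,
# but only 25 layers deep instead of the ~150 the post describes.
def _wrap(payload: bytes) -> bytes:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(payload) + comp.flush()
    blob = base64.b64encode(deflated.translate(_ROT13))
    return b"eval(gzinflate(str_rot13(base64_decode('" + blob + b"'))));"

FOOTER = b"echo '<div id=\"footer\">Powered by WordPress</div>';"
DEPTH = 25
SAMPLE = FOOTER
for _ in range(DEPTH):
    SAMPLE = _wrap(SAMPLE)
SAMPLE = b"<?php " + SAMPLE + b" ?>"

if __name__ == "__main__":
    code, n = peel(SAMPLE)
    print(f"removed {n} layers:\n{code.decode()}")
```

Once the layers are gone, the remaining code is ordinary PHP that can be reviewed by eye for injected links or anything else the theme author did not put there.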
Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), but the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off the Internet and run it on your PC, so why would you do it with a plugin or theme?
So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.
And if you’re wondering, qualitywordpress.com is the site where the user got the theme from. I have only posted the URL to that website in an attempt to prevent people from using its themes. Do not use the themes from that website.
This entry was posted by Viper007Bond on September 11th, 2008 at 9:21 AM, and is filed under WordPress.
September 12th, 2008 - 10:58 AM
Thanks for pointing this out I’m always trying to tell people watch what you put on your web server and computer. Also looking for a new theme and this was just something to help remind me to not make this kind of mistake.
September 12th, 2008 - 2:14 PM
Unfortunately most people seem to learn this lesson the hard way. Very few people would take a candy from a stranger on the street, but they don’t have a problem downloading stuff from anyone on the net if it’s free, even though it could totally mess up their computer, their website or their business.
September 12th, 2008 - 5:57 PM
Thanks for the heads up. I use a wordpress.com theme. I’ve been having a lot of trouble with text widgets on my sidebar lately. They don’t seem to like HTML for buttons or anything. I was thinking of tooling around with a new theme and I will stick to safe sites. Thanks!
September 13th, 2008 - 5:19 AM
No problem guys.
Reading back over my post, I realize I was a bit technical though, but it seems my point still came through.
September 16th, 2008 - 3:21 PM
I have never ever thought of that! Thanks for the tip… I use themes from reputable artists/ coders etc. because I enjoy the support (and I only use free themes).
September 17th, 2008 - 2:01 PM
Free is what always seems to get people.
P2P + FREE software = virus
Torrents + MP3 = spyware/bots
WP + Free Themes = malicious code.
I actually had a site up and not any better used a free theme from a bad source and had to learn the hard way. The code they used dug into my dbase and no matter what I did I couldn’t rid myself. Sucks. Had to blow it all away and start over. Great learning lesson though. It’s cool to use free but get it from the orig author, WP gallery, a trusted source and learn enough about code to know what you want to avoid.
September 21st, 2008 - 10:42 AM
This is why I moved my themes to WordPress.org. It is a quality assurance, and in cases where sites get hacked and the site owners blame me (yes, that has happened a few times), it is easy to know that the malicious code was not coming from me.
I have seen my themes getting copied and re-distributed with lots of added links hidden in code that was not understandable to me – and less understandable for a common user. But in those cases, the theme was downloaded from a scam site and not from WordPress.org which I always recommend people to use…
Anyways, good thing you point this out. I wish more people would do it, because knowledge really makes a difference. Now I’m off to explore your video quicktag plugin, which I’m hoping to use on a new site. Will you support break.com in a future version?
September 21st, 2008 - 5:53 PM
Ooo, Andreas commented on my blog.
Andreas on September 21st, 2008 at 10:42 AM wrote:
Sweet.
Andreas on September 21st, 2008 at 10:42 AM wrote:
Their embed HTML doesn’t have anything in common with the URL in your address bar, so that’s why I haven’t been able to previously support it. However my Javascript skills have improved and I think I should now be able to parse the embed HTML, i.e. you paste in the embed HTML and it grabs just the embed ID and puts it into your post.
So yeah, look for it in a future version.
February 1st, 2009 - 11:39 AM
After reading this I’m off to go check out my code. Thanks for the tips.
January 15th, 2010 - 4:32 AM
OK, I was using the EXACT same Mystique theme you’re using and I kept getting this issue. I’ve now reverted to a standard (default) WP Theme since I can’t trust Mystique.
January 15th, 2010 - 1:14 PM
In Reply To vmdoug:
This post has nothing to do with the theme I am currently using. Mystique is fine.
January 15th, 2010 - 2:00 PM
In Reply To Viper007Bond:
Well, my Mystique theme keeps getting malicious code added to it, only visible when JavaScript is disabled using Firefox. I’m glad you’re finding Mystique OK, but for now I’ve switched until I have my new custom WP theme completed (hopefully next week).
I understand the malicious code may have nothing to do with Mystique, but I’m not taking any chances.