Be Careful With Where You Get Free WordPress Themes From

This is just a reminder: please only download WordPress themes from reputable sources such as WordPress.org.

Someone just came into #wordpress asking for help modifying their theme a few hours ago. I found the URL to the theme’s website via their style.css and downloaded the theme in an attempt to help them figure out which file to edit to do what they wanted.

What I found inside the theme’s footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with gzinflate(), str_rot13(), and base64_decode() around 150 times) and a ton of eval()‘s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe) eval()‘s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy eval() PHP code to display links to websites.

Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off and Internet and run it on your PC, so why would you do it with a plugin or theme?

So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.

And if you’re wondering, qualitywordpress.com is the site where the user got the theme from. I have only posted the URL to that website in an attempt to prevent people from using it’s themes. Do not use the themes from that website.

13 thoughts on “Be Careful With Where You Get Free WordPress Themes From

  1. Thanks for pointing this out I’m always trying to tell people watch what you put on your web server and computer. Also looking for a new theme and this was just something to help remind me to not make this kind of mistake.

  2. Unfortunately most people seem to learn this lesson the hard way. Very few people would take a candy from a stranger on the street but they don’t have a problem downloading stuff from anyone on the net if it’s free, even tho it could totally mess up their computer, their website or their business.

  3. Thanks for the heads up. I use a wordpress.com theme I’ve been having a lot of trouble with text widgets on my sidebar lately. They don’t seem to like HTML for buttons or anything. I was thinking of tooling around with a new theme and I will stick to safe sites. Thanks!

  4. Pingback: Tip: Use Caution When Shopping for a WordPress Theme

  5. I have never ever thought of that! Thanks for the tip… I use themes from reputable artists/ coders etc. because I enjoy the support (and I only use free themes).

  6. Free is what always seems to get people.

    P2P + FREE software = virus
    Torrents + MP3 = spyware/bots
    WP + Free Themes = malicious code.

    I actually had a site up and not any better used a free theme from a bad source and had to learn the hard way. The code they used dug into my dbase and no matter what I did I couldn’t rid myself. Sucks. Had to blow it all away and start over. Great learning lesson though. It’s cool to use free but get it from the orig author, WP gallery, a trusted source and learn enough about code to know what you want to avoid.

  7. This is why I moved my themes to WordPress.org. It is a quality assurance, and in cases where sites get hacked and the site owners blame me (yes, that has happened a few times), it is easy to know that the malicious code was not coming from me.

    I have seen my themes getting copied and re-distributed with lots of added links hidden in code that was not understandable to me – and less understandable for a common user. But in those cases, the theme was downloaded from a scam site and not from WordPress.org which I always recommend people to use…

    Anyways, good thing you point this out. I wish more people would do it, because knowledge really makes a difference. Now I’m off to explore your video quicktag plugin, which I’m hoping go use on a new site. Will you support break.com in a future verion? :)

  8. Ooo, Andreas commented on my blog. :D

    Andreas on September 21st, 2008 at 10:42 AM wrote:

    Now I’m off to explore your video quicktag plugin, which I’m hoping go use on a new site.

    Sweet. :)

    Andreas on September 21st, 2008 at 10:42 AM wrote:

    Will you support break.com in a future verion? :)

    Their embed HTML doesn’t have anything in common with the URL in your address bar, so that’s why I haven’t been able to previously support it. However my Javascript skills have improved and I think I should now be able to parse the embed HTML, i.e. you paste in the embed HTML and it grabs just the embed ID and puts it into your post.

    So yeah, look for it in a future version. :)

  9. OK, I was using the EXACT same Mystique theme you’re using and I kept getting this issue. I’ve now reverted to a standard (default) WP Theme since I can’t trust Mystique.

      • Well my Mystique theme keeps getting malicious code added to it, only visible when java script is disabled using Firefox. I’m glad you’re finding Mystique OK, but for now I’ve switched until I have my new custom WP theme completed (hopefully next week).

        I understand the malicious code may have nothing to do with Mystique, but I’m not taking any chances.

Leave a Reply