Home | Advertise | Contact

RSS Feed | Email RSS

Tip: Use Caution When Shopping for a WordPress Theme

By | Filed Under Security
Tag(s): , , ,

300x250 Tip: Use Caution When Shopping for a WordPress Theme

Whether you are in the market for a new custom WordPress theme, premium WordPress theme, or a free WordPress theme, their is one often forgotten factor that you should be considering when shopping for a new WordPress theme.  That factor is the reputation of the theme author.

Why is author reputation so important?   In addition to things like quality, theme support, etc., you’ve also got to worry about potential problems such as unknown links (these are usually hidden and could get your blog banned from search engines if discovered) and things like malicious code being run via your WordPress theme.

Recently Viper007Bond wrote about a theme that was discovered with hidden links (not the same thing as sponsored links):

What I found inside the theme’s footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with gzinflate(), str_rot13(), and base64_decode() around 150 times) and a ton of eval()’s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe) eval()’s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy eval() PHP code to display links to websites.

Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off and Internet and run it on your PC, so why would you do it with a plugin or theme?

So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.

The author cites QualityWordPress.com as the source of this theme, so I would recommend avoiding this site if you are looking for a new theme.

Conclusion

There is a good chance that no matter which theme you end up going with (free, premium, or custom) you are going to be fine, but author reputation is just one more thing that should factor into your decision.   Find a theme made by an author you can trust.  I’ve seen many situations over the past couple years where people unknowingly get banned from Google or run into other problems because they made a bad choice when picking their theme.

Do you factor an authors reputation (word of mouth) and theme support into your decision before downloading/buying a WordPress theme?   I know I do and I also try to keep that in mind whenever I support a theme by adding it to our WordPress theme galleries.

Want automatic updates? Subscribe to our RSS feed or
Get Email Updates sent directly to your inbox!
  • Print This

    • Kyle Eslick is WordPress enthusiast who took his passion for WordPress to the next level in 2007 by launching WPHacks.com as a place to share hacks, tutorials, etc. Connect with Kyle on Twitter or Google+!

    There Are 10 Responses So Far »

    • Ryan – MarketFrog

      Thanks for this informative post. Author reputation is the key point you mentioned. For new authors, it would mean they have to show their work at places that are trusted like wordpress.org

    • Pingback: Themes Wordpress et code malicieux

    • http://www.catswhocode.com jbj

      It isn’t the first time I hear about embeded malicious code in themes or plugins. Basically, I would say that users who knows PHP should always review the code before installing.

    • http://www.bowillis.com bowillis

      Just a couple of things to pass on.

      If the theme isn’t from a trusted source get it from the orig author. I have found that most themes with malicious intentions were downloaded from another source.

      Of course if you code you are most likely going to catch some funny looking snippets but if you don’t code and easy(but not necessarily absolute)way to inspect your site is to use an analytics tool (as simple as igoogle) and check your external links. If it’s a new site and it’s high or even if it’s just higher than you suspect, dig deeper. I’ve found sites with hidden links by right clicking a live site and viewing the page source. Scan the file and double check the header and footer.

      Sorry to have rambled but I have seen this a FEW times. The safest things is to go to WP, the orig Author, a trusted source and, well, learn to code. Even if just to be familiar with what your looking at.

      Thanks.

    • http://www.themelab.com Leland

      Some sites will take other people’s themes and re-release them on their own site with malicious code added. Some of these sites rank very highly for lots of WordPress-related search queries, so unfortunately these malicious themes are used quite a bit.

      I would have to say the “safest” place to get themes would be the official WordPress Themes Directory. There they have a few automated checks for malicious code, plus a manual approval by a human moderator.

      You can also get clean themes from other trusted sites. Just to name a few off the top of my head: Justin Tadlock, Brian Gardner, ThemeShaper, WPDesigner.

    • http://blogdesignstudio.com/ Blog Design Studio

      Hey Kyle.. Thanks for the mention. You are absolutely right, one has to ensure that themes should be downloaded from trusted source.

      There have been a couple of cases, like you mentioned. Generally it’s not the theme designer, sometimes it’s just that hackers tend to sneak in and they alter the themes. So, one should only download the theme from the actual developers website or from wordpress themes directory.

    • http://www.melissaeaton.com Melissa

      You couldn’t be more correct. Implementing a bad theme happens to people more often than any of us will ever know. That’s why I’m very picky about where I get my themes as well as recommend that others find them.

      Great reminder for everyone to not just automatically download something without doing a little research first.

    • http://www.futurenerd.net Rony John

      I got a theme from woothemes.com i hope they haven’t done anything like that !!

    • John Hoff – eVentureBiz

      Hello Kyle. I just finished a 7 post series on protecting your WordPress blog and one of the things I mention is about trusting these plugins.

      Plugins are great and add great functionalities to your blog, but these programs have access to your blog’s files and database. So you’re giving someone’s program free access to all this. (same with themes, like you said)

      This is a great reminder to everyone that you can’t really trust everything on the web.

    • http://www.pitch.tv/ Adam baker

      Yes, very good one! Just awesome, will get it for my site ;)

    • http://cjeweb.com Jennifer

      I remember the first time I found a mass of php eval encoded junk in the bottom of a template a client of mine had bought from one of the many monthly template clubs.

      Fortunately for him, it was just code like the case in your post, meant to include back-links to the author. I think the practice of embedding encrypted junk like this just to self-promote is one of the worst kinds of sneaky, underhanded things a developer can do, and I personally won’t use templates or plugins produced with “hidden” code.

      I have seen templates downloaded from those mass aggregators of thousands of free templates with encrypted php source that does more than stuff a link on a page. Even if you can’t read source code yourself, always open up your themes and glance through them before you install them. If you see something suspicious, ask an expert, or find another option. There are thousands of great themes out there!