@DaniGirl retweeted a link to an article about the pitfalls of installing free WordPress themes that you find by searching for them on Google. In a nutshell, the author of the article, Siobhan, found that all but one of the first ten links Google returned pointed at themes that were incredibly dodgy. Most of them used obfuscated code in the theme to insert links and ads that the owner of the blog had no control over.
The problem is very similar to the wordpress.net.in spam injection hijack that I encountered three years ago. In that situation, something modified the index.php file in my blog to include a file from a malicious site and also fiddled with the xmlrpc.php file. I never did figure out exactly how the initial compromise took place, but it could have been through a plugin or theme that I downloaded from somewhere other than the official repository of WordPress extensions. These days I only install plugins that I have found in the repository and I keep the number of plugins installed at a minimum to reduce the likelihood of there being a problem.
If you run a WordPress blog, you should give the article a read. This problem isn’t specific to WordPress — any blog platform or other type of website that runs PHP or a similar scripting language is just as exposed to code that a theme or plugin author chooses to hide from you. If you can’t vouch for the site you downloaded something from, you should definitely think twice before installing it. Check for things like chunks of base64 code — if they are there you might want to avoid the code. If you really don’t have any choice but to use the code, check it first by decoding the base64 code using one of the numerous free decoders out there, such as this one.
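As an added example (not part of the original post), here is a small Python script that does the check described above on a theme file: it flags eval/decode chains and decodes any long base64 literals so you can read what they hide before installing. The footer.php fragment it scans is constructed for the demo, not taken from any real theme.

```python
import base64
import binascii
import re
from typing import Optional

# Heuristics a reviewer looks for in third-party PHP: long base64 literals,
# and the eval/decode chains that usually wrap injected links and ads.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
DECODE_CHAIN = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)

def decode_base64_literal(literal: str) -> Optional[str]:
    """Decode a candidate base64 literal; return None if it is not valid base64."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def scan_php_source(source: str) -> dict:
    """Return the decode chains and decoded base64 literals found in PHP source."""
    chains = [m.group(0) for m in DECODE_CHAIN.finditer(source)]
    literals = []
    for m in B64_LITERAL.finditer(source):
        decoded = decode_base64_literal(m.group(1))
        if decoded is not None:
            literals.append({"encoded": m.group(1), "decoded": decoded})
    return {"decode_chains": chains, "literals": literals}

# Constructed sample (not from a real theme): a footer.php fragment that hides
# an injected "sponsored" link behind eval(base64_decode(...)).
PAYLOAD = base64.b64encode(
    b"echo '<a href=\"http://example.invalid/\">sponsored</a>';"
).decode()
SAMPLE_FOOTER = (
    "<?php\n"
    "wp_footer();\n"
    f"eval(base64_decode('{PAYLOAD}'));\n"
    "?>\n"
)

if __name__ == "__main__":
    report = scan_php_source(SAMPLE_FOOTER)
    for chain in report["decode_chains"]:
        print("decode chain:", chain)
    for hit in report["literals"]:
        print("decoded literal:", hit["decoded"])
```

Point `scan_php_source` at the contents of each .php file in a downloaded theme; a theme whose footer or functions file needs eval() on decoded data is one to walk away from.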