gordon.dewis.ca - Random musings from Gordon


The pitfalls of free blog themes

January 12, 2011 @ 14:42 By: gordon Category: Meta, Seen on the 'net, WordPress

@DaniGirl retweeted a link to an article about the pitfalls of installing free WordPress themes that you find by searching for them on Google. In a nutshell, the author of the article, Siobhan, found that all but one of the first ten links Google returned pointed at themes that were incredibly dodgy. Most of them used obfuscated code in the theme to insert links and ads that the owner of the blog had no control over.

The problem is very similar to the wordpress.net.in spam injection hijack that I encountered three years ago. In that situation, something modified the index.php file in my blog to include a file from a malicious site and also fiddled with the xmlrpc.php file. I never did figure out exactly how the initial compromise took place, but it could have been through a plugin or theme that I downloaded from somewhere other than the official repository of WordPress extensions. These days I only install plugins that I have found in the repository and I keep the number of plugins installed at a minimum to reduce the likelihood of there being a problem.

If you run a WordPress blog, you should give the article a read. This problem isn’t going to be specific to WordPress — any blog platform or other type of website that uses PHP or a similar scripting language is almost certainly vulnerable to malicious code. If you can’t vouch for the site you downloaded something from, you should definitely think twice before installing it. Check for things like chunks of base64-encoded code — if they are there you might want to avoid the code. If you really don’t have any choice but to use the code, check it first by decoding the base64 chunks using one of the numerous free decoders out there, such as this one.
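To make that check repeatable before a theme goes anywhere near a live site, here is a small scanner, written for this post as an added example (it is not code from the original article or from WordPress). It walks a theme directory, flags the classic `eval(base64_decode("..."))` idiom, and decodes any long base64-looking string that turns out to be readable text so you can see what it would have injected. The sample theme files it scans are constructed inline for the demonstration; the regular expressions and the 40-character threshold are this example's own choices, not anything the article prescribes.

```python
import base64
import re
import tempfile
from pathlib import Path

# The obfuscation idiom the article's dodgy themes relied on: feeding a base64
# string straight into eval() (sometimes via gzinflate/str_rot13/gzuncompress).
EVAL_DECODE_RE = re.compile(
    r'(eval|assert|preg_replace)\s*\(\s*(?:gzinflate|str_rot13|gzuncompress)?\s*\(?\s*base64_decode\s*\(',
    re.IGNORECASE,
)
# Any long run of base64 alphabet characters; 40 is an assumed threshold that keeps
# ordinary identifiers out while still catching a short injected <a> tag.
B64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def decode_blob(blob):
    """Return the decoded text of a base64 blob, or None if it is not base64 text.

    Hex hashes and random identifiers also match B64_BLOB_RE; they either fail strict
    base64 validation or decode to binary, and both cases come back as None.
    """
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def scan_source(source):
    """Scan one PHP source string; return a list of findings (dicts).

    kind is 'eval-base64' for the executing idiom and 'base64-blob' for a decodable
    string; line is 1-based; decoded is the plaintext for blobs, None otherwise.
    """
    findings = []
    for m in EVAL_DECODE_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "kind": "eval-base64",
                         "snippet": m.group(0), "decoded": None})
    for m in B64_BLOB_RE.finditer(source):
        decoded = decode_blob(m.group(0))
        if decoded is None:
            continue  # a hash, a path fragment or an identifier, not base64 text
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "kind": "base64-blob",
                         "snippet": m.group(0)[:40] + "...", "decoded": decoded})
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under theme_dir; return {relative path: findings}."""
    report = {}
    for php_file in sorted(Path(theme_dir).rglob("*.php")):
        findings = scan_source(php_file.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(php_file.relative_to(theme_dir))] = findings
    return report


# Constructed sample: a hidden link, the kind of thing the article's themes injected.
# example.invalid is a reserved test domain, not a real site.
SAMPLE_PAYLOAD = base64.b64encode(
    b"echo '<div style=\"display:none\"><a href=\"http://example.invalid/\">spam</a></div>';"
).decode("ascii")
SAMPLE_FOOTER = (
    "<?php\n"
    "// footer.php from a constructed, deliberately dodgy theme (sample only)\n"
    "wp_footer();\n"
    f"eval(base64_decode(\"{SAMPLE_PAYLOAD}\"));\n"
    "?>\n"
)
SAMPLE_CLEAN = "<?php get_header(); ?>\n<p>Nothing hidden here.</p>\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "footer.php").write_text(SAMPLE_FOOTER)
        (Path(tmp) / "header.php").write_text(SAMPLE_CLEAN)
        for path, findings in scan_theme(tmp).items():
            for f in findings:
                print(f"{path}:{f['line']} {f['kind']}: {f['snippet']}")
                if f["decoded"]:
                    print("    decodes to:", f["decoded"])
```

Run it against an unpacked theme directory and read every decoded string: a blob that decodes to `echo` or `<a href=` statements is exactly what the article warns about, whereas a blob that decodes to an image or font is harmless but still worth a look. A hit on the `eval-base64` pattern is the stronger signal, because legitimate themes have no reason to execute code they had to hide.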

2 Responses to “The pitfalls of free blog themes”

  1. Paul Tomblin says:

    I made the mistake of using a free theme from an unofficial source once, and discovered the hidden spam in the header. It was invisible, you had to Show Source to see it. And it was impossible to find by grepping the php source code, because they’d used a decode thingy to hide it. I was annoyed.


  2. Tweets that mention gordon.dewis.ca | The pitfalls of free blog themes -- Topsy.com (January 12, 2011 @ 15:04)
