Free Themes, Getting More Than You Bargained For

The WordPress community is one of the most prolific and generous groups in the open source community. There are countless themes and plugins all available for no more than the recognition of improving the form and functionality of a platform they believe in.  So what happens when a few bad apples decide to take advantage of that community?  From time to time, I come across a theme that seems a little too good to be true or that feels just a little off. Fortunately, the open source nature of WordPress makes it much easier to find and identify irregularities… if you know what to look for.

One tactic found in malicious themes is the inclusion of encrypted or obfuscated code. These range from simply “credit links” inserted by third party distributors (rather than the original creators) all the way up to exploits that can open back doors up on a site and expose personal data.

Some basic measures you can take to protect yourself include:

• Acquire free and paid themes from reputable sources.  Although, vulnerabilities can slip through even the most diligent repositories, you can dramatically decrease your chances of exposing yourself by using the official WordPress Theme Repository and other community vetted public collections and respected designers.
• Search through the source code for tell-tale signs: blocks of encrypted code (example:  eval(base64_decode) , calls or references to external sites and unusual files. Popular places for this sort of tactic is the footer.php and functions.php files, but frankly, it could be placed anywhere.
• Executable files claiming to be “installers”.

Additionally, there are some precautions you can take inside your existing WordPress installation to help identify potential threats early.

• Database and Contents Backup: Regular backups are a good idea under any circumstances, but in particular, a backup prior to installing a new theme or plugin can give you a safe restore point in case the worst should happen.  One of our most popular add-ons at ItsWordPress.com is adding backup functionality to existing sites.
• TAC  (Theme Authenticity Checker): Searches the source files of themes for malicious or unusual code, displaying its findings for you to review.
• AntiVirus: Capable of scanning WordPress files for suspicious files. Includes the ability to white list, automatic daily checks and manually initiated checks.
• WordPress File Monitor: This plugin monitors the files of your WordPress installation and when changes, deletions or additions are made issues a warning via email for you to examine.
• Exploit Scanner: Purely a diagnostic plugin, but satisfyingly throrough in its checks for concerns in your files and database. It can err on the side of false positives, particularly if you are employing exotic plugins or custom coding, but since actions are left entirely up to the user, your WordPress install will not be alter unless you specifically take action.

In closing, nothing here is meant to discourage or disparage the hard work of those that develop legitimate WordPress resources. These individuals are in the vast majority. WordPress remains one of the most respected and accessibly balances of security and accessibility in the open source Content Management field, and the presence of counter-measures like those above is testament to the hard work of those wanting to keep it a popular and practical solution.