Malicious code in FREE WordPress Themes


I have been looking for a theme for WordPress for a little while now. Some are very close to what I’m after looks-wise, but they end up having some weird links in the footer going to places like chat rooms or online pharmacy sites.

I actually discovered today that some WordPress themes may contain malicious code, specifically base64-encoded PHP, which may compromise your WordPress site. Do a Google search on “wordpress malicious footer code” and see what comes up.

You may find warnings like this:

WARNING:

Anyone using the black buttons theme should DELETE footer.php

It contains base64-encoded php code that downloads trojans on to your server to open a back door.

Before you install any new themes, grab yourself the plugin TAC (Theme Authenticity Checker). Search for it via WordPress as TAC, or grab it off their web site at http://builtbackwards.com/projects/tac/. Once installed, click the TAC link under Appearance when logged in to the admin page of your site.

As you can see in the above screenshot, TAC picked up a theme with encrypted base64 code. Clicking the Details button shows you what it found.

Personally, any theme containing anything remotely like the line below is suspect…

Line 1: “base64_decode(‘JF9fQz1iYXNlNjRfZGVjb2RlKCRfX0…”

I’m all for theme designers wanting links to their page showing they designed the theme, but when they code it up with base64 lines, what else are they trying to include?

Going by the number of free themes I have installed that TAC flagged with base64 code, it looks like a common practice.
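To show what a checker like TAC is looking for, here is an added example (my own illustration, not TAC’s code or code from any real theme): it scans a constructed footer.php for eval/base64_decode calls and decodes the hidden literal so you can see what the footer would actually run. The sample footer and its harmless “sponsored link” payload are constructed for this example.

```python
import base64
import re

# Constructed sample footer.php: the theme credit line is hidden behind
# eval(base64_decode(...)). The encoded payload is a harmless echo written
# for this example, not code taken from any real theme.
HIDDEN_PHP = "echo '<a href=\"http://example.invalid\">Sponsored link</a>';"
SAMPLE_FOOTER_PHP = (
    "<div id=\"footer\">\n"
    "<?php eval(base64_decode('"
    + base64.b64encode(HIDDEN_PHP.encode()).decode()
    + "')); ?>\n"
    "</div>\n"
)

# Calls a TAC-style checker flags: a footer template has no business
# decoding or evaluating obfuscated strings.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I
)
# A base64 literal passed straight into base64_decode(...)
B64_LITERAL = re.compile(
    r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I
)


def decode_literal(b64: str):
    """Decode a base64 literal to text; None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def scan_theme_file(source: str):
    """Return one finding per suspicious line: line number, the obfuscation
    calls seen on it, and the decoded contents of any base64 literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(line)})
        if not calls:
            continue
        decoded = [decode_literal(m.group(1)) for m in B64_LITERAL.finditer(line)]
        findings.append({"line": lineno, "calls": calls, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_theme_file(SAMPLE_FOOTER_PHP):
        print(f"line {f['line']}: {', '.join(f['calls'])}")
        for payload in f["decoded"]:
            print("  hidden PHP:", payload)
```

Run it against a real theme by reading footer.php into scan_theme_file; a clean footer such as `<?php wp_footer(); ?>` produces no findings.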

TAC also lets you go straight to the offending section in a theme to edit it. I found a site that explained how to view and then edit the code at http://www.templatelite.com/how-to-remove-footer-encryption/. It worked for me, and the theme then showed green in TAC.

*Update* The above page no longer exists. The steps for removal can be found here: http://www.wpconfig.com/2008/11/06/how-to-remove-footer-encryption/, or for a more graphical explanation see http://www.patwreck.com/removing-footer-encryption-from-wordpress-themes/, or do a Google search.

Remember: always check free themes with TAC, or grab a theme from a reputable site like http://www.wordpress.org/

Cheers

Aaron