
Where You Download a Theme Matters


Over the weekend, I caught a glimpse of what was supposedly a new design for the WordPress Themes Repository. As Steven Hodson explained, the screen shots were taken from his browser when he visited the theme repository. They showcase a carousel view for browsing through themes, icons for navigating and downloading themes, a single-page view that displays detailed information about the theme, etc. No matter how hard I and many others tried, we couldn’t get the theme repository to display the way it did for Steve.

Lloyd Budd stopped by my blog post and left this comment:

Hi Jeff, those screen shots are fake. I’m 100% certain. I just checked and there isn’t any code, nor has there been, to produce that type of experience.

I’ve been subscribed to Steve’s blog for quite some time, and he is not one to post fake images or fake content. I believe one of two things happened. The first is that this is quite possibly a fluke; I don’t know how I would explain it, except that it’s wrong. The second is that this could be a theme repository set up on another website to mimic the current repository, albeit with a different way of browsing themes. After browsing the web for quite some time looking for themes, I have come across numerous sites with a theme showcase that is nothing more than a different setup of the theme repository.

Then a fellow WordPress blogger, Mike, sent me an article written by 5thirtyone which reminds users to be careful where they download their WordPress themes from. I must have missed the boat back when this event took place, but there was an incident where themes hosted on the official theme repository were also being hosted on third-party theme galleries such as WP Sphere. The themes were the same, except that the copies hosted on the third-party gallery websites were riddled with malicious code/malware.

I think now would be a good time to remind current users of WordPress, and especially new ones, to only download themes from the author’s website or from the official WordPress Themes Repository. Please note that not every site hosting a WordPress theme is bad. However, downloading a theme from anywhere other than the author’s website or the repository is a risk that may not be worth taking.

40 Responses

Comments

  1. Mark Ghosh (386 comments.) says:

    I know I have seen that particular WordPress theme viewer before, but I cannot place it.

  2. Lance says:

    Isn’t that the old version of the theme viewer?

  3. Neil (9 comments.) says:

    That’s good to hear, I frequently download themes from other sites and now I know to keep my eyes open. Cheers for the tip as always! ;)

  4. George (7 comments.) says:

    I’m sure I’ve seen that before, but I don’t think it’s at wordpress.. it looks like a rebranded version of some sort, I’m not sure :|

  5. Andrea (40 comments.) says:

    I thought it was the old version as well.

    Also, haven’t theme authors been unable to upload new themes for months? I know there are a few bad theme repositories out there, but there seem to be some legit ones springing up purely out of need – not greed.

  6. Shelby says:

    That is indeed an old version of the theme viewer. I remember it quite well, back when I did a very small number (I think 2) of simple WP themes and new theme authors were still accepted there, and able to upload. It’s been a long while, but … that’s exactly what it USED to look like.

  7. Jason (75 comments.) says:

    It’s for reasons like this I examine the code in themes that I download. Unfortunately, most people can’t do this.

    Most of the theme providers that I’ve visited recently have been pretty good, offering the very same file as the original author, and most have a link back to the original site. Andrea is right when she says that many of these sites are created out of need, rather than greed or other shady purposes.

  8. Shelby says:

    Additionally: try the “WayBackMachine” at archive.org and you can SEE that there was such code on the theme repository to produce that kind of experience. You can’t get the stylesheet to load, but you can see the dropdown selectors, etc… here: http://web.archive.org/web/200.....press.net/

    Fake screenshots indeed. :\

  9. Mark Ghosh (386 comments.) says:

    Shelby: Lloyd might not have been aware of that version of the Theme Viewer (as I was not, there were too many at one point).

  10. Len says:

    Guys, I have no idea what the heck is going on but Steve is not imagining things or making things up. I too have seen that exact theme viewer a couple of times recently when clicking a link from the WordPress main site. The first time I saw it was a couple of weeks ago and just assumed it was some kind of prototype. There was even a contact email addy for Shadow if anyone was interested in helping tag the themes.

  11. Len says:

    And yes everyone please be careful where you download themes from. I’m always stressing this on the WP Support Forums.

  12. Teli (24 comments.) says:

    Well, considering that the official theme repository hasn’t been updated in well over 7 months and could be hosting outdated/potentially dangerous themes, I’d bypass it altogether and recommend people actually download the theme from the theme author’s website. Or, at very least, check the theme author’s site to see if any updates have been made to a theme before downloading it from the WP themes site.

  13. Teli (24 comments.) says:

    Forgot to mention that the views actually remind me of Alex King’s theme viewer from way back when he had the template contest.

  14. Len says:

    I didn’t take screenshots or save the source code because at that point in time I had no reason to. I never dreamed anything was amok. As I said, I just assumed it was a prototype being tested.

    From what I recall, there were several viewing options: thumbnails, a slideshow or scroller or something like that and possibly another. There was also a short paragraph which read (I’m paraphrasing) “We need a group of 5 or 6 people to help tag themes. If interested contact shadow 12 gmail)”. I’m not totally sure of the exact email addy but it was definitely a gmail address and the word “shadow” was in it.

    Another point, I have both the Codex and Forum stored as bookmarks in Firefox as I help out in the Forum a lot but I DO NOT have the Theme Viewer saved. I ALWAYS access the Theme Viewer via a link from the main WordPress site.

    What does this mean? I’m completely clueless but I know what I saw.

  15. Steven Hodson (4 comments.) says:

    Besides the fact that I have been called a liar and a faker all for the sake of a few stupid a#$ page views one of the points raised was lack of proof. Well I have just posted both the CSS file and the page source file for download

    http://www.winextra.com/2008/0.....ood-thing/

    now I realize that the chances of it happening are next to frikken nil but a few apologies from some folks (you know who you are) would be appreciated.

  16. Meredith says:

    Earlier today I was browsing themes on the WordPress repository and the server went down. I tried again later and I saw exactly what you guys are reporting — it had been changed to show the slideshow, thumbnails, etc. I figured they had taken the site down briefly in order to reconstruct it. I stopped in the middle of browsing and then returned later, and the server is now down again.

  17. Len says:

    Good stuff Steve. As I just stated on your blog I can’t help but feel vindicated as well. Please note the top of the screen shot where you will see the choice to select various view options – just as I mentioned in comment #15. How would I even know that?

  18. jez (56 comments.) says:

    I wonder what takes them so long (more than seven months now!) to finish the coding for the themeviewer. I have some 20ish themes and updates stashed here that I cannot upload. I posted various times about the themeviewer and that I am sure that if asked the community would gladly help out to speed things up, however no one (matt?) seems to care.

  19. Andreas (19 comments.) says:

    The theme viewer looked like that years ago (I have similar screenshots myself but mine are like 3 years old), so it is very likely the previous version that appeared for some reason. I do hope that the site is refreshed soon, as I want to have my themes there to make sure users know that they are safe and free from hidden links and other ugly code. Right now, my themes there are terribly outdated…

  20. jez (56 comments.) says:

    Same with me, Andreas. I posted this some while ago: http://www.h4x3d.com/wordpress.....-can-help/

  21. Malan (1 comments.) says:

    I just wish the official Theme Viewer ran better…

  22. adam (39 comments.) says:

    +1 @ Teli
    considering that there was a MAJOR SECURITY HOLE in most Kubrick-based themes since the last time the theme viewer was accessible, it’s best to consider that place dead. only download from the theme author’s site, or an official mirror listed there.

  23. jez (56 comments.) says:

    no offense (not intended), but it’s not too much asked for to harden your server or get at least decent hosting so that crap like that does not own you too bad, is it?

  24. Moses Francis (11 comments.) says:

    I agree with Mark Ghosh, I too have seen that site before but again.. can’t remember the URL.

    I also think that it’s important to download a theme from a reputable source. The official WordPress theme viewer is a good place to start, but it’s not been updated in ages, which means the next best stop is the author’s site itself.

  25. Lloyd Budd (22 comments.) says:

    Just wanted to publicly apologize to Steve for what I wrote. I was in a bit of a mood for unrelated reasons, and got carried away.

    Others have pointed out that it is a very old version of the theme viewer, from before Automattic actively managed it; that is why it isn’t in our code repository.

    Anyway, that is no excuse for what I wrote. Steve, you have my sincerest apology (though I wonder why there would be any other type.)

  26. Beth (4 comments.) says:

    I have seen way too many blogs using sponsored themes, which have who knows what in the code. I try to download from the author’s site; if I find a repository, I download and go through the code. I’m so surprised at what I have found. I’ve always been one to change the code to fit the needs of my blog, and I’ve started to recycle old themes and put 2 or 3 together to get what I want. I’m not a coder and I can’t afford a premium theme, so this is the only thing I can do.

  27. adam (39 comments.) says:

    @ jez –
    for most people, that’s a question you should be asking their hosting provider. theme development targets hundreds of different server configurations – so no, it’s the responsibility of the theme designer to harden their theme.

  28. Viviane (1 comments.) says:

    Like Len, I have seen this theme viewer before too, at http://themes.wordpress.net/. Not recently but a few months ago, and it happened more than once. Not sure what it was all about but it was real and it was definitely “the” theme viewer, so I don’t think these screen shots are fake either. I also remember getting this version and then later another version (the same day, just on a later visit); it was a bit strange but not strange enough for me to make screenshots.

  29. Justin (1 comments.) says:

    Good post! What also scares me is when I download a theme and there is encrypted PHP in it. I definitely won’t use that theme if I feel the author or someone is trying to hide something from me.

  30. Rap (1 comments.) says:

    It’s for reasons like this I examine the code in themes that I download. Unfortunately, most people can’t do this.

    Most of the theme providers that I’ve visited recently have been pretty good, offering the very same file as the original author, and most have a link back to the original site. Andrea is right when she says that many of these sites are created out of need, rather than greed or other shady purposes.

  31. Jeffro2pt0 (164 comments.) says:

    Can any of you help me out by telling me what it is we should all be looking for within a theme? How do we know if something is malicious or not? Should encrypted PHP code or files be involved in any theme?

  32. Jason (75 comments.) says:

    @Jeffro2pt0 – Encrypted PHP files in a theme used on an open-source package seems like a conflict of interest. Encrypted PHP is expected in closed source applications, as it’s typically used to protect intellectual property or sensitive functions (like you would see in medical or government applications). Unless a theme is bought and paid for with a very clear understanding that it’s a closed-source theme with no options for modification, there should never be any encrypted PHP in place.

    Of course, this is just my opinion, but it seems to be shared by several others.

    As for “what we should look for”, there are quite a few things that we need to be careful of, such as the use of integrated plugins. While integrated plugins can give us several great features in a theme and really bring a site to life, it can also present an opportunity to gain access to your site through malicious means.

    An example of this would be the necessity for a plugin to have file permissions of 777 in order to operate. 777 means that the file can be accessed, read and modified by anyone, which could give someone the opportunity to re-write a .php file to copy/delete/damage your database, change user passwords, upload damaging posts or worse. It’s best if directories are given permissions of 755 and files 644.

    This is just one example. If you would like, I can go into further detail about how someone can hijack a site through themes and plugins. My only concern with doing such a thing, though, would be sharing that knowledge with people who have nothing better to do than hijack a site through themes and plugins :???:

  33. Mel (1 comments.) says:

    Thanks for the tip!

  34. David Pankhurst (3 comments.) says:

    In the case of the theme mentioned on 5thirtyone, the theme had encoded PHP in it (using eval(…)) – the code would either load and run code from one of three other sites, or at least display it – either of which is a huge security issue.

    As a general rule, if you look at the theme in a text editor and you see a lot of odd PHP, ask someone knowledgeable before using it – or don’t use it at all. And make sure to check ALL the theme files, in case one of the other files has all the code in it…
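The two checks raised in the comments above, world-writable permissions (Jason’s 777 point) and eval of a decoded string in any theme file (David’s point), as an added Python audit script. It is not code from the original post or from WordPress; the theme it scans is constructed inline and its eval payload is an inert echo.

```python
import os
import re
import stat
import tempfile

# Heuristics for obfuscated or remote-loading PHP; a hit is a reason to ask
# someone knowledgeable before using the theme, not proof of malice.
SUSPICIOUS = [
    ("eval of decoded string",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\b", re.I)),
    ("remote include",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
]

def audit_theme(theme_dir):
    """Walk a theme directory and return sorted (relative_path, finding) tuples."""
    findings = []
    for root, dirs, files in os.walk(theme_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            # 777 lets any local user rewrite the file; expect 755 dirs / 644 files.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (mode %o)" % mode))
            if name.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                # Every PHP file is scanned, not just index.php, per David's advice.
                for label, pattern in SUSPICIOUS:
                    if pattern.search(src):
                        findings.append((rel, label))
    return sorted(findings)

def build_sample_theme():
    """Constructed theme: clean index.php, a 777 images dir, a footer that evals
    a base64 string (the string decodes to echo 'hi'; and is never executed)."""
    base = tempfile.mkdtemp(prefix="theme-")
    for name, body in [("index.php", "<?php get_header(); ?>\n<p>clean</p>\n"),
                       ("footer.php", "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")]:
        with open(os.path.join(base, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(base, name), 0o644)
    os.mkdir(os.path.join(base, "images"))
    os.chmod(os.path.join(base, "images"), 0o777)
    return base

if __name__ == "__main__":
    for rel, finding in audit_theme(build_sample_theme()):
        print(f"{rel}: {finding}")
```

Point audit_theme at a real unpacked theme directory to get the same report; base64_decode on its own is not flagged, since legitimate themes use it without eval.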



Trackbacks/Pingbacks

  1. [...] really appreciate Jeff for sticking up for me in this when he wrote a post relating to this today on Weblog Tools Collection: I’ve been subscribed to Steve’s blog for quite some time and he is not one to post [...]


  3. [...] Read the Weblog Article Here Tags: blog themes, code risks, dangerous blog themes, risky blog themes, unwanted code, unwanted referrals [...]

  4. [...] spurred an entry at Weblog Tools Collection entitled Where You Download a Theme Matters. In that flurry, one major fact was overlooked while doling advice to readers only to download [...]

  5. [...] Where You Download a Theme Matters [...]
