Comments on: Where You Download a Theme Matters

By: David Pankhurst

David Pankhurst — Thu, 27 Mar 2008 04:03:22 +0000

In the case of the theme mentioned on 4thrityone, the theme had encoded PHP on it (using eval(…)) - the code would either load and run code from one of three other sites, or at least display it - either of which is a huge security issue.

As a general rule, if you look at the theme in a text editor, and you see a lot of odd PHP, ask someone knowledgeable before using it - or don’t use it at all. And make sure to check ALL the theme files, in case on e of the other files has all the code in it…

By: Mel

Mel — Tue, 25 Mar 2008 13:20:40 +0000

Thanks for the tip!

By: Jason

Jason — Mon, 24 Mar 2008 02:38:03 +0000

@Jeffro2pt0 - Encrypted PHP files in a theme used on an open-source package seems like a conflict of interest. Encrypted PHP is expected in closed source applications, as it’s typically used to protect intellectual property or sensitive functions (like you would see in medical or government applications). Unless a theme is bought and paid for with a very clear understanding that it’s a closed-source theme with no options for modification, there should never be any encrypted PHP in place.

Of course, this is just my opinion, but it seems to be shared by several others.

As for “what we should look for”, there are quite a few things that we need to be careful of, such as the use of integrated plugins. While integrated plugins can give us several great features in a theme and really bring a site to life, it can also present an opportunity to gain access to your site through malicious means.

An example of this would be the necessity for a plugin to have file permissions of 777 in order to operate. 777 means that the file can be accessed, read and modified by anyone, which could give someone the opportunity to re-write a .php file to copy/delete/damage your database, change user passwords, upload damaging posts or worse. It’s best if directories are given permissions of 755 and files 644.

This is just one example. If you would like, I can go into further detail about how someone can hijack a site through themes and plugins. My only concern with doing such a thing, though, would be sharing that knowledge with people who have nothing better to do than hijack a site through themes and plugins

By: Jeffro2pt0

Jeffro2pt0 — Sun, 23 Mar 2008 23:47:09 +0000

Can any of you help me out by telling me what it is we should all be looking for within a theme? How do we know if something is malicious or not? Should encrypted PHP code or files be involved in any theme?

By: Rap

Rap — Sun, 23 Mar 2008 22:49:59 +0000

It’s for reasons like this I examine the code in themes that I download. Unfortunately, most people can’t do this.

Most of the theme providers that I’ve visited recently have been pretty good, offering the very same file as the original author, and most have a link back to the original site. Andrea is right when she says that many of these sites are created out of need, rather than greed or other shady purposes.

By: Justin

Justin — Sat, 22 Mar 2008 14:38:38 +0000

Good post! What also shares me is when I download a theme and there is encrypted PHP in it. I definitely won’t use that theme if I feel the author or someone is trying to hide something from me.

By: Show Notes for the Wordpress Weekly Segment | Podcaster Training

Show Notes for the Wordpress Weekly Segment | Podcaster Training — Sat, 22 Mar 2008 02:19:09 +0000

[...] http://weblogtoolscollection.c.....me-matters [...]

By: Viviane

Viviane — Sat, 22 Mar 2008 00:21:39 +0000

Like, Len, I have seen this theme viewer before too, at http://themes.wordpress.net/. Not recently but a few months ago, and it happened more than once. Not sure what it was all about but it was real and it was definitely “the” theme viewer, so I don’t think these screen shots are fake either. I also remember getting this version and then later another version (the same day, just on a later visit), it was a bit strange but not strange enough for me to make screenshots.

By: adam

adam — Fri, 21 Mar 2008 18:34:39 +0000

@ jez -
for most people, that’s a question you should be asking their hosting provider. theme development targets hundreds of different server configurations - so no, it’s the responsibility of the theme designer to harden their theme.

By: Beth

Beth — Fri, 21 Mar 2008 13:18:45 +0000

I have seen way too many blogs using sponsored themes, which has who knows what in the code. I try to download from the author’s site, if I find a repository, I download and go through the code-I’m so surprised at what I have found. I’ve always been one to change the code to fit the needs of my blog, and I’ve started to recycle old themes and putting 2, or 3 together to get what I want. I’m not a coder and I can’t afford a premium theme, so this is the only thing I can do.

By: Lloyd Budd

Lloyd Budd — Fri, 21 Mar 2008 01:33:37 +0000

Just wante to publicly apologize to Steve for what I wrote. I was in a bit of a mood for unrelated reasons, and got carried away.

Others have pointed out that is an a very old version of the theme viewer, from before Automattic actively managed it, that is why it isn’t in our code repository.

Anyway, that is no excuse for what I wrote. Steve, you have my sincerest apology (though I wonder why there would be any other type.)

By: Moses Francis

Moses Francis — Thu, 20 Mar 2008 22:15:38 +0000

I agree with Mark Ghosh, i too have seen that site before but again..can’t remember the URL.

I also think that’s it’s important to download a theme from a reputable source, the official WordPress theme viewer is a good place to start but it’s not been updated in ages which means the next best stop is the author’s site itself.

By: WordPress Theme Viewer - 7 Months and Counting - WordPress SEO and Blog Marketing

Thu, 20 Mar 2008 16:45:49 +0000

[...] spurred an entry at Weblog Tools Collection entitled Where You Download a Theme Matters. In that flurry, one major fact was overlooked while doling advice to readers only to download [...]

By: jez

jez — Thu, 20 Mar 2008 16:45:33 +0000

no offense (not intended), but it’s not too much asked for to harden your server or get at least decent hosting so that crap like that does not own you too bad, is it?

By: adam

adam — Thu, 20 Mar 2008 16:20:36 +0000

+1 @ Teli
considering that there was a MAJOR SECURITY HOLE in most Kubrick-based themes since the last time the theme viewer was accessible, it’s best to consider that place dead. only download from the theme author’s site, or an official mirror listed there.

By: Malan

Malan — Thu, 20 Mar 2008 14:40:55 +0000

I just wish the official Theme Viewer ran better…

By: jez

jez — Thu, 20 Mar 2008 12:29:32 +0000

same with me andreas. I posted this some while ago: http://www.h4×3d.com/word.....-can-help/

By: Andreas

Andreas — Thu, 20 Mar 2008 10:13:26 +0000

The theme viewer looked like that years ago (I have similar screenshots myself but mine are like 3 years old), so it is very likely the previous version that appeared for some reason. I do hope that the site is refreshed soon, as I want to have my themes there to make sure users know that they are safe and free from hidden links and other ugly code. Right now, my themes there are terribly outdated…

By: jez

jez — Thu, 20 Mar 2008 06:59:49 +0000

I wonder what takes them so long (more than seven months now!) to finish the coding for the themeviewer. I have some 20ish themes and updates stashed here that I cannot upload. I posted various times about the themeviewer and that I am sure that if asked the community would gladly help out to speed things up, however no one (matt?) seems to care.

By: Is Your Blog Theme Kosher? | nobullwebmastering.com

Is Your Blog Theme Kosher? | nobullwebmastering.com — Thu, 20 Mar 2008 06:47:49 +0000

[...] Read the Weblog Article Here Tags: blog themes, code risks, dangerous blog themes, risky blog themes, unwanted code, unwanted referrals [...]