Outside of the WordPress.org theme repository and the GPL commercial theme vendors, there are few places where you can download a variety of themes that do not contain some sort of sponsorship or encrypted code. One site still cranking out great, quality free themes is Themelab, run by Leland. However, for most of the theme release posts published on WeblogToolsCollection.com, the theme has to be downloaded from the author's website. We do not install and test every theme mentioned in those release posts. So if you are worried about downloading a theme that contains malicious or obfuscated code, a fairly new tool called Theme Authenticity Checker (TAC) may help you out.
The Theme Authenticity Checker is a plugin that scans every file of every installed theme, looking for static links, obfuscated code and the like. Not all obfuscated code is malicious, but there is rarely a legitimate reason for it in a WordPress theme. The obfuscated code in question is usually a Base64-encoded string that the theme decodes and runs at request time; Base64 is an encoding, not encryption, and its purpose here is to hide spam links and injected content from anyone glancing at the source. Giving the plugin a spin on my local server, where I have about six different themes installed, all of them came back as OK. The WordPress default theme, a.k.a. Kubrick, does contain five static links, and TAC tells me which file the links are in along with the line number.
I ended up finding a site that provides free WordPress themes that contain encrypted code. Here is what TAC tells me.
While I don’t know what the encrypted code is doing, I know where to find and remove it if I feel the need. We can also see that there are two static links in the sidebar.php of the theme that I could remove as well.
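To make concrete what a scanner like TAC is doing, here is a small Python script added for this post (it is not TAC's own code) that walks each theme directory, flags eval-of-decode chains and long Base64 literals, and reports hard-coded outbound links with file and line number. It goes one step beyond the report shown above: when it finds a long Base64 literal it decodes it, so you can see what the "encrypted" code actually is instead of guessing. The two theme trees, the payload and the regular expressions are constructed for the example and are not anything from the article or the plugin.

```python
"""Minimal theme scanner in the spirit of TAC (illustration, not TAC's code).

Walks every theme under a themes directory, flags obfuscated PHP
(eval/base64 chains, long base64 literals) and reports hard-coded outbound
links, each with the theme, file and line number.  The sample themes it scans
are constructed below; their names, the payload and the patterns are
assumptions made for this example.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass

SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".css"}

# First matching entry wins per line, so an eval-of-decode chain is not also
# reported as a plain decode call.  A lone base64_decode() is still worth a
# look: it may be the common trick of hiding an email address from scrapers,
# or it may be the decoder for a payload stored in another file.
OBFUSCATION_PATTERNS = [
    ("eval of decoded string",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("decode call",
     re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
]
# A quoted run of base64 alphabet long enough to carry code rather than a token.
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{120,}={0,2})['\"]")
# An <a href> whose target is a hard-coded absolute URL.  Links emitted through
# PHP (bloginfo('url'), home_url()) contain no http(s):// literal and are skipped.
STATIC_LINK = re.compile(r"""<a\s[^>]*href\s*=\s*['"](https?://[^'"\s]+)['"]""", re.I)


@dataclass
class Finding:
    theme: str
    file: str      # path relative to the theme directory
    line: int
    kind: str
    detail: str


def decode_literal(literal):
    """Return the decoded text of a base64 literal if it decodes to text, else None."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", "replace")
    printable = sum(c.isprintable() or c.isspace() for c in text)
    return text if printable >= 0.9 * max(len(text), 1) else None


def scan_file(theme, theme_dir, path):
    rel = os.path.relpath(path, theme_dir)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pattern in OBFUSCATION_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding(theme, rel, lineno, kind, line.strip()[:80]))
                    break
            for m in LONG_LITERAL.finditer(line):
                decoded = decode_literal(m.group(1))
                detail = decoded[:80] if decoded else "undecodable literal"
                findings.append(Finding(theme, rel, lineno, "long base64 literal", detail))
            for m in STATIC_LINK.finditer(line):
                findings.append(Finding(theme, rel, lineno, "static link", m.group(1)))
    return findings


def scan_themes(themes_dir):
    """Scan each immediate subdirectory of themes_dir as one theme."""
    findings = []
    for theme in sorted(os.listdir(themes_dir)):
        theme_dir = os.path.join(themes_dir, theme)
        if not os.path.isdir(theme_dir):
            continue
        for dirpath, _, filenames in os.walk(theme_dir):
            for name in sorted(filenames):
                if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                    findings.extend(scan_file(theme, theme_dir, os.path.join(dirpath, name)))
    return findings


# Constructed sample data: a harmless PHP snippet that injects a spam link,
# stored the way trojaned themes usually store it.
PAYLOAD = (b"if (!function_exists('wp_footer_links')) { function wp_footer_links() { "
           b"echo '<a href=\"http://example.invalid/pills\">cheap pills</a>'; } }")
PAYLOAD_B64 = base64.b64encode(PAYLOAD).decode("ascii")

SAMPLE_THEMES = {
    "plain": {   # one ordinary credit link, one link built by PHP
        "footer.php": '<p>Powered by <a href="http://wordpress.org/">WordPress</a></p>\n',
        "sidebar.php": '<a href="<?php bloginfo(\'url\'); ?>">Home</a>\n',
    },
    "sketchy": {  # eval(base64_decode(...)) plus two hard-coded spam links
        "functions.php": '<?php\neval(base64_decode("' + PAYLOAD_B64 + '"));\n',
        "sidebar.php": ('<li><a href="http://example.invalid/loans">cheap loans</a></li>\n'
                        '<li><a href="http://example.invalid/pills">pills</a></li>\n'),
    },
}


def build_sample_themes(root):
    for theme, files in SAMPLE_THEMES.items():
        os.makedirs(os.path.join(root, theme), exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(root, theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)


def demo():
    """Build the constructed themes in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_themes(root)
        return scan_themes(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.theme}/{f.file}:{f.line}  {f.kind}: {f.detail}")
```

Run against the constructed trees it reports one static link in the plain theme's footer (the Kubrick-style credit link), the eval chain and its decoded payload on line 2 of the sketchy theme's functions.php, and the two hard-coded links in its sidebar.php. The decoded preview is what tells you whether a literal is a hidden email address, as one commenter below suspects in his case, or a spam injector; a pattern match alone cannot.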
TAC is free to use and is currently at version 1.4, which is compatible with WordPress 2.8. If new vulnerabilities or new ways of smuggling bad stuff into themes are discovered, the developers will update the plugin accordingly. I'm not sure how often this plugin updates, but at the very least it is a quick way to discover static links that have been coded into a theme.
If you install TAC on your own blog, let me know if you discover any themes you have installed that report either encrypted code or bad stuff in the comments!
Thanks for the heads-up on this. We use Anti-virus and have had good results. We were amazed how many themes had questionable code inserted in them on the WP themes extend. (Sorry, we didn't take names.) We'll just stick with Justin Tadlock's Hybrid Theme.
This is the exact plugin I needed.
I run a number of blogs but I first like to install all the potential themes on one practice blog.
TAC searches for links in all the themes installed on that blog in one go. Saved me heaps of time.
I have run into so many themes out there with funky coding in them that it is scary. Especially the footer ones can be pretty bad, with links to porn sites and other sites people just wouldn't usually link to on their own. It's nice to know now that there is a checker for that and other hidden things that even my ninja-like powers can't find sometimes.
It is great to know there are tools for theme checking, because there are many creepy themes out there.
If the WordPress.org theme repository editors would allow more developers’ themes to be accepted instead of shutting the doors on them for suspicion of evil sponsorship, there might not be such a market for themes outside these trusted sources.
I was shocked to find one theme on a small WPMU install with funky encrypted code in its functions.php: Newsby (I already had stripped some ad links from its footer but this one escaped me) 🙁
TAC is one of the BEST new wordpress tools. Thanks for letting me know about it!
Sorry, that should be “Newsbie” theme. It is not in the official WordPress theme directory.
Wow, great tool. It is necessary to check a theme before putting it on the server and activating it. It can also pose a security threat. And it is true that many people who start blogging are not familiar with web languages, so they cannot go on tracking what is in the code of each template file of the theme; they just see the features and use that theme. It can be dangerous due to malicious scripts, so it's nice that you revealed such a good tool. Thanks for sharing.
I do my best to test as many of the themes posted in the WLTC forums as I can but alas due to time constraints I can’t get them all. As well, I don’t do this in any official capacity for WLTC. Consequently, I see this plugin as a welcome tool in the fight against these trashy (and potentially dangerous) themes.
Len, you do a great job at catching encrypted/spam themes submitted here. You’ve definitely caught a few that I missed.
Len, any interest in doing so officially? Send me an email.
@gestroud – Thank you.
@Mark – Email sent.
Does it work on WooThemes WordPress themes?
Hi…
Looks like a “WordPress Emergency Response Team” would be a good thing to have (not just because “WERT” is the German word for “value” :-).
Through combining PHP-IDS (http://phpids.org/) with WordPress and watching log files, I see quite a few strange things happening, even on near-zero-volume blogs. For example, there appear to be waves of systematic scanning for certain plug-ins, presumably to exploit vulnerabilities.
But once I have the insight, where can I go? I’ll certainly not post it to the world, like here in a comment 🙂
Obviously, such a team would have to deal not just with core vulnerabilities but would also have to reach out to the plug-in and theme communities.
Any feedback would be appreciated!
Josef
Here’s a recent article covering that issue:
The Correct Way To Report A Security Issue With WordPress
http://weblogtoolscollection.c.....wordpress/
Essentially, the article suggests that security problems be reported to security[at]WordPress.org
I am one of the two developers of TAC. I would like to thank everyone for the positive feedback; if anyone has any questions or feature requests, please let us know.
Thank you again!
I ran TAC on a blog with 56 themes. It found two that have encrypted code:
SeaShore 1.0 by Sadish Bala (Line 33 in contact.php)
Web Minimalist 200901 1.0 by Effi (Line 35 in contact.php)
I could be wrong, but it looks as if the code in those two files is there to encrypt email addresses.
Before today, I didn't know about TAC at all, and I have been using WordPress for years. I have done more than my fair share of downloading free themes from shady sites, and not once did I find any info like this on the WordPress site. WordPress should really promote TAC, as this tool can help fix a lot of security loopholes in a lot of sites.
That said, I have never faced any security issues with the blogs I had (most of which are now shut). So I guess the hidden code is mostly just to generate pagerank flowing links, but malicious scripts could easily be there.
I will write about this on my webmaster blog as well.
Thanks for the info 🙂