Outside of the WordPress.org theme repository and the GPL commercial theme vendors, there are few spots where you can download a variety of themes that do not contain some sort of sponsorship or encrypted code. One site still cranking out great, quality free themes is Themelab, run by Leland. However, in most of the theme release posts published on WeblogToolsCollection.com, the theme has to be downloaded from the author's website. We do not install and test every theme mentioned in these release posts. However, if you are worried about downloading a theme that contains malicious or obfuscated code, this somewhat new tool called Theme Authenticity Checker may help you out.
The Theme Authenticity Checker is a plugin that scans all of the files of every installed theme, looking for links, malicious code, etc. Not all obfuscated code is bad, but generally it has no business being in a WordPress theme. By the way, obfuscated code is that stuff you see in themes encoded with BASE64, typically used to hide spam links and content that get injected into posts. Giving the plugin a spin on my local server, where I have about six different themes installed, all of them came back as OK. In fact, the WordPress default theme, aka Kubrick, contains five static links, and TAC tells me which file the links are in along with the line number.
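To show the kind of check the post describes (walk every file of a theme, report static links and BASE64-style obfuscation with file name and line number), here is an added example scanner. It is not TAC's code and its patterns are my own assumptions about what such a scanner looks for; the two theme files it scans are constructed samples embedded inline, with a harmless filler string standing in for the encoded payload.

```python
import re
from pathlib import Path

# Absolute http(s) links hard-coded into theme markup. A relative link or a
# PHP-generated href (e.g. home_url()) is not a static link and is skipped.
STATIC_LINK = re.compile(r"""<a\s[^>]*href\s*=\s*["'](https?://[^"']+)["']""", re.I)

# Obfuscation markers. These are assumed indicators, not TAC's rules: each one
# is a reason to open the file and read the line, not proof that it is malicious.
OBFUSCATION = [
    ("base64_decode call", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval call", re.compile(r"\beval\s*\(", re.I)),
    ("long base64 literal", re.compile(r"""['"][A-Za-z0-9+/]{80,}={0,2}['"]""")),
]


def scan_source(filename, text):
    """Return one finding dict per hit: file, line number, kind and detail."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in STATIC_LINK.findall(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "static link", "detail": url})
        for label, pattern in OBFUSCATION:
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno,
                                 "kind": "obfuscated code", "detail": label})
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under a real theme directory (not used by the samples)."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(str(path.relative_to(root)), text))
    return findings


def summarize(findings):
    """Count findings by kind so a theme can be judged at a glance."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample: a footer like a clean theme's, with one static link and
# one PHP-generated link.
CLEAN_FOOTER = """<div id="footer">
  <p>Powered by <a href="http://wordpress.org/">WordPress</a></p>
  <p><a href="<?php echo home_url(); ?>">Home</a></p>
</div>
"""

# Constructed sample: a sidebar carrying two sponsor links and an encoded blob.
# The blob is just "ABC" repeated, base64-encoded, so the file is inert.
SUSPECT_SIDEBAR = """<ul id="sidebar">
  <li><a href="http://example.com/cheap-stuff">Sponsor</a></li>
  <li><a href="http://example.net/">Another sponsor</a></li>
  <?php eval(base64_decode('""" + "QUJD" * 24 + """')); ?>
</ul>
"""

if __name__ == "__main__":
    for name, text in (("footer.php", CLEAN_FOOTER), ("sidebar.php", SUSPECT_SIDEBAR)):
        for f in scan_source(name, text):
            print(f"{f['file']}:{f['line']}  {f['kind']}  {f['detail']}")
```

Run against the samples, footer.php reports only the WordPress.org link, while sidebar.php reports two static links on lines 2 and 3 and three obfuscation markers on line 4, which is exactly the "which file and which line" output the post values. Point scan_theme() at a real wp-content/themes/<theme> directory to scan an installed theme.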
I ended up finding a site that provides free WordPress themes which contain encrypted code. Here is what TAC tells me.
While I don't know what the encrypted code is doing, I know where to find it and remove it if I feel the need. We can also see that there are two static links in the theme's sidebar.php that I could remove as well.
TAC is free to use and is currently at version 1.4, which is compatible with WordPress 2.8. If new vulnerabilities or malicious ways of putting bad stuff into themes are discovered, they will update the plugin accordingly. I'm not sure how often this plugin updates, but at the very least it is a good way to quickly discover static links that have been coded into a theme.
If you install TAC on your own blog, let me know in the comments if you discover any installed themes that report either encrypted code or bad stuff!