Theme Malware Anatomy


One of the biggest problems facing users of WordPress today especially when it comes to themes is malware. I’ve seen my fair share of websites using themes whose functions.php file contains base64 encrypted code that when decrypted, shows spam links. However, there also a number of themes that have code within them that installs malware onto the web server. After Chip Bennett, one of the Theme Team Reviewers noticed at least one of his themes were being made available on a website that claimed to have free WordPress themes, he discovered that something was not right. All of the themes available on the website contained some sort of malware that would be installed onto the users site once enabled.

Otto does a great job going in-depth and explaining exactly how this particular piece of theme malware works. Most of the explanation is over my head but it gives you a sense of not only how desperate but also how clever these spam kings are getting in having their way with your website. This is why we preach that you always get your free themes from the Theme Repository because each theme is now reviewed with human eyes to make sure none of that garbage gets into the repository.

The theme repository contains almost 1,300 themes but quite a few of them look like they were designed in early 2000. So I can understand why users would want to expand their reach and check out the wider marketplace of freely available themes but just remember, when you download and use a theme that is outside of the repository, you do so at your own risk.

As an aside, this video which was produced by Leland of provides a great explanation as to why you want to stay away from using Google when searching for freely available themes.




  1. John Blackbourn (8 comments.) says:

    That video from Themelab is incredible. I had no idea that malware themes were so prevalent.

    I wonder what Google’s stance on this is. Surely those sites should be classified as sites distributing malware and therefore be blacklisted by Google’s anti-malware system (eg. the one that Firefox, Safari & Chrome hook into).

    • Jeff Chandler (171 comments.) says:

      Considering Google rarely alters search results, I don’t think they will change the way things work to de-list those sites offering up bad themes. However, a good compromise would be for browsers to display a malware warning message or at least a warning that says the website contains potentially harmful material.

      For a long time, the number 1 search result for Free WordPress themes was NOT the WordPress Theme Repository which I feel continues to contribute to the problem overall.

  2. gestroud (2 comments.) says:

    I’ve been guilty of downloading themes from sites I found on Google — usually when I’m trying to find a theme that’s not available anymore from the original designer. The majority of them have encryption in the footers, headers, function.php, sidebars, and even in the index.

    Luckily, there are a few methods for decoding the encryption. If it’s the footer or header, I just view the page source and copy and paste the relevant codes into my files. From there, I’ll check the readable code, see and see if there are any spam links to change. The only links I keep are the ones that credit the original designer.

    There are also some sites that provide means to decode base64. Here’s one:

  3. Chip Bennett (63 comments.) says:

    Ironic that you should post this; I just basically posted the same thing.

    I’d never seen Leland’s video before. It’s like deja vu from my past two days of trawling through that mess…

    • Jeff Chandler (171 comments.) says:

      Ouch, your post illustrates that the problem is much worse than even I thought it was. Yet, so many people search for Free WordPress themes and we always read or hear stories of peoples sites getting hacked or links showing up within their theme files. While server issues could definitely be the problem, I bet this is what is happening in a large majority of those cases. Using bad themes from bad places.

      • Chip Bennett (63 comments.) says:

        By the way, I’m getting duplicate (two distinct, rather than two identical) reply-notification emails from WLTC. Any idea why?

        • Mark Ghosh (386 comments.) says:

          There is a plugin causing email replication. Does this happen all the time, e.g. this reply?

          • Chip Bennett (63 comments.) says:


            Yes, I got two comment-reply notifications for your comment.

            One, I recognize as the output from the Subscribe To Comments Plugin.

            The other one is formatted differently (it includes the reply, my original comment, and some boilerplate text indicating that the email was automated).

      • Chip Bennett (63 comments.) says:

        I have little doubt that these sites are are frequent cause of “unknown” spam links into people’s sites – not to mention, sites getting hacked.

        I would go past the first 30 hits, but honestly, it gets tiring, and disheartening. It’s just hard to imagine that there’s that much crap out there…

  4. John Lizotte (1 comments.) says:

    Thanks for sharing this information. Although I was aware of the problem in general, the video was a real eye-opener about how wide-spread the problem is.

    Love your site. I check it often. Keep up the good work. Thanks to you and Leland for the eye-opening info about the malware.

    Be well.


  5. MC says:

    Very informative video! After watching it I checked out the footer and functions php files from various wordpress themes I have installed on my webpage and I noticed that even one that I downloaded from wordpress’s theme directory had some similar code. The theme in question is zBench. I’m unsure if this is malicious code but if it is it’s sad that even’s theme pages aren’t safe to download from.

    • gestroud says:

      Good catch. I added a post the WP forum alerting people about it.

    • Chip Bennett (63 comments.) says:

      Indeed, it is only the Theme developer’s Paypal donation code, which is of course perfectly acceptable.

      Please verify such things before spreading FUD about the WordPress Theme Repository. (And yes: I take such accusations somewhat personally; the Theme Review team has volunteered countless hours since this past June, reviewing Themes submitted for inclusion in the Theme Repository.)

      • gestroud says:

        Yes, sir. Whatever you say, sir.

        • Jaycee (6 comments.) says:

          Atta boy :)

        • Chip Bennett (63 comments.) says:

          FWIW, that was directed at MC, not you. You did the right thing: you brought the question of suspicious code to the Theme-Reviewers mail list so it could be investigated. Fortunately, this one turned out to be a non-issue.

          But yes, I am a bit offended to hear a comment like, “even’s theme pages aren’t safe to download from” – especially when that claim is completely unsubstantiated.

  6. Dave (1 comments.) says:

    After installing a new theme I always run the Theme Authenticity Checker (TAC) Plugin to check for unwanted code. Although I do make sure to download from what I consider to be relaible sources, I’ve found it very useful.

    I’m surprised nobody has mentioned this…

    It can be downloaded at


    • Chip Bennett (63 comments.) says:

      Very interesting Plugin; thanks for the link! I’ll pass this one along to the rest of the Theme Review team; I’m sure it will be very useful.

  7. Oliver says:

    IMO, the problem is that unknown ba64 encrypted code in a theme is by no means an evidence of malware content.

    Most of the time, it is to hide sponsored links in the footer and sidebar.

    Of course, it may cover actual malware injection attempt, and the whole problem is that there is no way to know if you can trust the base64 code, or not.

    In my present case, I’ve already been confronted to base64 encrypted code, and I never kept it, reading the public html output in the “theme demo” link, and my wordpress knoweledge, I “guessed back” what the proper php code had to be, and re-wrote it in the theme source.

    I definitely don’t want to make a rant, but I think the present article goes too far when mentioning malware without evidence. It would have been best to mention “potential walware without means of knowing if we are safe”, or something like that.


  1. Theme Malware Anatomy « Weblog Tools Collection…

    Earlier this week, I released version 1.0 of my Oenology Theme. As I tend to do occasionally, after the release I decided to browse the Google search results for “Oenology WordPress”, just to keep track of any mentions of the Theme…….

  2. […] theme malware on the rise, many users are left wondering where the safest place to find free WordPress themes is, or how to […]

Obviously Powered by WordPress. © 2003-2013

page counter