I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs.

• Always download core WordPress code from http://WordPress.org. Type the link into your browser address bar rather than following a link from another blog or site. This includes updates and security fixes. If your web host offers one click installs or upgrades through their control panel, they are probably safe (they are safe if they are on a current version). I still suggest either installing a fresh copy from WordPress.org or using WordPress.com, but I do understand that one click installs are convenient.
• Try to download plugins and themes only from the official WordPress Extend. There are way too many themes and plugins (though much less plugins) that contain convert code and new WordPress theme download sites seem to be popping up everyday. We have covered shady themes many times on this blog.
• Never download “hacks” or “patches” to WordPress from anywhere. If you are unfamiliar with PHP, I would suggest that you ask people in the WordPress forums for help or contact us through our form on this blog for help. Always download official patches, updates and installs from the WordPress.org site.
• If you find a cool new trick, theme, plugin or hack for WordPress via a Google search, please be careful. I know the following is a cliche’, but if it looks too good to be true, it probably is.

Do you have any suggestions for our other readers? Have you found strange code on your blog or theme?