Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else: Siobhan on WPMU.org has a nicely illustrated, researched and explained article on why users should never search for “Free WordPress Themes” in Google or any other search engine. Not enough can be said to avoid the malicious theme hawkers on the Internet and I appreciate the work and the explanation.
The problem is that most users, who are new to the ways of WordPress, will still use Google to search for themes and will download the first link that provides them with a free theme that catches their fancy. I would go so far as to say that somewhat knowledgeable users might still be tempted to ignore any possible bad effects from these themes; e.g. users continue to flock to sites that provide collections of serial numbers online in spite of being riddled with porn and adware. My opinion is that there are two ways to solve the problem or at least throttle down the preponderance of malicious themes installed on hapless WordPress blogs. Both options come with their pros and cons but one is a resolution closer to home.
- The WordPress application automatically checks installed themes for malicious content and notifies the blogger of the problem, still leaving it up to them to continue installing it or not. This solution is a double edged sword because malicious theme vendors could use the feature to test and hide their malice better. It also smack of “big brother” and is judgmental of a business model that is not explicitly illegal. This test could be run from local code and could have an auto update feature that updates rules from Trac. There are lots of ways to accomplish this.
- Google stops being legally blind and does something (better) about malicious sites. I know that there is a lot of talk about Google search providing worthless results for searches that attract a lot of attention and that they are looking to re-invent themselves. No matter how soon the search engines change their order of doing business, it will be outside of our control and malicious theme vendors will voodoo SEO kung fu are a dime a dozen.
Have you installed a theme without caring whether it contained malicious code or not? Would you pay attention to theme warnings if there was one? Are we going to offer an official Theme Checker?
I couldnt agree more – I have a friend that installed this really nice looking wordpress theme and after a few weeks when searching for his site on Google he saw this strange warning. After contacting his hosting company they found out that the problem was with some file in the theme. I am not sure it was a free wordpress theme but I think it was. Also this lady has a strange story about her themes – http://jessicabyrne.com/i-trie.....y-but.html
I believe that free is almost always more expansive in the long run so better pay for something with value.
Just my $0.02
Use TAC plugin would help to detect something bad.
Actually, at the moment, the best resource to use is the Theme Check Plugin.
It is synchronized with the uploader script that is used to check Themes submitted to the WordPress Theme Repository, and is used to check Themes as part of the Theme Review process. Among (many) other things, it will detect and warn regarding malicious code, encoding, hard-coded links, and the like. Most importantly: it can be used to test Themes before activating them. It can test any installed Theme, and not just the active Theme.
This advice is not half-bad; then again, it is only half good. There are hundreds of nice free (and malware-free) themes out there. I know of more than 130 WordPress sites running free themes. The majority are not from the WP.org repository. No problems from the themes nor their code. (From hosts, well, that is a different story.) An absolute prohibition is unfounded. (I have strong issues with embedded links but that is a different post comment.)
Just because some one says don’t use any free themes that are found by Googlin’, the cowboy yell site search engine, or other search vehicles, doesn’t make it so. Don’t take those (or any one’s) words to the bank. They are not 100% valid. For uniqueness and creativity, those themes out of the WP “accepted” loop surpass the repository by head and shoulders. (Out of every hundred at WP.org, 3 are passable.)
The point to be taken is: caveat emptor. If you don’t know, don’t understand or can’t check your theme code (in search for plugins, try “TAC”), then extraneous sites pose a marginal risk. More likely you have the malware on your computer and you infect the site with your PC (or in the future with your MAC, since the winOS is going nowhere).
Having downloaded more than 500 “free” themes, none has proven infected. So if the next one is bad, one in 501 is hardly an onslaught of bad themes. If you have suspicions, scan the file download, check the whois of the site, and avoid any site for any purpose that does not provide a concrete (non-POB) address. And, after you the up-load the theme, use the TAC plugin.
Finally, realize there are no absolutes on the Internet. It is more wide open than the wild west of 1800’s (which actually was only about 16 years long). Like any metropolis in the world, there are those on the Internet looking to do others harm. People moving blindly or not paying attention are likely to get burned.
Keep your mind engaged, your eyes open, ears on, your gut involved and always carry a little suspicion with all activities. In short, savor the external freebie themes…. cautiously.
This is scary, I was one of those people who searched for a free theme and installed it without giving it a thought, I am now coming to appreciate the power of wordpress and what damage a malicous theme could have.
Thank you for posting this info.
Roger
http://www.rogerlapin.co.uk/ma.....mouth.html
These articles seem strangely reluctant to admit that the problem might be with third-party repositories offering free themes rather than with free themes per se. You wouldn’t download a commercial theme from a third-party site, because the likelihood is it’s going to be pirated and riddled with malware; you’d go direct to the original developer. Why should free themes be any different?
How do you explain that to the Google searcher that never reads this discourse?
Well, you can’t explain anything to someone who’s not reading you, and I somehow doubt that the top sites in Google are going to rush to post disclaimers telling people not to download from them. So by that logic there’s nothing you can do and it was a waste of your time posting about it.
I am suggesting an alternative method of identifying issues with themes that is built into WordPress and cannot be circumvented by anyone, including the top sites on Google. Thus the post and thus the reason for this conversation. We both care, but show it on our disparate ways.
I’ve suggested adding a theme checker to core and publishing lists of safe theme sources and sites to avoid on wordpress.org, but that got pooh-poohed by Otto so it’s a fairly safe bet it’s not going to happen.
Basically, the development team are all for discouraging people from downloading themes outside the walled garden of wordpress.org because they don’t want them downloading non-GPL themes. As I tried to explain, this is short-sighted because a newbie who downloads a malicious theme is likely to end up blaming WordPress for any problems that ensue. Most end-users don’t realise how powerful a theme can be: as far as they’re concerned it’s just the template making their site look pretty.
I covered this a few times on my sites and I agree on most things. However, you can look and if you are not sure about the theme, you can go ahead and discard the theme.
I am already going to step into reviewing some of the places out there to avoid.
I will also be offering themes. The only thing is a credit link to me that the user can choose to keep in. (some of the themes I will be introducing are actual revamps of some of the older themes in the WP repository.)
My issue is the malicious coding and the encrypting that goes on with a lot of the themes given in the name of “free.” Technically – these themes are not free and come with a consequence if used.
I don’t see building a big brother system into the core as being an option, as it would require doing a whole stack of checks for code strings. Either that, or you would be using something like the Theme checker plugin, but that spits out errors with perfectly legit themes too so isn’t appropriate.
On second thoughts, I suppose you could have an external service like Akismet, which checked the theme name, then compared that to a list of reported “bad” themes and sent back a report based on that. That would allow for a massive database of information, without blowing the WordPress download size out.
If akismet can check spam, it can check a theme php. Just text after all.
@dgrut: Thanks for the Tac-plugin advice, i just googled for that 🙂
Thx, Robert
To say that people should never search for or download a free theme is ridiculous. Obviously, you should be careful and know what you are doing, but that could be said about anything else on the internet. Again, it’s the places that you get those themes from that you have to be careful of. Anyone with any sense will do some checking before downloading the first free theme they come across. The people who don’t are the same people who are getting viruses through facebook applications and emails that they aren’t careful to investigate first. You can’t stop people from being foolish, and you also can’t stop people from being malicious. But, you also shouldn’t throw the baby out with the bath water just because of those two facts.
WordPress.org is not the only place to get trusted themes from, and while I offer custom theme designs for a price, I’m also happy to offer some free themes that are solid and that a lot of people have used and enjoyed.
Sarah,
Are there particular reasons that you don’t want to submit your free Themes to the WordPress Theme Repository?
(I’m genuinely looking for all concerns and constructive criticism you have regarding the Repository.)
vos explications sont confuses pour un débutant, j’ai l’impression que vos conseils sont faits pour les initiés, je n’ai quasiment rien compris, mon beau-fils ingénieur en informatique a trouvé cela très facile pour lui. Quant à la traduction, bonjour les dégats. Mais je ne me décourage pas encore.
Christiane
In my opinion, the main problem is that the search function inside wordpress.org doesn’t work well enough. And probably many overlook the tag filter: http://wordpress.org/extend/themes/tag-filter/
This is even more important when searching for PLUGINS. If you don’t know the exact name of a plugin (or at least of some particular word used in the description), you’re lost. At least that counts for most non-English users, and there are many of us.
Then Google is much easier to use. A quite close search, and something shows up.
MAYBE the guys at wordpress.org should include a site-specific google search in the site.
I always use google typing “site:wordpress.org incredible new wordpress plugin” to find something. (The first part makes google look just inside wordpress.org – a feature too many are not aware of.)
PS
When tipping about plugins like the “TAC plugin” – why not include a link?
Hi Mark,
Thanks for linking back to me. I think in an ideal world Google would adequately deal with sites like this. Upon reflection and doing some reading up at Google I realise that using a theme like this could screw you twice:
1) Downloading a theme that contains spammy links at best and malicious code at worst.
2) Google’s anti-spam policy blacklists websites that contain hidden links. If you’ve downloaded a theme that contains hidden links this could negatively affect your SEO. This means that the unwitting WordPress user gets the spam penalty while the sites passing off these themes, and probably making money from link exchange programs, get odd scott free.
I contacted Google about it but they haven’t answered 🙁 I also tweeted Matt Cutts about it but no response there either. I would love to be able to talk to them about it!
I guess a theme install or a purchase should be done after doing some research on the author and people who are using that theme. Perhaps, it might be enough if people go through the topics on the help forum to identify what kind of problems others have faced and if the author has supported them.
But on my personal blog, I just use Twenty Ten. It helps, if the author of a theme is “Automattic Team” – That way, we can take an easy decision. Why not release more themes by Automattic? I tell ya, WP.org ought to be even selling some premium themes. Wonder why the WP.org team is not doing this, and charging for things like akismet instead!
Destination Infinity
You always have to check the source code whether there are external Javascripts or PHP-Scripts. Checking the external Javascripts is easy. You just have to type the URL in the browser and you see what it contains. But there is no possibility to see the content of a PHP-Script. Take care.
Very nice article.
Honestly I’m often to do that. Whenever I need something (including themes, plugin, etc) I’m always use google to find it and never had a thought whether it contain something that isn’t good. I’ll be more careful from now on.
There are a lot of nice non-malicious free themes out there too.
Personally, I’ve never had any problems width “bad” themes, but then on the other hand I try to check the code myself to see what goes on beneath. I do use a free template found on Google on my site, even if it wasn’t a WP-theme until I tweaked it.
Of corse You should always be careful with what You download.
“Thread lightly, here be dragons.”
When i find a good free theme , i scan manually all files … it´s not a good work, but i have found some malicius code in free themes …