Free Themes, Getting More Than You Bargained For

Free Themes, Getting More Than You Bargained For

No Comments

beer_free_featured-300x171The WordPress community is one of the most prolific and generous groups in the open source community. There are countless themes and plugins all available for no more than the recognition of improving the form and functionality of a platform they believe in.  So what happens when a few bad apples decide to take advantage of that community?  From time to time, I come across a theme that seems a little too good to be true or that feels just a little off. Fortunately, the open source nature of WordPress makes it much easier to find and identify irregularities… if you know what to look for.

One tactic found in malicious themes is the inclusion of encrypted or obfuscated code. These range from simply “credit links” inserted by third party distributors (rather than the original creators) all the way up to exploits that can open back doors up on a site and expose personal data.

Some basic measures you can take to protect yourself include:

  • Acquire free and paid themes from reputable sources.  Although, vulnerabilities can slip through even the most diligent repositories, you can dramatically decrease your chances of exposing yourself by using the official WordPress Theme Repository and other community vetted public collections and respected designers.
  • Search through the source code for tell-tale signs: blocks of encrypted code (example:  eval(base64_decode) , calls or references to external sites and unusual files. Popular places for this sort of tactic is the footer.php and functions.php files, but frankly, it could be placed anywhere.
  • Executable files claiming to be “installers”.

Additionally, there are some precautions you can take inside your existing WordPress installation to help identify potential threats early.

  • Database and Contents Backup: Regular backups are a good idea under any circumstances, but in particular, a backup prior to installing a new theme or plugin can give you a safe restore point in case the worst should happen.  One of our most popular add-ons at ItsWordPress.com is adding backup functionality to existing sites.
  • TAC  (Theme Authenticity Checker): Searches the source files of themes for malicious or unusual code, displaying its findings for you to review.
  • AntiVirus: Capable of scanning WordPress files for suspicious files. Includes the ability to white list, automatic daily checks and manually initiated checks.
  • WordPress File Monitor: This plugin monitors the files of your WordPress installation and when changes, deletions or additions are made issues a warning via email for you to examine.
  • Exploit Scanner: Purely a diagnostic plugin, but satisfyingly throrough in its checks for concerns in your files and database. It can err on the side of false positives, particularly if you are employing exotic plugins or custom coding, but since actions are left entirely up to the user, your WordPress install will not be alter unless you specifically take action.

In closing, nothing here is meant to discourage or disparage the hard work of those that develop legitimate WordPress resources. These individuals are in the vast majority. WordPress remains one of the most respected and accessibly balances of security and accessibility in the open source Content Management field, and the presence of counter-measures like those above is testament to the hard work of those wanting to keep it a popular and practical solution.

 

I'm the front-man of It's WordPress. I come from a diverse array of backgrounds, enjoying the opportunity to expand my knowledge base and skill set by re-inventing myself. I enjoy environments that focus on emerging information, technology and concepts. I put on the technical hat in my early 20s and never really looked back. I'm love technology and the internet, as well as the outdoors and avidly hike, kayak and camp every chance I get.

About Us

We can take you from concept, through design, development and deployment in one seamless process. Whether you choose a self-managed web site or need a continuing support relationship; we've got you covered.

CLICK TO EDIT

Request Consulation

Ready to transform your vision into a reality? Just looking to see what it takes to get the ball rolling. Tell us about your project and we can help. No spam. No obligation. Just answers.

WordPress Workflow With Rest API

Over the last decade we've seen the accelerating rise of dynamic JavaScript…
Continue reading

Three Must-Haves For Your WordPress Headlines

Simple headline best practices you can't afford to overlook. Don't bury the…
Continue reading

Hail to the King (of Content Management Systems)!

WordPress continues to grow as the CMS (Content Management System) of choice on…
Continue reading

Theme View – Cool Free Themes For WordPress Sites

In this post we look at three free themes that use the…
Continue reading

A Fist Full of Facebook… Plugins

Love or hate it, Facebook is still the 800 pound gorilla in…
Continue reading

Modifying the WordPress Admin Toolbar

The Admin Toolbar was introduced back in WordPress 3.1 (trivia points if…
Continue reading

Defer Ads by Date on WordPress Post and Pages

The topic of advertising on a website can be a sensitive one.…
Continue reading

Theme View – Cool Free Themes For WordPress Sites

In this Theme View update we feature themes that take advantage of…
Continue reading

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top