
Stop Downloading WordPress Themes from Shady Sites

So, you go to Google and type in a search for “WordPress themes.” You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.

So you move on to another site that has a great collection of free themes, you download one you like and install it on your site. It has 50 random irrelevant spam links in the footer, and you can’t edit them out because there’s weird encrypted code in footer.php, but who cares? It looks good so that’s all that matters. And chances are your visitors won’t ever scroll down that far anyway.

Using a theme with this kind of obfuscated code (usually base64-encoded PHP fed to eval(), which this post loosely calls "encrypted") would be a big mistake. Unfortunately, most users running such themes don't know or care that the code can open their entire blog, or even the server it runs on, to malicious attacks: whatever sits inside that eval() runs with the same privileges as WordPress itself, so it is not limited to injecting spam links.

[Image: Bart thinks before using themes]

Unless you want to end up like Bart, I suggest you read on to find out:

  • What types of sites to avoid when downloading themes
  • How to spot encrypted code in a theme without manually checking
  • How to decrypt code (if you really want to use a theme)
  • A list of trusted sites to download themes from with confidence

Stay far away from sites like these

There are two main types of sites you should avoid when looking for any sort of WordPress theme to use on your blog.

  • Torrent/warez sites
  • Random sites you find in Google

Okay, torrent/warez sites are kind of a given. You should know better than to download themes from a site like that. It's no secret that downloads from those types of sites can be bundled with malware, and WordPress themes are no exception.

Using a theme from a site you find on Google, on the other hand, is probably a mistake a lot of people unknowingly make, and it can be a costly one if you don't know what you're doing. Take a look at this video, which demonstrates how Google's top results for "WordPress themes" are dominated by shady sites that distribute themes with encrypted code.

As you can see in the video, 4 out of 4 of the sites I checked did in fact have encrypted code somewhere in the theme, usually in the footer.php file, but it could be hidden anywhere (and do just as much damage too).

How to spot encrypted code

Remember, encrypted code can be hidden anywhere in your theme and it really doesn’t matter where. In order to efficiently check a theme for encrypted code, without manually checking each file, I highly recommend using the Theme Authenticity Checker. I’ve written about this before, but it really is an invaluable tool if you have a lot of themes and haven’t had time to check each one for encrypted code.

[Screenshot: Small Studio TAC]

Basically what it does is automatically scan your themes for (potentially) malicious and unwanted code, including pretty much all of the code obfuscation techniques you saw in the video, plus every outgoing link in the theme. This can save you a lot of time, and from my tests it is pretty effective in detecting that kind of junk. For more information you can also check out Jeff Chandler's post on the exact same plugin (he was also nice enough to mention Theme Lab as a good source for free WordPress themes).

This does require an actual WordPress installation, though, and as I said in the video you should really check themes before uploading them to a live site. If you know how, set up a local test site for this rather than using a live production site.
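If you would rather not install anything before you have looked at a theme, the following Python script is an added example (it is not TAC and is not code from the original post): a standalone scanner you can run over an unzipped theme directory before it ever touches a WordPress install. It flags the same kinds of things TAC reports, namely calls to eval(), base64_decode(), gzinflate(), str_rot13() and friends, preg_replace() with the /e modifier, long base64 blobs, and every outgoing link. The sample footer.php, its hidden payload and the spam.example and example.com URLs are all constructed for the example.

```python
"""Flag obfuscated PHP and outgoing links in a WordPress theme, TAC-style."""
import base64
import re
from pathlib import Path

# PHP functions that ordinary theme templates almost never need but that
# obfuscated footers depend on to hide what they execute.
SUSPICIOUS_CALLS = (
    "eval", "base64_decode", "gzinflate", "gzuncompress", "gzdecode",
    "str_rot13", "create_function", "assert",
)
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
# A run of 80+ base64 characters inside a template is a payload, not markup.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# preg_replace() with the /e modifier runs the replacement string as PHP.
PREG_RE = re.compile(r"preg_replace\s*\(\s*['\"]([^'\"]+)['\"]")
E_MODIFIER_RE = re.compile(r"^(.)(.*)\1([A-Za-z]*)$")
LINK_RE = re.compile(r"href\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)


def _line(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_source(name, text):
    """Return (file, line, kind, detail) tuples for one template's source."""
    findings = []
    for m in CALL_RE.finditer(text):
        findings.append((name, _line(text, m.start()), "call", m.group(1)))
    for m in BLOB_RE.finditer(text):
        findings.append((name, _line(text, m.start()), "blob",
                         "%d base64 chars" % len(m.group(0))))
    for m in PREG_RE.finditer(text):
        mods = E_MODIFIER_RE.match(m.group(1))
        if mods and "e" in mods.group(3):
            findings.append((name, _line(text, m.start()), "call", "preg_replace /e"))
    for m in LINK_RE.finditer(text):
        findings.append((name, _line(text, m.start()), "link", m.group(1)))
    return sorted(findings, key=lambda f: f[1])


def scan_theme_dir(theme_dir):
    """Scan every .php file under an unzipped theme directory (recursively)."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(str(path), text))
    return findings


# Constructed sample: what a spam-laden footer.php from a "free themes" site
# looks like.  The payload is encoded here so the reader can see what the blob
# conceals; in a real theme you would only ever see the blob.
HIDDEN_PAYLOAD = ('echo \'<a href="http://spam.example/pills/">cheap pills</a> '
                  '<a href="http://spam.example/loans/">payday loans</a>\';')
BLOB = base64.b64encode(HIDDEN_PAYLOAD.encode()).decode()
SAMPLE_FOOTER = """<div id="footer">
  <p>&copy; <?php bloginfo('name'); ?> | <a href="http://example.com/">Example</a></p>
  <?php eval(base64_decode('__BLOB__')); ?>
  <?php wp_footer(); ?>
</div>
""".replace("__BLOB__", BLOB)

# The same footer with nothing to hide, for comparison.
CLEAN_FOOTER = """<div id="footer">
  <p>&copy; <?php bloginfo('name'); ?></p>
  <?php wp_footer(); ?>
</div>
"""

if __name__ == "__main__":
    for finding in scan_source("footer.php", SAMPLE_FOOTER):
        print("%s:%d  %-5s %s" % finding)
```

Run it as `python scan_theme.py` to see the sample findings, or call `scan_theme_dir("path/to/unzipped-theme")` for a real download. Note that the spam links themselves never show up as "link" findings, because they only exist after the blob is decoded; that is exactly why the blob and the eval()/base64_decode() pair are flagged on their own. Expect the occasional false positive on a long data: URI image embedded in a stylesheet-generating template; a human still has to look at each hit.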

How to decrypt code

Like I mentioned in the video, if you found a theme with encrypted code, it’s usually best to avoid it altogether. Maybe you can do some digging and find the same theme on the original author’s website (which I hope wouldn’t have encrypted code either).

However, sometimes you really want to use a theme and can't find any way to get it from the source. It is possible to decode the code if you really need to. Take a look at the WordPress.org support forum post called "Encrypted Theme? Here's how to decode it." In the post, Otto42 goes over ways to decode several types of encrypted code.

Now, I think I noticed some sites using multiple methods to encrypt their code, which might be a little more tricky. I would suggest decrypting each part one at a time and then putting all the pieces together if that’s the case.
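As an added example (not from Otto42's forum post or the original article), here is a Python decoder that does exactly that: it peels the layers one at a time and, when the decoded code turns out to be yet another eval(), keeps going. It assumes the payload has the usual shape, an eval() whose argument is a nest of base64_decode / gzinflate / gzuncompress / gzdecode / str_rot13 / strrev calls around a plain string literal; anything else is reported rather than guessed at. The two-layer sample footer is constructed by encoding a known payload so the output can be checked, and the spam.example URL is made up.

```python
"""Peel nested eval(gzinflate(base64_decode(...))) layers out of a PHP template."""
import base64
import codecs
import re
import zlib

# PHP decoder functions, each implemented on bytes.  The obfuscator applied
# their inverses in the opposite order, so we apply these innermost-first.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),       # raw deflate
    "gzuncompress": lambda b: zlib.decompress(b),                      # zlib stream
    "gzdecode": lambda b: zlib.decompress(b, 16 + zlib.MAX_WBITS),     # gzip stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
LITERAL_RE = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)


def find_eval_args(text):
    """Return the argument text of every eval(...) in text, matching parens and skipping quotes."""
    args = []
    for m in re.finditer(r"\beval\s*\(", text):
        i, depth, quote = m.end(), 1, None
        start = i
        while i < len(text) and depth:
            c = text[i]
            if quote:
                if c == "\\":
                    i += 1                 # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
        if depth == 0:
            args.append(text[start:i - 1])
    return args


def decode_expression(expr):
    """Evaluate f1(f2(...('literal'))) inside-out; return (bytes, [f1, f2, ...])."""
    names = []
    m = CALL_RE.match(expr)
    while m:
        name, expr = m.group(1), m.group(2)
        if name not in DECODERS:
            raise ValueError("unsupported function in payload: " + name)
        names.append(name)
        m = CALL_RE.match(expr)
    lit = LITERAL_RE.match(expr)
    if not lit:
        raise ValueError("innermost argument is not a plain string literal")
    data = lit.group(2).encode("latin-1")
    for name in reversed(names):           # innermost call runs first, as in PHP
        data = DECODERS[name](data)
    return data, names


def unwrap(expr, trail=None):
    """Decode one eval() argument; if the result is itself an eval(), keep peeling."""
    trail = [] if trail is None else trail
    data, names = decode_expression(expr)
    trail.append(names)
    code = data.decode("utf-8", errors="replace")
    inner = find_eval_args(code)
    if inner:
        return unwrap(inner[0], trail)
    return code, trail


def decode_theme_file(text):
    """Unwrap every eval() payload in one template; returns [(plaintext, trail), ...]."""
    return [unwrap(arg) for arg in find_eval_args(text)]


# --- constructed two-layer sample -------------------------------------------
# Built by encoding a known payload so the decoder's output can be checked.
HIDDEN_PAYLOAD = "echo '<a href=\"http://spam.example/\">cheap pills</a>';"


def _b64(data):
    return base64.b64encode(data).decode()


def _raw_deflate(data):
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return co.compress(data) + co.flush()


# inner layer: eval(str_rot13(base64_decode('...')))  ->  the spam link
_STAGE2 = "eval(str_rot13(base64_decode('%s')));" % _b64(
    codecs.encode(HIDDEN_PAYLOAD, "rot13").encode())
# outer layer: eval(gzinflate(base64_decode('...')))   ->  the inner layer
SAMPLE_FOOTER = "<div id=\"footer\"><?php eval(gzinflate(base64_decode('%s'))); ?></div>\n" % _b64(
    _raw_deflate(_STAGE2.encode()))

if __name__ == "__main__":
    for plaintext, trail in decode_theme_file(SAMPLE_FOOTER):
        print("layers peeled:", " then ".join("/".join(t) for t in trail))
        print(plaintext)
```

Read the decoded output before deciding anything: a footer that only echoes a link is annoying, but the same wrapper is just as happy to hide a file-writing backdoor, and the decoder will not tell the difference for you. If `decode_expression` raises on an unknown function, the theme is using something this script does not model, which is itself a reason to walk away.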

A list of trusted theme sites

With the following sites, you can rest assured you won't be getting any encrypted code with your theme downloads.

  • WordPress.org – Themes from WordPress.org have to pass a number of automated checks, including checks for encrypted code, before they are accepted. Before they go live, they are also moderated by a real human to double check that the theme is fully functional and free of dirty code.
  • ThemeShaper – Although they had a little hack scare recently, I would still consider this a highly trusted site when it comes to WP themes. If still in doubt, you can always get Ian Stewart’s themes at WordPress.org.
  • Theme Hybrid – A site from Justin Tadlock, and home of the Hybrid theme framework and a number of great child themes developed on top of that.
  • StudioPress – A site from Brian Gardner and home of several well-designed paid WordPress themes. Since the majority of themes available from StudioPress are paid, be very wary if you come across one of their themes available for free download on some other site.
  • Premium Mod – A site which offers free modified versions of premium themes. Although I said you should be wary about downloading free themes that are normally paid, there are (very rare) exceptions to the rule. I have personally checked out all of Premium Mod’s theme releases and there is no encrypted code that I can find. UPDATE: Site no longer active.

Obviously there are a ton more “trusted” sites, but I can’t list them all. Please do your research and make sure you’re getting themes from reputable sites and companies, if not from WordPress.org.

Conclusion

I’ve been meaning to write a post like this for a while now, but it really hit close to home when someone emailed me about a theme from Theme Lab in which they encountered encrypted code in the footer.

I know this isn’t exactly news, but I hope this brings more awareness to an issue that is still a big problem today. Most people lately are talking about the encrypted code problem with premium themes, but I’d argue the problem is much more widespread when it comes to free themes.

Think about it for a sec, if someone downloads a paid theme from a torrent site, they are going completely out of their way to do so and have some experience using torrent clients, file sharing sites, etc. just to save a few bucks. They’re probably already aware of the risks involved when it comes to that sort of thing.

People searching for free themes in Google likely have a more “innocent” mindset and probably don’t even realize the mistake they’re making when they use themes from these random sites. Like someone mentioned on Twitter to me: Most users never read, only see download button. This is a sad fact that I’d unfortunately have to agree with. The only thing we can do is spread more awareness and educate users about the dangers of using themes from rogue sites.

I’d love to hear your thoughts in the comments. Going to have to ask everyone in the comments to not mention the “GPL” whatsoever, because this has nothing to do with theme licensing or if a theme has a price tag or not. It has to do with scummy sites taking advantage of unsuspecting WordPress users.

Comments

  1. ThemeLab Acquired By Syed Balkhi | Magazine Demo April 23, 2014 at 6:32 pm

    […] since 2007. Leland Fiegel, the site’s previous owner made a positive mark within the community when he published an in-depth post explaining why users shouldn’t download and use themes from shady sites discovered in […]

  2. Great post. To be honest, I did download a template some time back and had to go through this issue. I then had to hire a professional to clean my site, thus paying more than I would have had I purchased a template from a genuine site. Cheers

  3. Yes this is very true. I also had some bad experiences. Thanks Theme Lab for bringing such posts in notice. Great job!!!

  4. Big thanks for the useful post and help.
    I was looking for a theme to install on my new website and then I met you.
    Finally I decided to install an official WordPress theme;
    some of them are very customizable and can be changed to look great,
    without risk of phishing or attacking.

    many thanks

  6. There are ways to reverse the encrypted code. They use base64 to encrypt. All you have to do is find and use one of the many free base64 decoders (search Google). Look for a decoder that explains where the code starts and ends, otherwise it might not work. A friend of mine who doesn’t know any web design had downloaded a free theme that had the code. We successfully decoded the encryption, removed the hack link, and restored the footer.

    With that said, I agree that the whole thing is shady. Personally, I prefer to contribute to the theme authors.

  7. If you buy a developer license from the vendor, you can pretty much do anything with the themes. So people give them away and get backlinks to their sites or whatever sites they want. In this case, there’s not much the vendor can do.

    I do know that many people do not look at the footer and have no idea there are links there.

    My point is, encoding the footer isn’t necessarily evil. But the user had better understand the risk they are taking.

  8. Just want to let people know that, worse than some backlinks to websites (be it spam sites or the developer's site), themes from shady websites may HAVE A VIRUS (technically it’s a worm) installed in them, and sometimes IT’S NOT ENCODED and you may mistake it for genuine code.

    One of my colleagues at work installed such a theme and I’m trying to fix things now.

    It didn’t happen, but anybody could have logged in as admin to my site and deleted all my content.

  9. Thank you for the warning, I will be more careful when searching, and downloading. I found this to be very helpful.

    Sincerely,

    Karen C.

  10. I have come across a few sites like you speak of. I am sure you have all heard of Woo Themes, right? Well, I contacted them to let them know of 1 site specifically that was giving their paid themes away for free.

    They responded, said thanks, but there was nothing they could actually do legally, mainly because of the type of licensing. After someone buys the theme from them, they are free to do with it whatever they want. Even if that means putting an encrypted file in the footer and giving it away for free.

  11. Yogi - ThemeWarrior October 10, 2010 at 10:30 am

    I found a site several days ago that was listing our free theme, but to my surprise they had added encrypted links in our theme’s footer. Is there a way to prevent those sites from appearing on search engines? Maybe by reporting the site to Google (dunno if this kind of service is available) so it will be flagged as some sort of ‘Reported Attack Site’.

  12. This is a really useful post. I hadn’t previously been aware of this issue and I’ll definitely be more careful about selecting themes.

  13. I only recently came across this phenomenon, I’d heard of it but never really seen it until a client hired me to fix various issues on his site that was using one of these themes.

    Unfortunately my advice to switch is so far going unheeded.

    Useful post, and I hope it makes some people think twice.

  14. People that add encrypted footers on their themes piss me off. Especially since WordPress themes are GPL and encrypting WordPress code such as “the_footer” is a violation of the license. Honestly, if your theme is awesome enough, people will not remove the link and even more people will link to you.

  15. Wow, I’m glad I stumbled on this post. I’m currently searching for a new site theme and had no idea this happened. I may or may not have found the encryption once I looked at the files but even if I did I’m not sure I would know it was something potentially dangerous. Thanks!

  16. @Jotrys – it was posted on the 8th Dec, zero 9.

    This is a timeless post, so it doesn’t need the date – this issue will still be around in 5 years’ time.

    1. @Chris, thanks

  17. Forgot to say, since I was thrown off due to the datelessness, but

    this is a great post. It describes a way to check if there are problems (I installed TAC and all OK), but also describes a way to perform a manual check.
    This post is a keeper.

  18. From which December is this? December 2008? December 2009? How can I tell?

    And when were the comments made?

    Without this I can not judge the timeliness of the information.

    1. It was 2009. I know this theme doesn’t display a year on posts but you can tell by the URL of the permalink (/2009/12/08/).

      As far as the comments go, there are no dates at all displayed which is a decision I made. The post is still “timely” since this stuff is still going on today.

      1. Thanks for the tip as to the permalink. Can clearly see the post publication date there.

  19. Hey, I’m downloading some themes from Bestwpthemes.com. I recommend it since it has quality themes and it’s not “shady”. You should add it on this list too! 🙂

  20. Apart from themes… is there any tool to check the authenticity of a WordPress add-on?

    Add-ons are the most dangerous scripts available for free, luring webmasters with exciting tools. These tools exploit the blog to hand over complete control to hackers….

  21. Wow, I feel like a babe in the woods. I didn’t know about this. Although I only have downloaded themes directly from WordPress, it is possible that I may have some day in the future branched out. So thank you for the warning!

  22. Great article! It disappoints me that sites like these exist because it makes people question upcoming legitimate websites.

    Also, for those who are unfamiliar with WordPress theme sites, how would a novice know what’s a “source” website? I mean, these dodgy sites weren’t designed too badly and look somewhat legitimate.

  23. If no one else was curious, I decoded some of the garbage from the themes in the video.

    I found a lot of links to websitetransfer.net

  24. Wow, am I glad to have found this post while surfing for two WP themes! I’m planning to move two blogs to WP now that Blogger has shut off their old school FTP publishing. You have just saved me a lot of potential heartache. Thank you!!

  25. Nice post! Technically, it’s encoded not encrypted, but I’m sure most people would understand what you mean (or even not know the difference :P). A few months ago I decoded some of that code for someone, by hand though (I couldn’t find any tools for it). Looking at the encoded code, it was pretty much just standard WordPress code, so I have no clue why it was encoded. As far as I know, the reason the footer is often encoded is so people can’t remove the copyright. It’s still pretty dodgy, and I’d personally stay away from any theme that had encoded code anywhere in it.

    You can see my post on it at http://forums.whirlpool.net.au/forum-replies-archive.cfm/1326644.html

    1. Yeah I know “encoded” or “obfuscated” is more accurate than encrypted, but basically wanted to make sure anyone reading this would understand what I meant, so I used them all.

      Completely agree with staying away from any theme with encoded code. Thanks for your insights.
