Part of the reason why this happened is because I wanted to change things up. I upgraded to WordPress 2.5 – no probs there. And I looked for a different theme to mark the change.

So I looked for a freebie to act as a stop-gap and found a theme that was GNU-licensed and open-source, which would allow me the flexibility to change things up. I found one at a free WP theme meta-site, which seemed fine, and I installed the theme.

Then I got around to looking at the PHP code to see where I could tweak things, and I noticed some strange, base-64 encoded strings in some of the files.

Commence mental alarm bells.

So I look at some of the WP developer blogs (those referenced in the default RSS feed on the WP admin page of almost every WordPress-driven site) and found this post from an open-source theme developer. It seems that some of his themes had been swallowed up by a free theme meta-site and doctored with this base-64 code. This developer did some snooping and asking around, and found that the inserted code was definitely not WP standard, and was very likely malicious:

I think the potential for abuse of this script is huge. I see it as a covert channel to setup Word Press enabled sites as thin zombies. The code being sent back to the server and eval’d could be a mailing script for spam or phishing.

So I decided to reverse-engineer the whole damn thing, stripping out all malicious code, and seeing how it turned out. It’s not bad – looks and acts the same, without all the scary eval calls and potential for hacks to my site.

So to anybody developing for WordPress (or Joomla, which is equally vulnerable to these exploits), the safe bet is to use the WordPress theme directory from WordPress.org.

Caveat emptor means more and more in the days of the internet.

This is a post from randomduck.com. Copyright © 2010 R.D. Riet. Covered under Creative Commons.

using wordpress? be careful with free themes