So, you go to Google and type in a search for “WordPress themes.” You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.
So you move on to another site that has a great collection of free themes, you download one you like and install it on your site. It has 50 random irrelevant spam links in the footer, and you can’t edit them out because there’s weird encrypted code in footer.php, but who cares? It looks good so that’s all that matters. And chances are your visitors won’t ever scroll down that far anyway.
Using a theme with encrypted code (strictly speaking it is encoded or obfuscated, not encrypted, but the terms get used interchangeably) is a big mistake. Unfortunately most people running one don’t know or care that code they cannot read can do anything the theme’s PHP can do, which means it can open their entire blog, or even the server, up to malicious attacks.
Unless you want to end up like Bart, I suggest you read on to find out:
- What types of sites to avoid when downloading themes
- How to spot encrypted code in a theme without manually checking
- How to decrypt code (if you really want to use a theme)
- A list of trusted sites to download themes from with confidence
Stay far away from sites like these
These are two main types of sites you should avoid while looking for any sort of WordPress theme to use on your blog.
- Torrent/warez sites
- Random sites you find in Google
Okay, torrent/warez sites are kind of a given. You should know better than to download themes from a site like that. It’s no secret that downloads from those sites can be bundled with malware, and WordPress themes are no exception.
Using a theme from a random site you found on Google, on the other hand, is a mistake a lot of people make without knowing it, and it can be a costly one. Take a look at this video, which demonstrates how Google’s top results for “WordPress themes” are dominated by shady sites that ship encrypted code.
As you can see in the video, 4 out of the 4 sites I checked did in fact have encrypted code somewhere in the theme. It was usually in footer.php, but it could be hidden anywhere, and it does just as much damage wherever it sits.
How to spot encrypted code
Remember, encrypted code can be hidden in any file of your theme, and it doesn’t matter where: every template file and functions.php is executed on each page load once the theme is active. To check a theme efficiently, without opening each file by hand, I highly recommend the Theme Authenticity Checker (TAC). I’ve written about it before, but it really is an invaluable tool if you have a lot of themes and haven’t had time to check each one.
Basically, it scans your installed themes for (potentially) malicious and unwanted code, including pretty much all of the obfuscation techniques you saw in the video, and lists every outgoing link it finds. This saves a lot of time, and in my tests it is pretty effective at catching that kind of junk. Keep in mind that it is a pattern scanner: a clean report means none of the patterns it knows about were found, not that the theme is guaranteed safe, so still read through anything it flags. For more information, check out Jeff Chandler’s post on the same plugin (he was also nice enough to mention Theme Lab as a good source for free WordPress themes).
Since TAC is a plugin, the theme has to be uploaded into a WordPress installation before it can be scanned. As I said in the video, you should really check themes before putting them anywhere near a live site. If you know how, set up a local test install for this, scan there, and don’t activate a theme on a production site until it has passed.
How to decrypt code
Like I mentioned in the video, if you find a theme with encrypted code, it’s usually best to avoid it altogether. Do some digging and you may find the same theme on the original author’s website (which I hope wouldn’t have encrypted code either).
However, sometimes you really want to use a theme and can’t find any other way to get it from the source. In that case you can decode the code to see what it actually does. Most of what gets called “encryption” in themes is reversible encoding (base64, gzdeflate, rot13 and the like) wrapped in eval(), so no key is needed; you just undo the transformations. Do this offline with a decoder, never by running the theme to see what comes out. Take a look at this WordPress.org support forum post called “Encrypted Theme? Here’s how to decode it.” In the post, Otto42 goes over ways to decode several types of encoded code:
- For code that looks like $o=whatever: you can use this tool to decode it: http://ottodestruct.com/decoder.php
- For code that looks like $_F=__FILE__: you can use the following tool to decode it: http://www.tareeinternet.com/scripts/byterun.php
- For code that looks like eval(gzinflate(base64_decode('...'))); : you can use the following tool to decode it: http://www.tareeinternet.com/scripts/decrypt.php
Some sites layer several of these methods on top of each other, which makes things a little trickier: the decoded output of one layer is itself another eval() wrapper. In that case decode one layer at a time, feed the result back into the appropriate decoder, and repeat until you are left with plain PHP and HTML. Once you know what it was hiding, replace the whole block with your own footer markup rather than just trimming the spam links out of the decoded output.
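Both steps above, spotting the tell-tale markers and decoding eval(gzinflate(base64_decode('...'))) style wrappers, can be done without a WordPress install and without ever executing the theme. The script below is an added example written for this post; it is not TAC, not Otto’s decoder, and not code from the original article. It flags the markers discussed above, statically unwraps nested eval(fn(fn('literal'))) chains one layer at a time, and lists the links that were hidden inside. The footer.php it builds for the demo is constructed, the spam domains in it are made up, and the “$o=...” pattern it looks for is an assumed shape since the post only says “code that looks like $o=whatever”. It does not decode the ByteRun $_F=__FILE__ style, which unwraps through variables rather than a string literal; for that it only raises a flag.

```python
"""Static checker for obfuscated code in a WordPress theme (added example, not
code from the original post). Flags the markers discussed above and statically
unwraps eval(fn(fn('literal'))) chains so the hidden HTML can be read WITHOUT
executing any of the theme's PHP."""
import base64
import re
import sys
import zlib
from pathlib import Path

# Markers worth a closer look. A hit is a reason to inspect, not proof of malice,
# but a theme template has no legitimate reason to eval() decoded blobs.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bgzinflate\s*\(", "gzinflate()"),
    (r"\bbase64_decode\s*\(", "base64_decode()"),
    (r"\bstr_rot13\s*\(", "str_rot13()"),
    (r"\$_F\s*=\s*__FILE__", "$_F=__FILE__ (ByteRun-style wrapper, not unwrapped here)"),
    # Assumed shape of the "$o=..." encoders the post mentions: a long base64 blob.
    (r"\$o\s*=\s*['\"][A-Za-z0-9+/=]{40,}", "$o='...' base64 blob"),
    (r"<a\b[^>]*\bstyle\s*=\s*['\"][^'\"]*display\s*:\s*none", "hidden link (display:none)"),
]

# eval( f1( f2( 'payload' ) ) );  -> group 1 = wrapper chain, group 3 = the literal
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|base64_decode|str_rot13)\s*\(\s*)+)"
    r"(['\"])(.*?)\2\s*\)+\s*;?",
    re.S,
)
LINK = re.compile(r"<a\b[^>]*\bhref\s*=\s*['\"](https?://[^'\"\s]+)", re.I)


def _rot13(data: bytes) -> bytes:
    """Byte-wise str_rot13(); non-letters pass through unchanged."""
    return bytes((c - 65 + 13) % 26 + 65 if 65 <= c <= 90 else
                 (c - 97 + 13) % 26 + 97 if 97 <= c <= 122 else c for c in data)


# PHP gzdeflate() emits raw DEFLATE without a zlib header, hence wbits=-15.
DECODERS = {
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "base64_decode": base64.b64decode,
    "str_rot13": _rot13,
}


def peel(source: str, max_layers: int = 10) -> tuple[str, int]:
    """Unwrap eval(...('literal')) chains one layer at a time, innermost function
    first. Returns (decoded source, layers removed). Purely static: the payload is
    transformed, never executed, so a hostile theme cannot run here."""
    layers = 0
    for _ in range(max_layers):
        m = EVAL_CHAIN.search(source)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group(1))   # outermost first
        data = m.group(3).encode("latin-1")
        try:
            for name in reversed(names):                # apply innermost first
                data = DECODERS[name](data)
        except (ValueError, zlib.error):
            break                                        # malformed: leave for manual review
        source = source[:m.start()] + data.decode("latin-1") + source[m.end():]
        layers += 1
    return source, layers


def scan_text(text: str) -> list[str]:
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, text, re.I)]


def scan_files(files: dict[str, str]) -> dict[str, dict]:
    """Per flagged file: markers found, layers unwrapped, links hidden in decoded code."""
    report = {}
    for name, text in files.items():
        markers = scan_text(text)
        if markers:
            decoded, layers = peel(text)
            report[name] = {"markers": markers, "layers": layers,
                            "links": sorted(set(LINK.findall(decoded))), "decoded": decoded}
    return report


def make_sample_footer(nested: bool = False) -> str:
    """Constructed sample (not from a real theme): a footer.php hiding spam links behind
    eval(gzinflate(base64_decode('...'))), optionally wrapped again in eval(base64_decode())."""
    html = ('<p id="credits">Powered by WordPress. '
            '<a href="http://spam-casino.example/">online casino</a> '
            '<a href="http://pills.example/">cheap pills</a></p>')
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(f"echo '{html}'; wp_footer();".encode("latin-1")) + co.flush()
    line = f"eval(gzinflate(base64_decode('{base64.b64encode(raw).decode()}')));"
    if nested:
        line = f"eval(base64_decode('{base64.b64encode(line.encode()).decode()}'));"
    return f"<?php\n{line}\n?>\n</body>\n</html>\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:   # scan a real theme directory, e.g. wp-content/themes/some-theme
        root = Path(sys.argv[1])
        files = {str(p.relative_to(root)): p.read_text(encoding="latin-1") for p in root.rglob("*.php")}
    else:                   # no argument: demonstrate on the constructed sample
        files = {"footer.php": make_sample_footer(nested=True), "index.php": "<?php get_header(); ?>"}
    for name, r in scan_files(files).items():
        print(f"{name}: markers={r['markers']} layers={r['layers']} links={r['links']}")
```

Run it with a theme directory as the only argument, or with no arguments to watch it peel two layers off the constructed sample and list the links that were hidden. Because it only applies base64/zlib/rot13 transforms to string literals, a hostile payload never runs, which is the property you want when poking at code you don’t trust; anything it flags but cannot unwrap (variable-based wrappers, odd encoders) still needs a look by hand.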
A list of trusted theme sites
With any of the following sites, you can rest assured you won’t be getting encrypted code with their theme downloads.
- WordPress.org – Themes submitted to WordPress.org have to pass a number of automated checks, including checks for encrypted code, before they are accepted. Before they go live, they are also reviewed by a real human to double check the theme is fully functional and free of dirty code.
- ThemeShaper – Although they had a little hack scare recently, I would still consider this a highly trusted site when it comes to WP themes. If still in doubt, you can always get Ian Stewart’s themes at WordPress.org.
- Theme Hybrid – A site from Justin Tadlock, and home of the Hybrid theme framework and a number of great child themes developed on top of that.
- StudioPress – A site from Brian Gardner and home of several well-designed paid WordPress themes. Since the majority of themes available from StudioPress are paid, be very wary if you come across one of their themes available for free download on some other site.
- Premium Mod – A site which offers free modified versions of premium themes. Although I said you should be wary about downloading free themes that are normally paid, there are (very rare) exceptions to the rule. I have personally checked out all of Premium Mod’s theme releases and there is no encrypted code that I can find.
Obviously there are a ton more “trusted” sites, but I can’t list them all. Please do your research and make sure you’re getting themes from reputable sites and companies, if not from WordPress.org.
Conclusion
I’ve been meaning to write a post like this for a while now, but it really hit close to home when someone emailed me about a theme from Theme Lab in which they had encountered encrypted code in the footer.
I know this isn’t exactly new news, but I hope this brings more awareness to the issue that still is a big problem today. Most people lately are talking about the encrypted code problem with premium themes but I’d argue the problem is much more widespread when it comes to free themes.
Think about it for a sec, if someone downloads a paid theme from a torrent site, they are going completely out of their way to do so and have some experience using torrent clients, file sharing sites, etc. just to save a few bucks. They’re probably already aware of the risks involved when it comes to that sort of thing.
People searching for free themes in Google likely have a more “innocent” mindset and probably don’t even realize the mistake they’re making when they use themes from these random sites. Like someone mentioned on Twitter to me: Most users never read, only see download button. This is a sad fact that I’d unfortunately have to agree with. The only thing we can do is spread more awareness and educate users about the dangers of using themes from rogue sites.
I’d love to hear your thoughts in the comments. Going to have to ask everyone in the comments to not mention the “GPL” whatsoever, because this has nothing to do with theme licensing or if a theme has a price tag or not. It has to do with scummy sites taking advantage of unsuspecting WordPress users.

Yeah, people do this just so they can have a link to their site, or whichever site, in the footer or wherever in the template it may be.
In saying that, this normally happens with the likes of premium themes etc. There are ways to decode this crap if you really want to use one of these themes and can’t find the original source, but it’s a pain.
To be honest, there should be something done about these sites firing out these WP themes for download with their link in the footer or wherever. But it will never happen, so all we can do is rant =)
Yep, pretty much the only thing we can do is spread the word on avoiding these types of sites. I’ve done my part but unfortunately tons of people are already using these themes, and people will keep using them too as long as the sites are online.
Stupid people. What are we going to do? Tut tut.
Yeah, that shit is getting quite ridiculous. Sometimes the link is quite ridiculous. People will do just about anything to get some free PR.
Glad you did this article. Having recently come across your website looking for templates (free or premium) and subscribed to your blog, I am glad you made a note on the encrypted code. I recently ran across this from a template website called “wordpress template archive” or something to that effect. Saw the encrypted crap in the footer.php & was like “WTH?” so I just deleted it and rewrote it. But using the links you supplied in the article, I took a look at the decoded crap & there sure enough were casino links galore! Nonetheless, I’m trashing the template and going to a more reliable place. My hunt for the perfect template continues. I’ve been eyeing Elegant Themes’ website. Working on a media production website. Recommend any site? Or template?
Hey Matt, I’m sure there are countless other sites like that distribute encrypted themes out there. Like I mentioned in the post, 4 out of the first 4 sites listed in Google for “wordpress themes” (excluding WordPress.org of course) are guilty of it.
That was a good move to delete the code and rewrite it. I didn’t decode all of the code myself, but most of it is just to hide spam links, like for casinos and such.
Anyway, for the theme recommendation, I’m pretty partial towards totally custom themes.
Great post Leland!
We have run into some problems with innocent people downloading illegitimate copies of our themes by mistake.
If you see a theme and you like it, be sure to visit the actual author’s site and download it from there. This can be tough if the malicious site has removed the link, but a quick Google search for the theme name will oftentimes reveal the real source.
Yep, that’s true. The one I came across from my site had the URL and every link back to my site removed. The person had to Google the theme name to find out it originated from here.
Quality post.
Thing is, bloggers who don’t have the required ‘know-how’ to know where to download themes, such as Theme Lab and Theme Shaper, could easily be caught up in these encrypted themes.
Where there’s a possible ‘market’ to take advantage of (free themes), you can bet your ass someone will be there to exploit it.
Oh well.
“…You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.”
could be rewritten thus:
“…You skip past the official WordPress theme directory because despite there allegedly being 1,000+ themes hosted there, you found the navigation and search facility so dreadful you gave up in favour of poking your eye out with a sharp stick.”
You do have a point, “Wordpress theme fan”.
Uuhh yeah! I discovered this problem back in September when I started my baseball card blog and looked for a baseball theme. I could’ve made my own, but I just wanted to get the site up quick and work on it when I found spare time. But this awesome theme I found inserted these insane links into the pages, and when I went to the code to remove them… I couldn’t find them until I discovered the problem was in some encoded code.
Extremely annoying thing to unhook without destroying the design!
So I removed it with some work. Then I ended up making my own anyway.
You guys shouldn’t discourage visiting a site from Google. I owned http://vasthtml.com for 3 years and just sold it and am about to open http://wpchoice.com, and I have never sold anything but clean and quality products, and you make it sound like all sites from Google are bad. For 90% of us Google is the only way people can find us other than word of mouth.
Eric, I’m not trying to make it seem like all sites from Google are bad, I’m saying people should be more aware of where their themes are downloaded, and should be more careful before uploading a theme they got from a site without checking it thoroughly for dirty code.
Obviously you can find some great themes through Google, but I think the fact that the top 4 sites for “wordpress themes” (except WordPress.org) all have encrypted code bundled with their theme downloads speaks for itself.
Really a nice read. I am late to read this post, but when I actually took a look, it’s really detailed and very well written.
You obviously nailed every good reason. Personally, I think people who are not taking their business seriously do go for these shady sites and unauthorized versions. The cost they pay is big when their data is lost. I’ve got several mails from people who have faced these problems.
Also, when they panic when such issues occur, the cost to hire an expert is much bigger than what they would have paid for the original product.
I agree with what Keith said. I learned the hard way, by way of “newbie ignorance”. And I have downloaded two themes from wordpress.org that my AntiVirus plugin found ‘eval’ code hidden within the footer. I was very lucky to come across Justin Tadlock’s site. Nothing but Hybrid for me.
Thanks for an excellent article, and bestowing the knowledge. You have a great style.
If you downloaded themes from WordPress.org with encrypted code, I’d report them immediately.
That’s definitely not allowed there and I’m surprised it was able to sneak past the automated checks and moderator.
Well, I don’t want to be mean, but look at this site you included in your list: premiummod.com.
What they actually do:
Redistributing premium themes under the GPL after damaging them (under the title “Modded”). Isn’t this another way to get cheap back-links?
Yes, damaging them without adding anything new. This is worse than encrypted footers; at least some of those encrypted footers are done by professional designers and with one or two links in the footer. You don’t have to use them if you don’t want to display these links on the site. Don’t you think the blogger has the choice between free encrypted, premium and stolen modded themes?
Who doesn’t want free back-links? Ask yourself this question before asking others. Look at your newest themes: all have two links in the footer. We can’t deny how these free themes open the door for creativity in WordPress themes.
Conclusion: if a blogger doesn’t want to use free themes with encrypted footers then go premium; if you can’t afford premium then go to the free premium themes at Wparchive.com.
HeHe
Really don’t get your point. It’s not really about getting “cheap backlinks” …it’s about hiding those links, and who knows what else, behind encrypted code.
You’re free to remove any of those backlinks in Premium Mod’s themes, but when you’re dealing with themes with encrypted footers, that freedom is severely limited.
My point is everyone has the chance to use the method that gives him the largest number of free back-links.
Encoding is widespread now; they use it to keep their rights on the theme they worked hard to make. So this is their right; you can’t blame them for encoding their themes. The same goes for the premium themes they are selling; it is also their right to make some profit from the themes. Both are using different methods to get some cash. And the bloggers have the chance to choose whatever they need.
Your video is kind of frightening. I knew this kind of things existed of course, but the first 4 you pick have it! That really shows the problem there is here.
Thanks for the quality article. I relayed the message on my own blog, because in my opinion we should try to spread this message and let everybody know about the issue.
Thanks Jeremy, I think the more people who know about this sort of thing, the better.
Good stuff, thanks for posting!
I had a bunch of free themes in my dev environment that I use for miscellaneous things, and I checked them out. Lo and behold, 3 of them had encrypted a boatload of links to miscellaneous affiliate sites or whatever they are doing.
I have seen these same templates in use on other sites and I’m guessing they are “hosting” these links there.
I guess this is a good argument for supporting premium theme developers!
I’m a little surprised that you are warning people away from shady wordpress theme sites and yet you are happy to promote premiummod which is a site that takes premium commercial wordpress themes, “modifies” them and then releases them for free. Call me crazy but modifying a commercial theme a little doesn’t give you the right to distribute it for free.
Allow me to take an excerpt from the second to last sentence of the post: this has nothing to do with theme licensing or if a theme has a price tag or not
I was simply saying Premium Mod does not have encrypted code embedded in the themes hosted there. If you wanted to argue about Premium Mod you missed your chance.
Interestingly, now that I have gone to revisit premiummod the site has vanished. Hmmm…
I wrote about this on the Designmoo blog about 10 days before you posted this and I really like how you’ve added detail on links and encrypted PHP in your article.
To me, it’s not worth it to even try decrypting code or messing with pirated themes – just buy it from a trusted source!
Hey Chris, I actually didn’t see that article. Yours covers a couple of other interesting points like lack of theme support and themes being outdated.
Anyway, I’d have to agree with you. If I ever came across a theme with any encoded code in it, I’d just move on. Not to mention the other benefits, like support, that typically come with purchasing a copy of a theme direct from the source.
Great minds think alike Leland. By the way, thanks for the review on Aperturious, I truly appreciate it!
Not a problem. It’s a great theme, not to mention the review made me $9 in ThemeForest commissions…lol.
Guilty of never ever giving it a thought until now
Thanks for taking the time to explain this – the video was great.
Since using a free theme is a popular starting point for novices using wordpress.org, TAC should get more notice. It’s a great plugin and should be part of the wordpress download, along with Hello Dolly and Akismet.
I think the fix may need to be server side (in WordPress). Something to parse the theme. If it finds this encrypted code, just warn the (l)users that they may be at risk… That should be brain-dead simple to code. But while most (l)users don’t read, odds are they wouldn’t read the warning either, or they would just ignore it.
Can someone tell me an even easier way to do that? Kinda confused as I’m a newbie in the industry but want to get rid of those links that arrive with free WP templates. Any easy-to-use software or something like that? Anybody else?
The easiest way is to use another theme without encrypted code. Chances are you can find the exact same theme from the original creator without encrypted footers.
http://www.themes2wp.com/ is a good site for downloading themes, however I’ve noticed that they have a fair amount of “premium” themes available as well, including rocket themes, how are they managing to get away with it?
Well its funny that you highlighted this issue.
I found it while I was searching google for a fix to the encrypted footer.php (which was hiding a link to some laptop sales site).
Now the funny part, the theme that I am using is the UNDERWATER THEME from THEMELAB.
Forgive me if I am mistaken.
But this sounds like hypocrisy to me.
Sorry, but you are mistaken, and I think you misunderstood the point of my post. You’re somehow implying “hypocrisy” on my part because you downloaded a theme from a random site in Google (the exact type of site I warned about) that happened to be a hacked up version of a theme from here?
I had nothing to do with that. If you download the Underwater theme from here, you’ll notice the footer isn’t encrypted at all.
Very good post Leland, thank you so much for sharing this useful information with your readers. I have noticed this sort of behavior: hidden code in themes. When I was new to WordPress, I used to download any theme that I liked. Of course, I never cared about the authenticity of the website from which I was downloading the themes. Later, one of my blogs got hacked and I had no idea how that happened. I lost 6 months of work. The hacker first left a lot of links on each and every page of my blog. When I tried to remove his nonsense, he locked me out and deleted all my posts. Anyway, lesson to learn: NEVER download a theme from websites you are not sure of.
Nice post! Technically, it’s encoded not encrypted, but I’m sure most people would understand what you mean (or even not know the difference). A few months ago I decoded some of that code for someone, by hand though (I couldn’t find any tools for it). Looking at the encoded code, it was pretty much just standard WordPress code, so I have no clue why it was encoded. As far as I know, the reason the footer is often encoded is so people can’t remove the copyright. It’s still pretty dodgy, and I’d personally stay away from any theme that had encoded code anywhere in it.
You can see my post on it at http://forums.whirlpool.net.au/forum-replies-archive.cfm/1326644.html
Yeah I know “encoded” or “obfuscated” is more accurate than encrypted, but basically wanted to make sure anyone reading this would understand what I meant, so I used them all.
Completely agree with staying away from any theme with encoded code. Thanks for your insights.
Wow, am I glad to have found this post while surfing for two WP themes! I’m planning to move two blogs to WP now that Blogger has shut off their old school FTP publishing. You have just saved me a lot of potential heartache. Thank you!!
If no one else was curious, I decoded some of the garbage from the themes in the video.
I found a lot of links to websitetransfer.net
Great article! It disappoints me that sites like these exist because it makes people question upcoming legitimate websites.
Also, for those who are unfamiliar with WordPress theme sites, how would a novice know what’s a “source” website? I mean these dodgy sites weren’t designed too badly and look somewhat legitimate.
Wow, I feel like a babe in the woods. I didn’t know about this. Although I only have downloaded themes directly from WordPress, it is possible that I may have some day in the future branched out. So thank you for the warning!
Apart from themes… is there any tool to check the authenticity of a WordPress add-on?
Add-ons are the most dangerous scripts available for free, luring webmasters with exciting tools. These tools exploit the blog to hand over complete command of it to hackers….
Hey, I’m downloading some themes from Bestwpthemes.com. I recommend it since it has quality themes and it’s not “shady”. You should add it on this list too!
From which December is this? December 2008? December 2009? How can I tell?
And when were the comments made?
Without this I can not judge the timeliness of the information.
It was 2009. I know this theme doesn’t display a year on posts but you can tell by the URL of the permalink (/2009/12/08/).
As far as the comments go, there are no dates at all displayed which is a decision I made. The post is still “timely” since this stuff is still going on today.
Thanks for the tip as to the permalink. Can clearly see the post publication date there.
Forgot to say, since I was thrown off by the datelessness, but this is a great post. It describes a way to check if there are problems (I installed TAC and all is OK), and also describes a way to perform a manual check.
This post is a keeper.
@Jotrys – it was posted on the 8th Dec, zero 9.
This is a timeless post, so it doesn’t need the date; this issue will still be around in 5 years’ time.
@ Chris, Thanks
Wow, I’m glad I stumbled on this post. I’m currently searching for a new site theme and had no idea this happened. I may or may not have found the encryption once I looked at the files but even if I did I’m not sure I would know it was something potentially dangerous. Thanks!
People that add encrypted footers on their themes piss me off. Especially since WordPress themes are GPL and encrypting WordPress code such as “the_footer” is a violation of the license. Honestly, if your theme is awesome enough people will not remove the link and even more people will link to you.