ThemeLab's Blog


Stop Downloading WordPress Themes from Shady Sites


So, you go to Google and type in a search for “WordPress themes.” You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.

So you move on to another site that has a great collection of free themes, you download one you like and install it on your site. It has 50 random irrelevant spam links in the footer, and you can’t edit them out because there’s weird encrypted code in footer.php, but who cares? It looks good so that’s all that matters. And chances are your visitors won’t ever scroll down that far anyway.

Using a theme with encrypted code would be a big mistake, and unfortunately most users using them don’t even know or care that the themes they’re using can open their entire blog or even server up to malicious attacks.

Bart thinks before using themes

Unless you want to end up like Bart, I suggest you read on to find out:

  • What types of sites to avoid when downloading themes
  • How to spot encrypted code in a theme without manually checking
  • How to decrypt code (if you really want to use a theme)
  • A list of trusted sites to download themes from with confidence

Stay far away from sites like these

There are two main types of sites you should avoid while looking for any sort of WordPress theme to use on your blog.

  • Torrent/warez sites
  • Random sites you find in Google

Okay, torrent/warez sites are kind of a given. You should know better if you’re downloading themes from a site like that. It’s no secret downloads from those types of sites can be bundled with malware or other viruses, and WordPress themes are no exception.

Using a theme from a random site you find on Google, on the other hand, is probably a mistake a lot of people unknowingly make, and it can be a costly one if you don’t know what you’re doing. Take a look at this video to see how Google’s top results for “WordPress themes” are dominated by shady sites that bundle encrypted code with their themes.

As you can see in the video, 4 out of 4 of the sites I checked did in fact have encrypted code somewhere in the theme, usually in the footer.php file, but it could be hidden anywhere (and do just as much damage too).

How to spot encrypted code

Remember, encrypted code can be hidden anywhere in your theme and it really doesn’t matter where. In order to efficiently check a theme for encrypted code, without manually checking each file, I highly recommend using the Theme Authenticity Checker. I’ve written about this before, but it really is an invaluable tool if you have a lot of themes and haven’t had time to check each one for encrypted code.


Basically what it does is automatically scan your themes for (potentially) malicious and unwanted code, including pretty much all of those code obfuscation techniques you saw in the video, plus all outgoing link information. This can save you a lot of time and from my tests, it is pretty effective in detecting that kind of junk. For more information you can also check out Jeff Chandler’s post on the exact same plugin (who was also nice enough to mention Theme Lab as a good source for free WordPress themes).

This would involve actually setting up a WordPress installation though, and like I said in the video, you should really check out a theme before uploading it to your live site. If you know how, it would be best to set it up on a local test site, never on a live production site.

How to decrypt code

Like I mentioned in the video, if you found a theme with encrypted code, it’s usually best to avoid it altogether. Maybe you can do some digging and find the same theme on the original author’s website (which I hope wouldn’t have encrypted code either).

However, sometimes you really want to use a theme and can’t find any other way to get it from the source. It is possible to decrypt the code if you really need to. Take a look at the WordPress.org support forum post called “Encrypted Theme? Here’s how to decode it.” In the post, Otto42 goes over ways to decrypt several types of encrypted code.

Now, I think I noticed some sites using multiple methods to encrypt their code, which might be a little more tricky. I would suggest decrypting each part one at a time and then putting all the pieces together if that’s the case.
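To make the two steps above concrete (spotting the obfuscation without opening every file by hand, and then peeling the layers off one at a time to see what the footer really outputs), here is an added Python example. It is not code from Theme Lab, from the Theme Authenticity Checker plugin, or from Otto42’s forum post. It looks for the PHP decoder functions these footers typically use (eval, base64_decode, gzinflate, gzuncompress, str_rot13; which of these a given theme uses is an assumption, so a miss is not a clean bill of health), and the footer.php fragment it scans is constructed inside the script for the demo.

```python
"""Scan a theme file for eval/base64-style obfuscation, then decode it.
Added example for this post; not the Theme Authenticity Checker plugin and
not Theme Lab code. The footer.php fragment below is constructed here."""
import base64
import codecs
import re
import zlib

# PHP calls that almost never belong in a theme footer; a hit deserves a
# manual look even if it turns out to be harmless.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.I,
)

# eval( f1( f2( ... '<payload>' ) ... ) ) with any stack of the decoders below.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"
    r"(['\"])(.*?)\2\s*\)+\s*;?",
    re.I | re.S,
)

# Python equivalents of the PHP decoders, all operating on bytes.
TRANSFORMS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                  # zlib-wrapped DEFLATE
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def find_suspicious(source):
    """Return (line_number, function_name) for every suspicious call in the file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SUSPICIOUS.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def peel_eval_layers(source, max_layers=10):
    """Replace each eval(...) chain with its decoded payload and repeat until none
    is left, since some sites stack several encodings one inside another.
    Returns the decoded source and the list of decoder chains that were undone."""
    layers = []
    for _ in range(max_layers):
        m = EVAL_CHAIN.search(source)
        if not m:
            break
        names = [n.lower() for n in re.findall(r"[A-Za-z0-9_]+", m.group(1))]
        data = m.group(3).encode("latin-1")
        for name in reversed(names):  # innermost decoder runs first, as in PHP
            data = TRANSFORMS[name](data)
        layers.append(names)
        source = source[: m.start()] + data.decode("latin-1") + source[m.end():]
    return source, layers


def hidden_links(source):
    """URLs present in the decoded source: the links the obfuscation was hiding."""
    return re.findall(r"https?://[^\s\"'<>]+", source)


def _build_sample():
    """Constructed footer.php with two stacked layers: the real output sits in
    eval(base64_decode(...)), which is wrapped again in gzinflate+base64+rot13."""
    inner = 'echo \'<a href="http://spam.example/casino">online casino</a>\';'
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(layer1.encode()) + comp.flush()
    rot = codecs.encode(base64.b64encode(raw).decode(), "rot13")
    layer2 = "eval(gzinflate(base64_decode(str_rot13('%s'))));" % rot
    return "<?php wp_footer(); ?>\n<div id=\"footer\">\n<?php " + layer2 + " ?>\n</div>\n"


SAMPLE_FOOTER = _build_sample()

if __name__ == "__main__":
    for lineno, name in find_suspicious(SAMPLE_FOOTER):
        print("line %d: suspicious call %s()" % (lineno, name))
    decoded, layers = peel_eval_layers(SAMPLE_FOOTER)
    print("decoder chains undone:", layers)
    print("hidden links:", hidden_links(decoded))
```

Run it as-is to see the two layers come off and the hidden link appear; point `find_suspicious` and `peel_eval_layers` at the contents of a real footer.php to check a theme you have downloaded. The decoding never executes anything: it only undoes the encodings and prints the resulting source, so it is safe to run on a copy of the file on a local machine.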

A list of trusted theme sites

With the following sites, you can rest assured you won’t be getting any encrypted code with their theme downloads.

  • WordPress.org – Themes from WordPress.org have to pass a number of automated checks, including checks for encrypted code, before being uploaded. Before they go live, they are also moderated by a real human just to double check your theme is fully functional and free of dirty code.
  • ThemeShaper – Although they had a little hack scare recently, I would still consider this a highly trusted site when it comes to WP themes. If still in doubt, you can always get Ian Stewart’s themes at WordPress.org.
  • Theme Hybrid – A site from Justin Tadlock, and home of the Hybrid theme framework and a number of great child themes developed on top of that.
  • StudioPress – A site from Brian Gardner and home of several well-designed paid WordPress themes. Since the majority of themes available from StudioPress are paid, be very wary if you come across one of their themes available for free download on some other site.
  • Premium Mod – A site which offers free modified versions of premium themes. Although I said you should be wary about downloading free themes that are normally paid, there are (very rare) exceptions to the rule. I have personally checked out all of Premium Mod’s theme releases and there is no encrypted code that I can find. UPDATE: Site no longer active.

Obviously there are a ton more “trusted” sites, but I can’t list them all. Please do your research and make sure you’re getting themes from reputable sites and companies, if not from WordPress.org.

Conclusion

I’ve been meaning to write a post like this for a while now, but it really hit close to home when someone emailed me about a theme from Theme Lab in which they had encountered encrypted code in the footer.

I know this isn’t exactly news, but I hope this brings more awareness to an issue that is still a big problem today. Most people lately are talking about the encrypted code problem with premium themes, but I’d argue the problem is much more widespread when it comes to free themes.

Think about it for a sec, if someone downloads a paid theme from a torrent site, they are going completely out of their way to do so and have some experience using torrent clients, file sharing sites, etc. just to save a few bucks. They’re probably already aware of the risks involved when it comes to that sort of thing.

People searching for free themes in Google likely have a more “innocent” mindset and probably don’t even realize the mistake they’re making when they use themes from these random sites. Like someone mentioned on Twitter to me: Most users never read, only see download button. This is a sad fact that I’d unfortunately have to agree with. The only thing we can do is spread more awareness and educate users about the dangers of using themes from rogue sites.

I’d love to hear your thoughts in the comments. Going to have to ask everyone in the comments to not mention the “GPL” whatsoever, because this has nothing to do with theme licensing or if a theme has a price tag or not. It has to do with scummy sites taking advantage of unsuspecting WordPress users.

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.

  • http://imanto.com Anto

    Yea the people do this just so they can have a link to their site, or which ever site in the footer or where ever in the template it may be.

    In saying that, this normally happens with the likes of premium themes etc. There are ways to decode this crap if you really want to use one of these themes and can’t find the original source, but it’s a pain.

    To be honest, there should be something done about these sites, firing out these wp themes for download with their link in the footer or where ever. But it will never happen, so all we can do is rant =)

    • Leland

      Yep, pretty much the only thing we can do is spread the word on avoiding these types of sites. I’ve done my part but unfortunately tons of people are already using these themes, and people will keep using them too as long as the sites are online.

      • http://imanto.com Anto

        Stupid people. What are we going to do. tut tut :P

  • http://itsjayl.in Jaylin

    Yeah, that shit is getting quite ridiculous. Sometimes the link is quite ridiculous. People will do just about anything to get some free PR.

  • http://www.MattSawyers.com Matt Sawyers

    Glad you did this article. Having recently come across your website looking for templates (free or premium) and subscribed to your blog, I am glad you made a note on the encrypted code. I recently ran across this from a template website called “wordpress template archive” or something to that effect. Saw the encrypted crap in the footer.php & was like “WTH?” so I just deleted it and rewrote it. But using the links you supplied in the article, I took a look at the decoded crap & there sure enough were casino link galore! None the less, I’m trashing the template and going to a more reliable place. My hunt for the perfect template continues. I’ve been eying elegant templates’ website. Working on a media production website. Recommend any site? or template? :-)

    • Leland

      Hey Matt, I’m sure there are countless other sites like that distribute encrypted themes out there. Like I mentioned in the post, 4 out of the first 4 sites listed in Google for “wordpress themes” (excluding WordPress.org of course) are guilty of it.

      That was a good move to delete the code and rewrite it. I didn’t decode all of the code myself, but most of it is just to hide spam links, like for casinos and such.

      Anyway, for the theme recommendation, I’m pretty partial towards totally custom themes. :D

  • http://themes.jestro.com Drew Strojny

    Great post Leland!

    We have run into some problems with innocent people downloading illegitimate copies of our themes by mistake.

    If you see a theme and you like it, be sure to visit the actual author’s site and download it from there. This can be tough if the malicious site has removed the link, but a quick Google search for the theme name will oftentimes reveal the real source.

    • Leland

      Yep, that’s true. The one I came across from my site had the URL and every link back to my site removed. The person had to Google the theme name to find out it originated from here.

  • http://iamkeith.com Keith

    Quality post.

    Thing is, bloggers who don’t have the required ‘know-how’ to know where to download themes, such as Theme Lab and Theme Shaper, could easily be caught up in these encrypted themes.

    Where there’s a possible ‘market’ to take advantage of (free themes), you can bet your ass someone will be there to exploit it.

    Oh well.

  • Wordpress theme fan

    “…You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.”

    could be rewritten thus:
    “…You skip past the official WordPress theme directory because despite there allegedly being 1,000+ themes hosted there, you found the navigation and search facility so dreadful you gave up in favour of poking your eye out with a sharp stick.”

    • http://www.diletante.net Calítoe.:.

      You do have a point, “WordPress theme fan”. ;)

  • http://cards.devonyoung.com/ Devon

    Uuhh yeah! I discovered this problem back in September when I started my baseball card blog and looked for a baseball theme. I could’ve made my own, but I just wanted to get the site up quick and work on it when I found spare time. But this awesome theme I found, inserted these insane links into the pages and when I went to the code to remove them…I couldn’t find them until I discovered the problem was in some encoded code.

    Extremely annoying thing to unhook without destroying the design!

    So I removed it with some work. Then I ended up making my own anyway.

  • http://erichamby.com Eric

    You guys shouldn’t discourage visiting a site from Google. I owned http://vasthtml.com for 3 years and just sold it and am about to open http://wpchoice.com, and I have never sold anything but clean and quality products, and you make it sound like all sites from Google are bad. For 90% of us Google is the only way people can find us other than word of mouth.

    • Leland

      Eric, I’m not trying to make it seem like all sites from Google are bad, I’m saying people should be more aware of where their themes are downloaded, and should be more careful before uploading a theme they got from a site without checking it thoroughly for dirty code.

      Obviously you can find some great themes through Google, but I think the fact that the top 4 sites for “wordpress themes” (except WordPress.org) all have encrypted code bundled with their theme downloads speaks for itself.

      • http://premiumthemes.net R.Bhavesh

        Really a nice read. I am late to read this post but when I actually take a look, it’s really detailed and very well written.

        You obviously nailed out every good reasons. personally I think people who are not taking their business seriously, do go for this shady sites and unauthorized version. The cost they pay is big when their data is lost. I’ve got several mails when someone do face these problems.

        Also when they panic when such issues occur, the cost to hire an expert is much bigger than they would pay for original product.

  • http://hypyklrz.net d.o.Foreman

    I agree with what Keith said. I learned the hard way, by way of ‘newbie ignorance’. And I have downloaded two themes from wordpress.org that my AntiVirus plugin found ‘eval’ code hidden within the footer. I was very lucky to come across Justin Tadlock’s site. Nothing but Hybrid for me.
    Thanks for an excellent article, and bestowing the knowledge. You have a great style.

    • Leland

      If you downloaded themes from WordPress.org with encrypted code, I’d report them immediately.

      That’s definitely not allowed there and I’m surprised it was able to sneak past the automated checks and moderator.

  • http://wparchive.com Ahmed

    Well, I don’t want to be mean, but look at this site you included in your list, premiummod.com.

    What they actually do

    Redistributing a Premium theme under GPL after damaging it (under the title Modded), isn’t this another way to get cheap back-links?
    Yes, damaging it without adding anything new to it. This is worse than encrypted footers; at least some of those encrypted footers are done by a professional designer and with one or two links in the footer. You don’t have to use them if you don’t want to display these links on the site. Don’t you think the blogger has the choice to choose between free encrypted, Premium and stolen modded themes??
    Who doesn’t want free back-links? Ask yourself this question before asking the others. Look at your newest themes: all have two links in the footer. We can’t deny how these free themes open the door for creativity in WordPress themes.
    Conclusion: If a blogger doesn’t want to use free themes with an encrypted footer, then go premium; if you can’t afford premium, then go to free premium themes at Wparchive.com.

    HeHe

    • Leland

      Really don’t get your point. It’s not really about getting “cheap backlinks” …it’s about hiding those links, and who knows what else, behind encrypted code.

      You’re free to remove any of those backlinks in Premium Mod’s themes, but when you’re dealing with themes with encrypted footers, that freedom is severely limited.

      • http://wparchive.com Ahmed

        My Point is every one has chance to use the best method to give him the largest number of free back-links.

        Encoding is widely spread now; they use it to keep their rights on the theme they worked hard to make. So this is their right, you can’t blame them for encoding their themes. The same with the premium themes they are selling; it is also their right to make some profit from the themes. Both use different methods to get some cash. And the
        bloggers have the chance to choose whatever they need.

  • http://www.werewp.com Jeremy

    Your video is kind of frightening. I knew this kind of things existed of course, but the first 4 you pick have it! That really shows the problem there is here.

    Thanks for the quality article. I relayed the message on my own blog, because in my opinion we should try to spread this message and let everybody know about the issue.

    • Leland

      Thanks Jeremy, I think the more people who know about this sort of thing, the better.

  • http://www.jimfmunro.com Jim Munro

    Good stuff, thanks for posting!

    I had a bunch of free themes in my dev environment I use for some miscellaneous and I checked them out. Lo and behold, 3 of them had encrypted a boatload of links to miscellaneous affiliate sites or whatever they are doing.

    I have seen these same templates in use on other sites and I’m guessing they are “hosting” these links there.

    I guess this is a good argument for supporting premium theme developers! :)

  • http://www.nulloid.com Rob

    I’m a little surprised that you are warning people away from shady wordpress theme sites and yet you are happy to promote premiummod which is a site that takes premium commercial wordpress themes, “modifies” them and then releases them for free. Call me crazy but modifying a commercial theme a little doesn’t give you the right to distribute it for free.

    • Leland

      Allow me to take an excerpt from the second to last sentence of the post: this has nothing to do with theme licensing or if a theme has a price tag or not

      I was simply saying Premium Mod does not have encrypted code embedded in the themes hosted there. If you wanted to argue about Premium Mod you missed your chance.

  • http://www.nulloid.com Rob

    Interestingly, now that I have gone to revisit premiummod the site has vanished. Hmmm…

  • http://www.designmoo.com/blog/ Chris Wallace

    I wrote about this on the Designmoo blog about 10 days before you posted this and I really like how you’ve added detail on links and encrypted PHP in your article.

    To me, it’s not worth it to even try decrypting code or messing with pirated themes – just buy it from a trusted source!

    • Leland

      Hey Chris, I actually didn’t see that article. Yours covers a couple of other interesting points like lack of theme support and themes being outdated.

      Anyway, I’d have to agree with you. If I ever came across a theme with any encoded code in it, I’d just move on. Not to mention the other benefits, like support, that typically come with purchasing a copy of a theme direct from the source.

      • http://www.designmoo.com/blog/ Chris Wallace

        Great minds think alike Leland. By the way, thanks for the review on Aperturious, I truly appreciate it!

        • Leland

          Not a problem. It’s a great theme, not to mention the review made me $9 in ThemeForest commissions…lol.

  • Elle

    Guilty of never ever giving it a thought until now :( Thanks for taking the time to explain this – the video was great.

  • http://newwpthemes.net Susan

    Since using a free theme is a popular starting point for novices using wordpress.org, TAC should get more notice. It’s a great plugin and should be part of the wordpress download, along with Hello Dolly and Akismet.

  • http://www.errr-online.com/ Michael

    I think the fix may need to be server side (in WordPress). Something to parse the theme. If it finds this encrypted code, just warn the (l)users that they may be at risk… That should be brain dead simple to code. But while most (l)users don’t read, odds are they wouldn’t read the warning either, or they would just ignore it.

  • http://www.tarastation.net Edward R

    Can someone tell me an even easier way to do that? Kinda confused as I’m a newbie in the industry but want to get rid of those links that arrive with free WP templates. Any easy-to-use software or something like that? Anybody else?

    • Leland

      The easiest way is to use another theme without encrypted code. Chances are you can find the exact same theme from the original creator without encrypted footers.

  • http://furfur.org FurFurRising

    http://www.themes2wp.com/ is a good site for downloading themes, however I’ve noticed that they have a fair amount of “premium” themes available as well, including rocket themes, how are they managing to get away with it?

  • ohkaa

    Well its funny that you highlighted this issue.
    I found it while I was searching google for a fix to the encrypted footer.php (which was hiding a link to some laptop sales site).
    Now the funny part, the theme that I am using is the UNDERWATER THEME from THEMELAB.
    Forgive me if I am mistaken.
    But this sounds like hypocrasy to me.

    • Leland

      Sorry, but you are mistaken, and I think you misunderstood the point of my post. You’re somehow implying “hypocrasy” on my part because you downloaded a theme from a random site in Google (the exact type of site I warned about) that happened to be a hacked up version of a theme from here?

      I had nothing to do with that. If you download the Underwater theme from here, you’ll notice the footer isn’t encrypted at all.

  • http://www.toptenservices.net/ Andy

    Very good post Leland, thank you so much for sharing this useful information with your readers. I have noticed this sort of behavior: hidden code in themes. When I was new to WordPress, I used to download any theme that I liked. Of course, I never cared about the authenticity of the website from where I was downloading the themes. Later, one of my blogs got hacked and I had no idea how that happened. I lost 6 months of work. The hacker first left a lot of links on each and every page of my blog. When I tried to remove his nonsense, he locked me out and deleted all my posts. Anyway, lesson to learn: NEVER download a theme from websites you are not sure of.

  • http://dan.cx/ Daniel15

    Nice post! Technically, it’s encoded not encrypted, but I’m sure most people would understand what you mean (or even not know the difference :P). A few months ago I decoded some of that code for someone, by hand though (I couldn’t find any tools for it). Looking at the encoded code, it was pretty much just standard WordPress code, so I have no clue why it was encoded. As far as I know, the reason the footer is often encoded is so people can’t remove the copyright. It’s still pretty dodgy, and I’d personally stay away from any theme that had encoded code anywhere in it.

    You can see my post on it at http://forums.whirlpool.net.au/forum-replies-archive.cfm/1326644.html

    • Leland

      Yeah I know “encoded” or “obfuscated” is more accurate than encrypted, but basically wanted to make sure anyone reading this would understand what I meant, so I used them all.

      Completely agree with staying away from any theme with encoded code. Thanks for your insights.

  • Amanda

    Wow, am I glad to have found this post while surfing for two WP themes! I’m planning to move two blogs to WP now that Blogger has shut off their old school FTP publishing. You have just saved me a lot of potential heartache. Thank you!!

  • http://correza.com carlos

    If no one else was curious, I decoded some of the garbage from the themes in the video.

    I found a lot of links to websitetransfer.net

  • Rudra Saha

    Great article! It disappoints me that sites like these exist because it makes people question upcoming legitimate websites.

    Also, for those who are unfamiliar about WordPress theme sites, how would a novice know whats a “source” website? I mean these dodgy sites weren’t designed too badly and look somewhat legitimate..

  • http://thelighthouseonline.com/blog/ Marina

    Wow, I feel like a babe in the woods. I didn’t know about this. Although I only have downloaded themes directly from WordPress, it is possible that I may have some day in the future branched out. So thank you for the warning!

  • Ilyas Kazi

    apart from theme… is there any tool to check authenticity of a wordpress add-on…

    add-ons are the most dangerous scripts available for free luring webmasters with exciting tools. These tools exploits the blog to hand-over the complete command to hackers….

  • http://apas.gr Apostolos

    Hey, I’m downloading some themes from Bestwpthemes.com. I recommend it since it has quality themes and it’s not “shady”. You should add it on this list too! :-)

  • jotrys

    From which December is this? December 2008? December 2009? How can I tell?

    And when were the comments made?

    Without this I can not judge the timeliness of the information.

    • Leland

      It was 2009. I know this theme doesn’t display a year on posts but you can tell by the URL of the permalink (/2009/12/08/).

      As far as the comments go, there are no dates at all displayed which is a decision I made. The post is still “timely” since this stuff is still going on today.

      • jotrys

        Thanks for the tip as to the permalink. Can clearly see the post publication date there.

  • jotrys

    Forgot to say, since I was thrown off due to the datelessness but,

    This is a great post. It describes a way to check if there are problem (I installed TAC and all OK), but also defines a manual way to perform a manual check.
    This post is a keeper.

  • http://www.Chris-Clayton.com Chris

    @Jotrys – it was posted on the 8th Dec, zero 9.

    This is a timeless post, so it doesn’t need the date; this issue will still be around in 5 years’ time.

    • jotrys

      @ Chris, Thanks

  • http://www.addledlibrarian.com Lori

    Wow, I’m glad I stumbled on this post. I’m currently searching for a new site theme and had no idea this happened. I may or may not have found the encryption once I looked at the files but even if I did I’m not sure I would know it was something potentially dangerous. Thanks!

  • http://www.wpexplorer.com AJ

    People that add encrypted footers on their themes piss me off. Especially since WordPress themes are GPL and encrypting WordPress code such as “the_footer” is a violation of the license. Honestly, if your theme is awesome enough, people will not remove the link and even more people will link to you.

  • http://websiteologist.com Michelle

    I only recently came across this phenomenon, I’d heard of it but never really seen it until a client hired me to fix various issues on his site that was using one of these themes.

    Unfortunately my advice to switch is so far going unheeded.

    Useful post, and I hope it makes some people think twice.

  • http://www.unfoldingfire.com Blaise

    This is a really useful post. I hadn’t previously been aware of this issue and I’ll definitely be more careful about selecting themes.

  • http://www.themewarrior.com Yogi – ThemeWarrior

    I found a site several days ago that was listing our free theme, but to my surprise they added encrypted links in our theme’s footer. Is there a way to prevent those sites from appearing on search engines? Maybe like reporting the site to Google (dunno if this kind of service is available) so it will be flagged as some sort of ‘Reported Attack Site’.

  • http://http//reidable.com Chris

    I have come across a few sites like you speak of. I am sure you have all heard of Woo Themes right? Well.. I contacted them, to let them know of 1 site specifically that was giving their paid theme’s away for free.

    They responded, said thanks, but there was nothing they could actually do legally, mainly because of the type of licensing. After someone buys the theme from them, they are free to do with it whatever they want. Even if that means putting an encrypted file in the footer and giving it away for free.

  • karen C.

    Thank you for the warning, I will be more careful when searching, and downloading. I found this to be very helpful.

    Sincerely,

    Karen C.

  • somebody

    Just want to let people know that, worse than some backlinks to websites (be it spam sites or the developer’s site), shady websites may HAVE A VIRUS (technically it’s a worm) installed in them, and sometimes IT’S NOT ENCODED and you may mistake it for genuine code.

    One of my colleagues at work installed such a theme and I’m trying to fix things out now.

    It didn’t happen, but anybody could have logged in as admin to my site and deleted all my content.

  • http://www.fromadrianlee.com Adrian Lee

    If you buy a developer license from the vendor, you can pretty much do anything with the themes. So people give them away and get a backlinks to their sites or whatever sites they want. In this case, there’s not much the vendor can do.

    I do know that many people do not look at the footer and have no idea there are links there.

    My point is, encoding the footer isn’t necessarily evil. But the user had better understand the risk they are taking.

  • Ristoz

    There are ways to reverse the encrypted code. They use base64 to encrypt. All you have to do is find and use one of the many free base64 decoders (search Google). Look for a decoder that explains where the code starts and ends, otherwise it might not work. A friend of mine who doesn’t know any web design had downloaded a free theme that had the code. We successfully decoded the encryption, removed the hack link, and restored the footer.

    With that said, I agree that the whole thing is shady. Personally, I prefer to contribute to the theme authors.

  • http://www.xtremedigitals.in Mohit Kukreja

    Yes this is very true. I also had some bad experiences. Thanks Theme Lab for bringing such posts in notice. Great job!!!

  • http://www.tutorial-ebook.com behnood

    Big thanks for the useful post and help.
    I was looking for a theme to install on my new website and then I met you.
    Finally I decided to install an official WordPress theme;
    some of them are very customizable and can be changed to look great,
    without risk of phishing or attacking.

    many thanks

  • http://gameschotabheem.com/ Chota Bheem

    Yes this is very true. I also had some bad experiences. Thanks Theme Lab for bringing such posts in notice. Great job!!!

  • http://www.onlinetestpapers.com Mike

    Great post. To be honest, I did download a template some time back and had to go through this issue. I then had to hire a professional to clean my site, thus paying more than what I would have had I purchased a template from a genuine site. Cheers