ThemeLab's Blog

Stay up to date with our newest WordPress themes, WordPress plugins, WordPress tutorials, and other announcements.

Stop Downloading WordPress Themes from Shady Sites

Last Updated on by

So, you go to Google and type in a search for “WordPress themes.” You skip past the official WordPress theme directory because out of the 1,000+ themes hosted there, you couldn’t find one you liked.

So you move on to another site that has a great collection of free themes, you download one you like and install it on your site. It has 50 random irrelevant spam links in the footer, and you can’t edit them out because there’s weird encrypted code in footer.php, but who cares? It looks good so that’s all that matters. And chances are your visitors won’t ever scroll down that far anyway.

Using a theme with encrypted code would be a big mistake, and unfortunately most users using them don’t even know or care that the themes they’re using can open their entire blog or even server up to malicious attacks.

Bart thinks before using themes

Unless you want to end up like Bart, I suggest you read on to find out:

  • What types of sites to avoid when downloading themes
  • How to spot encrypted code in a theme without manually checking
  • How to decrypt code (if you really want to use a theme)
  • A list of trusted sites to download themes from with confidence

Stay far away from sites like these

These are two main types of sites you should avoid while looking for any sort of WordPress theme to use on your blog.

  • Torrent/warez sites
  • Random sites you find in Google

Okay, torrent/warez sites are kind of a given. You should know better if you’re downloading themes from a site like that. It’s no secret downloads from those types of sites can be bundled with malware or other viruses, and WordPress themes are no exception.

Using a theme from a site they find on Google on the other hand, is probably a mistake a lot of people unknowingly make, and it can be a costly one if you don’t know what you’re doing. Take a look at this video just to demonstrate how Google’s top results for “WordPress themes” are dominated by shady sites that use encrypted code.

As you can see in the video, 4 out of 4 of the sites I checked did in fact have encrypted code somewhere in the theme, usually in the footer.php file, but it could be hidden anywhere (and do just as much damage too).

How to spot encrypted code

Remember, encrypted code can be hidden anywhere in your theme and it really doesn’t matter where. In order to efficiently check a theme for encrypted code, without manually checking each file, I highly recommend using the Theme Authenticity Checker. I’ve written about this before, but it really is an invaluable tool if you have a lot of themes and haven’t had time to check each one for encrypted code.

Small Studio TAC

Basically what it does is automatically scan your themes for (potentially) malicious and unwanted code, including pretty much all of those code obfuscation techniques you saw in the video, plus all outgoing link information. This can save you a lot of time and from my tests, it is pretty effective in detecting that kind of junk. For more information you can also check out Jeff Chandler’s post on the exact same plugin (who was also nice enough to mention Theme Lab as a good source for free WordPress themes).

This would involve actually setting up a WordPress installation though, and like I said in the video you should really check out the themes before uploading. If you know how, it would probably be best to set it up on a local test site, and not a live production site.

How to decrypt code

Like I mentioned in the video, if you found a theme with encrypted code, it’s usually best to avoid it altogether. Maybe you can do some digging and find the same theme on the original author’s website (which I hope wouldn’t have encrypted code either).

However, sometimes you really want to use a theme, and can’t find any other option to get it from the source. It is possible to decrypt the code if you really need to. Take a look at this WordPress.org support forum post called Encrypted Theme? Here’s how to decode it.. In the post, Otto42 goes over ways to decrypt several types of encrypted code.

Now, I think I noticed some sites using multiple methods to encrypt their code, which might be a little more tricky. I would suggest decrypting each part one at a time and then putting all the pieces together if that’s the case.

A list of trusted theme sites

The following list of sites, you can rest assured you won’t be getting any encrypted code with their theme downloads.

  • WordPress.org – Themes from WordPress.org have to pass a number of automated checks, including checks for encrypted code, before being uploaded. Before they go live, they are also moderated by a real human just to double check your theme is fully functional and free of dirty code.
  • ThemeShaper – Although they had a little hack scare recently, I would still consider this a highly trusted site when it comes to WP themes. If still in doubt, you can always get Ian Stewart’s themes at WordPress.org.
  • Theme Hybrid – A site from Justin Tadlock, and home of the Hybrid theme framework and a number of great child themes developed on top of that.
  • StudioPress – A site from Brian Gardner and home of several well-designed paid WordPress themes. Since the majority of themes available from StudioPress are paid, be vary wary if you come across one of their themes available for free download on some other site.
  • Premium Mod – A site which offers free modified versions of premium themes. Although I said you should be wary about downloading free themes that are normally paid, there are (very rare) exceptions to the rule. I have personally checked out all of Premium Mod’s theme releases and there is no encrypted code that I can find. UPDATE: Site no longer active.

Obviously there are a ton more “trusted” sites, but I can’t list them all. Please do your research and make sure you’re getting themes from reputable sites and companies, if not from WordPress.org.

Conclusion

I’ve been meaning to write a post like this for a while now, but it really hit close to home when someone emailed me about a theme from Theme Lab which they encountered encrypted code in the footer.

I know this isn’t exactly new news, but I hope this brings more awareness to the issue that still is a big problem today. Most people lately are talking about the encrypted code problem with premium themes but I’d argue the problem is much more widespread when it comes to free themes.

Think about it for a sec, if someone downloads a paid theme from a torrent site, they are going completely out of their way to do so and have some experience using torrent clients, file sharing sites, etc. just to save a few bucks. They’re probably already aware of the risks involved when it comes to that sort of thing.

People searching for free themes in Google likely have a more “innocent” mindset and probably don’t even realize the mistake they’re making when they use themes from these random sites. Like someone mentioned on Twitter to me: Most users never read, only see download button. This is a sad fact that I’d unfortunately have to agree with. The only thing we can do is spread more awareness and educate users about the dangers of using themes from rogue sites.

I’d love to hear your thoughts in the comments. Going to have to ask everyone in the comments to not mention the “GPL” whatsoever, because this has nothing to do with theme licensing or if a theme has a price tag or not. It has to do with scummy sites taking advantage of unsuspecting WordPress users.

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.