There are tens to hundreds of different WordPress themes being created each day.
Themes can be found in the official WordPress theme repository, on the blogs of theme companies and designers, on webmaster forums and on other blogs and websites. One might even say there is an oversupply of WordPress themes, and with that comes the risk of downloading and using a theme that is infected with malicious code, or that even bundles Trojans and other executable files.
So you might ask why anyone would put malicious code in your theme, and why you need to check for it.
Here are a few reasons:
Keywords are the gems of Internet marketing and SEO. A marketing and SEO strategy starts with the right keywords, and some people don’t want to spend the time and effort finding these gems; they would rather steal them, just like in the real world.
To the hackers who put this malicious code in your template, how the conversions and sales come in doesn’t really matter as long as they get their commissions, so they stuff your pages with affiliate links in the hope that your readers will buy products through those links.
Many people earn from advertising, and these sneaky people can add code that shows their ads on your pages without you even realizing it.
People can get links from your site without your permission through this malicious code, which they use to build up PR or simply increase their backlinks. While there is nothing wrong with linking out to the creator of the theme, it can be dangerous to your website if the link points to a bad neighborhood such as porn or gambling sites.
Your theme is stored in the themes folder, but the PHP in it runs with the same privileges as WordPress itself, so a script in the theme can be run to access your database information, including the database username and password. If the hacker is really skillful, you’ll be surprised to find that your hosting account now harbors websites and blogs other than yours.
So if you’re now convinced that you need to check whether the WordPress theme you’re about to use, or are already using, is clean, read on.
Of course this method is daunting, and I usually only do it when I need to customize a theme for a certain campaign. I download my themes only from trusted sources, so I’m pretty sure there is nothing bad in them, but a quick browse through the theme files won’t do you any harm.
If you have a WordPress installation that you run locally, activate the theme you want to check. Once it is activated, check the main page, single post page, archive and other pages for malicious code and links. A simple search of the theme files for the string “a href=” can show whether your theme points to a bad website; if it does, you can edit the corresponding theme file or simply opt to use a different theme.
This plugin scans your WordPress installation, including the themes, for viruses. Having it increases the overall protection of your blog. It can run a manual check of your WordPress files and can also run a daily automatic check, so you won’t have to worry about virus injections on your blog.
From the Plugin’s page:
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. AntiVirus protection for your blog.
Using this plugin is pretty easy. If you’re having problems installing and using this one, don’t hesitate to email the developer or me; I’d be happy to answer your question if I have the time.
From the Plugin’s page:
What TAC Does
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
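The manual “a href=” search described earlier and the TAC-style report (file path, line number, snippet, plus static links) can be reproduced with a short script. The following is an added example written for this post, not the TAC plugin's code: it walks a theme directory, lists static links to hosts outside an allow-list, and flags a few classic injection patterns (eval over base64_decode/gzinflate/str_rot13, include/require of a URL, file_get_contents/fopen/curl of a URL). The sample theme it scans is constructed inline with placeholder hosts on the reserved .invalid TLD; the allow-list and the pattern set are my assumptions and should be tuned to the theme you are checking.

```python
"""Added example: a TAC-style scan of a WordPress theme directory.
Reports static outbound links and common code-injection patterns with
file, line number and snippet. Not the plugin's own code."""
import os
import re
import tempfile
from typing import List, Tuple

# Indicators commonly seen in injected theme code (assumed pattern set).
SUSPICIOUS = {
    # eval over an obfuscated payload, e.g. eval(base64_decode("..."))
    "eval_obfuscated": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    # PHP include/require of a remote URL (pulls code from another site)
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    # remote fetch often used to pull ads or links at page-render time
    "remote_fetch": re.compile(
        r"\b(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"]https?://", re.I),
}
# Static <a href="http(s)://host/..."> anchors; captures the host only.
STATIC_LINK = re.compile(r"<a\s[^>]*?href\s*=\s*['\"]https?://([^/'\"?#]+)", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".js", ".css")


def scan_theme(theme_dir: str,
               allowed_hosts: Tuple[str, ...] = ("wordpress.org",)) -> List[dict]:
    """Return findings sorted by file, line and kind. Each finding carries the
    theme-relative path, line number, kind, detail (host or pattern) and snippet."""
    findings: List[dict] = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    snippet = line.strip()[:80]
                    # Static links: report any host not explicitly allowed.
                    for host in STATIC_LINK.findall(line):
                        if host.lower() not in allowed_hosts:
                            findings.append({"file": rel, "line": lineno,
                                             "kind": "static_link",
                                             "detail": host, "snippet": snippet})
                    # Injection indicators: report the pattern that matched.
                    for kind, rx in SUSPICIOUS.items():
                        if rx.search(line):
                            findings.append({"file": rel, "line": lineno,
                                             "kind": kind, "detail": rx.pattern,
                                             "snippet": snippet})
    return sorted(findings, key=lambda f: (f["file"], f["line"], f["kind"]))


def make_sample_theme() -> str:
    """Constructed sample theme (not a real theme): one clean credit link,
    one injected gambling link, one obfuscated eval (placeholder payload)
    and one remote include. Hosts use the reserved .invalid TLD."""
    d = tempfile.mkdtemp(prefix="theme-sample-")
    files = {
        "header.php": '<?php wp_head(); ?>\n'
                      '<a href="https://wordpress.org/">Powered by WordPress</a>\n',
        "footer.php": '<div id="credits"><a href="http://casino-example.invalid/">bonus</a></div>\n'
                      '<?php eval(base64_decode("PLACEHOLDER")); ?>\n',
        "sidebar.php": '<?php include("http://ads-example.invalid/sidebar.php"); ?>\n',
        "style.css": '/* Theme Name: Sample */\nbody { margin: 0; }\n',
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for f in scan_theme(make_sample_theme()):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['detail']} -- {f['snippet']}")
```

Point `scan_theme()` at `wp-content/themes/<theme>` on a local copy to get the same three-column report for a real theme. A static link to an unknown host is not proof of compromise on its own (theme credit links are common), so the allow-list is the knob to turn; the eval and remote-include patterns, on the other hand, have no legitimate place in a distributed theme and deserve a look every time.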
Theme Check is another WP plugin that can, well, check your theme. It isn’t really a tool for finding malicious code, but I have found that malicious code often affects the integrity of the theme’s core files, and checking whether the theme is up to date with the current theme standards can potentially tell you whether it has been compromised.
From the Plugin’s page:
The theme check plugin is an easy way to test your theme and make sure it's up to spec with the latest theme review standards. With it, you can run all the same automated testing tools on your theme that WordPress.org uses for theme submissions. The tests are run through a simple admin menu and all results are displayed at once. This is very handy for theme developers, or anybody looking to make sure that their theme supports the latest WordPress theme standards and practices.
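Theme Check tests a theme against the review standards, which reveals tampering only indirectly. A more direct version of the same integrity idea, added here as an example and not part of the Theme Check plugin, is to hash every file in a known-clean copy of the theme (for instance the original download from the official repository) and diff an installed copy against that manifest; modified or added files are then exactly the places to inspect. The clean and installed sample copies below are constructed inline, and the file names in them are placeholders.

```python
"""Added example: SHA-256 manifest of a clean theme copy diffed against
the installed copy, to spot modified, added or missing files. Not the
Theme Check plugin's code; assumes a known-clean copy is available."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def build_manifest(theme_dir: str) -> Dict[str, str]:
    """Map each file's theme-relative path to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(clean: Dict[str, str],
                   installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose content changed, files present only in the installed copy
    (the usual home of dropped-in scripts) and files that went missing."""
    return {
        "modified": sorted(p for p in clean if p in installed and clean[p] != installed[p]),
        "added": sorted(p for p in installed if p not in clean),
        "removed": sorted(p for p in clean if p not in installed),
    }


def make_sample_copies() -> Tuple[str, str]:
    """Constructed clean and installed copies of a tiny theme. The installed
    copy has a link appended to footer.php and an extra file under inc/
    (placeholder name), mimicking the two tampering styles seen in the wild."""
    base = {
        "style.css": "/* Theme Name: Sample */\nbody { margin: 0; }\n",
        "functions.php": "<?php // theme setup\n",
        "footer.php": "<?php wp_footer(); ?>\n",
    }
    clean = tempfile.mkdtemp(prefix="theme-clean-")
    installed = tempfile.mkdtemp(prefix="theme-installed-")
    for d in (clean, installed):
        for name, body in base.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
    with open(os.path.join(installed, "footer.php"), "a", encoding="utf-8") as fh:
        fh.write('<a href="http://casino-example.invalid/">bonus</a>\n')
    os.makedirs(os.path.join(installed, "inc"))
    with open(os.path.join(installed, "inc", "extra.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // dropped-in file (constructed placeholder)\n")
    return clean, installed


def check_sample() -> Dict[str, List[str]]:
    """Run the manifest diff over the constructed sample pair."""
    clean, installed = make_sample_copies()
    return diff_manifests(build_manifest(clean), build_manifest(installed))


if __name__ == "__main__":
    for kind, paths in check_sample().items():
        print(kind, paths)
```

In practice, keep the manifest of the clean download (the output of `build_manifest()`) next to your backups and re-run the diff after any unexplained change to the site; an entry under `added` inside a theme folder is the quickest signal that something was dropped in after installation.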
This is actually basic: every time you download a file, scan it. You can use the anti-virus scanner on your desktop; if you don’t have one, I suggest you get one fast. You can also opt for online virus scanners like VirusTotal.
You can also opt for web hosts that offer protection for your website and blog against hackers and viruses. If your super-cheap web host fails in this respect, think again: you will certainly lose more money in the future.
I think I forgot to mention that I have personally come across a few themes that contain malicious code. There was one theme that used encrypted code to insert a link to a gambling website, and there was also one that pulled a PHP file from his website to display ads in my sidebar. How about you? Share your experiences below.