How to Make Sure Your WordPress Theme Isn't Shady

8 min. read
William Craig

CEO & Co-Founder
President of WebFX. Bill has over 25 years of experience in the Internet marketing industry specializing in SEO, UX, information architecture, marketing automation and more. William’s background in scientific computing and education from Shippensburg and MIT provided the foundation for MarketingCloudFX and other key research and development projects at WebFX.

I can still remember how excited I was back in 2008 when I first discovered WordPress (late-adopter, I know). What was particularly impressive for me was that I could change the designs of my WordPress sites with minimal effort. And so the hunt for the perfect theme began!

As far as I can recall, there weren’t that many paid/premium themes back then. And, to be honest, I wasn’t even taking the possibility of paying for a theme into consideration (since money was a bit tight) so I was kind of stuck with free themes by default. All was well for a while.

My test sites and personal blogs were running just fine, until, one day, I noticed some strange links in the footer. Those unusual links pointed not only to the theme creator’s site, but also to some questionable sites that had spammy anchor texts like “pay day loan”, “cheap home insurance”, “seo services“, and so forth. No problem, I thought, removing these should only take a minute. But, to my surprise, those links were neither in the theme’s Widgets screen nor anywhere in the theme’s source code.

I searched all of the theme’s files in bulk with a source code editor, looking for those anchor texts. I even went through the database using a SQL SELECT statement. Nothing.

So how was it possible for these links to remain under the radar? Well, as it turns out, this is the story of my first encounter with encrypted code in WordPress themes.

Shady WordPress theme practices

Encrypted code is just one piece of the puzzle; there are other distasteful WordPress theme development practices going on.

Static links pointing to suspicious websites

Not all static links (or embedded links) in WordPress themes are bad. A lot of times, they are just links that acknowledge the developer of the theme.

As long as the links are decent, and granted that the theme user is informed that the links will be displayed on their site, then they might be alright. However, in some instances, they may be going to spammy websites. When links start pointing to casino sites, online pharmacies or some shady biz-op products, all without the site owner’s knowledge, then it’s a different story.

Search engines simply won’t be pleased to find out that your site is linking to the dark side of the internet, and they may penalize you for it even if you’re an unwitting participant.

Theme-locking

Some links and code blocks in shady WordPress themes are “locked in” with JavaScript and/or PHP. Removing these links or code blocks will make the entire WordPress site go blank, displacing your content with a message telling you that you need to put the links/code blocks back in place to be able to remove the message from your site.

Encrypted code

Encrypted code is a term in the WordPress community for code snippets that are purposely being obfuscated from the user of the theme. The intent of encrypted code is to hide portions of the theme’s source code and to make these portions difficult to remove.

Encrypted code can do a variety of things, such as generating links to third-party sites and interfering with the user experience.

Why these things are happening

Some companies go out of their way to include harmful elements in their WordPress themes. Why would they do this? You might ask. Because WordPress themes are a great online marketing tool.

The market for themes keeps growing year over year. It’s been reported that 18.9 percent of all sites are built with WordPress. And, at one point, all those site owners will go out looking for nice themes.

The way some people capitalize on this opportunity is by creating a great-looking WordPress theme and then including hidden links and obfuscated code in the theme. Imagine what their reach could be like if they get even a few hundred domains installing their theme.

How to make sure you’re using a trustworthy theme

If you’re considering the use of a new WordPress theme, below are some steps that can help you stay out of trouble. Of course, the first best option is to use a theme obtained from a reputable source and created by a trustworthy theme developer, both of which can significantly reduce the potential of these shady practices being employed.

It wouldn’t hurt to go through these steps despite the reputation of your candidate theme.

Step 1: Install theme-checking plugins

It is very possible to investigate every theme by hand just by going through its files. But doing so with a trusty plugin is much quicker, and potentially more thorough. You’ll need two plugins for this step.

TAC scans all of your installed WordPress themes for potentially malicious code.
Theme-Check tests your themes for compliance with all the latest WordPress standards and best practices.

Step 2: Test the theme for encrypted code

Before activating a WordPress theme, you should first test it in a safe development environment. One such environment is on your PC. However, if you don’t have time for that, you should still be fine as long as you don’t activate the theme before running your tests.

To see what the TAC plugin has to say about your new theme, in the WordPress administration screen, go to Appearance > TAC. Scroll down to your theme to see if there are any issues. Screenshot of a TAC test result. If TAC says that everything’s fine (and you’re using a theme from a trusted source) then it probably is.

However, if it indicates the presence of any encrypted code then you need to be cautious. It’s recommended to never use themes that have encrypted code. The main reason for this is that you have absolutely no control over what’s inside the encrypted block of code.

It could be anything: third-party scripts, data-mining, ads, link-building schemes, etc. Some PHP and JavaScript functions associated with encrypted code are designed to help developers perform difficult but benign processes, such as data-encoding conversion or parsing. But in the wrong hands, and in the context of WordPress theme development, they are often used to hide shady source code.

If you want to do some sniffing around on your own, you can batch-search theme files with a text editor like Notepad++. Look for the keyword “base64_decode”. The base64_decode() PHP function, together with the eval() function, is commonly used to execute encrypted code. For example, if the encrypted code you find looks anything like this (just an example, not actual code) stay away:

$o="eHQvamF2YXNjcmlwdCI+PC9zY3JpcHQ+"; eval(base64_decode("PHNjcmlwdCBzcmM9Ii8vYS1zaGFkeS1zaXRlLmNvbS9qcy9zcGFtbGlua3MuanMiIHR5cGU9InRl" . $o));

Step 3: Evaluate all the static links

TAC will also let you know when it stumbles upon any static links inside the theme.

When you click the Details button, you will see the exact files and lines where those links occur. Find embedded static links with TAC. Static links are common in free WordPress themes, and they’re not necessarily bad. For instance, some themes require attribution.

The first thing you should do is decide whether or not you’re okay with those links being on your site. In the end, if you’re not okay with any link, you just shouldn’t use the theme. When it comes to static links, most of the time the party’s going on in the footer.php file.

For instance, the theme I checked when doing research for this piece had links pointing to a site titled “Botox Tel Aviv” with an anchor text consisting entirely of non-Latin characters: An example of an embedded static link in a WordPress theme. For testing purposes, you can check what happens if you remove an embedded link. Sometimes, you will discover that your entire site will stop working as a result of this action. And that is exactly what happened to my test site; when I removed the link, the site stopped working and the content was replaced with this message: The message being displayed on all pages when a static link is removed. If you want to investigate some more, this is where the other plugin, Theme-Check, comes into play.

Go to Appearance > Theme Check and run a test for the theme in question. Most likely, the plugin will report a lot of stuff, so you will have to browse around for a while to find what might be causing the problems. In my case, the instructions found in line 124 of the functions.php file were to blame: Theme-check finding a WordPress theme error.