A couple of years back, there were two instances where I warned Joomla users and WordPress users about their theme sources, that is, where they downloaded their themes from. This was because some sites that redistribute free WordPress themes are hijacking and repackaging these themes and inserting malicious code into the functions.php or footer.php files. If undetected, this code can compromise your blog or make it link to unfriendly sites, which can get your blog banned by Google.
Because of these incidents, the guys from builtBackwards saw a need for something to solve this issue and decided to create a plugin that can check and scan theme files for potentially malicious or unwanted code.
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3, TAC also searches for and displays static links.
Installing the Theme Authenticity Checker plugin is as easy as A-B-C. Just download the zip file, extract it, upload the tac folder into your wp-content/plugins folder on your web server and activate the plugin via the WP dashboard. Once it's activated, you can access the Theme Authenticity Checker plugin via Appearance > TAC.
Screenshot:
How it works:
The Theme Authenticity Checker plugin is simple and straightforward. Once this plugin is installed, it automatically checks your theme files for potentially malicious or unwanted code. If it detects any such code, it displays the path to the theme file, the line number and a short snippet of the suspicious code, making it fast and easy for the user to trace and remove those pieces of code.
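To make the scanning described above concrete, here is an added example (not the plugin's own code) of a minimal theme scanner in the same spirit: it walks a theme folder, flags lines matching a small set of obfuscation indicators, reports each static http(s) link, and returns the file path, line number and snippet for every hit. The indicator list and the sample theme it builds are assumptions constructed for this example, not TAC's actual signature list.

```python
import re
import tempfile
from pathlib import Path

# Indicators of obfuscated or remotely fed PHP that legitimate theme files rarely need.
# This list is an assumption for the example; it is not TAC's own signature list.
SUSPICIOUS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){3,}"),  # run of hex-escaped bytes
]
# A static link: an absolute http(s) href hard-coded into the template rather than
# generated by WordPress (the kind of "sponsored" link TAC lists since v1.3).
STATIC_LINK = re.compile(r"<a\s[^>]*href\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)


def scan_theme(theme_dir):
    """Return (kind, relative path, line number, snippet) for every hit in the theme."""
    base = Path(theme_dir)
    findings = []
    for path in sorted(base.rglob("*.php")):
        rel = str(path.relative_to(base))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if any(pat.search(line) for pat in SUSPICIOUS):
                findings.append(("suspicious", rel, lineno, line.strip()[:80]))
            for match in STATIC_LINK.finditer(line):
                findings.append(("static-link", rel, lineno, match.group(1)))
    return findings


def demo():
    """Build a constructed throwaway theme with a tampered footer.php and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "functions.php").write_text("<?php\nadd_action('init', 'theme_setup');\n")
    (root / "footer.php").write_text(
        "<footer>\n"
        "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>\n"  # constructed stand-in for hidden code
        '<a href="http://sponsor.example/">Sponsor</a>\n'      # constructed static link
        "<?php wp_footer(); ?>\n</footer>\n"
    )
    return scan_theme(root)


if __name__ == "__main__":
    for kind, path, lineno, snippet in demo():
        print(f"{kind}: {path}:{lineno}: {snippet}")
```

Running it reports two hits in footer.php (the eval/base64_decode line and the hard-coded link) and nothing in functions.php, which is the same path, line and snippet style of report the plugin gives you.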
If you install the Theme Authenticity Checker plugin and it detects some suspicious or unwanted code in your theme files, the first thing you need to do is contact the theme author about it and ask whether that piece of code is supposed to be there. In most cases, that piece of code wasn't put there by the author, but in some cases, like "sponsored" WordPress themes, the code is purposely placed by the theme authors themselves. Sometimes removing the piece of "code" can cause your theme to crash or stop working, so you're better off changing your theme to a different one.
I’ve installed it here on my blog and it works great. Unfortunately, after I installed it I found out that one of the free WordPress themes that I’ve recently reviewed contains hidden code in its footer.php file. I’m talking about the Milano theme. I’ve disabled the download link from that review and posted an update, suggesting users who’ve downloaded and installed the theme to remove/uninstall it and replace their theme with a different one.
I love the Theme Authenticity Checker plugin and I wish I had found out about it sooner. It's a very handy tool when I do my WordPress Theme reviews, because I can check the theme first before I do my review and make sure that the theme I'm sharing is safe for my readers and its users. This type of plugin is not only useful for blog authors who use WordPress but also for people who deal with a lot of WordPress themes and build WordPress blogs for their clients.
A word of warning: always make sure that you only download WordPress themes from reliable sources or directly from the theme author's site. If you really want to try out a new WordPress theme from a new or unreliable source, then you can use the Theme Authenticity Checker plugin to check the theme first.
I strongly recommend the Theme Authenticity Checker plugin to anyone who runs a WordPress-powered blog. This is one of those must-have plugins for any WordPress blog.
Have you experienced downloading and installing a WordPress theme with suspicious code in it? Is anyone else using, or has anyone tried, the Theme Authenticity Checker plugin? What other features would you like to see added to it? Please share your thoughts.