One of the things that make WordPress great and popular is the huge number of available free themes and plugins. Unfortunately, the popularity of free WordPress themes have been used by scammers, spammers and malicious users, as an opportunity to cash in and/or wreak havoc. Many of the free WordPress themes available on the Internet today have already been altered by these users, adding base64 encrypted codes into the theme’s functions.php file which when decrypted, contain spammy links or malware.
Recently, a new type of malware was found on some free WordPress themes that are being distributed by a site called top-themes.com (site no longer available). The malware-ridden theme’s functions.php file contains code that inserts a zip file on a theme’s screenshot file. Once activated, the file unzips itself into a new directory and executes the malware file, adds itself (the malware code) and infects other themes in the user’s wp-content/themes directory. This type of malware is really clever because once it accomplishes it’s goal, the file erases itself so it won’t be traceable.
To learn more about how this type of malware works, check out Otto’s post entitled – Anatomy of a Theme Malware. As an additional resource, please make sure to read Lorelle VanFossen’s article – WordPress Theme Malware Prevention and Protection.
To all WordPress users out there, make sure you only download free WordPress themes from reliable sources/websites like the WordPress.org Theme Repository. If ever you’re gonna download a theme outside the official WordPress theme Repository, make sure you only download from the theme author’s website and to use a plugin like the Theme Authenticity Checker, that checks theme files for any encrypted codes.
There are lot of free WordPress themes out there that are not only spam and malware-free but also beautiful and premium-quality. I try to post as many of these themes here on JaypeeOnline so users can find them easily. You can check out the themes I’ve reviewed from the WordPress themes category. If you can afford it, you can also purchase premium WordPress themes from reliable sources like StudioPress, WooThemes, Elegant Themes, Theme Forest, WP ZOOM and many others.
Where do you guys get or download your WordPress themes from? Have you ever been victimized by a malware-ridden theme? Anyone here ever come across this new type of WordPress theme malware? Please share your thoughts.