This is just a reminder: please only download WordPress themes from reputable sources such as WordPress.org.
Someone just came into #wordpress asking for help modifying their theme a few hours ago. I found the URL to the theme’s website via their
style.css and downloaded the theme in an attempt to help them figure out which file to edit to do what they wanted.
What I found inside the theme’s
footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with
base64_decode() around 150 times) and a ton of
eval()‘s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe)
eval()‘s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy
eval() PHP code to display links to websites.
Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off and Internet and run it on your PC, so why would you do it with a plugin or theme?
So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.
And if you’re wondering,
qualitywordpress.com is the site where the user got the theme from. I have only posted the URL to that website in an attempt to prevent people from using it’s themes. Do not use the themes from that website.