
Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme?

Recently, Automattic and WordPress decided to clean up the WordPress Themes Viewer, removing all the “sponsored Themes” from its database.

There has been a lot of debate over the definition of a sponsored WordPress Theme. In theory, any WordPress Theme design which was “paid” for development and construction is a sponsored Theme. Those aren’t the problem.

The WordPress Themes that were stuffed full of ad links, company links, and code that generated ads and more nasty stuff are the trouble-makers. These are the WordPress Themes that have now been removed from the WordPress Theme Viewer, the official source for WordPress Themes, and slapped with the generalized term “sponsored”, though this is an inappropriate label. I’d call them evil WordPress Themes as their intent is for greed and trouble.

There are many places where you can find WordPress Themes and templates, free or paid, which may or may not include evil “sponsored” links. And how would you know?

Indeed, some evil Themes have been found in unofficial Theme distributors, as I reported in the most recent WordPress Wednesday News on the Blog Herald.

There have been a variety of reports about WordPress Theme suppliers offering free Themes, but users finding a ton of advertising links and spam links in these downloaded Themes. Some are obvious, and others are buried in included template files, JavaScript files, and PHP code, easily overlooked unless you really know code.

Your WordPress Theme May Be Vulnerable to Security Flaws and Errors

Added to this worry is the announcement by Blog Security of their “Top 10 Vulnerable WordPress Themes”, a list of Themes which feature some of the common WordPress template flaws.

These are not evil deeds and links but design and code elements within a WordPress Theme that make it vulnerable to hacking, defacing, and even entering your blog’s Administration Panel. These are most often found in Themes due to ignorance by the designer who uses code found in other WordPress Themes, not knowing there are errors or flaws in the code. Rarely are these put there on purpose, but it still puts your WordPress Theme at risk.

This isn’t limited to newly downloaded WordPress Themes. Most of these security and structural flaws are found in older Themes which haven’t been updated as these issues were revealed. If you are using an older WordPress Theme, contact the original author for an update. If you designed your own, you may have copied in code that makes your Theme vulnerable, so get it checked.

Blog Security offers a “WordPress Theme Scanner” which is designed to check your WordPress Theme to see if it has some of these common vulnerabilities. According to the documentation, it searches for:

  • WordPress Version Check (currently supports 7 version checks). Future releases will include a file existence version check, for those blogs that have removed their version details.
  • Tests the WordPress theme template for basic XSS vulnerabilities.
  • Enumerates WordPress Plugins. Future releases will perform additional tests in this area.
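The buried ad links described earlier and the first two checks in the scanner’s list above are all things you can find by reading theme files for a handful of patterns. The following Python script is an added example, not code from this article and not BlogSecurity’s wp-scanner: it walks a theme directory and flags decoder/eval calls (the usual disguise for injected ad code), anchors sitting inside a `display:none` element, superglobals echoed straight into HTML (the basic reflected-XSS pattern in old template files), and a `generator` meta tag that advertises the WordPress version. The sample theme it writes to a temporary directory is constructed for demonstration; the check names and regular expressions are my own, and the hardened `searchform-fixed.php` uses `bloginfo('url')` instead of a request variable. Plugin enumeration is a remote check against a live blog and is not covered here.

```python
"""Static audit of a WordPress theme directory (added example, not wp-scanner).

Flags: obfuscated/eval'd PHP, links hidden with display:none, superglobals
echoed into HTML without escaping, and a generator meta tag (version leak).
"""
import os
import re
import tempfile
from collections import defaultdict

# (category, compiled pattern, why a reviewer should look at the line)
CHECKS = [
    ("obfuscated-code",
     re.compile(r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "decoder/eval call; a theme rarely needs this, injected ad code usually does"),
    ("hidden-link",
     re.compile(r"<(?:div|span|p)\b[^>]*style\s*=\s*['\"][^'\"]*display\s*:\s*none"
                r"[^'\"]*['\"][^>]*>.*?<a\b", re.I | re.S),
     "anchor inside an element hidden with display:none"),
    ("unescaped-output",
     re.compile(r"<\?(?:php\s+(?:echo|print)\s+|=\s*)"
                r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b", re.I),
     "request/server variable echoed straight into HTML (reflected XSS pattern)"),
    ("version-disclosure",
     re.compile(r"<meta\s+name\s*=\s*['\"]generator['\"]", re.I),
     "generator meta tag advertises the WordPress version"),
]
SCAN_EXT = {".php", ".js", ".html", ".css"}


def audit_theme(theme_dir):
    """Return {relative_file: [(category, line_no, why), ...]} for files with hits."""
    findings = defaultdict(list)
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, theme_dir)
            for category, pattern, why in CHECKS:
                for m in pattern.finditer(text):
                    line_no = text.count("\n", 0, m.start()) + 1
                    findings[rel].append((category, line_no, why))
    return dict(findings)


# Constructed sample theme: three flawed files, one hardened one, one clean one.
SAMPLE_THEME = {
    "header.php": (
        "<head>\n"
        "<meta name=\"generator\" content=\"WordPress <?php bloginfo('version'); ?>\" />\n"
        "</head>\n"),
    "searchform.php": (  # unescaped superglobal in a form action
        "<form method=\"get\" action=\"<?php echo $_SERVER['PHP_SELF']; ?>\">\n"
        "<input type=\"text\" name=\"s\" /></form>\n"),
    "searchform-fixed.php": (  # hardened form: site URL comes from WordPress, not the request
        "<form method=\"get\" action=\"<?php bloginfo('url'); ?>/\">\n"
        "<input type=\"text\" name=\"s\" /></form>\n"),
    "footer.php": (  # hidden ad link plus an obfuscated payload ('QUJDREVG' is just 'ABCDEF')
        "<div id=\"footer\">Powered by WordPress</div>\n"
        "<div style=\"display:none\"><a href=\"http://example.invalid/pills\">weight loss pills</a></div>\n"
        "<?php eval(base64_decode('QUJDREVG')); ?>\n"),
    "style.css": "/* Theme Name: Constructed Sample */\n",
}


def write_sample_theme(dest):
    """Write the constructed sample theme files into dest."""
    for name, body in SAMPLE_THEME.items():
        with open(os.path.join(dest, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Write the sample theme to a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_theme(tmp)
        return audit_theme(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for category, line_no, why in hits:
            print(f"{path}:{line_no}: [{category}] {why}")
```

On a real theme call `audit_theme('/path/to/wp-content/themes/yourtheme')`. A hit is a prompt to read that line, not proof of malice: a theme may legitimately call `base64_decode` for an embedded image, and a visible designer credit in the footer is not a hidden link. What matters is that every `eval`/decoder call and every hidden anchor gets a human explanation before the theme goes live.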

If you choose to download Themes from “unofficial” sites, take care. These are not the responsibility of WordPress or Automattic. Download these Themes at your own risk. I recommend that if you cannot find a WordPress Theme on the official sites, you check the code thoroughly before using it, or have someone do it for you. And consider testing them against the scanner.

And take care with all WordPress Themes you are using and pass your WordPress blog and Theme through the Blog Security WordPress Scanner Plugin to help it detect possible security flaws, especially if your WordPress Theme is more than a few months old.




Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

40 Comments

  1. Posted August 9, 2007 at 10:09 am | Permalink

    As a beginning theme developer I appreciate the efforts taken by the community and Automattic. But on the other hand, I would like to offer my themes for download from my own site as well as the official themesite.
    Perhaps there could be some way one could achieve a “verified WordPress theme developer” badge or some such?

  2. Posted August 9, 2007 at 10:12 am | Permalink

    I think its over the top to generalize all the themes removed from the WordPress Theme Viewer as “evil themes”. Removing any theme containing suspicious code was the priority, but Matt described taking a consistent approach to it and removing themes with any “sponsored links” or funny licensing — most often these themes are far from evil.

  3. Posted August 9, 2007 at 10:16 am | Permalink

    I do all my own themes (cept for my current one. it’s a modified premade). But thanks for the links. I’ll definitely check them all out.

  4. Posted August 9, 2007 at 10:40 am | Permalink

    I think that any one who puts greed-driven, and trouble-making code in anything has a strong touch of evil in them. Bad to the core. :D

    However, the labeling of all such themes as “sponsored” was terribly misleading and unfair to many good Themes that were paid for, which is why there was such an uproar. If another label had been applied, call them “malicious code Themes”, I don’t think there would be any discussion about this.

    If I were in charge of naming things in the world, the world would be a much better place. ;-)

  5. Posted August 9, 2007 at 10:53 am | Permalink

    Lloyd: by ‘funny licensing’ I take it you mean anything other than GPL?

    I did ask Matt to tell people on themes.wordpress.net how to check their themes were secure, but he hasn’t got around to it, so I’m glad that Blog Security have stepped up to the plate and that you’ve ensured their guidelines are widely circulated.

    Unfortunately, it’s currently impossible for people hosting themes on wordpress.net to update them; so although themes from there won’t have any sponsored links, they won’t necessarily be secure, and they may not even be the most current version. So even if your theme is from an ‘official’ source, you still need to check it, and it’s also a good idea to go to the designer’s own site to see if there are any updates there.

  6. Posted August 9, 2007 at 10:58 am | Permalink

    I would love to encourage folks to download my themes on the Official Theme Viewer; however, when I last updated my themes there some problem occurred where some of the theme files were updated and some weren’t. So when you download a theme, it may be broken from the get-go and not for any reason the theme author can control.

    And I have used the contact form three times to ask for this to be fixed with never a single response.

    I get at least one email every day from someone who has downloaded a theme from themes.wordpress.net and the solution is always, “Just delete the files you downloaded and redownload them from my site.”

  7. Posted August 9, 2007 at 11:01 am | Permalink

    The report from wp-scanner is kind of cryptic IMO, it says mine has no XSS vulnerabilities but what does all the rest of the data mean? Anyone?

  8. Posted August 9, 2007 at 11:11 am | Permalink

    Addendum: what would be especially awesome would be if Automattic could licence blogsecurity’s wp-scanner script or code their own version. I’m not 100% comfortable with security-related stuff being farmed out to third parties.

  9. Posted August 9, 2007 at 11:16 am | Permalink

    Thanks for the mention Lorelle, I do agree that there have been many themes out there with spammy links and malicious code in the footer of the theme, hopefully more and more WordPress users will be a little more aware after this article.

    On a sidenote, how in the world do I get in touch with you? hahaha, I’ve been wanting to talk to you about your book.

    Thanks

  10. Posted August 9, 2007 at 11:39 am | Permalink

    Moses: It’s called a Contact page for a reason. :D

  11. sunburntkamel
    Posted August 9, 2007 at 12:45 pm | Permalink

    just echoing the excellent statements from TGA and Scott above me;
    I think automattic would be very unhappy with the idea that the themes on themes.wordpress.net are somehow official, sanctioned, or even secure. matt’s made mention of alerting theme authors to XSS vulnerabilities, but as yet there’s no mechanism for him to do so.

    as far as a solution, i’m looking forward to the idea of sandbox being in the core of wordpress, and scrutinized and secured by the developers. the SDC shows that theming wouldn’t suffer for not touching PHP, and the vulnerabilities brought out by blogsecurity’s scanner make it clear that PHP-based themes are more than just an aesthetic decision.

  12. Posted August 9, 2007 at 3:21 pm | Permalink

    This warning is very helpful, who knows.. these free wordpress templates have some codes within the template that can jeopardize your blog.. Well theres nothing wrong on being cautious. thanks for the advice

  13. Monika
    Posted August 9, 2007 at 3:42 pm | Permalink

    Hello Lorelle,
    I can’t understand why there are *official themes* and unofficial themes?
    I agree with Lloyd Bud.

    I understand that http://themes.wordpress.net/ would not like to promote themes with sponsored links.

    But I can’t understand saying all of these themes are *evil*. Nobody must use them.

    Search for *free templates* and you will find thousands of free templates for every open source cms – and most of them have sponsored links. Because this is the deal to get a beautiful theme for free.

    I can’t understand why you are at war with sponsored themes but promote a funny tool. This tool says nothing to a coder but too much to a layman.

    If the WordPress community doesn’t stop the war on sponsored themes, I’m sure we’ll lose the good designers –
    Take a critical look at sandbox competition and you know what I mean.

    Monika from
    webdesign-in.de

  14. Posted August 9, 2007 at 4:31 pm | Permalink

    that girl again: is it GPL-only? I wasn’t sure about that. Maybe, I missed where that is described. I’m not currently directly involved in that project. I was referring to the many themes that I had looked at with strangely worded licenses awkwardly requiring invariant sections, imposing on the experience of the blog.

    Lorelle, you wrote, “The WordPress Themes that were stuffed full of ad links, company links, … have now been removed from the WordPress Theme Viewer”. Stuffed full of? But I thought it was simpler than that, a single ad link would be enough. I don’t think it is right to vilify these people and judge them as greed-driven, though unfortunately I am sure there are some of those bad apples in the bunch.

  15. wpmuuu
    Posted August 9, 2007 at 4:54 pm | Permalink

    Lorelle, to deal with scum’s shit is bad but to leak somebody’s bottom is even worse.
    What do I mean?

    I don’t see my trackback here, which means that you moderate the discussion, not allowing different than yours and your friends opinion.

    If you don’t moderate this comment, your visitors will be able to read my opinion here

  16. Posted August 9, 2007 at 5:48 pm | Permalink

    Lorelle, I’ve always found your insight and advice about WP matters to be right on target. I’m a right-brained artist and much of the complicated coding stuff is over my head, so I really appreciate the fact that you are looking out for people like me. You are a wonderful (and much needed) voice in the WP community. I sincerely thank you. *HUG*

  17. Posted August 9, 2007 at 7:58 pm | Permalink

    The only consistency is the inconsistency

    There is still at least one theme in the top10 that if there was some consistency wouldn’t be there.

    Removing it would be a loss to the community, just like removing a lot of other themes.

    What is worse is if you have a unique theme of your own, you can submit it.
    If you have it cleaned up by a professional designer, and have joint credit, it gets removed from the theme directory.

  18. Posted August 9, 2007 at 8:41 pm | Permalink

    Thanks Lorelle, I’ll definitely pay attention when I design my own theme :)

  19. Posted August 9, 2007 at 9:49 pm | Permalink

    “Official” to me means managed by WordPress “staff” and volunteers with the approval of WordPress/Automattic, and “controlled” by the same. The WordPress Theme Viewer has been approved and managed by WordPress volunteers (who did a great job) since the beginning and now is managed by WordPress proper.

    It doesn’t mean it’s “sanctioned” or better-than-thou. It’s just run by WordPress, which now has stronger controls over what is included. Anything that isn’t run by WordPress control is “unofficial”, not “bad”.

    I agree that there should be a system of “certifying” or “approving” WordPress Themes and their authors for consistent “good” behavior, but I’m not sure the WordPress Community is ready for that. It would require “rules” and “regulations”, something that sends many in WordPress and Open Source running for the bushes. :D

    As for the “rules” for what is included and not included in the Theme Viewer, I’m still waiting for some specifics, which may include two or more designers in the footer. Give credit where credit is due is my opinion.

    As for the rest of the assumptions and accusations, as usual, I provide information and you do with it what you will. I thought this was important for you to know, especially about the vulnerabilities in WordPress Themes (I’m checking my own to see what’s been overlooked!).

    And as for the semantics, I thought “evil” was more gracious than the rest of the terms to describe what I really think of those who take advantage of others through underhanded methods.

  20. Posted August 9, 2007 at 10:46 pm | Permalink

    I use my own theme which I designed from scratch, so I guess mine might not be vulnerable??

  21. Posted August 9, 2007 at 11:05 pm | Permalink

    Hari: How much of a WordPress Theme is from “scratch” is always debatable. Depending upon the version of PHP and WordPress template tag code, and any WordPress Theme that you grabbed the code from, like Kubrick or a Kubrick-based Theme or another, you might have “inherited” code at risk.

    I’m looking into the specifics, but do not assume. Check.

    And if you release your WordPress Themes to the public, this is something you must know how to detect and defend. This is why it is important to keep updating your WordPress Themes. New vulnerabilities are being found all the time, and I need to do more to keep up with them, that’s for sure.

  22. Posted August 9, 2007 at 11:11 pm | Permalink

    Mine was created from scratch as in fully coded by me. I looked at the WP tutorials for theme-building and the whole theme was made from scratch. Later I started developing on it and created more themes, but the underlying code is originally mine.

    I would love if somebody could check my theme for errors/problems, but I haven’t released it to the public.

  23. tarcus
    Posted August 10, 2007 at 12:10 am | Permalink

    I am curious – when will the themeviewer be open to updates again? It seems like it is frozen at the moment!

  24. Monika
    Posted August 10, 2007 at 12:50 am | Permalink

    Hi Lorelle you have said:
    ““Official” to me means managed by WordPress “staff” and volunteers with the approval of WordPress/Automattic, and “controlled” by the same. The WordPress Theme Viewer has been approved and managed by WordPress volunteers (who did a great job) since the beginning and now is managed by WordPress proper.”

    These times I can’t register at the theme viewer and so I have to realize that there are groups of designers who have more chance to promote their themes and some who have no chance ..
    – without any statement, without any answer per email – they would be ignored – nobody knows why – I can’t understand.

    And with this background your statement:
    “Anything that isn’t run by WordPress control is “unofficial”, not “bad”.”

    sounds good but I’m sure new users don’t realize the difference.

    I’m a business woman and understand that someone would like to control all behaviours from WP/add ons/ and so on – but WP is open source.

    Maybe I read too much between the lines, but this summer so many coders stopped coding or supporting plugins for WP – most of them say: we are not welcome at WP – only special persons, and we are not in this group.

    Summary:
    The only official website for my WP themes “must be” my website because WP is open source – I haven’t read that WP has the legal rights to define new rules for open source projects.

    kind regards
    Monika from webdesign-in.de /texto.de

    And I have to realize WordPress would have to define a new licence for open source, because the only official website of my themes is my domain!

  25. Posted August 10, 2007 at 2:15 am | Permalink

    Lorelle, great post, perhaps we could have a chat offline about wp-scanner from BlogSecurity in more detail, it actually checks for so much more than just Theme vulnerabilities, and we have some exciting projects planned that you may be interested in.

  26. Posted August 10, 2007 at 5:15 am | Permalink

    Lorelle, I assume that in comment #19 you answer my comment #15.
    You don’t get it.
    WordPress can not officially represent anything but its own software.
    WordPress/Automattic can only guarantee for a certain product (theme, plugin, widget…), which does not make WordPress OFFICIAL distributor of the guaranteed product.

    As I said in my article (http://wordpress.mu/137.html), we are facing a campaign which is trying to take control over all WP add-ons.

    That is BAD.
    As bad as stealing your content and traffic.

  27. sunburntkamel
    Posted August 10, 2007 at 6:16 am | Permalink

    just because there’s a supposedly “official” theme viewer, doesn’t mean it works well, or that the themes on it are official.

    and there’s no way of making “unofficial” not sound like “bad”.

    your headline is unclear and misleading.

  28. Posted August 10, 2007 at 7:48 am | Permalink

    Honestly, I don’t think that all these semantic name games change anything.

    There are WordPress users who are at risk if they don’t update WordPress when a security version is released, and many are at risk if they don’t know what to look for in a WordPress Theme that might be code they do not want on their blogs.

    This information is vital for users to know. What they do with it is up to them.

    I also believe firmly that WordPress is not into “controlling” but “protecting” users, thus the expunging of inappropriate, copyright violating, duplicate, and spam link-filled Themes from the Theme Viewer is to protect the users. In turn, by removing duplicate and copyright violating WordPress Themes, of which I’m told by the two volunteers who ran the Theme Viewer for so long, the effort protected the rights of the original designers, a good thing in my opinion.

    I have long been an advocate for clear policies and guidelines for WordPress Plugins and Themes as regards to protection of users. I know that the welfare of the end-user is upper most in the minds of Automattic staff and WordPress volunteers.

  29. Posted August 10, 2007 at 7:57 am | Permalink

    David Kierznowski: is there a help page for wp-scanner? If so, I could not find it.

  30. Posted August 10, 2007 at 9:54 am | Permalink

    remotecontrolceo, there is, but the project is still BETA. A new version of wp-scanner will be released over the weekend, which will also offer clearer instructions as well as a lot of other updates and tweaks.

  31. sunburntkamel
    Posted August 10, 2007 at 11:41 am | Permalink

    if semantics are meaningless, then there’s no point in writing.
    since that means blogging is a waste of time, you might as well start designing themes. except no one will use them because words don’t have meanings.

  32. Posted August 10, 2007 at 12:32 pm | Permalink

    that girl again: is it GPL-only?

    Matt has so far refused to clarify, but the posts he has made on his personal blog strongly suggest that non-GPL themes will be removed or at the very least strongly discouraged, even if the required links are to the theme developer rather than an advertiser.

    From a business perspective, I absolutely see why Matt needs to establish ‘official’ repositories for themes and plugins and discredit those run by other people. All the rest of us are saying is that themes.wordpress.net is nowhere near trustworthy yet, and won’t be until somebody is in place to run the site and uploads are re-enabled.

  33. Posted August 10, 2007 at 4:53 pm | Permalink

    I created (from Wolfgang’s design) one of the 10 themes listed on the post “Top 10 Vulnerable WordPress Themes”. The theme is WP-Multiflex-03 that appears at number 10.

    Having emailed them, I’m still waiting for an explanation of the vulnerability that exists in the theme.

    I have tested the theme in the “wp-scanner” and there is not a vulnerability???? On what authority are you accepting their judgements???

  34. Posted August 10, 2007 at 5:08 pm | Permalink

    You will have to contact the author of the article and site you are referring to.

  35. Posted August 10, 2007 at 11:25 pm | Permalink

    An equally important consideration is the vulnerabilities caused by casual trust of both theme and plugin providers.

    konfabulieren has a very interesting illustration with his “WP Surprise” plugin here: do you trust all wordpress plugins? http://tinyurl.com/2uddln

    Is WordPress going to be just as diligent with regard to plugins? Is WordPress going to work cooperatively with Blog Security to attain some level of trust re: plugins (I’m referring to the note above: “…Future releases will perform additional tests in this area.”)

    Thank you.

  36. Posted August 11, 2007 at 1:50 am | Permalink

    I think there is a lot more to this than your sensational headlines suggest.

    I am quite sure that wp-multiflex-03 does not have a vulnerability and *never* has had a vulnerability.

    More research needs to be done to see what is actually causing the “theme” vulnerability.

  37. Posted August 11, 2007 at 6:03 am | Permalink

    Thanks. I didn’t know blog security and I’ll test my self-made template ASAP ;)

  38. Stacy
    Posted June 20, 2010 at 1:51 pm | Permalink

    I recently downloaded, installed, and tweaked a new blog theme. Then I noticed an ad for ‘weight loss pills’ in my footer and I can’t find the code to remove it. It’s… coded. Gah. There isn’t any mention of footer links in the css and the footer.php looks like one loooooooong bit of code (in a form I’m unfamiliar with). Could this be where the evil ad culprit lies?

    I’m off to search for the answer.

    Btw, your blog tips are awesome. Thanks!

    • Posted July 6, 2010 at 9:03 pm | Permalink

      Don’t use any WordPress Theme with ads in it. Please use an official site to download your Themes. Don’t try to remove the ads, just get rid of the Theme as there may be more evil in there than just what is visible.

  39. Posted January 23, 2011 at 12:28 pm | Permalink

    I use the exploit scanner plugin to get an overview if anything is wrong. I am not an expert if anything is found, I just make sure if a theme is not terribly messy. But, I must admit, we all must learn about this most important part of wordpress blogging. I remember, when I was new to WP, I used to search Google, I used to try every attractive theme – without knowing if it can harm my blog.


28 Trackbacks/Pingbacks

  1. [...] believe this issue is more geared towards the WordPress community as WP Founder Matt Mulleweg announced on his blog earlier. As to the issue of black hat SEO, my [...]

  2. [...] Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? Its your time to talk: Have you implemented something in your blog that you want to share to us? [...]

  3. [...] BlogSecurity » Top 10 Vulnerable WP Themes The link has more info about this. Thanks to Lorelle for the heads up! (Note: I love Tarski and have used Freshy in the past, too. Yikes!) Share and [...]

  4. [...] Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? [image]Recently, Automattic and WordPress decided to clean up the WordPress Themes Viewer, removing all the […] [...]

  5. [...] Does your WordPress blog contain hidden security vulnerabilities? [...]

  6. [...] Tom rethinks “the Importance of Screenshots, Diagrams, and Other Visuals” . . . Lorelle on WordPress: “Are You Risking Your Blog With an Unofficial Or Vulnerable WordPress Theme?” – [...]

  7. [...] free wordpress themes that found online can be dangerous like what I read from Lorrelle Blog. Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? I gotta ask myself this question now. I usually just simply search the free wordpress themes online [...]

  8. [...] there is a good reason for this. A number of theme owners have engaged in immoral practices lately, hiding different codes and links from the unsuspecting user. Codes and links that could compromise security, or sink your [...]

  9. [...] (Inspiración: Lorelle) [...]

  10. [...] this year, a lot of people were angered when they found their downloaded WordPress Theme stuffed with ad links and other unwanted content. The issue became very hot and Matt Mullenweg asked the WordPress [...]

  11. [...] WordPress Themes: The Ignored Footer Have you looked lately at the average WordPress Theme footer? That little bit of color and text at the bottom of a WordPress Theme? Lately, it seems that the only time it gets any attention is when people are looking for design credit, embedded links and ads, and other nasties. [...]

  12. [...] are plenty of themes out there with security risks. Without the authors having the ability to upgrade, users are put in danger by using the WordPress [...]

  13. [...] the WordPress Theme Viewer access was closed down was for a major cleaning of the Theme Viewer, removing Themes with spammy ad links, copyright violations, and duplicate Theme designs. The WordPress Community let the developers know that they didn’t want junk in the [...]

  14. [...] Vía | Lorelle [...]

  15. [...] realize that the WordPress Themes they had recently downloaded and installed on their blogs had hidden links, unwanted advertising, and other nasty stuff. So here’s a couple of suggestion and application I google around the [...]

  16. [...] Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? [...]

  17. [...] WordPress Themes were banned from the official WordPress Theme Directory due to inclusion of ads, spam, and malicious links in [...]

  18. [...] WordPress Themes and Plugins from known and respected sources like the official WordPress Plugin Directory and WordPress Theme [...]

  19. [...] WordPress Themes and Plugins from known and respected sources like the official WordPress Plugin Directory and WordPress Theme [...]

  20. [...] couple years ago there was a rash of spam and scam WordPress Themes. They included hidden or visual unwanted ads and links, but rarely malware, programming code that [...]

  21. Did you check if you are you using a vulnerable wordpress theme?…

    Downloading free wordpress themes from unknown wordpress theme gallery websites can be harmful for your blog. And, without a doubt, pirated premium themes made freely available by many unholy warez sites can be a terrible experience. These themes may c…

  22. [...] seen a growing number of scams, phishing, and malware with WordPress, specifically WordPress Themes, Plugins, and out-of-date versions of WordPress. WordPress expert, Otto of OttoPress investigated a [...]

  23. […] (Inspiración: Lorelle) […]

  24. […] are those who stand up and say don’t risk your site with an unofficial WordPress Theme as many were stuffed with hidden or blatant advertising links, spam links, and security […]

  25. […] WordPress regularly, but also update your WordPress Theme and Plugins as these can also include security flaws or vulnerabilities. The WordPress Theme […]

  26. […] Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? […]

  27. […] Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme? […]

  28. […] 2007, there was a surge of WordPress Themes stuffed with hidden or visible advertising links called “Premium” or “Sponsored” Themes. People would download free Themes only to find their sites plagued with unwanted spam ads, […]
