I’ve just published “WordPress Theme Malware Prevention and Protection” on WordCast, covering Otto’s recent dissection of malware found in a WordPress Theme.
The article sums up his revealing analysis of how malware code in a Theme integrates itself into your site, even down to the server level, through a twisting path of imaginative code. The code reminds me of the insidious bombs featured in an episode of Star Trek: Deep Space Nine called “Houdinis.” The bombs vanished in and out of subspace, each less than a meter from the next in a grid. At any time one could appear and explode if it detected movement near it, surprising and killing the victims. This code has the ability to activate, create trouble, then erase its path, making it tough to detect, test, and eliminate.
The article also offers some tips and WordPress Plugins for checking your site for security vulnerabilities, and for testing a Theme before you become too invested in it. There is no single foolproof, one-step fix yet, though many people are working on advanced site armor and prevention tools, which I will cover in an upcoming article on WordCast.
In general, use the built-in auto-update feature to upgrade WordPress immediately when a mandatory security update is released, and keep your Themes and Plugins upgraded as well.
Remember, prevention is cheaper and easier than dealing with a hack after the fact.
We live in “interesting times,” and I dream of the day when those who dance with the dark put their creative energy, discipline and determination into projects of light, peace, and joy…and that good would pay better than bad.
25 Comments
Nice article, Lorelle.
I do use Google search to find quite a bit of themes, but I never activate them until I have gone through functions and footer, plus the other template files, just to make sure nothing evil is in them.
For beginners it’s something to read, even for people packaging up original themes and adding their own code.
A search just “anyone” could miss these. I cannot recommend using Google as a “trusted” source for finding WordPress Themes. It’s like the lottery. 😀
Some people really need a day job. I agree with the sentiment that maybe these numbskulls could use their skills for better things other than ruining people’s blogging and web design experiences.
Otto covered this topic a few days ago and it impressed me; now this from you, Lorelle, and it’s definitely worth reading and spreading around. People who want free themes should be very careful while downloading them from shady sites; every theme where, e.g., footer.php isn’t readable should be a good sign that there is something wrong, and in many cases a regular user will have no knowledge of this.
When you download a “free” theme you get much more than just a theme.
It’s almost always a good idea to get your theme from people that everyone knows; an even bigger plus is if their site is listed on WordPress.
Thanks,
Emil
Interesting.
What about a black list of those themes?
Additionally how can I be sure that the ones listed on WordPress are Malware free?
If you would like to create such a list, go ahead, however, I wouldn’t recommend going out looking for such Themes. 😀 Anyone can change the name of a Theme instantly, so such a list would be worthless.
The WordPress Themes in the WordPress Theme Directory are reviewed and scanned thoroughly, which is why you can trust them.
Thank you for this reminder. I recently shifted to WordPress theme blogs because of the flexibility and the available plugins. Thanks.
I’ve used the theme checker plugin for a while now. Really good for spotting “free” themes that are loaded with hidden code and links too.
WP plugins worry me. As I’ve seen one or two on WP.org that have forum posts saying they have malware or hidden links.
Always pays to read the plugin support forums on WP before installing I think!
Lorelle,
Found this link from my dashboard; how truly important it is to choose a clean free theme.
I always recommend that my readers select their themes carefully.
Heading to Otto’s article now,
Thanks,
Kimi.
Thanks for sharing your thoughts about your article, Lorelle. It gives me another idea now to be more careful in choosing such Themes. I hope someone can create a plugin that acts like an anti-virus and protects our blogs from any threats such as this one.
Yes, well said Lorelle.
It is so important to update not only WordPress but also the themes and the plug-ins that are available for it as well, and this is an item that sadly is lost on a lot of people using the software.
It is saddening that people ruin such a great product (WP) by doing things like this. Nice article though Lorelle, will definitely be wary.
While I blog fairly exclusively about WordPress, such malware is not limited to the WordPress Community of products and services. In fact, it tends to be found less often there than among a lot of other template suppliers for other publishing platforms and services.
It would more than likely be more effective to blacklist these sites by domain, and not by theme name. For example, the theme in which this malware was found was originally legitimate and by and large still is.
The theme had been downloaded from the WordPress site and re-uploaded to the scammer’s site after he/she had placed the malware into it.
It would be more inconvenient for these scammers to change their site address than the theme name and costly too.
While it sounds like another nice and easy idea, blacklisting doesn’t work as people can create proxies and domain names faster than running water. Domains are cheap.
There are two articles on plugins spam as well: New kind of WordPress Plugin Spam and part two.
Anyway, how to protect WordPress from malware?
This assumes you read the article on WordCast which offers tips.
Some months back I told a friend that I suspected it was my WP plugin giving my blog malware. He was quite shocked. Only thing is, the plugin with the malware was not an SEO plugin. I am going to heed the advice of not downloading any plugin outside WordPress.org. Also, do check that all files do not contain something like .ru or pantscow.ru. (My blog was hit with this twice. The second time I was hit, I simply upgraded and the malware was once again gone.)
Wow, I didn’t know this was out there! Scary!
As someone who has been hit by malware a bunch of times, I think Automattic should look into creating an App Store that features plugins and themes along the lines of what the iTunes store does. It would offer free and premium themes and plugins that would be tested before being accepted. It would give theme and plugin authors great visibility, could be easily integrated into the WordPress ecosystem and would be a source of revenue for Automattic as well as the authors. They could even offer plugin packages for various combined functionality, again for a fee.
People that create malicious software really piss me off. Of course, now it’s no longer just a challenge to corrupt someone’s computer – there is the profit incentive behind it also. When the scammers start making money, we all lose. I use Malwarebytes to keep that crap out of my computer.
They anger me, too, but I stick to well-known virus and malware checking services. There has always been profit to evil, and the web, unfortunately, is no different in the evil economy. 😀
I got warned about possible malware injected into certain themes.
Using Theme Authenticity Checker helps me a lot.
Thanks for reminding me of this.
Yes and no. I’ve had clients with malware in WordPress Themes, and several Plugins that claimed to check thoroughly didn’t find it consistently, though the newer updated ones have improved. The issue is that truly criminal WordPress Theme and template providers have also improved their efforts.
And a Theme checker will not do much for a site infected by one of the malware trojans initiated by Themes, Plugins, and other methods that initiate and cloak, one that I’ve battled on a couple of sites. I long for the day when we have a tool that will dig in deep to find and prevent all of the evil on a WordPress blog. Until then, go with trusted resources and check using the tools available.
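The practice several commenters describe above, reading functions.php and footer.php for unreadable code and hidden links before activating a Theme, can be turned into a quick pre-activation check. The scanner below is an added example, not code from this post, from Otto’s article or from the Theme Authenticity Checker plugin; its patterns are heuristics chosen for this illustration, and the allowed_hosts parameter and the two sample files are constructed.

```python
import os
import re
import tempfile

# Constructs a legitimate Theme rarely needs; a hit means "read this line", not "malware".
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "decoder_call": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "hidden_link": re.compile(r"<a\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I),
}
LINK = re.compile(r"href\s*=\s*['\"]https?://([^/'\"]+)", re.I)

def scan_source(text, allowed_hosts=()):
    """Return (finding, line_number) pairs for one PHP/HTML source string."""
    hits = []
    for name, pat in SUSPICIOUS.items():
        hits += [(name, text.count("\n", 0, m.start()) + 1) for m in pat.finditer(text)]
    for m in LINK.finditer(text):  # links to hosts you did not expect in a Theme
        host = m.group(1).lower()
        if host not in allowed_hosts:
            hits.append(("external_link:" + host, text.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: (h[1], h[0]))

def scan_theme(theme_dir, allowed_hosts=()):
    """Walk an unpacked Theme; map each .php file to its findings (clean files omitted)."""
    report = {}
    for root, _, files in os.walk(theme_dir):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read(), allowed_hosts)
                if found:
                    report[os.path.relpath(path, theme_dir)] = found
    return report

# Constructed samples (not real malware): the "payload" is only "ABC" repeated in base64.
CLEAN_FILE = '<footer><a href="https://wordpress.org/">Powered by WordPress</a></footer>\n<?php wp_footer(); ?>\n'
SUSPECT_FOOTER = ('<?php bloginfo("name"); ?>\n'
                  '<?php eval(base64_decode("' + "QUJD" * 40 + '")); ?>\n'
                  '<a href="http://example.invalid/" style="display:none">seo</a>\n'
                  "<?php wp_footer(); ?>\n")

def demo():
    # Write both samples into a temporary Theme folder and scan it.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "footer.php"), "w") as fh: fh.write(SUSPECT_FOOTER)
        with open(os.path.join(d, "sidebar.php"), "w") as fh: fh.write(CLEAN_FILE)
        return scan_theme(d, allowed_hosts=("wordpress.org",))
```

Run demo() on the samples, or point scan_theme at a Theme folder you have unpacked but not yet activated; every reported line is one to read by hand before the Theme goes live.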