Not So Innocent WordPress Themes

The ease of setting up a WordPress blog is fairly common knowledge. WordPress themselves talk about the easy 5-minute installation. And it really is that easy! What isn’t so easy, and what a lot of people often overlook, is the maintenance and security of their blog after the initial installation.

WordPress security is about as exciting as–well, it’s not exciting at all. But like most unpleasant but necessary things in life, your blog’s security shouldn’t be shuffled into a dark corner and never considered. This post aims to bring to light one of the most overlooked aspects of running a WordPress blog: Malicious Themes.

While a large portion of malicious themes are free, there are some paid themes that might not be quite so innocent either. Your best defense against having your blog compromised is knowledge and the understanding that no matter how large, small, popular, or private your blog is, malicious code can infiltrate it.

I run a very small blog, do I still need to worry?
Yes. Compromised blogs don’t have to be big or popular. Most people’s blogs get infected with malicious code because they inadvertently installed something bad, not because they were directly targeted. It doesn’t matter how small your blog is. Even if you write a blog solely for your family and friends, if you download and run a lot of unverified plugins and themes, you run the risk of compromising your blog’s security.

Do I need a security plugin for my WordPress blog?
Some people run security plugins for their blogs, some people don’t. I can’t advise whether you should or not; it’s a personal decision with pros and cons. If you do choose to use a security plugin for your blog, make absolutely sure you are installing and using a trusted one. Read all the reviews, read reviews on different sites, make sure you are downloading the plugin from a trusted site, and see what kinds of problems users have with it. Security plugins can be a lot of work: some of them ingrain themselves deeply into your WordPress installation, so uninstalling them can be tricky. If you don’t want to run a security plugin, what you can do instead is know the risks that are out there and be vigilant about what you install.

With those two questions out of the way, let’s talk specifically about malicious themes. A theme might seem harmless enough. After all, customizing the appearance of your new blog is probably one of the more fun parts of the setup. But not all themes are created equal and not all themes are innocent.

Some theme authors embed code that redirects to, links to, or otherwise points your blog at an unscrupulous website. There’s nothing wrong with a theme author linking back to their own website; a link back to the original author is common practice. But some authors embed links to sites with poor reputations. Sometimes these links can drag your own blog down, so if you’re trying to get into Google’s good books, having links to bad sites embedded in your free theme without your knowledge won’t look good. These links aren’t always easy to find in your theme, because they might be encoded.

Base64 encoding is one of the things to be vigilant about. Very often, the presence of Base64 encoding implies that the theme author has something to hide. Perhaps it’s malicious code, perhaps it’s a link to a bad website; sometimes the purpose is legitimate, but can you really take that chance? Decoding Base64 is straightforward. You can plug it into any number of websites you find on Google and discover exactly what’s being hidden from you. I recommend this site: Base64 Decode and Encode. There are a lot of reasons why Base64 encoding exists, but there had better be a very good reason for it to exist on your website in the form of a theme.
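Rather than pasting strings into a website one at a time, you can scan a whole theme for the pattern described above. The script below is an added example, not code from the original post: it looks through a theme’s PHP files for `base64_decode()` calls with a literal argument, decodes them so you can see what was hidden, and flags other wrappers (`eval`, `gzinflate`, `str_rot13`) for manual review. The two-file sample theme is constructed here for the demo, and example.com stands in for whatever site a hidden link would point at.

```python
import base64
import re
from pathlib import Path

# base64_decode() call with a string literal argument (the pattern the post warns about)
BASE64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# Other wrappers often used to hide code; flagged for manual review, not decoded here
SUSPECT_CALLS = re.compile(r"\b(eval|gzinflate|str_rot13)\s*\(")
# What a decoded payload usually turns out to be: a link, script or iframe
LINK_OR_SCRIPT = re.compile(r"<a\s|<script|<iframe|https?://", re.IGNORECASE)

def scan_theme_file(name, source):
    """Return findings (dicts) for one theme file's PHP/HTML source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in BASE64_CALL.finditer(line):
            blob = re.sub(r"\s+", "", m.group(1))
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: not valid Base64
                decoded = None
            findings.append({"file": name, "line": lineno, "kind": "base64_decode",
                             "decoded": decoded,
                             "hidden_link": bool(decoded and LINK_OR_SCRIPT.search(decoded))})
        for m in SUSPECT_CALLS.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": m.group(1),
                             "decoded": None, "hidden_link": False})
    return findings

def scan_theme(files):
    """files: mapping of relative filename -> source text. Returns all findings."""
    return [f for name, src in sorted(files.items()) for f in scan_theme_file(name, src)]

def scan_theme_dir(theme_dir):
    """Scan every .php file under a real theme directory, e.g. wp-content/themes/<name>."""
    root = Path(theme_dir)
    return scan_theme({str(p.relative_to(root)): p.read_text(errors="replace")
                       for p in root.rglob("*.php")})

# Constructed two-file theme for the demo; example.com is a placeholder for the hidden link target
HIDDEN_LINK = '<a href="http://example.com/">example</a>'
SAMPLE_THEME = {
    "header.php": "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n",
    "footer.php": "<?php wp_footer(); ?>\n<?php echo base64_decode('"
                  + base64.b64encode(HIDDEN_LINK.encode()).decode() + "'); ?>\n</body></html>\n",
}
if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['decoded']!r} (hidden link: {f['hidden_link']})")
```

A legitimate theme will occasionally use Base64 for something like an inline image, so treat each finding as a prompt to read the decoded output, not as proof of malice.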

Another sad development resulting from the glut of free WordPress themes is the ripoff theme. We have counterfeit handbags, counterfeit perfume, counterfeit toys, so why not counterfeit WordPress themes? These are themes that were originally offered as paid themes, or were good free themes, that have been taken, altered to add some malicious code, and then released as “fresh, new, unique” and of course “free”.

So how do you avoid downloading a bad theme?

1. Stick to official channels. Googling “Free WordPress Theme” might yield tons of results, but who’s to say those websites are legitimate and offering good themes? Stick to the official WordPress.org theme repository, which contains a ton of perfectly nice free themes; Smashing Magazine and other trusted websites also often recommend good free themes. But as with all things, you shouldn’t rely solely on a recommendation. Read other reviews and do your own investigation before downloading and installing anything.

2. Consider paid themes. ThemeForest and WooThemes have huge selections of WordPress themes available. Many of them are feature-rich, SEO optimized, versatile, beautiful, and supported by the authors and developers who made them.

3. Hire a designer or developer. Of course, I have to include this! 😉 Hiring a designer or developer to make you a theme isn’t for everyone, especially not for most personal blogs, hobby blogs, or blogs you keep just for fun. It can get expensive and it still requires plenty of research, but if you’re setting up a business and want to represent yourself well, a free theme with malicious code in it most certainly isn’t going to cut it.