The danger of downloading themes!

Well if you just listened to my rant about the importance of open source to wordpress, what I’m about to say is not a surprise… if you download a theme from anywhere but Wordpress.org, you risk doing really bad things to your web site.
It seems that if you google for wordpress themes, almost all of the top results host modified versions of wordpress themes with obfuscated code inserted in them. This code might do something relatively benign, like adding backlinks to other sites, but it could potentially do terrible things, like installing malware on your viewers' computers.

I’ve said it before and I’ll say it again: Never install plugins or themes from any site other than wordpress.org!

Check out the video and links to some articles below…

Stop downloading Wordpress themes from shady sites
How Downloading a Premium Theme/Plugin From the Wrong Place Can Ruin Your Site
Watch Where You Download That

2 comments to The danger of downloading themes!

  • sometimes that code is very cleverly hidden. it can look like code that should be there. it could be in a javascript library that you see all the time like lightbox.js or jquery13.js. or it could be the google analytics footer that has googgle spelled wrong. so you wouldn’t see it right away.

    so if all looks well it’s imperative to test the theme using a sandbox installation. after installing it, look at the page source for starters. look at the “activity” window to see all the things that are active on that page. there shouldn’t be any graphics loaded from outside your server. javascript is often loaded from other sources. follow those links to make sure that what is there is really the source. and if you trust that, using Firefox run NoScript to see exactly what is being loaded from the javascript.

    okay so if all that seems overly complicated be sure to check out Theme Authenticity Check that does the looking for you.
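    A small scanner in the spirit of the checks above, added here as an example that is not part of the post, the comments, or the Theme Authenticity Checker plugin: it flags eval-on-decoded PHP, resources loaded from hosts other than your own, and hosts that are near-misses of trusted ones (the misspelled-google case). The own host, the trusted-host list and the sample footer are constructed assumptions.

```python
import re
import difflib
from pathlib import Path
from urllib.parse import urlparse

# eval/assert wrapped around a decoder: the classic shape of injected theme code
OBFUSCATION = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# absolute src= / href= values in PHP, HTML or JS templates
EXTERNAL_REF = re.compile(r"""(?:src|href)\s*=\s*["'](https?://[^"']+)["']""", re.IGNORECASE)
# hosts a theme may legitimately load from (assumed list for this example)
TRUSTED_HOSTS = {"www.google-analytics.com", "ajax.googleapis.com", "code.jquery.com"}

def scan_text(text, own_host):
    """Return (kind, detail) findings for one file's contents."""
    findings = [("obfuscated-php", m.group(0)) for m in OBFUSCATION.finditer(text)]
    for m in EXTERNAL_REF.finditer(text):
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        if host == own_host or host in TRUSTED_HOSTS:
            continue
        # a host that almost matches a trusted one (e.g. googgle-analytics) is the
        # "spelled wrong" trick; anything else is simply an external load to follow up
        lookalike = difflib.get_close_matches(host, TRUSTED_HOSTS, n=1, cutoff=0.85)
        findings.append(("lookalike-host" if lookalike else "external-resource", url))
    return findings

def scan_theme(theme_dir, own_host):
    """Walk a theme directory and map file path -> findings (files with none are omitted)."""
    results = {}
    for path in Path(theme_dir).rglob("*"):
        if path.suffix.lower() in {".php", ".js", ".html", ".css"}:
            found = scan_text(path.read_text(errors="replace"), own_host)
            if found:
                results[str(path)] = found
    return results

# constructed sample mimicking a tampered footer.php
SAMPLE = """<?php echo 'footer'; eval(base64_decode('aGVsbG8=')); ?>
<script src="http://www.googgle-analytics.com/ga.js"></script>
<img src="http://example.org/logo.png">
<script src="http://www.google-analytics.com/ga.js"></script>
"""

if __name__ == "__main__":
    for kind, detail in scan_text(SAMPLE, "myblog.example.com"):
        print(kind, detail)
```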

  • Dave

    Hi John, thanks for the comment. I had never thought of malicious code being stored in those files, but of course that would be a way better way to hide code than putting it in the index.php or header.php. I could probably recognize bad or encrypted code in PHP, but I would have no idea what I was looking at in a JavaScript file.

    That theme authenticity checker is a nice plugin. I will mention it on my podcast. Thanks!
