Monday, February 14, 2011

Free Wordpress themes considered harmful

It used to be that you could tell what was likely to give your computer a virus: if you stayed away from the porn and "free screensavers" then you were pretty much ok. Nowadays, though, with cross-site scripting, it's much harder to gauge which content might be unsafe.

So Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else caught my eye because it's a new example of how free... sometimes isn't. Why bother to exploit people's wordpress blogs, which is illegal in many places, when you can just give them the code and let them install and run it themselves? Mostly it looks like the code found is all about adding spammy SEO-boosting links for dubious properties, but there could definitely be worse elsewhere in those themes: that free theme could be using your blog to install malicious software on your visitors' computers!

Out of the ten sites on the first page of Google, here are the stats:

Safe: 1
Iffy: 1
Avoid: 8
8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress on the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.

Read the whole article to hear about what might be hiding in that free template you just downloaded. Basically, if you see a bunch of random encoded stuff that you don't understand, you should be awfully wary... Thankfully, the author demonstrates the use of two tools for figuring out if that theme you'd like ot try is safe: Theme Authenticity Checker and Exploit scanner. I guess those are the new antivirus for Wordpress?

No comments: