Site Security and file permissions matter

The other day we were talking over coffee about site security and whether it is really wise to trust plugins and themes without a second inspection, or at least a look at the code.

Now I am sure that many of us have installed a plugin or two without actually looking at the code, but does that really mean we are at risk? I think the undeniable answer is yes, for the very reason that themes and plugins for WordPress are released so widely and almost without restriction. The allure of "free" themes and plugins often leaves the casual blogger or website developer exposed to the various sites that offer "free themes".

Background

I think that, even though it is slightly dated, many of the points in this post remain valid:

Do not download WordPress themes distributed by 3rd party sites (5thirtyone.com)

Even though the article is dated 2007, it still contains very valid points. I have worked in WordPress theme development for many years, and themes do not need any sort of encryption or encoding to be functional.

A lot of the time, encoding is exactly the method chosen by those who are trying to get access to your private data.

There are a number of reasons why this method is so prevalent:

  1. The code is usually an encoded or obfuscated string rather than encrypted data, so spam and malware filters may not immediately detect it.
  2. The encoded strings are harder to trace than plain text, because a file search or grep for a suspicious function name will not match inside the encoded script.
  3. To the untrained eye, an eval() of an encoded string may look no more harmful than any other PHP snippet in the code.

Scenario

This actually came up in a discussion on LinkedIn, where someone was having a problem installing a theme. On first inspection he was getting this error:

Parse error: syntax error, unexpected '{' in /www/webroot/foo/wp-content/themes/Wood3/functions.php on line 149

Which is usually symptomatic of one of two things:

  1. The theme author accidentally left an extra brace in the code when the theme was released.
  2. The user had edited the code and deleted or added a line.

Seeing as the theme was publicly released, I decided to download it and take a look. I opened the code, went to line 149 and found something slightly disturbing; here is a snippet:

eval(str_rot13('shapgvba purpx_sbbgre().....

I am not sure what it does once evaluated, and I shall not be trying to find out. I think it is good that it broke before it executed, because it could have done a number of malicious things, especially if it had been installed in a production environment.
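The three reasons listed above (encoded payloads slip past filters, grep cannot see inside them, and an eval() looks innocuous) all point to the same check: find every eval() in a theme and decode, without executing, whatever is wrapped around its argument. Here is an added example of that check in Python, written for this post rather than taken from it or from the theme discussed. The decoders it knows (str_rot13, base64_decode, gzinflate, strrev) are my choice of the ones most often seen in obfuscated PHP, and the sample functions.php at the bottom is constructed: its fifth line mirrors only the 'shapgvba purpx_sbbgre' prefix quoted above, and the rest of each payload is made up so the example runs offline.

```python
"""Static scan of a PHP theme or plugin source for eval() wrapped around an
obfuscated payload (str_rot13, base64_decode, gzinflate, strrev), decoding the
payload as text so a reviewer can read it. Nothing is ever executed."""
import base64
import re
import zlib
from typing import Dict, List, Optional, Tuple

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# Pure-Python equivalents of the PHP decoders that obfuscated themes chain
# around eval(). Bytes travel through the chain as latin-1 strings so that a
# base64 layer can feed a gzinflate layer unchanged.
DECODERS = {
    "str_rot13": lambda s: s.translate(_ROT13),
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "strrev": lambda s: s[::-1],
}

_EVAL = re.compile(r"\beval\s*\(")
_CALL = re.compile(r"^\s*@?(\w+)\s*\((.*)\)\s*$", re.S)
_STR = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)


def _balanced_arg(src: str, start: int) -> Optional[Tuple[str, int]]:
    """Return (argument text, index of closing paren) for the '(' at src[start],
    skipping over quoted PHP strings so parentheses inside them do not count."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i], i
        i += 1
    return None


def _peel(arg: str) -> Tuple[List[str], Optional[str]]:
    """Strip nested decoder calls from an eval() argument.
    Returns (decoder chain outermost first, innermost string literal or None)."""
    chain: List[str] = []
    while True:
        m = _CALL.match(arg)
        if m and m.group(1) in DECODERS:
            chain.append(m.group(1))
            arg = m.group(2)
            continue
        s = _STR.match(arg)
        if s:
            q = s.group(1)
            return chain, s.group(2).replace("\\" + q, q).replace("\\\\", "\\")
        return chain, None                  # a variable or an unknown function


def decode_payload(chain: List[str], literal: str) -> str:
    """Apply the decoders innermost first, exactly as PHP would before eval()."""
    text = literal
    for fn in reversed(chain):
        text = DECODERS[fn](text)
    return text


def scan_php(src: str) -> List[Dict]:
    """Report every eval() in src with its decoder chain and decoded payload."""
    findings = []
    for m in _EVAL.finditer(src):
        got = _balanced_arg(src, m.end() - 1)
        if got is None:
            continue                        # unbalanced parens: truncated file
        chain, literal = _peel(got[0])
        entry = {"line": src.count("\n", 0, m.start()) + 1,
                 "chain": chain, "decoded": None, "error": None}
        if literal is None:
            entry["error"] = "argument is not a string literal wrapped in known decoders"
        else:
            try:
                entry["decoded"] = decode_payload(chain, literal)
            except Exception as exc:        # bad base64, corrupt deflate stream, ...
                entry["error"] = f"{type(exc).__name__}: {exc}"
        findings.append(entry)
    return findings


# Constructed sample functions.php (not the real theme). Line 5 mirrors the
# 'shapgvba purpx_sbbgre' prefix quoted in the post; the rest is made up.
_B64 = base64.b64encode(b"echo 'hello from base64';").decode()
_GZ = base64.b64encode(zlib.compress(b"echo 'hello from gzinflate';")[2:-4]).decode()
SAMPLE_FUNCTIONS_PHP = "\n".join([
    "<?php",
    "function theme_setup() {",
    "    add_theme_support('post-thumbnails');",
    "}",
    """eval(str_rot13('shapgvba purpx_sbbgre() { rpub "uvqqra"; }'));""",
    f"eval(base64_decode('{_B64}'));",
    f"eval(gzinflate(base64_decode('{_GZ}')));",
    "echo 'plain code is not flagged';",
])

if __name__ == "__main__":
    for f in scan_php(SAMPLE_FUNCTIONS_PHP):
        print(f"line {f['line']}: {'('.join(['eval'] + f['chain'])}(...) -> "
              f"{f['error'] or f['decoded']}")
```

Run it against each .php file under wp-content/themes/<theme>/ and read the decoded column: a str_rot13 payload that begins "function check_footer" is already telling you where the hidden code hooks in. Two caveats: a decoded payload can itself be another eval() layer, so feed it back through scan_php until it decodes to plain PHP; and an eval() whose argument is a variable is reported with an error rather than decoded, because only a real PHP interpreter could resolve it, which is exactly what you do not want to run on an untrusted theme.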

For example, if you ran an e-commerce site and, for some reason, stored credit card information on your server, code like this could easily grab any and all of that data.

Conclusion

I am sure there will be those who say this is true of any theme, but I usually look at the code of mine before installing. Perhaps that should be a more common practice, and those who are not as well versed should avoid less reputable sites for themes and plugins.

I think one of the easiest checks is to look at the various parts of the theme, such as the links in the footer, and, if you can, to read through the source code for anything that seems suspicious, such as an eval() of an encoded string.