How Stuff Gets on Your WordPress Site

I have a personal blog that I don't post on much, but today I randomly thought I might change that. I don't have much time to devote to it, so I wasn't very interested in creating my own theme, but I knew I wanted something techy, dark, and simple, and I really liked this one:

[screenshot: wordpress theme]

So even though I didn't get it from the WordPress site, I downloaded it out of curiosity. Things almost immediately started to look suspicious: all the PHP files in the zip were password protected, so I couldn't extract them and read the code before installing the theme.

[screenshot: password protect]

Well, that's okay, I can just upload the zip file to WordPress. Maybe they just don't want people messing with their design. It uploads fine, and it loads... wait, what's that in the footer?

[screenshot: cheapdrugs]

Oh my gosh – I don’t want to advertise an overseas pharmacy! People get arrested for that stuff in the U.S.! Crimeny! I’ll just take that link off…

[screenshot: encryptedfooter]

Hmm. I guess not.

And of course, if you delete the whole encoded footer block, the entire design breaks, because the footer's legitimate markup comes out of the same blob as the spam link. Worse, because the code is encoded you have no idea what these folks have actually put on your site, or what else it can do besides selling Viagra: whatever eval() unpacks runs as PHP on your server, with the same access as the rest of WordPress.

Just another reminder that you can sometimes undermine your own site's security yourself, by installing code you can't read.

I really liked that theme, too. :)

2 Responses to How Stuff Gets on Your WordPress Site

  1. Rob Funk says:
July 16, 2010 at 3:13 am

    It looks more obscured than encrypted. Copy that footer file to e.g. footer-decode.php, then change the eval to echo, and run the file (command-line php should be sufficient). You should see their code.

  2. Jen Lepp says:
July 16, 2010 at 3:20 am

Actually, it's encoded, but to most folks it's all the same – encrypted, encoded, obscured. Most folks that host here won't know how to get to the command line.

    You can use an online decoder like this:

    http://www.opinionatedgeek.com/dotnet/tools/bas

    to decode the string – though personally, we prefer people to just not use the templates if they're not familiar enough with code to clean them well.
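The approach Rob Funk describes above (swap eval for echo and run the file) works, but it still executes whatever the first layer unpacks, and a spammed footer can stack several layers. The script below is an added example, not code from the original post or from either commenter: it unwraps the same kind of eval(base64_decode(...)) blob statically in Python, so nothing from the theme ever runs, and it goes beyond the single layer shown in the post by peeling nested gzinflate, base64_decode, str_rot13 and strrev wrappers to any depth. The footer it decodes is constructed for the example; the hidden payload, its pharmacy.example link, the two-layer wrapper chain and the function names unwrap, deobfuscate and triage are all assumptions of this example rather than anything from the theme in the post.

```python
import base64
import codecs
import re
import zlib

# Constructed sample (made up for this example): the PHP a spammed footer.php
# hides. The pharmacy.example link is fictitious.
HIDDEN_PHP = ("echo '<div id=\"footer\">Powered by WordPress <a href=\"http://pharmacy.example/\" "
              "style=\"display:none\">cheap pills</a></div>';")


def _constructed_footer():
    """Two obfuscation layers, as spammed themes often stack them:
    eval(gzinflate(base64_decode(...))) hiding eval(str_rot13(base64_decode(...)))."""
    inner = base64.b64encode(codecs.encode(HIDDEN_PHP, "rot13").encode("latin-1")).decode()
    layer = "eval(str_rot13(base64_decode('%s')));" % inner
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, what PHP gzdeflate() emits
    outer = base64.b64encode(comp.compress(layer.encode("latin-1")) + comp.flush()).decode()
    return "<?php\n/* theme footer */\neval(gzinflate(base64_decode('%s')));\n?>\n" % outer


SAMPLE_FOOTER = _constructed_footer()
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
STR_RE = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)
DECODERS = {  # pure-Python equivalents of the PHP wrappers these blobs chain together
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
SUSPICIOUS = [  # worth a closer look in decoded code; labels only, nothing executes
    (r"display\s*:\s*none", "hidden element"),
    (r"<a\s+[^>]*href\s*=\s*['\"]https?://", "outbound link"),
    (r"\b(curl_exec|file_get_contents|fsockopen)\s*\(", "file or network access"),
    (r"\b(system|exec|passthru|shell_exec)\s*\(", "shell execution"),
]


def _balanced_argument(src, open_pos):
    """Text inside the parenthesis at open_pos, ignoring parens inside quoted strings."""
    depth, quote, i = 0, None, open_pos
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_pos + 1:i]
        i += 1
    return None


def unwrap(expr):
    """Statically evaluate a gzinflate(base64_decode('...'))-style chain.
    Returns (decoded_text, wrapper names outermost first); ValueError otherwise."""
    funcs = []
    while not STR_RE.match(expr):
        m = CALL_RE.match(expr)
        if not m or m.group(1).lower() not in DECODERS:
            raise ValueError("unsupported expression: %.40r" % expr)
        funcs.append(m.group(1).lower())
        expr = m.group(2)
    data = STR_RE.match(expr).group(2).encode("latin-1")
    for name in reversed(funcs):  # innermost wrapper decodes first
        data = DECODERS[name](data)
    return data.decode("latin-1"), funcs


def deobfuscate(src, max_layers=10):
    """Replace each eval(...) in src with the code it hid, never running any of it.
    Returns (rewritten_source, decoded_layers outermost first), so the footer can be
    read and edited like any other template: drop the spam link, keep the real markup."""
    layers = []
    for _ in range(max_layers):
        m = EVAL_RE.search(src)
        arg = m and _balanced_argument(src, m.end() - 1)
        if not arg:
            break
        try:
            decoded = unwrap(arg)[0]
        except ValueError:  # a wrapper we can't decode statically; leave it in place
            break
        layers.append(decoded)
        end = m.end() + len(arg) + 1  # one past the eval call's closing ')'
        src = src[:m.start()] + decoded.strip().rstrip(";") + src[end:]
    return src, layers


def triage(code):
    """Labels of every suspicious pattern found in a decoded layer."""
    return [label for pat, label in SUSPICIOUS if re.search(pat, code, re.I)]
```

Running deobfuscate(SAMPLE_FOOTER) returns the footer with both eval() layers replaced by the echo statement they concealed, plus the list of decoded layers; triage() on the innermost layer flags the hidden element and the outbound link. The script stops at the first eval() whose argument is not a literal wrapped in known decoders (eval($x), for instance), which is the point at which a theme needs a proper read rather than a quick decode.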
