How Stuff Gets on Your WordPress Site

I have a personal blog that I don’t blog on much, but today I thought I might change that. I don’t have much time to devote to it, so I wasn’t very interested in creating my own theme, but I knew I wanted something techy, dark, and simple, and I really liked this one:

So even though I didn’t get it from the WordPress site, I downloaded it out of curiosity. Things almost immediately started to look suspicious – all the PHP files were password protected, so I couldn’t extract the files from the zip file.

Well, that’s ok – I can just upload the zip file to WordPress. Maybe they just don’t want people messing with their design. It uploads fine, and it loads…wait, what’s that in the footer?

Oh my gosh – I don’t want to advertise an overseas pharmacy! People get arrested for that stuff in the U.S.! Crimeny! I’ll just take that link off…

Hmm. I guess not.

And of course, if you delete the entire encoded footer block, the whole design breaks – and on top of that, because the code is encoded, you really have no idea what these folks have put on your site, or what else it may be capable of doing besides selling Viagra.

Just another reminder of how easily you can sometimes undermine your own site’s security.

I really liked that theme, too. 🙂

  • It looks more obscured than encrypted. Copy that footer file to e.g. footer-decode.php, then change the eval to echo, and run the file (command-line php should be sufficient). You should see their code.

  • Actually, it's encoded, but to most folks it's all the same – encrypted, encoded, obscured – most folks that host here won't know how to get to the command line.

    You can use an online decoder like this:

    to decode the string – though personally, we prefer people to just not use the templates if they're not familiar enough with code to clean them well.
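As an added, defender-side example (not code from the post or from the commenters): a small Python scanner that does what the comment above suggests without running the theme's code. Instead of swapping eval for echo and executing the file, it finds eval() wrapped in the usual decoder chain, unwraps the blob statically, and lists any outbound links the hidden code would inject. The sample footer, the decoder chain and the pharmacy.example link are constructed placeholders; the scanner also handles gzinflate, str_rot13 and strrev wrappers, which goes beyond the single encoding the post shows.

```python
import base64
import codecs
import re
import zlib

# Constructed sample footer.php, modelled on the obfuscated footer the post describes.
# The hidden PHP and the pharmacy.example link are made-up placeholders, not the theme's code.
HIDDEN_PHP = (b"echo '<p id=\"credit\">Theme by Example | "
              b"<a href=\"http://pharmacy.example/\">placeholder pharmacy link</a></p>';")
_co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)   # raw deflate, like PHP gzdeflate()
_blob = base64.b64encode(_co.compress(HIDDEN_PHP) + _co.flush()).decode()
SAMPLE_FOOTER_PHP = "<?php\n/* footer */\neval(gzinflate(base64_decode('" + _blob + "')));\n?>\n"

# PHP decoder functions commonly chained inside eval(); each is reimplemented here so the
# blob can be unwrapped statically, i.e. without ever executing the theme's code.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|str_rot13|strrev)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*(?:\)\s*)+",
    re.S,
)
LINK_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_eval_payloads(php_source: str) -> list[str]:
    """Return the plaintext of every eval(<decoder chain>('<blob>')) found in php_source."""
    payloads = []
    for m in EVAL_RE.finditer(php_source):
        chain = re.findall(r"[a-z0-9_]+", m.group(1))  # outermost first, e.g. gzinflate, base64_decode
        data = m.group(2).encode()
        for name in reversed(chain):                    # apply the innermost decoder first
            data = DECODERS[name](data)
        payloads.append(data.decode("utf-8", errors="replace"))
    return payloads


def scan_theme_file(php_source: str) -> dict:
    """Report hidden evals and any outbound links they would inject, such as a footer spam link."""
    payloads = decode_eval_payloads(php_source)
    links = [link for p in payloads for link in LINK_RE.findall(p)]
    return {"obfuscated_evals": len(payloads), "decoded": payloads, "links": links}
```

Run scan_theme_file over each PHP file in a downloaded theme before activating it; a non-empty "links" list is the footer link the post ran into, found without ever loading the theme.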