If you run one or more WordPress blogs, you might be tempted to use some of the thousands of free WordPress themes available on the web. Be aware that some may contain malicious code or links embedded in encoded sections of PHP code that may be detrimental to your web site.
We have always been suspicious about the numerous free WordPress themes available where the footer.php script contains an encoded section intended to prevent users from altering or removing outbound links embedded in the footer. Many authors of these themes sell links to site owners, embed them in the footer script, and then encode the script so that they cannot be removed. Some themes have embedded code that allows the authors to remotely change the links found in the footer.
According to a legal opinion about the WordPress GPL (General Public License) posted on the WordPress site, the PHP code in themes falls under the GPL licensing as well. Read it yourself and interpret it as you wish, but it appears that the code in any WordPress theme cannot be copyrighted or protected. That therefore means that the code in any theme can be altered by the user.
Note the section in the legal opinion that states, “In conclusion, the WordPress themes supplied contain elements that are derivative of WordPress’s copyrighted code. These themes, being collections of distinct works (images, CSS files, PHP files), need not be GPL-licensed as a whole. Rather, the PHP files are subject to the requirements of the GPL while the images and CSS are not. Third-party developers of such themes may apply restrictive copyrights to these elements if they wish.” This opinion says that the images and the CSS code in a theme can be copyrighted, but any PHP code in the theme cannot.
Herein Lies the Problem With Some Free Themes
We found an article on a security blog that described tracking code hidden in a WordPress theme. The tracking code was only discovered after the scammer’s server went down and the code started generating errors. Read Be Careful Where You Get Your Theme From for more information. According to the article, over 9,000 web sites using the scammer’s free themes started generating the errors.
What Does The Code In An Encoded Theme Look Like?
Most often, we see encoded sections in the footer.php script, but it can reside in the functions.php script or just about anywhere in the theme. Look for sections of code that look like this:
In the case of the partial section of theme code that we used for the example, the entire footer.php file is encoded. There are 13,200 bytes of code in the footer, so it is a large block of code. This encoded footer appears to merely prevent the removal of embedded footer links, but with that much code, what else could it be doing? Any encoded PHP could potentially be sending your database name, username and password–or perhaps your WordPress admin password–to a hacker’s server in China.
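As an added example (not code from the original post or from any theme author), the following defensive scanner does what the text asks of a reader by eye: it walks a theme directory and flags the constructs that encoded themes rely on, namely runtime-evaluation and decoding calls and long base64-looking string literals such as a fully encoded footer.php. The list of function names it watches for and the two sample footers are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path

# Wrappers commonly used to hide PHP inside a theme. This list is an
# assumption of the example; the original post does not enumerate them.
SUSPICIOUS_CALLS = [
    ("eval(", re.compile(r"\beval\s*\(")),
    ("base64_decode(", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate(", re.compile(r"\bgzinflate\s*\(")),
    ("gzuncompress(", re.compile(r"\bgzuncompress\s*\(")),
    ("str_rot13(", re.compile(r"\bstr_rot13\s*\(")),
    ("create_function(", re.compile(r"\bcreate_function\s*\(")),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    ("preg_replace /e", re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*?/[a-zA-Z]*e[a-zA-Z]*['\"]")),
]

# A quoted run of 80 or more base64-alphabet characters: hand-written
# theme code almost never contains one, encoded payloads always do.
LONG_BASE64 = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")


def scan_php_source(src, name="<string>"):
    """Return a list of (name, line_no, reason) findings for one PHP source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_CALLS:
            if pattern.search(line):
                findings.append((name, lineno, label))
        m = LONG_BASE64.search(line)
        if m:
            findings.append((name, lineno,
                             "long base64-looking string literal (%d chars)" % len(m.group(1))))
    return findings


def is_suspicious(src):
    """True if the source contains any of the obfuscation markers above."""
    return bool(scan_php_source(src))


def scan_theme_dir(root):
    """Scan every .php file under a theme directory; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        findings = scan_php_source(src, str(path))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample: a plain footer with a visible, editable author link.
CLEAN_FOOTER = """<?php
// Legitimate footer: the link back to the author is in the clear
?>
<div id="footer">
  <a href="https://example.com/theme-author">Theme by Example Author</a>
</div>
"""

# Constructed sample of an encoded footer: the real markup lives in a
# base64 blob and is only materialised by eval() at request time.
ENCODED_FOOTER = (
    "<?php\n"
    '$blob = "' + "QUFB" * 40 + '";\n'
    "eval(base64_decode($blob));\n"
    "?>\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_theme.py /path/to/wp-content/themes/some-theme
        for path, findings in scan_theme_dir(sys.argv[1]).items():
            for _, lineno, reason in findings:
                print("%s:%d: %s" % (path, lineno, reason))
    else:
        for _, lineno, reason in scan_php_source(ENCODED_FOOTER, "footer.php"):
            print("footer.php:%d: %s" % (lineno, reason))
```

Run it against an unpacked theme directory before activating the theme; a hit on eval() or a decoder together with a long literal in footer.php is exactly the pattern described above. A match is a reason to read the file, not proof of malice, since a few legitimate plugins also decode embedded data.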
The issue at hand is not only the fact that malicious code may be hidden in the encoded PHP. Any time a web site contains numerous links to unrelated sites, Google may interpret that as purchased links, which is something they have been on a vendetta about for the past few years. In other words, even if the theme is legitimate but contains links to ring tone sites, casinos or any type of site that is unrelated to the theme of your site, you put your site at risk of receiving a penalty from Google. This can reduce the ability of your site to rank well.
What is legitimate and acceptable is for the theme author to include links back to their own web site. It is common to find links to WordPress theme sites or a designer’s web site, so you do not need to be concerned about those types of links.
It is up to you to decide what to do when you find encoded PHP in a WordPress theme. Personally, I would never consider using a WordPress theme if any section of it is encoded. Keep in mind that you cannot simply use the author’s images and CSS code and move them to a new theme without violating copyrights. However, it does appear that you are free to alter the PHP (encoded or not) in any way that you wish.