
WordPress Hacked Themes – Pre-hacked Themes, WordPress Theme Hacked At The Factory

Author: AITpro Admin
Published: January 31, 2011
Updated: January 31, 2011

Recently I was helping a new BulletProof Security user track down what appeared to be the second successful hack of BulletProof Security in 10 months. It turned out the WordPress Theme was what I like to refer to as a “WordPress Theme hacked at the factory”: you download and install a WordPress Theme that is already coded to do something you don’t want it to do, with nasty code that you had no idea was in it, pre-hacked right out of the box. You could legitimately argue that if these links come with the WordPress Theme then they are part of the Theme design itself, so technically it isn’t a hacked WordPress Theme at all. What cancels out any legitimacy for these pre-hacked WordPress Themes is that if you remove the links, they will just come back again tomorrow, because that is how the code in these Themes is designed.

In this particular case the WordPress Theme was displaying a link at the top of the page going to one of those obnoxious Viagra-like sites. I was curious about where the WordPress Theme came from, so working with the owner of the website we did some backtracking. The owner of the website (may or may not want to remain anonymous; I have not asked for permission to share his name yet) discovered a very nasty picture: several mirrored websites with thousands of pre-hacked WordPress Themes ready to be downloaded by unsuspecting victims.

I can’t say with 100% certainty that this is 100% intentional, but all the evidence puts me at around 99.99% sure that these sites are intentionally offering pre-hacked WordPress Themes to unsuspecting victims.

BulletProof Security is not capable of stopping your website from being hacked if the Theme is designed pre-hacked, meaning it is already hacked right out of the box. In that case BulletProof Security is not detecting an external threat, because the hack is already built into the Theme itself.

There are too many WordPress Theme names to list, since there appear to be thousands of pre-hacked Themes on these mirrored websites. So be forewarned that if you download a WordPress Theme from these websites you are probably downloading and installing a pre-hacked WordPress Theme with code already in it that you do not want. Unless of course you don’t mind having Viagra and other obnoxious spammy links on your website. LOL

wpblogskins.com
wordpresstemplates.com
wordpressthemes2.com

These are just 3 of the mirrored sites and there appear to be many more. The smarter approach is to check your WordPress Theme for the following things:

File names: theme_licence.php and start_template.php (which can easily be changed to something else)

Check your WordPress Theme's header.php and sidebar.php files. If you see code like this in these files then you have a pre-hacked WordPress Theme.

require_once("theme_licence.php"); eval(base64_decode($f1)); bloginfo('html_type'); 
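
The checks above can be automated. The following is an added example, not code from BulletProof Security or from the original post: it scans a theme directory for the two file names and the code patterns listed above. It goes beyond header.php and sidebar.php to every .php file and matches on content, since the file names can be changed. The function names, the sample theme tree and the gzinflate variant are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names reported on this page; the page notes they are easily renamed.
KNOWN_FILENAMES = {"theme_licence.php", "start_template.php"}
# Content indicators, tolerant of case, whitespace and nested decoder calls.
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:@?\s*\w+\s*\(\s*)*base64_decode\s*\(", re.I),
    "include-of-known-file": re.compile(
        r"\b(?:require|include)(?:_once)?\s*\(?\s*['\"][^'\"]*"
        r"(?:theme_licence|start_template)\.php['\"]", re.I),
}

def scan_theme(theme_dir):
    """Return sorted (relative_path, line_no, indicator); line 0 = file name hit."""
    findings = []
    root = Path(theme_dir)
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_FILENAMES:
            findings.append((rel, 0, "known-filename"))
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, line_no, name))
    return sorted(findings)

def build_sample_theme(root):
    """Write a constructed theme tree (sample data, not a real theme)."""
    root = Path(root)
    (root / "header.php").write_text('<?php require_once("theme_licence.php"); ?>\n')
    (root / "sidebar.php").write_text("<ul>\n<?php EVAL ( base64_decode( $f1 ) ); ?>\n")
    (root / "footer.php").write_text("<?php wp_footer(); ?>\n")
    (root / "theme_licence.php").write_text("<?php $f1 = 'Y29uc3RydWN0ZWQ='; ?>\n")
    # Renamed loader with a nested decoder: found by content, not by file name.
    (root / "functions.php").write_text("<?php\neval(gzinflate(base64_decode($x)));\n")
    return root

def demo_findings():
    """Scan the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_theme(build_sample_theme(tmp))

if __name__ == "__main__":
    for rel, line_no, name in demo_findings():
        print(f"{rel}:{line_no or '-'}: {name}")
```

A hit is a reason to read the file by hand, not proof on its own: legitimate themes rarely need eval on decoded data, but a clean scan does not rule out other obfuscation.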

A note of caution: If you are downloading a Free WordPress Theme from an individual website, as opposed to downloading a Free WordPress Theme from WordPress.org, make sure that you check the Theme’s code for anything suspicious. When anyone submits a Free Theme to WordPress it is checked and approved by the WordPress folks before it is allowed to be listed in their Theme directory. The same applies to Free WordPress Plugins: the code is checked and approved by WordPress before they will list the plugin in their directory.

At some point BulletProof Security will include simple Alerting that will detect whether or not you have a pre-hacked WordPress Theme.
