{"id":2376,"date":"2011-01-31T17:08:38","date_gmt":"2011-02-01T00:08:38","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=2376"},"modified":"2011-01-31T17:54:18","modified_gmt":"2011-02-01T00:54:18","slug":"wordpress-hacked-themes-pre-hacked-themes-wordpress-theme-hacked-at-the-factory","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/2376\/misc-projects\/exposed-scams\/wordpress-hacked-themes-pre-hacked-themes-wordpress-theme-hacked-at-the-factory\/","title":{"rendered":"WordPress Hacked Themes &#8211; Pre-hacked Themes, WordPress Theme Hacked At The Factory"},"content":{"rendered":"<p>Recently I was helping a new BulletProof Security user track down what appeared to be the second successful hack of BulletProof Security in 10 months.\u00a0 Turns out the WordPress Theme was what I like to refer to as a &#8220;WordPress Theme hacked at the factory&#8221;.\u00a0 Meaning yes you just downloaded and installed a WordPress Theme that is already\u00a0coded to do something you don&#8217;t want it to do, with some nasty code that you had no idea was already in the WordPress Theme\u00a0&#8211; pre-hacked right out of the box.\u00a0 Now you could legitimately argue that if these links come with the WordPress Theme then they are part of the Theme design itself and well then technically it isn&#8217;t a hacked WordPress Theme at all.\u00a0 The thing that cancels out\u00a0any legitimacy for these pre-hacked WordPress Themes is that if you remove the links\u00a0they will just come back again tomorrow because that is the way the coding is designed in these pre-hacked WordPress Themes.<\/p>\n<p>In this particular case the WordPress Theme was displaying a link at the top of the page going to one of those obnoxious viagra-like sites.\u00a0 I was curious about where the WordPress Theme came from so working with the owner of the website we\u00a0did\u00a0some back tracking.\u00a0 The owner of the website (may or may not want to remain 
anonymous &#8211; have not asked for permission to share his name yet) discovered a very nasty picture.\u00a0 Several mirrored websites with thousands of pre-hacked WordPress Themes ready to be downloaded by unsuspecting victims.<\/p>\n<p>I can&#8217;t say with 100% certainty that this is 100% intentional, but all the evidence puts me at around 99.99% sure that these sites are intentionally offering pre-hacked WordPress Themes to unsuspecting victims.<\/p>\n<p>BulletProof Security is not capable of stopping your website from being hacked if\u00a0it is designed pre-hacked.\u00a0 Meaning the Theme is already hacked right out of the box.\u00a0 So BulletProof Security is not detecting an external threat because the hack is already built into the Theme itself.<\/p>\n<p>There are too many WordPress Theme names to list since there appear to be thousands of them on these mirrored websites that are pre-hacked.\u00a0 So be forewarned that if you downloaded a WordPress Theme from these websites you are probably downloading and installing a pre-hacked WordPress Theme\u00a0with coding already in it that you do not want.\u00a0 Unless of course you don&#8217;t mind having Viagra and other obnoxious spammy links on your website.\u00a0 LOL<\/p>\n<p>wpblogskins.com<br \/>\nwordpresstemplates.com<br \/>\nwordpressthemes2.com<\/p>\n<p>These are just 3 of the mirrored sites and there appear to be many more.\u00a0 The smarter approach is to check\u00a0your WordPress Theme for the following things:<\/p>\n<p>filenames:\u00a0 theme_licence.php and\u00a0start_template.php (which can be easily changed to something else again)<\/p>\n<p>Check your WordPress Theme header.php file and sidebar.php files.\u00a0\u00a0If you see code like this in these files then you have a pre-hacked WordPress Theme.<\/p>\n<pre>require_once(\"theme_licence.php\"); eval(base64_decode($f1)); bloginfo('html_type');\u00a0\r\n<\/pre>\n<p><strong>A\u00a0note of caution:\u00a0 If you are downloading a\u00a0Free 
WordPress Theme from an individual website\u00a0as opposed to downloading a Free\u00a0WordPress Theme from WordPress.org you want to make sure that you check the Theme&#8217;s code for any suspicious coding.\u00a0 When anyone submits a Free Theme to WordPress it is checked and approved by the WordPress folks before it is allowed to be listed in their Theme directory.\u00a0 The same applies for Free WordPress Plugins &#8211; the coding is checked and approved by WordPress before they will list the plugin in their directory<\/strong>.<\/p>\n<p>At some point BulletProof Security will include simple Alerting that will detect whether or not you have a pre-hacked WordPress Theme.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I was helping a new BulletProof Security user track down what appeared to be the second successful hack of BulletProof Security in 10 months.\u00a0 Turns out the WordPress Theme was what I like to refer to as a &#8220;WordPress Theme hacked at the factory&#8221;.\u00a0 Meaning yes you just downloaded and installed a WordPress Theme 
[&hellip;]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[243],"tags":[346,347,345,344],"class_list":["post-2376","post","type-post","status-publish","format-standard","hentry","category-exposed-scams","tag-pre-hacked-wp-themes","tag-require_once-theme_licence-php","tag-wordpress-hacked-themes","tag-wordpress-pre-hacked-themes"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=2376"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2376\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=2376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=2376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=2376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}