WordPress landmines
Aug 8th, 2008 by Lynne
You’d think a person with more than twenty years’ experience in the computer biz wouldn’t be foolish enough to download and install applications from untrusted sources, but sometimes even those who ought to know better get distracted by shiny, pretty graphics. Oh, the humiliation. :-)
I’ve been working on my pseudonyms’ web sites lately to get them ready before any submissions go out, and I followed a bunch of links to various WordPress template sites. Some of the themes were absolutely gorgeous and captured just exactly the kind of mood I was hoping to create, so I happily downloaded them and applied them to my sites.
Stupid.
Very stupid.
The prettiest templates I downloaded had seriously nasty hostile code embedded in the footer.php file. And how did I find this out? Hitting the sites from somewhere other than home. I usually don’t set up my personal security software to filter that kind of thing, but that’s not the case for everyone, certainly not corporations.
Now what do you suppose would’ve happened if I’d left that code in there and an editor who was reviewing one of my manuscripts tried to hit the site from her office? Her corporate web filtering software would’ve blocked my site, and the same thing may have happened when she tried to hit it from home, the library, or Starbucks.
Zoinks.
Lesson learned? Only download WordPress templates from trusted sites, like the WordPress Theme Directory. They automatically reject any themes that contain weird code like I found in footer.php. Still, it doesn’t hurt to take a quick browse through your theme files, even if you don’t know PHP. Any long strings of characters inside parentheses (basically a huge encrypted string passed to a function call or nested function calls) are probably a sign that the template designer is trying to do something sneaky, and you’d be well advised to steer clear. Pay particular attention to anything like base64_encode.
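That quick browse through the theme files can be turned into a small script. The Python scanner below is an added example, not code from the original post; it looks for the two signs the post names (long runs of characters inside quotes and parentheses, and calls to base64_encode and its decoding counterpart base64_decode, plus a few related functions that runtime-unscrambled payloads tend to use) and runs over a constructed clean footer.php and a constructed tampered one. The length threshold, the function list and the sample file contents are assumptions chosen for the demonstration.

```python
"""Heuristic scanner for obfuscated PHP in WordPress theme files (added example)."""
import base64
import re
import tempfile
from pathlib import Path

# Functions that tampered themes use to unscramble a payload at page-load time.
# base64_encode is the hint from the post; base64_decode is what the decoding
# step in such a footer actually calls. The rest are assumed common companions.
SUSPICIOUS_CALLS = (
    "base64_decode", "base64_encode", "eval",
    "gzinflate", "str_rot13", "create_function",
)

# A quoted run of 40+ characters from the base64 alphabet. Hand-written theme
# templates almost never contain strings like this (threshold is an assumption).
MIN_ENCODED_LEN = 40
LONG_ENCODED_STRING = re.compile(
    r"""['"]([A-Za-z0-9+/=]{%d,})['"]""" % MIN_ENCODED_LEN
)
CALL_PATTERN = re.compile(
    r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE
)


def scan_text(text):
    """Return (line_number, kind, detail) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CALL_PATTERN.finditer(line):
            findings.append((lineno, "call", m.group(1).lower()))
        for m in LONG_ENCODED_STRING.finditer(line):
            findings.append((lineno, "long_string", len(m.group(1))))
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under a theme directory; map path -> findings."""
    results = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        found = scan_text(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results


# --- constructed sample files (not taken from any real theme) ---------------
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"

# The "payload" is just a harmless echo, base64-encoded so it has the shape
# (long opaque string handed to nested function calls) the post describes.
SAMPLE_PAYLOAD = base64.b64encode(
    b"echo 'harmless constructed sample';" * 2
).decode()
TAMPERED_FOOTER = (
    "<?php wp_footer(); ?>\n"
    '<?php eval(base64_decode("' + SAMPLE_PAYLOAD + '")); ?>\n'
    "</body>\n</html>\n"
)


def demo_scan():
    """Write the constructed samples into a temp theme folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "pretty-theme"
        theme.mkdir()
        (theme / "header.php").write_text(CLEAN_FOOTER)
        (theme / "footer.php").write_text(TAMPERED_FOOTER)
        # Key by file name so the result does not depend on the temp path.
        return {Path(p).name: f for p, f in scan_theme(theme).items()}


if __name__ == "__main__":
    for name, findings in demo_scan().items():
        print(name)
        for lineno, kind, detail in findings:
            print(f"  line {lineno}: {kind} {detail}")
```

Run it against a real theme with `scan_theme("/path/to/wp-content/themes/your-theme")`; a hit is a reason to read that line yourself, not proof of tampering, since a few legitimate plugins do embed encoded data.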

So what exactly was the sneaky designer attempting with the template you downloaded? Haxxoring? Rerouting links?
Hi, Jody! In some cases, they were embedding links to pr0n or hacker sites, and that alone is enough to cause problems for some web filters. It also looks unprofessional as all hell. The links weren’t always the same, either, so the code had an algorithm for dynamically determining what sites would be linked to.
And then there was some very unfriendly JavaScript, too. All this was obscured in encrypted code that would only be unscrambled at runtime — in other words, anytime someone loaded the page. It took me a while to figure out just what it was doing.
I’ve gone back through all my template files now, and there’s nothing in there that is obfuscated in any way. I’m just glad I caught this before any editors tried to hit my pseudonyms’ pages. That would have sucked, big time!