It is no longer news that “free” downloads of premium WordPress themes (so-called nulled themes) are widely used to spread malware, malicious code, cheap backlinks, spam and other unethical activity.
Just recently I was contacted via Fiverr to fix a malicious spam bug on a popular site built on the WordPress platform.
On logging in to the cPanel of the site I discovered that the theme generates automatic spam messages (linking to some hotel, drug and sales pages unrelated to the site) and sends them to an unlimited list of email addresses hosted on an external server, using URI requests to send the queries, thereby causing server load, lagging and periodic breaking of the website.
I contacted the site owner to ask how he had purchased the theme, and I was very shocked when he told me that he got the theme a long time ago from a third party (a friend) who used it to pay him for a service.
Must Read: Completely Conceal (Hide) Your WordPress, Joomla, SMF and Drupal Theme Information From the Public
10 Reasons To Avoid Downloading “Premium WordPress Themes for Free”
- It is illegal and amounts to theft (copyright infringement)
- Spam links are sold through this channel
- Google may penalise your site for linking to the malicious sites dropped into the footer (e.g. fake antivirus sites, already blacklisted sites and malware-infected sites)
- You may have difficulty removing the footer links because they are usually hidden with base64 encoding and similar obfuscation (base64 is encoding, not encryption: it hides the link from a casual reader but decodes trivially once you know where to look)
- You will never get support
- There are no updates for a premium theme downloaded for free, so any vulnerability fixed upstream stays open on your site
- Attackers can easily compromise such themes because they have downloaded the same copy themselves and searched it for vulnerabilities and loopholes
- Malicious code and malware are usually found in such themes
- Most of these themes are shared for free by attackers and technically skilled spammers
- Themes obtained this way are usually buggy, contain errors and may even break when used with other plugins
Security Tips When Testing Nulled WordPress Templates
If for any reason you want to test a nulled theme before buying the licensed copy, follow the best practices below and avoid using such a theme for any commercial purpose.
The tips below will help you scan such a theme for malicious code, dangerous scripts, spam code and suspicious links, and remove them.
Tools to Verify Your Theme’s Integrity Before Using them on your WebSite
For the purpose of this tutorial only, we are providing two themes (one premium and one free) for you to evaluate on your local WAMP server, so that you can see how this works.
We are sure of one thing: the copies provided here will not infect or damage your computer when examined locally. Uploaded to a web server, however, they will render it useless. Never use either of these copies on a site that is already hosted on a live server; if you like them, purchase them from the seller. Uploading these copies will, in my experience, bring your entire site down.
Evaluation: the screenshot below shows the initial red flag we observed while trying to use these themes, after checking them with the tools discussed below.
Note that the tips given here do not necessarily apply to the theme author’s own site, but they do apply to third-party sites that sell those themes as affiliates, hand them out as give-aways or offer them for free download. Take these steps to double-check such themes so that you do not ruin your site.
The safest place to download free WordPress themes is the official directory at wordpress.org, where themes are reviewed before listing. Other directories may be legitimate, but you cannot be sure: attackers can seed such directories with innocent-looking themes stuffed with malicious code and exploit URLs. If you must use a theme from such a source, follow the instructions below so you can do it without fear of a later compromise.
- Install WAMP server: spending 15 minutes downloading, installing and configuring WampServer on your computer may save you two weeks of searching for a programmer to restore and harden your WordPress site once it has been exploited. WampServer lets you run a local copy of WordPress on your computer where you can test new themes and plugins for bugs, compatibility and security before uploading them to your site. It is completely free; download the version that matches your operating system from the WampServer site.
- Install Theme Authenticity Checker (TAC): this plugin is a must-have for your local install, since it points you to the theme files that contain static links to external sites and encoded (base64 or similar) PHP. With it installed you stand a good chance of spotting those hidden links and encoded URLs, but review its hits by hand: it is a pattern matcher, not a verdict.
- Install Exploit Scanner: like Theme Authenticity Checker, this plugin gives a more detailed report of possibly exploitable code in your themes and plugins. Install it on your local server as well.
Having these three tools on your local server ensures that plugins and themes are checked before they go to your live site. They help you detect and fix problems either by editing the theme files directly or by decoding the suspicious base64 strings with the decoding tools listed below.
Tools to Decode the Obfuscated PHP Code Found in Many Nulled WordPress Themes:
From everything discussed so far it should be clear that most of this encoded PHP is malicious and can do serious damage to a site, either directly or SEO-wise. With that in mind, here are free online tools you can use to see what the encoded strings actually contain, so you can judge whether they serve the theme at all. Two cautions: base64 and gzinflate are encodings, not encryption, so no key is needed, and a payload is often wrapped in several layers that must be peeled one after another; and when you find an `eval()` applied to decoded data, remove the whole block rather than just the link inside it, because such a construct can load arbitrary code, not only a footer link.
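The following Python script is an added example, not a tool from the original article and not the TAC or Exploit Scanner plugin: it does in a few lines what those plugins and the online decoders are used for here. It walks a theme directory, flags lines that call `eval`, `base64_decode`, `gzinflate` or similar wrappers, and peels the base64 and raw-DEFLATE layers so the hidden payload (the kind of footer link described in point 10 of the list above) can be read in clear. The sample theme it builds, its file names and the spam URL are constructed for the demonstration.

```python
"""Scan a WordPress theme directory for the obfuscation wrappers nulled themes
use to hide footer links and backdoors, then peel the encoding layers.

Added example for this article: not the TAC or Exploit Scanner plugin, just
the same idea in Python.  The sample theme it builds is constructed for the demo.
"""
import base64
import os
import re
import tempfile
import zlib

# PHP functions that normal theme code almost never needs on the same line as a
# long quoted blob.  A hit means "look at this", not an automatic verdict.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|create_function|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)
# A quoted run of base64 alphabet of 20+ characters, optionally padded.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{20,}={0,2})['"]""")


def decode_layers(blob: str, max_layers: int = 5) -> str:
    """Base64-decode repeatedly, inflating raw DEFLATE (PHP's gzinflate) when
    the decoded bytes are binary, until the data stops decoding.  max_layers
    keeps a crafted blob from looping forever.  Base64 is encoding, not
    encryption, so no key is involved."""
    data = blob.encode()
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error: not base64, we are done
            break
        try:
            decoded.decode("utf-8")  # readable text: another base64 layer or the payload
        except UnicodeDecodeError:
            try:
                decoded = zlib.decompress(decoded, -15)  # wbits -15 == raw DEFLATE
            except zlib.error:
                pass
        data = decoded
    return data.decode("utf-8", errors="replace")


def scan_theme(theme_dir: str) -> list:
    """Return one finding per suspicious line in every .php file under theme_dir."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if not SUSPICIOUS.search(line):
                        continue
                    findings.append({
                        "file": os.path.relpath(path, theme_dir),
                        "line": lineno,
                        "snippet": line.strip()[:72],
                        "decoded": [decode_layers(m) for m in B64_LITERAL.findall(line)],
                    })
    return findings


def build_sample_theme() -> str:
    """Write a constructed three-file theme to a temp dir: a clean header and
    two files hiding a spam link the way nulled themes do.  The URL is made up."""
    payload = b"echo '<a href=\"http://spam.example/\">cheap pills</a>';"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, like gzdeflate()
    inflate_blob = base64.b64encode(deflater.compress(payload) + deflater.flush()).decode()
    double_b64 = base64.b64encode(base64.b64encode(payload)).decode()
    theme = tempfile.mkdtemp(prefix="nulled-theme-")
    files = {
        "header.php": "<?php wp_head(); ?>\n",
        "footer.php": "<?php wp_footer(); ?>\n"
                      f"<?php eval(gzinflate(base64_decode('{inflate_blob}'))); ?>\n",
        "functions.php": "<?php\n"
                         f"$_f = base64_decode(base64_decode('{double_b64}')); eval($_f);\n",
    }
    for name, body in files.items():
        with open(os.path.join(theme, name), "w") as fh:
            fh.write(body)
    return theme


if __name__ == "__main__":
    for hit in scan_theme(build_sample_theme()):
        print(f"{hit['file']}:{hit['line']}  {hit['snippet']}")
        for text in hit["decoded"]:
            print("    decoded ->", text)
```

Point `scan_theme()` at an unpacked theme folder on your local WAMP install, never at the live site. A clean theme from the official directory should produce no hits at all; a hit whose decoded payload is an `echo` of a link, a `curl`/`file_get_contents` to an outside host, or further `eval` calls is the red flag the article describes, and the fix is to delete the whole wrapper, not just the URL.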
Concluding Lines: as a webmaster or WordPress admin, you must make your site’s overall security a top priority. Take all the recommended WordPress security measures very seriously, such as:
- keeping every plugin and theme up to date
- installing security plugins
- changing the default user ID from 1 to something else
- changing the default admin login name to something else
- changing your login URL
- hiding special header and theme information from the public
- restricting public access to wp-config.php, .htaccess, the install script and similar files
and watch out for known exploitation techniques so you can get them fixed.
Think I’ve omitted something? Let us know in the comments.