What is encrypted code in WordPress themes?

Recently there has been a lot of buzz among WordPress users about the use of free themes! Some free themes were found to be malicious because they included encrypted code. This has made theme users suspicious of theme creators.

Some Bloggers don’t give proper credits to the Theme creator and remove their names from the Footer Credits. This has caused a lot of Theme designers to take this unusual step!

To keep some things in the theme hidden from the theme user, designers encrypt them and embed them in the theme. They put the encrypted code in a separate PHP file in the theme or in some important existing theme file. This encrypted code is not understandable to normal users.

What does this Encrypted code do?

This encrypted code can do many things!

  1. It may cause your theme to work in a weird way.
  2. It may corrupt your database.
  3. It may let your theme developer hack the Internet accounts of your blog visitors.
  4. It will show footer credits of the theme designer.
  5. It won’t show any observable results.

Removing this encrypted code may cause your theme to show some annoying behavior. It may harm or destroy your database. It is also possible that this encrypted code is completely redundant and removing it won’t affect your theme in any way.

Isn’t it shocking? Of course, it is!

I have experienced this before in one of the themes I was testing for this Blog! Let me share my experience with you.

I won’t disclose the name of the theme, but it was a freely available theme. It contained a file named RELAY.PHP (have a look at it here). I was not able to understand anything from this file, so I consulted a good friend of mine named Shashank, who is a WordPress genius.

He observed the file and told me that the encrypted code in the theme is sending unusual information about my Blog visitors to the Theme developers. It was sending the following information about my Blog visitors to the Theme designer:

  • Server Address
  • Server Software
  • HTTP user agent
  • Server Signature
  • HTTP Referrer
  • Required URL

I was quite irritated upon hearing this and I asked more about this topic. Shashank also told me that because of these requests by the encrypted code, I was unnecessarily wasting bandwidth. He also told me that removing this file from my theme wouldn’t affect the theme in any way because it did not contain any WordPress functions that my theme depended upon. So, I removed this Relay.php file from my theme and the theme worked fine even without it.

I faced such encrypted code yet again in one more Theme! It was placed in the Header.php file, but to my surprise, it was affecting the Footer of the Theme. It contained the copyright information about the Theme designer. Deleting the code caused my Database to be deleted and I was left totally irritated. Thankfully, I was not testing it on this running blog.

How to find this encrypted code in WordPress themes?

There is a WordPress plugin named Theme Authenticity Checker (TAC), which checks all your uploaded themes for any possibly malicious encrypted code. Using this plugin is highly recommended!

How to check what this encrypted code does?

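Here are two online decoders (or decryptors, whatever you call them): Taree Internet Online Decode Tool and Raxor GzInflate Decryptor. For your general information, remember that this code generally starts with “eval(gzinflate(base64_decode(…” or “eval(gzinflate(str_rot13(base64_decode(…”. These wrappers are Base64 encoding, ROT13 and gzip compression rather than keyed encryption, which is why a decoder can reverse them without any secret.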
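The same decoding can be done offline, without pasting theme code into a third-party site. The following Python is an added example, not code from the original post or from the tools it names: it finds the two wrappers quoted above, reverses them layer by layer (they are often nested) and returns the hidden PHP as text without ever executing it. The names `unwrap` and `wrap`, the size limits and the `ads.example` sample are constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) and the str_rot13 variant.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*(str_rot13\s*\(\s*)?base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2(?:\s*\)){3,4}\s*;?", re.IGNORECASE)
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")
MAX_OUT = 1_000_000   # cap inflated size per layer (decompression-bomb guard)
MAX_LAYERS = 20       # wrappers are often nested; stop after this many

def decode_layer(match):
    """Reverse one wrapper the way PHP would, but return text instead of eval'ing it."""
    raw = base64.b64decode(match.group(3))
    if match.group(1):                 # str_rot13 sits between base64 and inflate
        raw = raw.translate(ROT13)
    out = zlib.decompressobj(-15).decompress(raw, MAX_OUT)  # -15 = raw DEFLATE
    return out.decode("utf-8", errors="replace")

def unwrap(php_source):
    """Return (layers_removed, source) with each wrapper replaced by its payload."""
    layers = 0
    while layers < MAX_LAYERS:
        match = WRAPPER.search(php_source)
        if match is None:
            break
        php_source = (php_source[:match.start()] + decode_layer(match)
                      + php_source[match.end():])
        layers += 1
    return layers, php_source

def wrap(code, rot13=False):  # builds constructed test input in the same format
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(code.encode()) + comp.flush()
    call = "base64_decode('%s')"
    if rot13:                          # rot13 is its own inverse
        raw, call = raw.translate(ROT13), "str_rot13(base64_decode('%s'))"
    return "eval(gzinflate(%s));" % (call % base64.b64encode(raw).decode())

# Constructed sample: a footer link wrapped twice, outer layer using str_rot13.
HIDDEN = "echo '<a href=\"http://ads.example/\">Theme by Example</a>';"
SAMPLE = "<?php " + wrap(wrap(HIDDEN), rot13=True) + " ?>"

if __name__ == "__main__":
    print(unwrap(SAMPLE))
```

Run `unwrap` on the contents of a theme file and read the result before deciding what to remove; code that does not use these two wrappers is returned unchanged with a layer count of 0.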

I think now I have given you enough information about these malicious codes in WordPress themes. If you need some more, you can always ask in comments!!

  • http://www.techfreakstuff.com Rohit Sane

    @Tad: Is the link code encrypted? Just check out the real meaning of the code using the Decryptors I have linked to.. Else, you can get back to me again!

  • http://stacy-anderson.com/ Stacy

    I have absolutely no problem with displaying the Theme author on my blog, even though I tweaked the heck out of each theme I use. But it truly annoys me when they place encoded ads into the theme. That’s just rude.

    Here’s what I discovered:

    1) Find the encrypted code (I found mine in the Footer php).
    2) Highlight & copy the code
    3) Paste it here: http://www.motobit.com/util/base64-decoder-encoder.asp
    4) Choose ‘Decode’
    5) Highlight & copy the decoded php
    6) Replace (paste it over) the encrypted code
    7) Replace the ad url with your blog url
    8) Problem solved

    That’s what worked for me, and is still working.

    I have to say, without reading this blog post first, I wouldn’t have known how to recognize the encrypted code. So, thank you very much for posting this! :)

  • http://tomaszmatejunas.pl tommat

    Thanks for post and comments. It helps! :>

  • http://facebook.com dd

    d6e3acf860b1b136a7718d515274a84a I need it

  • http://www.poptropicap.com poptropica

    This is bad news to those who don’t understand much about encryption. This is really unbelievable, are they really doing this? wew, bad thing for those who bow to wordpress. great topic admin, you’ve been so helpful and great.

  • Andy

    hate to say but TAC won’t pick up crap from the new way of encoding, I got a theme from
    free-wordpress-theme(dot)net and they load the functions.php with code not starting with base64 or eval, blah, blah, blah…
    the decoders won’t decode it and removing it of course breaks the theme.
    too bad because they have some nice looking themes