Interesting breaking news on a code chunk found in WP-Sphere-distributed themes that could allow a potentially evil person to send malicious code to a user via a WordPress theme. Of course, all the attention on this one is going to drive the code deeper into the PHP, but in the meantime it may be time to audit your themes and make sure they match what is expected, not what the bad guy intended.
Seattle-based designer Derek Punsalan makes acclaimed WordPress themes, and has released several of them to the world. Other theme sites have copied his themes. One such theme copier is WP-Sphere. When you download Punsalan’s theme from the WP-Sphere site, it contains some extra code that he didn’t include. It’s a long string of cryptic-looking characters that most users wouldn’t question. Source: Gigaom
You can see more technical detail here and here.
All in all, it is not that surprising that someone would use software this way. Tracking and other issues arise all the time, and while the code chunk traces back to WP-Sphere, no malicious intent has yet been discovered. It could be simple tracking code, but that does not mean the code will stay that way later on.
No one expects this to stop people from downloading and using WordPress themes, but it is always important to get your software from official distribution points. If someone were trying to take over WordPress installations, this would be a great way to do it, but this time they got caught. There should be a lot of folks looking at their themes and making sure they are clean and safe for visitors to your web site.
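The two checks suggested above, auditing theme files for the kind of "long string of cryptic-looking characters" the article describes and comparing a downloaded copy against the official distribution point, can be scripted. The following is an added example written for this post, not code from the original article or from any theme author; the theme file contents, the file names and the injected line are constructed sample data, and the decoded string is harmless text that only mimics the shape of an encoded blob.

```python
"""Audit WordPress theme files: flag obfuscation patterns and compare against a reference copy."""
import base64
import hashlib
import re

# PHP constructs commonly used to hide injected code; a hit is a reason to look, not proof of malice
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert|create_function)\s*\(",
    re.IGNORECASE,
)
# A long run of base64 alphabet characters: the "cryptic-looking string" most users would not question
LONG_ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_suspicious_lines(php_source):
    """Return one finding per line that contains an obfuscation call or a long encoded blob."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        reasons = []
        for m in SUSPICIOUS_CALLS.finditer(line):
            reasons.append("call:" + m.group(1).lower())
        if LONG_ENCODED_BLOB.search(line):
            reasons.append("long-encoded-string")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "text": line.strip()})
    return findings


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_against_reference(reference_files, candidate_files):
    """Compare a downloaded theme against a copy from the official distribution point.

    Both arguments map relative path -> file contents. Returns the paths that were
    added, removed, or modified relative to the reference copy.
    """
    ref_hashes = {p: sha256_text(c) for p, c in reference_files.items()}
    cand_hashes = {p: sha256_text(c) for p, c in candidate_files.items()}
    return {
        "added": sorted(set(cand_hashes) - set(ref_hashes)),
        "removed": sorted(set(ref_hashes) - set(cand_hashes)),
        "modified": sorted(p for p in ref_hashes if p in cand_hashes and ref_hashes[p] != cand_hashes[p]),
    }


# --- Constructed sample data (hypothetical theme files, not the real theme) ---
REFERENCE_FOOTER = """<?php wp_footer(); ?>
<div id="footer"><p>&copy; <?php bloginfo('name'); ?></p></div>
</body>
</html>
"""

# The injected line decodes a harmless constructed string; it resembles the real blob only in shape.
_BLOB = base64.b64encode(b"echo 'constructed harmless sample, not from the original post';").decode()
TAMPERED_FOOTER = REFERENCE_FOOTER.replace(
    "</body>", "<?php eval(base64_decode('" + _BLOB + "')); ?>\n</body>"
)

REFERENCE_THEME = {"style.css": "/* Theme Name: Sample */", "footer.php": REFERENCE_FOOTER}
DOWNLOADED_THEME = {"style.css": "/* Theme Name: Sample */", "footer.php": TAMPERED_FOOTER}


def audit_theme(reference_files, candidate_files):
    """Combine both checks: which files differ, and what inside them looks obfuscated.

    Only .php files are pattern-scanned; CSS can legitimately carry long base64 data URIs.
    """
    report = diff_against_reference(reference_files, candidate_files)
    report["findings"] = {
        path: find_suspicious_lines(candidate_files[path])
        for path in report["modified"] + report["added"]
        if path.endswith(".php")
    }
    return report


if __name__ == "__main__":
    result = audit_theme(REFERENCE_THEME, DOWNLOADED_THEME)
    print("modified:", result["modified"])
    for path, hits in result["findings"].items():
        for hit in hits:
            print(f"{path}:{hit['line']} {hit['reasons']} -> {hit['text'][:70]}")
```

Against a real theme you would load both directories from disk into the two dictionaries and treat any `modified` or `added` file as something to read by hand; the pattern scan only tells you where to start reading, since a hit on `base64_decode` is not by itself proof of bad intent.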