Watch: WordPress Theme? Check. Hidden Malware? Test!

By Charles Costa
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

The internet is filled with plenty of WordPress themes, yet the scary thing is that there’s almost no level of quality assurance with them. Yikes! What this means is, that fancy WordPress theme you’re considering… might have some malware hidden within it’s theme. That’s no reason for you to dump your theme shopping cart.

In this screencast I will show you a simple way to make sure that the themes you download are clean and you on longer have to fear the hidden malware.

Loading the player…

We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now
  • What about some obfuscation like strrev(“lave”)(“some php code here”)
    ..or something like that:
    $arr = [“ba”, “64”, “se”, “de”, “_” “deco”]; $func = $arr[0].$arr[2].$arr[1].$arr[4].$arr[5].$arr[3]; $func(“some base64 code”);

    Solutions like this plugin basically do nothing, I think. Because there is a million ways to write malware code in PHP, no one program can know all of them.

    • I can’t really speak for the plugin makers – but I believe the code which is executed from a theme is going to be much more limited than plugin code. It’s a good point I’ll need to consider for pieces covering plugin security.

  • Nice, focused video about how your normal WordPress user (not a developer) can protect themselves and their websites. There are many security enhancing plugins around, but most of them deal with configurations and settings. In cases like this the best rule to follow is “if it looks to good to be true, it probably isn’t.”

    • Hey Adrian,

      Glad you liked the video. As far as choosing plugins go, I tend to focus on active installs and also check to see how well known the development company is. I have a few pieces in the pipe on this theme – but in general I prefer avoiding plugins when possible for functionality.

      If it’s needed, then I’ll focus on active installs and also look into the developer reputation.

  • WordPress comes with enhanced security features that if used properly can mitigate almost any of the threats. However, due to the popularity of WordPress, it is still vulnerable to security threats. It is important to understand the sources from which malware can enter and create a sound plan to counter them. Database injection is one of the major sources of malware. WordPress provides plugins like WP-DB manager and All in one WP Security and firewall that are reliable sources to secure the database from unwanted entries. Make sure to utilize them properly and keep them updated. Developers can also opt for customized security tools to enhance website security.

    • Hey Hemang,

      Thanks for your comment. Great point about understanding the source of threats. As great as the security suites are, if you don’t understand what you’re protecting against, you won’t be able to use the solutions properly.