Not again! I’ve posted about a suspiciously edited WordPress theme a while ago. It seems there are a lot more out there. It is the Internet after all. It’s a pretty big place. There are a lot of websites dedicated to collecting WordPress themes and then redistributing them. The problem is that most, if not all, of these unofficial repositories maliciously edit the themes before packaging them for download. Aside from the Russian sites I mentioned in my other post, like wp-templates and skinwp (.ru TLDs), I’ve come across another (alihan.com.tr/blog/) that distributes free themes that have been edited to contain bad backlinks.
The edited theme replaces 2 files (BAK) and has an edited functions.php.
As I’ve mentioned in my other post, there’s nothing wrong with editing WordPress themes and then redistributing them, as they are licensed under the GPL. But you can’t help but feel a little frustrated with what’s done here.
In this case, the intent is clearly malicious. Here, the potential user gets a theme that contains bad links to shady sites. By appending the text “new” to the theme name, the user is also prevented from updating the theme to the official version. On other sites, the technique was to set the theme version to a value that wouldn’t likely be reached by the official version.
The footer.php has an added call to a certain function, wp_footer_hook(), which is not actually a WordPress action hook but is named to seem like one.
In functions.php you see the actual function that is called. It outputs SEO-seeded links to various game sites. The anchor text is set to change per page request to maximize the supposed SEO benefits.
Here is what the actual footer looks like with the said function working.
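The edits described above (a renamed theme, a lookalike `wp_` function called from a template, and hard-coded outbound links in functions.php) can be checked for before a downloaded theme is installed. The Python sketch below is an added example, not code from the theme or from the original post; `audit_theme`, the sample files, the `games.example.com` host and the version threshold are assumptions made for illustration.

```python
import re

# Heuristics for the edits described in this post; the threshold is an assumption.
DEF_RE = re.compile(r"function\s+(wp_\w+)\s*\(")
LINK_RE = re.compile(r"<a\s[^>]*href=[\"']https?://([^/\"']+)", re.I)
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)

def audit_theme(files, official_name, max_major=50):
    """files maps relative path -> contents; returns a list of findings."""
    findings = []
    funcs = files.get("functions.php", "")
    # 1. Functions the theme defines under core's wp_ prefix, called from templates.
    lookalikes = set(DEF_RE.findall(funcs))
    for path, text in files.items():
        if path == "functions.php":
            continue
        for name in sorted(lookalikes):
            if re.search(r"\b" + re.escape(name) + r"\s*\(", text):
                findings.append(f"{path}: calls theme-defined {name}()")
    # 2. External links hard-coded in functions.php.
    for host in sorted(set(LINK_RE.findall(funcs))):
        findings.append(f"functions.php: hard-coded link to {host}")
    # 3. style.css header altered so the official update never applies.
    header = dict(HEADER_RE.findall(files.get("style.css", "")))
    name = header.get("Theme Name", "")
    if name and name.lower() != official_name.lower():
        findings.append(f"style.css: Theme Name {name!r} is not {official_name!r}")
    major = re.match(r"\d+", header.get("Version", ""))
    if major and int(major.group()) > max_major:
        findings.append(f"style.css: implausible Version {header['Version']}")
    return findings

# Constructed sample that mirrors the edits described above (not the real theme).
SAMPLE = {
    "style.css": "/*\nTheme Name: Sample Theme new\nVersion: 1.2\n*/\n",
    "footer.php": "<?php wp_footer_hook(); ?>\n<?php wp_footer(); ?>\n",
    "functions.php": "<?php\nfunction wp_footer_hook() {\n"
                     "  echo '<a href=\"http://games.example.com/\">free games</a>';\n}\n",
}

if __name__ == "__main__":
    for finding in audit_theme(SAMPLE, "Sample Theme"):
        print(finding)
```

These are heuristics: a finding means the file deserves a manual read or a diff against the official copy, not that the theme is proven malicious.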
If you don’t want your website to look suspicious in the eyes of both humans and Google, don’t just download WordPress themes from anywhere you may find them. Not only do spammy WordPress themes affect your rankings negatively, they might also prove to be insecure, which will likely make your site more vulnerable to being hacked. Always get your themes from sources that you can trust.
For free WordPress themes, download them from wordpress.org, that’s obvious enough, or from a verifiable author’s website. For premium themes, buy them from a respected theme vendor or theme marketplace. Don’t download paid themes for free. It’s bad for your health. Or even better, you could try to create your own WordPress themes from scratch. It’s a lot easier than you might think and it provides a really good learning experience.