What lurks in your free WordPress theme?
It is up to you as webmasters to know what is on your site. Serve up a virus or trouble just once and you’ll be blacklisted far and wide. Many WordPress users do not like to edit or dig into their themes. If that is you, you need to stick with themes from the WordPress site. If you are downloading themes elsewhere you need to roll up your sleeves, break out an editor and take a wander through those themes.
. . . Here’s a real example.
Seattle-based designer Derek Punsalan makes acclaimed WordPress themes, and has released several of them to the world. Other theme sites have copied his themes. One such theme copier is WP-Sphere.
When you download Punsalan’s theme from the WP-Sphere site, it contains some extra code that he didn’t include. It’s a long string of cryptic-looking characters that most users wouldn’t question:
(Click the read more link for images and more information.)
The first part of the string offers a clue: It’s using a PHP function to decode the string of text, which is encoded as base64. If we pass this through a decoder, the string looks a lot more malicious:
(Click the read more link for images and more information.)
The code establishes a connection from the WordPress server to several sites, wpssr.com, wpsnc.com, and wpsnc2.com, and allows the site operator to download an arbitrary piece of JavaScript. The sites are registered to an anonymous registrar in Vancouver, British Columbia.
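An added example, not from the original post or the article it quotes: a small Python audit that finds long base64 literals passed to `base64_decode` in theme PHP source, decodes them for review without executing anything, and lists the hosts named inside. The sample footer, its `example.test` host, and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: a harmless stand-in for an encoded blob in a theme footer.
_PAYLOAD = b"echo '<script src=\"http://updates.example.test/w.js\"></script>';"
SAMPLE_FOOTER = (
    "<?php wp_footer(); ?>\n"
    "<?php eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "')); ?>\n"
    "<?php echo base64_decode('aGk='); ?>\n"
)

# base64_decode() called on a string literal of 40+ base64 characters.
CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]{40,})\1\s*\)""", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def decode_literal(blob):
    """Decode a base64 literal to text; return None if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def audit_php(source, max_layers=5):
    """Report each long encoded literal: line, nesting depth, hosts, decoded text."""
    findings = []
    for match in CALL.finditer(source):
        text, layers = decode_literal(match.group(2)), 1
        if text is None:
            continue
        # Peel nested base64_decode('...') layers; nothing is ever executed.
        while layers < max_layers:
            inner = CALL.search(text)
            peeled = decode_literal(inner.group(2)) if inner else None
            if peeled is None:
                break
            text, layers = peeled, layers + 1
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "layers": layers,
            "hosts": sorted({h.lower() for h in URL_HOST.findall(text)}),
            "decoded": text,
        })
    return findings

if __name__ == "__main__":
    for f in audit_php(SAMPLE_FOOTER):
        print(f"line {f['line']}: {f['layers']} layer(s), hosts={f['hosts']}")
        print("  " + f["decoded"])
```

It only follows string literals passed directly to `base64_decode`, so a clean result is not proof that a theme is clean.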
Read more: Are Hackers Exploiting WordPress Themes?