Forums

WordPress › Support » Themes and Templates

Obfuscated code in WordPress themes. (6 posts)

  1. winchip
    Member
    Posted 12 months ago #

    In a number of free WordPress themes, I've run across obfuscated code. I mean, encoded sections, such as this in the Ellise Theme and several others similarly. In some, it's in the footer.php file (different code, though), but in the Ellise Theme it's in the "functions.php" file:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Running this through one of the online decoders, I get:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Not being as up to snuff on my PHP as I should be yet, I need help in deciding if this is just harmless, a nuisance, or something I should get rid of for good. I see it's putting stuff into the database, but for what purpose?

    For the time being, I've commented out the entire block.

  2. mrmist
    Forum Janitor
    Posted 12 months ago #

    Personally, I'd not use any theme with that sort of code in it.

    Where did you get it?

  3. winchip
    Member
    Posted 12 months ago #

    Hmmm ...I'll be darned.

    When I check the 'Net now for this theme, I don't see that code in the 'functions.php' file! It's still in the Zip file on my hard drive, though, from when I first downloaded it, maybe two years ago. Either it's been cleaned up by now or I happened onto some 'more than just free WordPress themes site' so to speak!

    I deleted a number of themes earlier this afternoon that had some sort of encrypted code like that in the 'footer.php' files, but the code looked like it went to various Slavic sites (varied with the particular Theme) after some number of posts had been made. I'll try to get a couple of those back and track them down.

    I guess I'd taken it for granted that the encoded sections were just to protect some proprietary stuff and was common in Themes code, but I'm beginning to suspect that's not really the case?

  4. fonglh
    Member
    Posted 12 months ago #

    I guess I'd taken it for granted that the encoded sections were just to protect some proprietary stuff and was common in Themes code, but I'm beginning to suspect that's not really the case?

    it's not. it's usually to hide a backdoor or code which adds spam links to your site.

    to be safe, get themes from the official theme repository.

  5. winchip
    Member
    Posted 12 months ago #

    You know, it's just recently that I'd decided to scan my library of themes, looking for the 'eval(base64_decode(' string.

    There were also about a half dozen themes from another prominent themes site that had some 'special' code in them, but they were all in the footer.php files.

    Just another awareness step ...checking those files, that is.

  6. winchip
    Member
    Posted 12 months ago #

    Sorry that first post got moderated ...I've placed the original code onto Pastebin as suggested.

    The undecoded file functions.php looked like this: http://pastebin.com/k6tU0adX

    The encoded portion inside that file looked like this after running it through an online decoder: http://pastebin.com/Jrj0dm4w (I added CR's and formatted it to look somewhat readable)

    I'm still hoping someone with more PHP experience can tell me what it might have been doing if I'd had it live ...

Reply

You must log in to post.

About this Topic

Tags

No tags yet.