
For the most part, the themes that come with an installation of WordPress are good enough for the casual blogger and writer. The problem is when you want to stand out in the crowd. With millions of installations of WordPress and only a handful of free themes shipping, your blog can look… a bit samey. So, what do you do? You get a premium theme.

You might be tempted to pirate a theme, instead of legitimately buying one. Whilst some themes can be quite costly, it’s always worth paying for the real deal. Here’s why, and how you can identify if your theme is pirated (you might not even know your theme is copied).

Security Issues

WordPress themes are written using front-end technologies (namely CSS, JavaScript and HTML), along with some back-end logic implemented in the PHP programming language.


When you download a theme, it’s always possible (although not always permitted) to tweak and extend its functionality. Which means it’s entirely possible for a third party to add some malicious, obfuscated code and then re-upload it for cheapskate WordPress users.


If your WordPress install starts sending out spam emails, you’ll start to notice that the legitimate emails your site sends out will be getting caught in spam filters. You won’t endear yourself to your web host either. You’ve also got to consider the implications that any security threat has for your users. If you handle user information, and your database gets leaked, you may find yourself with a lot of people who are quite irate with you.

SEO Issues

Have you ever wondered about the motivations behind why one would release a pirated theme? Indeed, whilst some are interested only in sharing products and themes they enjoy using, others have more nefarious reasons. Like we mentioned before, it’s entirely possible for someone to inject their own malicious code. Which means that it’s also possible for the theme distributor to use your site for some blackhat SEO shenanigans.

So, how does it work? Low-quality links are programmatically added to your WordPress pages. These tend to go to questionable loan, betting and pharmaceutical websites, and if Google notices that your website is being used as a platform for blackhat SEO tactics, you’ll soon see yourself penalized.

What would that look like? Well, you’ll see your rankings in Google drop precipitously, requiring you to rehabilitate your site in the eyes of Google. By all accounts, this isn’t easy.

Legal Issues

And then there are the legal issues.


Using unlicensed software is illegal. Sorry, but it’s true. Whilst it’s unlikely, the person who created the theme you are using could potentially drag you through the legal system, racking up thousands of dollars in court fees and legal costs.

It’s just so much cheaper to pay the $30 or so to get a legitimate theme.

How To Tell If Your Theme Is Legit

Oh boy. This isn’t easy, or perfect.

So, you’ve just acquired your new theme. You might have downloaded it for free, or exchanged good money for it from the likes of ThemeForest. How do you work out if your theme is stolen?

Admittedly, it probably won’t advertise openly that it’s not exactly kosher. Although, there are a couple of things you can look for.

Check The Source

Did you get the theme from a reputable source? Do you know who wrote it? Does the site you downloaded it from give credit to the author? Does the author have a public-facing web presence where he acknowledges that he is the creator of the theme, and links back to the site distributing it?


These are all important questions when trying to identify a suspect theme.

Check The Stylesheet Header

Each theme has a header in its style.css file that provides detailed information about the theme and its author. Here’s the one for the popular Twenty Thirteen theme:


/*
Theme Name: Twenty Thirteen
Theme URI: http://wordpress.org/themes/twentythirteen
Author: the WordPress team
Author URI: http://wordpress.org/
Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, flexible-width, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready
Text Domain: twentythirteen

This theme, like WordPress, is licensed under the GPL.
Use it to make something cool, have fun, and share what you've learned with others.
*/

So, what does this tell us? Firstly, it tells us the author, as well as a link to the official website of the theme. Did you get the theme from that site? Does the author name match the one you saw when you downloaded the theme?

These pieces of information can help us discern whether a theme is legit or not.
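As an added example (not code from the article or from WordPress itself), here is a small script that pulls those header fields out of a style.css and compares them with where the theme was actually downloaded from. The sample header is the Twenty Thirteen one quoted above, trimmed; the download URLs in the usage are constructed, and `free-premium-themes.example` is a made-up host standing in for any unofficial distributor.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the Twenty Thirteen style.css header quoted in the
# article (Description and Tags trimmed), followed by a line of ordinary CSS.
SAMPLE_STYLE_CSS = """/*
Theme Name: Twenty Thirteen
Theme URI: http://wordpress.org/themes/twentythirteen
Author: the WordPress team
Author URI: http://wordpress.org/
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: twentythirteen

This theme, like WordPress, is licensed under the GPL.
*/
body { margin: 0; }
"""

# The header fields WordPress reads from style.css.
HEADER_FIELDS = ("Theme Name", "Theme URI", "Author", "Author URI", "Description",
                 "Version", "License", "License URI", "Text Domain", "Tags")


def parse_theme_header(css_text):
    """Return the known 'Field: value' pairs from the first /* ... */ block.

    Only the leading comment is read and only known fields are kept, so free
    text inside the comment (like the GPL note above) is ignored.
    """
    match = re.match(r"\s*/\*(.*?)\*/", css_text, re.S)
    if not match:
        return {}
    header = {}
    for line in match.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in HEADER_FIELDS:
            header[key.strip()] = value.strip()
    return header


def host_of(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def header_warnings(header, downloaded_from, expected_author=None):
    """List the mismatches the article tells you to look for.

    A theme fetched from a host that is neither its Theme URI nor its
    Author URI, or whose Author differs from the one advertised at the
    download site, deserves a closer look before it goes live.
    """
    warnings = []
    for field in ("Theme Name", "Author", "Theme URI", "License"):
        if not header.get(field):
            warnings.append("missing header field: " + field)
    src = host_of(downloaded_from)
    theme_host = host_of(header.get("Theme URI", ""))
    author_host = host_of(header.get("Author URI", ""))
    if src and src not in (theme_host, author_host):
        warnings.append("downloaded from %s, but the header points at %s / %s"
                        % (src, theme_host or "?", author_host or "?"))
    if expected_author and header.get("Author", "").lower() != expected_author.lower():
        warnings.append("header author %r does not match advertised author %r"
                        % (header.get("Author", ""), expected_author))
    return warnings


if __name__ == "__main__":
    hdr = parse_theme_header(SAMPLE_STYLE_CSS)
    for url in ("https://wordpress.org/themes/twentythirteen/",
                "http://free-premium-themes.example/twentythirteen.zip"):
        print(url, "->", header_warnings(hdr, url) or "no warnings")
```

Run it against the `style.css` of a theme you are unsure about and pass the URL you downloaded the ZIP from; an empty list means the header at least agrees with the source, which is a necessary check rather than a proof of legitimacy.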

Look For Obfuscated PHP Code

This isn’t easy, and requires a bit of PHP know-how. You see, the attacker will do his damnedest to ensure that you can’t read his custom code easily, so he’ll try to use a few clever tricks to make it harder to read. If you see a call to base64_decode nested in an eval function, that’s cause for alarm. For example:


eval(base64_decode('ZWNobyAoIk1ha2VVc2VPZiBpcyBhd2Vzb21lIik7'));

When executed, base64_decode will convert that string into plaintext, and eval will then execute it. In this case, the code above will print out ‘MakeUseOf is awesome’. However, a malicious attacker would be able to execute any code he sees fit.

If you see this in your theme, you could have cause for concern, although it’s worth noting that some theme developers use this to ‘phone home’ and check whether a theme is properly licensed. Try decoding the string and have a look at what it’s doing.
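To take the "decode it and look" advice a step further, here is an added example (not code from the article) of a scanner that finds `eval(...)` calls in PHP source, unwraps the common decoder functions attackers nest inside them (`base64_decode`, `gzinflate`, `str_rot13`, `strrev`), and hands you the decoded text for review, so you can tell a licence check from something worse. The sample PHP is constructed for this example and is not from any real theme; it includes the exact line shown in the article plus a deflated variant built at runtime.

```python
import base64
import binascii
import codecs
import os
import re
import zlib


def _raw_deflate(data):
    """PHP's gzinflate() expects a raw DEFLATE stream, i.e. no zlib header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# Constructed sample, not from any real theme. Line 4 is the article's own
# example; line 5 nests gzinflate() inside, a layering seen in the wild.
_INFLATE_PAYLOAD = base64.b64encode(_raw_deflate(b'echo "hidden";')).decode("ascii")
SAMPLE_PHP = (
    "<?php\n"
    "function theme_setup() { add_theme_support('post-thumbnails'); }\n"
    "$logo = base64_decode('SGVsbG8=');  // decoded but never eval'd: not flagged\n"
    "eval(base64_decode('ZWNobyAoIk1ha2VVc2VPZiBpcyBhd2Vzb21lIik7'));\n"
    "eval(gzinflate(base64_decode('" + _INFLATE_PAYLOAD + "')));\n"
    "eval($dynamic);  // nothing to decode, but still worth a look\n"
)

# Python equivalents of the PHP decoders that typically wrap an eval'd payload.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( wrapper( wrapper( '<literal>' ) ) )  -- captures the wrapper chain and the literal
EVAL_RE = re.compile(
    r"\beval\s*\(\s*"
    r"((?:[A-Za-z_]\w*\s*\(\s*)+)"
    r"(['\"])(.*?)\2"
    r"\s*\)+"
)
BARE_EVAL_RE = re.compile(r"\beval\s*\(")


def decode_chain(chain, literal):
    """Apply the wrappers innermost-first; None if one is unknown or fails."""
    data = literal.encode("latin-1")
    for func in reversed(chain):
        if func not in DECODERS:
            return None
        try:
            data = DECODERS[func](data)
        except (binascii.Error, zlib.error, ValueError):
            return None
    return data.decode("utf-8", errors="replace")


def scan_php(source):
    """Return one finding per eval() call: line number, wrapper chain, decoded text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        matches = list(EVAL_RE.finditer(line))
        for m in matches:
            chain = re.findall(r"[A-Za-z_]\w*", m.group(1))
            findings.append({"line": lineno, "chain": chain,
                             "decoded": decode_chain(chain, m.group(3))})
        if not matches and BARE_EVAL_RE.search(line):
            findings.append({"line": lineno, "chain": [], "decoded": None})
    return findings


def scan_theme_dir(path):
    """Walk a theme directory and scan every .php file; returns {relpath: findings}."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = scan_php(fh.read())
                if found:
                    report[os.path.relpath(full, path)] = found
    return report


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print("line %d: eval via %s -> %r" % (f["line"], f["chain"] or "variable", f["decoded"]))
```

Point `scan_theme_dir` at `wp-content/themes/<theme>` and read the decoded text of each hit: a licence ping is easy to recognise once unwrapped, while anything you cannot account for is a reason to discard the theme rather than to keep digging.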


Conclusion

There’s one simple, fool-proof way to avoid getting a phony WordPress theme. You source them from legitimate, reputable sources. That’s it. It really is that simple. Whilst it’s certainly possible to cheap out and get a fake theme, the consequences can be severe.

Have you been stung by a fake theme? Are you a theme developer who has seen sales suffer due to piracy? Drop me a comment below and tell me about it.

Photo Credit: The Art Of WordPress (MKHMarketing), Justice (Bill Tyne), Security in the dictionary (Perspectys Photos)

  1. Natalya
    November 15, 2016 at 9:56 pm

    So if we get the theme off of WordPress.com we should be fine, correct?

  2. racha
    November 22, 2015 at 6:30 pm

    I have seen many sites allowing premium themes for free.
    Can you show whether any theme author has sued them?
    Is it possible to sue all of them?
    I think the author should have his own techniques to save his theme.

  3. rob
    May 28, 2014 at 8:21 pm

    Great article! In fact, a WordPress site that I had online a couple of years back kept having links added to the footer. It took me a long time to realise but now I know why! Thanks!

    • Matthew H
      May 28, 2014 at 9:44 pm

      Thanks for the kind words! Yeah, it's a startlingly common predicament, I've found. ;)

  4. Ryan
    May 22, 2014 at 9:18 pm

    Since we are on the topic...

    I've been really curious what theme/framework MakeUseOf uses, Any chance of letting the secret out?

    • Matthew H
      May 26, 2014 at 9:43 pm

      We're a WordPress site, obviously. The theme is actually developed in-house by our crack team of web developers. :) Totally bespoke.

  5. Anonymous
    May 22, 2014 at 1:10 pm

    Word Press is GAYYYYYYYYYYY

  6. @SteeveCo
    May 21, 2014 at 5:40 pm

    Great article. Will clear up a lot of things for people that don't understand problems inherent with dodgy themes.

    • Matthew H
      May 26, 2014 at 10:06 pm

      Thanks man. I appreciate it!

  7. Philip
    May 21, 2014 at 11:11 am

    Maybe authors could provide a md5 sum of the code and check against that.

    • Matthew H
      May 26, 2014 at 9:41 pm

      I don't think that's the best solution. The hash would change whenever the theme gets updated. Plus, MD5 is collision central.

      It's a tricky problem to solve.

  8. Jean
    May 21, 2014 at 5:48 am

    Thanks for this.

    Obfuscated PHP Code can easily be detected with the free plugin Theme Authenticity Checker (TAC).

    • Othniel
      May 21, 2014 at 7:00 am

      Omg, thanks for this!

    • Matthew H
      May 26, 2014 at 9:43 pm

      Thanks for the tip!
