Pinterest Stumbleupon Whatsapp

For the most part, the themes that come with an installation of WordPress are good enough for the casual blogger and writer. The problem is when you want to stand out in the crowd. With millions of installations of WordPress and only a handful of free themes shipping, your blog can look… a bit samey. So, what do you do? You get a premium theme.

You might be tempted to pirate a theme, instead of legitimately buying one. Whilst some themes can be quite costly, it’s always worth paying for the real deal. Here’s why, and how you can identify if your theme is pirated (you might not even know your theme is copied).

Security Issues

WordPress themes are written using front-end technologies (namely CSS, Javascript and HTML), along with some back-end logic implemented in the PHP programming language FREE EBOOK: Learn To Build With PHP, A Crash Course FREE EBOOK: Learn To Build With PHP, A Crash Course You've heard of PHP. This is the language that Facebook, WordPress and Wikipedia use to serve billions of requests, daily. It is the de-facto language used for teaching people to program for the Web. Read More .

Sign up for a Bluehost plan from just from $3.95 a month.

When you download a theme, 10+ Resources For Free Professional WordPress Themes 10+ Resources For Free Professional WordPress Themes Read More it’s always possible (although not always permitted) to tweak and extend its functionality. Which means it’s entirely possible for a third-party to add some malicious, obfuscated code and then re-upload it for cheapskate WordPress users.


If your WordPress install starts sending out spam emails, you’ll start to notice that the legitimate emails your site sends out will be getting caught in spam filters. You won’t endear yourself to your web-host either. You’ve also got to consider the implications that any security threat has to your users. If you handle user-information, and your database gets leaked, you may find yourself with a lot of people who are quite irate with you.

SEO Issues

Have you ever wonder about the motivations behind why one would release a pirated theme? Indeed, whilst some are interested only in sharing products and themes they enjoy using, others have a more nefarious reasons. Like we mentioned before, it’s entirely possible for someone to inject their own malicious code. Which means that it’s also possible for the theme distributor to use your site for some blackhat SEO 5 Blackhat Tools Used By Internet Spammers 5 Blackhat Tools Used By Internet Spammers Email spam is annoying, but pretty easy to ignore nowadays. But have you ever wondered how and why your favourite forum died and was suddenly filled with viagra adverts? How about those nonsensical blog comments... Read More shenanigans.

So, how does it work? Low-quality links are programatically added to your WordPress pages. These tend to go to questionable loan, betting and pharmaceutical websites, and if Google notices that your website is being used as a platform for blackhat SEO tactics, you’ll soon see yourself penalized.

What would that look like? Well, you’ll see your rankings in Google drop precipitously, requiring you to rehabilitate your site in the eyes of Google. By all accounts, this isn’t easy.

Legal Issues

And then there’s the legal issues.


Using unlicensed software is illegal. Sorry, but it’s true. Whilst it’s unlikely, the person who created the theme you are using could potentially drag you through the legal system, racking up thousands of dollars in court fees and legal costs.

It’s just so much cheaper to pay the $30 or so to get a legitimate theme.

How To Tell If Your Theme Is Legit

Oh boy. This isn’t easy, or perfect.

So, you’ve just acquired your new theme. You might have downloaded it for free, or exchanged good money for it from the likes of ThemeForest. How do you work out if your theme is stolen?

Admittedly, it probably won’t advertise openly that it’s not exactly kosher. Although, there are a couple of things you can look for.

Check The Source

Did you get the theme from a reputable source? Do you know who wrote it? Does the site you downloaded it from give credit to the author? Does the author have a public-facing web presence where he acknowledges that he is the creator of the plugin, and links back to the site distributing it?


These are all important questions when trying to identify a suspect theme.

Check The Stylesheet Header

Each theme has a header in its CSS file that provides detailed information about the theme and its author. Here’s the one for the popular twenty-thirteen theme:

Theme Name: Twenty Thirteen
Theme URI:
Author: the WordPress team
Author URI:
Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.
Version: 1.0
License: GNU General Public License v2 or later
License URI:
Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, flexible-width, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready
Text Domain: twentythirteen

This theme, like WordPress, is licensed under the GPL.
Use it to make something cool, have fun, and share what you've learned with others.

So, what does this tell us? Firstly, it tells us the author, as well as a link to the official website of the plugin. Did you get the plugin from that site? Does the author name match the the one you saw when you downloaded the plugin?

These pieces of information can help us discern whether a theme is legit or not.

Look For Obfuscated PHP Code

This isn’t easy, and requires a bit of PHP know-how. You see, the attacker will do his damnedest to ensure that you can’t read his custom code easily, so he’ll try to use a few clever tricks to make it harder to read. If you see a call to base64_decode nested in an eval function, that’s cause for alarm. For example:


When executed, base64_decode will convert that string into plaintext, and eval will then execute it. In this case, the code above will print out ‘MakeUseOf is awesome’. However, a malicious attacker would be able to execute any code he sees fit.

If you see this in your theme, you could have cause for concern, although it’s worth noting that some theme developers use this to ‘phone home’ and see if a theme is properly licensed. Try decoding the string Decoder / Encoder for Sha1, MD4, URL, Base64, Base85 & MD5 Decoder / Encoder for Sha1, MD4, URL, Base64, Base85 & MD5 Read More and have a look at what it’s doing.

Starting your own WordPress site? Get hosted by Bluehost at an affordable from $3.95 a month.


There’s one simple, fool-proof way to avoid getting a phony WordPress theme. You source them from legitimate, reputable sources. That’s it. It really is that simple. Whilst it’s certainly possible to cheap out and get a fake theme, the consequences can be severe.

Have you been stung by a fake theme? Are you a theme developer who has seen sales suffer due to piracy? Drop me a comment below and tell me about it.

Photo Credit: The Art Of WordPress (MKHMarketing), Justice (Bill Tyne), Security in the dictionary (Perspectys Photos)

Leave a Reply

Your email address will not be published. Required fields are marked *