For the most part, the themes that come with an installation of WordPress are good enough for the casual blogger and writer. The problem is when you want to stand out in the crowd. With millions of installations of WordPress and only a handful of free themes shipping, your blog can look… a bit samey. So, what do you do? You get a premium theme.
You might be tempted to pirate a theme, instead of legitimately buying one. Whilst some themes can be quite costly, it’s always worth paying for the real deal. Here’s why, and how you can identify if your theme is pirated (you might not even know your theme is copied).
When you download a theme, it’s always possible (although not always permitted) to tweak and extend its functionality. This means it’s entirely possible for a third party to add some malicious, obfuscated code and then re-upload it for cheapskate WordPress users.
If your WordPress install starts sending out spam emails, you’ll start to notice that the legitimate emails your site sends out will be getting caught in spam filters. You won’t endear yourself to your web-host either. You’ve also got to consider the implications that any security threat has to your users. If you handle user-information, and your database gets leaked, you may find yourself with a lot of people who are quite irate with you.
Have you ever wondered about the motivations behind why one would release a pirated theme? Indeed, whilst some are interested only in sharing products and themes they enjoy using, others have more nefarious reasons. As we mentioned before, it’s entirely possible for someone to inject their own malicious code. This means that it’s also possible for the theme distributor to use your site for some blackhat SEO shenanigans.
So, how does it work? Low-quality links are programmatically added to your WordPress pages. These tend to go to questionable loan, betting and pharmaceutical websites, and if Google notices that your website is being used as a platform for blackhat SEO tactics, you’ll soon see yourself penalized.
What would that look like? Well, you’ll see your rankings in Google drop precipitously, requiring you to rehabilitate your site in the eyes of Google. By all accounts, this isn’t easy.
And then there are the legal issues.
Using unlicensed software is illegal. Sorry, but it’s true. Whilst it’s unlikely, the person who created the theme you are using could potentially drag you through the legal system, racking up thousands of dollars in court fees and legal costs.
It’s just so much cheaper to pay the $30 or so to get a legitimate theme.
How To Tell If Your Theme Is Legit
Oh boy. This isn’t easy, or perfect.
So, you’ve just acquired your new theme. You might have downloaded it for free, or exchanged good money for it from the likes of ThemeForest. How do you work out if your theme is stolen?
Admittedly, it probably won’t advertise openly that it’s not exactly kosher. There are, however, a couple of things you can look for.
Check The Source
Did you get the theme from a reputable source? Do you know who wrote it? Does the site you downloaded it from give credit to the author? Does the author have a public-facing web presence where he acknowledges that he is the creator of the theme, and links back to the site distributing it?
These are all important questions when trying to identify a suspect theme.
Check The Stylesheet Header
Each theme has a header in its CSS file that provides detailed information about the theme and its author. Here’s the one for the popular twenty-thirteen theme:
/*
Theme Name: Twenty Thirteen
Theme URI: http://wordpress.org/themes/twentythirteen
Author: the WordPress team
Author URI: http://wordpress.org/
Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, flexible-width, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready
Text Domain: twentythirteen

This theme, like WordPress, is licensed under the GPL.
Use it to make something cool, have fun, and share what you've learned with others.
*/
So, what does this tell us? Firstly, it tells us the author, as well as a link to the official website of the theme. Did you get the theme from that site? Does the author name match the one you saw when you downloaded the theme?
These pieces of information can help us discern whether a theme is legit or not.
Look For Obfuscated PHP Code
This isn’t easy, and requires a bit of PHP know-how. You see, the attacker will do his damnedest to ensure that you can’t read his custom code easily, so he’ll try to use a few clever tricks to make it harder to read. If you see a call to base64_decode nested in an eval function, that’s cause for alarm. For example:
When executed, base64_decode will convert that string into plaintext, and eval will then execute it. In this case, the code above will print out ‘MakeUseOf is awesome’. However, a malicious attacker would be able to execute any code he sees fit.
If you see this in your theme, you could have cause for concern, although it’s worth noting that some theme developers use this to ‘phone home’ and see if a theme is properly licensed. Try decoding the string and have a look at what it’s doing.
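As an added example (not code from the original article), here is a small Python audit script that performs both checks described above: it reads the style.css header fields the way WordPress does, and scans the theme’s PHP files for eval(base64_decode('...')), decoding the payload so you can see what it would have run. The sample theme files embedded at the bottom are constructed for the demo, not real theme files.

```python
import base64
import re
from pathlib import Path

# Fields WordPress reads from the comment block at the top of style.css.
HEADER_FIELDS = ("Theme Name", "Theme URI", "Author", "Author URI", "Version", "License")

# eval() wrapped directly around base64_decode('...'), the pattern described in the article.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([^'\"]*)['\"]", re.I)

def parse_theme_header(css_text):
    """Return the 'Key: value' header fields in the first 8 KB of style.css (WordPress's own window and loose matching)."""
    head = css_text[:8192]
    fields = {}
    for key in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.M | re.I)
        if m:
            fields[key] = m.group(1).strip()
    return fields

def find_obfuscated_evals(php_text):
    """Return [(matched_source, decoded_payload_or_None)] for every eval(base64_decode('...')) in the file."""
    hits = []
    for m in EVAL_B64.finditer(php_text):
        blob = re.sub(r"\s+", "", m.group(1))  # obfuscators often split the string across lines
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: still suspicious, just not decodable here
            decoded = None
        hits.append((m.group(0), decoded))
    return hits

def audit_theme(theme_dir):
    """Parse style.css and scan every .php file under theme_dir; return a report dict."""
    theme_dir = Path(theme_dir)
    report = {"header": {}, "findings": []}
    css = theme_dir / "style.css"
    if css.is_file():
        report["header"] = parse_theme_header(css.read_text(errors="replace"))
    for php in sorted(theme_dir.rglob("*.php")):
        for _src, decoded in find_obfuscated_evals(php.read_text(errors="replace")):
            report["findings"].append((str(php.relative_to(theme_dir)), decoded))
    return report

# Constructed sample theme (not real theme files): a short header plus a footer.php using the eval trick.
SAMPLE_CSS = "/*\nTheme Name: Twenty Thirteen\nAuthor: the WordPress team\nAuthor URI: http://wordpress.org/\n*/\n"
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'MakeUseOf is awesome';").decode()
SAMPLE_PHP = "<?php get_header(); eval(base64_decode('" + SAMPLE_PAYLOAD + "')); ?>"
```

Point audit_theme() at wp-content/themes/your-theme and compare the reported Author and Author URI with where you actually downloaded the theme; any decoded finding that is not an obvious licence check deserves a close look.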
There’s one simple, fool-proof way to avoid getting a phony WordPress theme. You source them from legitimate, reputable sources. That’s it. It really is that simple. Whilst it’s certainly possible to cheap out and get a fake theme, the consequences can be severe.
Have you been stung by a fake theme? Are you a theme developer who has seen sales suffer due to piracy? Drop me a comment below and tell me about it.