WordPress user: Be careful where you get your theme from

WordPress themes are not just design templates, they contain PHP code and must be validated before use. Not only because of bugs, but some may contain malicious code in there. Specially if you download from random web sites and not from WordPress.org (not saying that every theme at WordPress.org is safe).

One example popped this week, regarding the themes from http://hirewordpressexperts.com/. They added some hidden code inside their themes to track which sites are using them (and track the users as well). However, their tracking server went offline and every site using it got this error on the sidebar:

Warning: file_get_contents(
http://24365online.com/_YTG_yu/_dl/get_info.php?host=site&referer;=&visitor;_ip=ip)

Can you see what they are doing? For every request they send to 24365online.com the site name AND the visitor’s IP address. Want to see how many sites have this embeded? Search on Google for http://24365online.com/. Now restrict for the last 24 hours and you will see more than 9 thousand sites with this error.

Can you imagine if their tracking server gets hacked? They could automatically load malware to all those sites. But the worse is how they are hiding this code:

Surprisingly “this” string was found from image file wp.gif. Soon I discovered that functions.php file tried to include wp.gif file into source code. Wp.gif file was adding additional code into get_footer function.

Some discussion here as well about them: http://mu.wordpress.org/forums/topic/15407

My recommendation is to do not use any theme from hirewordpressexperts.com and always double check any theme you decide to use.

If your site is hacked (or with malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

6 comments
  1. I just found that this plugin claiming to give wordpress users automatic backlinks based on the content of their posts – blogpressSEO – contains this server url in their plugin.. just a warning to all concerned users.

Comments are closed.

You May Also Like