Malware in WordPress Themes and Joomla! Templates

Moving forward with my web content series I was looking at some easy ways to spruce up the default templates for both my WordPress and Joomla! installations. In the course of doing so, and like most predominantly via search engines, surely many of us have come across dozens of premium as well as free websites that offer just what we need. I’ve come to trust the basic default offerings more than the pre-configured ones for the simple reasoned assumption that given the large user base of most content management systems they have usually done the cautious job of vetting every piece of code. Granted we’ve heard of site compromises from time-to-time but those yet again get the proper response of re-validation — not so similar it appears when considering all these free stuff one can download from elsewhere.

In the year review for 2010, Trend Micro called out WordPress as one of the most dangerous website software owing to the numerous attacks and exploits that happened that year. By itself, that statement caused an uproar in the community and perhaps rightly so. Personally, I attribute this to the fact that WordPress alongside Blogger/Blogspot have the largest chunk of user-base out there. Blogging in itself is just a means to an end which is to get your thoughts out there and focus on content rather than the usual to-do-list of first securing one’s blog from the threat of attack. It goes without saying that a lot of bloggers could be facing several levels of security issues including mis-configured databases, easy to guess passwords, publicly shared directories, and so on. However, at the bottom of it is the fact that it’s your blog so pay attention. I’d also like to mention that as part of protecting users from compromised blog sites this could result in your site being temporarily blocked until its been cleaned out. Thus, let me revise that statement with the above lengthy explanation of the many underlying issues that brought about this situation.

One of the oldest examples of bad guys redistributing a hack modified WordPress plugin that I was able to find in my haste was a blog entry from Derek in 2007. He points out one important security tip which is to always download from the original author’s site when considering any add-on to your public blog.

An example of a sneaky trojanized WordPress theme was analyzed in detail by Otto in December of 2010. In it he points out another rule of thumb which is to only download themes from the official WordPress distribution site (which, as I’ve mentioned above will at least go through community review and follow some rules).

ThemeLab’s Leland called out to stop downloading templates from untrusted sites and even addresses that fact that one of his seem to be victim back in 2009. In it he suggests using the Theme Authenticity Checker (TAC) plugin, except for the fact that its now 2012 and the latest from BuiltBackwards only shows tested compatibility for WordPress 2.8? However, it still looks to be working when combined with other tools like Donncha’s Exploit Scanner plugin (incidentally he’s also the developer for the WP MU Domain Mapping plugin). Siobhan in his blog entry at WPMU in early January 2011 notes why you shouldn’t look for WordPress themes using a search engine and does a follow-up review a week later on some alternative sites that have gone through the knife in a separate development sandbox.

Yet, again I digress. I was telling you about using search engines to find your next content management theme or template earlier. There are a bunch of templates in my downloads directory, mostly Joomla!-based as thats whats on my plate now, that I’m now considering. Its so tempting to just go through the pile and see what works.

I went through the Joomla! forums looking for some good sites to download 1.7.xx compatible templates. It was in the second page where Ken mentioned that a bunch of these apparently free goodies were being distributed with untrusted and a bunch of embedded encrypted code. That sent my Spidey senses on overdrive and will explain my decision. There are just too many pieces of code to check and its a little more cumbersome to sift through the various code modules each time. Perhaps I’ll go back to these downloaded templates when I have the proper tools and mindset. But for now, Let’s not.

The next steps for me seem to be really learning about the innards of Joomla! with several nice guidebook and build my site from scratch. If you decided to do otherwise, then please ….

Let me reiterate:

  1. download themes and templates from the official content management distribution site
  2. download the original items from the author’s own website
  3. be careful or refrain from using a search engine to grab your extensions from a possible blackhat SEO site

Stay safe out there.

Leave a Reply