For beginners, WordPress themes are not just images, icons and logos; they are programming code written in php. So a developer can essentially insert javascript and other frameworks to introduce certain functionality. Sliders, widgets etc are some of the common javascript nuggets inserted in the theme’s code. Hackers and spammers distribute free themes that have malicious code hidden in the free themes to gain a backdoor entry into the WordPress site and at times the server itself. Once installed in the blog, the embedded malicious code can then be used serve spam or inappropriate ads, redirect traffic to another website and to steal user data. Such mishaps can be avoided by ensuring that you follow the four simple steps briefed below:

1. Download themes directly from the Developer’s website

The most important and imperative thing to do is to download themes from the developer’s website. Famous developers like Bustatheme, Woo themes etc. release free themes from time to time. Hackers and spammers have a network of sites to aggregate, showcase and distribute these free themes to lure users. One famous example is wpsphere.com. So its very safe to download the theme directly from the developer’s site rather than a shady site. It does not make sense to download a Firefox browser from a warez forum rather than from Mozilla’s official website. Right?

2. Always use the WordPress theme repository or the built in theme browser

WordPress has an exhaustive collection of free themes in it’s theme repository. WordPress has ensured that all the themes uploaded are clean and are GPL(General Public License) compliant. GPL ensures that the theme is absolutely free with no strings attached.

In addition to the repository, WordPress team has integrated a theme browser in its core. So once you have the WordPress blog installed on your server, you can choose to select and install themes in a single click. To access the theme browser, login to the admin control panel and select the “Add new themes” from under Appearance on the left hand toolbar.

From there themes of various columns and colors can be installed. Installing a new theme as easy as clicking on a thumbnail.

Now if you have a theme installed in a WordPress blog sometime ago and not sure if the theme does not contain any malicious code, there is a plugin for that. Theme Authenticity Checker (TAC) plugin will scan all the theme files for potentially malicious or unwanted code and will let you know if there is any threat. The plugin can be downloaded from here. Alternatively,the TAC plugin can be installed directly from the built-in plugin browser in the WordPress control panel. Click on  “Add New” from under the Plugins section and search for TAC.

After installing the plugin, the TAC link can be found under Appearances section.

The result also shows the number of links that have been added in the theme’s code. To see what those links are, just click the details button and voila! we have all the external links.

Like themes, WordPress plugins are also available at all places. Steps 1 and 2 of this post also holds good for WordPress plugins. Always download the plugins from the author’s page or even better, download from the WordPress plugin repository.

After installing the plugin, the Exploit scanner option can be found under the Dashboard section.

Click on ‘Run the scan” to begin the exploit check.

If you find a compromised theme or plugin or a fake admin account, remove them and then please change the administrator password. In the long and short, whenever you plan to add a new theme or plugin, please follow the four tips, rinse and then repeat. It’s always better to be safe than sorry.