Recently there has been a lot of buzz among WordPress users about the use of free themes. Some free themes were found to be malicious and included encrypted code. This has made theme users suspicious of theme creators.

Some bloggers don’t give proper credit to the theme creator and remove the creator’s name from the footer credits. This has caused a lot of theme designers to take this unusual step!

To keep some things in the theme hidden from the theme user, designers encrypt them and embed them in the theme. They place the encrypted code in a separate PHP file or in an important existing file of the theme. This encrypted code is not understandable to normal users.

What does this Encrypted code do?

This Encrypted code can do many things!

  1. It may cause your theme to work in a weird way.
  2. It may corrupt your database.
  3. It may let the theme developer hack the Internet accounts of your blog visitors.
  4. It may simply show the footer credits of the theme designer.
  5. It may produce no observable results at all.

Removing this encrypted code may cause your theme to show some annoying behavior. It may harm or destroy your database. It is also possible that the encrypted code is completely redundant and removing it won’t affect your theme in any way.

Isn’t it shocking? Of course, it is!

I have experienced this before in one of the themes I was testing for this blog! Let me share my experience with you.

I won’t disclose the name of the theme, but it was a freely available theme. It contained a file named RELAY.PHP. I was not able to understand anything from this file, so I consulted a good friend of mine named Shashank, who is a WordPress genius.

He examined the file and told me that the encrypted code in the theme was sending unusual information about my blog visitors to the theme developers. It was sending the following information about my blog visitors to the theme designer:

  • Server Address
  • Server Software
  • HTTP user agent
  • Server Signature
  • HTTP Referrer
  • Required URL

I was quite irritated upon hearing this and I inquired further about this topic. Shashank also told me that because of these requests by the encrypted code, I was unnecessarily wasting bandwidth. He also told me that removing this file from my theme wouldn’t affect the theme in any way because it did not contain any WordPress functions that my theme depended upon. So, I removed this Relay.php file from my theme and the theme worked fine even without it.

I faced such encrypted code yet again in one more theme! It was placed in the Header.php file, but to my surprise, it was affecting the footer of the theme. It contained the copyright information about the theme designer. Deleting the code caused my database to be deleted and I was left totally irritated. Thankfully, I was not testing it on this running blog.

How to find this encrypted code in WordPress themes?

There is a WordPress plugin named Theme Authenticity Checker (TAC), which checks all your uploaded themes for possibly malicious encrypted code. Using this plugin is highly recommended!

How to check what this encrypted code does?

Here are two online decoders (or decryptors, whatever you call them): Taree Internet Online Decode Tool and Raxor GzInflate Decryptor. For your general information, remember that these codes generally start with “eval(gzinflate(base64_decode(…” or “eval(gzinflate(str_rot13(base64_decode(…”. Strictly speaking, these functions encode and compress the code rather than encrypt it, which is why it can be decoded without any key.

I think now I have given you enough information about these malicious codes in WordPress themes. If you need some more, you can always ask in the comments!!
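An offline alternative to the online decoders, as an added example that is not part of the original post or of either tool: this Python script peels the two wrapper forms named above as plain data, layer by layer, and never evaluates the result. The regular expression, the function names and the sample string are assumptions made for illustration; only wrappers built from these three PHP functions around a literal string are handled.

```python
import base64
import re
import zlib

# eval( <decoder>( ... ( '<string literal>' -- matched as text, never executed.
WRAPPER = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|str_rot13|base64_decode)\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2",
    re.IGNORECASE,
)
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda data: data.translate(ROT13),  # byte-wise, like PHP
    "gzinflate": lambda data: zlib.decompress(data, -15),  # raw DEFLATE
}


def unwrap_once(source):
    """Decode the first wrapper found in `source`; None if there is none."""
    match = WRAPPER.search(source)
    if match is None:
        return None
    calls = re.findall(r"[a-z0-9_]+", match.group(1).lower())
    data = match.group(3).encode("ascii")
    for name in reversed(calls):  # the innermost call runs first
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace")


def unwrap(source, max_layers=20):
    """Peel nested wrappers; return (layers_removed, readable_source)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(source)
        if inner is None:
            break
        source, layers = inner, layers + 1
    return layers, source


if __name__ == "__main__":
    # Constructed sample: a harmless footer-credit line, packed the same way.
    deflate = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflate.compress(b"echo 'Theme by Example Designer';") + deflate.flush()
    sample = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(packed).decode()
    print(unwrap(sample))
```

Run it against a copy of the suspicious theme file, not on the live site; a layer count above 1 means the author nested the wrapper several times.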