A red flag waving is how I saw Siobhan Ambrose’s post a few days ago on why you should never search for free WordPress themes in Google or anywhere else.

What Ambrose presents in her post is the result of some credible and compelling research she carried out into what could be going on behind the scenes and unknown to you in the WordPress theme you might be running on your blog if you obtained that theme as a result of, well, googling for one.

With copious screenshots (including the one above), Ambrose analyses ten WordPress themes that showed up in the search results when she typed the phrase into Google “free wordpress themes.”

Most of the the themes she downloaded, installed on a local test server and then ran through builtBackwards Theme Authenticity Checker and Donncha O Caoimh‘s Exploit Scanner showed that the theme authors concerned very clearly didn’t have your blogging interests at heart when they wrote and made available their themes.

Here’s one of her conclusions that’s typical of most themes she analysed:

[…] Nice themes but contain 5 backlinks to random people who you probably aren’t interested in linking to. It goes so far as to tell you that if you remove the links your theme won’t work. Of course, we know that this isn’t true – but a beginner WordPress user might think twice about removing them. As for the eval function, well it could be harmless but I don’t know enough about javascript (probably like many average WordPress users) to tell you if in this case it is or it isn’t.

My suggestion

Avoid!

Much of the issue with the themes that Ambrose writes about is that it’s hard to tell whether the stuff she uncovered is malicious or not. A lot of it is to do with Base64, an encoding scheme commonly used when there is a need to encode binary data that needs be stored and transferred over media that are designed to deal with textual data. This is to ensure that the data remains intact without modification during transport, and which may have a legitimate purpose. (That concise explanation comes from a detailed Wikipedia entry which you can read if you’re inclined to immerse yourself in a relatively complex technical subject.)

Still, as Ambrose points out, why would a theme developer include hidden code in a theme, with no explanation or notation about it anywhere in the theme documentation, including code that hides itself where you need a special software decoder to uncover it?

As a simple test, I ran the Theme Authenticity Checker plugin on my own blog. The themes I have installed including the one I’m currently using all came up clean: nothing going on in the background that rang any alarm bells. (Whew!)

I’m convinced that one reason for that is simple – every theme I have used in the past few years and use now are from trusted sources. That means either the WordPress Theme Directory or what I’ve discovered from friends’ recommendations.

So if you’re looking for a new theme for your blog, here are three tips:

1. If you’re running a recent version of WordPress, use the search capability within your WordPress dashboard. You’ll find it under Appearance -> Themes -> Install Theme. What that does is search the WordPress Theme Directory, a place you should have confidence in. Or just browse or search the directory directly (but doing it from within WordPress is likely easier for you as theme installation that way is automated).
2. If a friend or colleague has a design that appeals to you, ask them where they got it from (hopefully not by googling “free wordpress themes”).
3. Never download and install a theme that you find by googling “free wordpress themes” or variations of that – I googled “wordpress themes” and some of Ambrose’s results showed up there.

Check Amrose’s post for additional information including links for decoding tools, plugins and further reading.

Make sure you trust your sources. Stay safe!