
Non-conformist (1,581 Posts) · Discussion Starter #1
In the past, I have made recommendations to members here about using themes with WordPress. Those familiar with my posts also know that I am very apprehensive about free stuff on the Internet. The article linked to below will give you a good idea why.

Since I have given the advice to use themes for those seeking a DIY web site, here is a qualifier to go with that advice: Only use free themes from WordPress, NOT from other sites offering free themes!

Before you read the article below, I have a warning: It could be interpreted as scare tactics. IMO, there are things you should be scared about and this is one of them. But if you choose to classify every warning against potential disaster as a scare tactic, then you might not like this article.

Also be aware that it's very long and even technical, but you can get the gist of it very easily without having to go through all the details.

http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Obviously when hidden and malicious code is being embedded in freebies on the Internet, it will spread easily because freebies are a great way to bait people and spread a payload. What is dangerous here though is the potential for a company web site to be contaminating most visitors' (and customers') computers.

I've seen it happen here at CT many times, especially when reviewing sites for members here. My security software seems to be able to detect the kinds of threats talked about in the article. Don't count on an anti-virus to detect this kind of threat, it usually won't.

Every once in a while I get a site I can't access at all because my security blocks it entirely. What's more common is that it blocks only the threats so I can still see the page. Since there is nothing visible on the page when I get these alerts that matches what the alert is telling me is there, it's probably something very much like what the author of the article discovered.

Since the article is probably more technical than most members here are willing to subject themselves to, the takeaway value is that if you just assume your site using a free theme or template is safe, you could be guilty of putting malicious code on your customers' computers without knowing it. My security software has told me that some of you here are doing that. That's definitely not good for business.

This doesn't mean a paid theme is safe, but free is definitely risky, and that doesn't just apply to WP themes. I doubt most of you will want to talk about the technical side of this, but I figured you would find it worth knowing. It could help spare you from creating a poisonous web site. Or it could alert you to the mistake if you've already fallen victim to the ploy.
 

I own stock in FotoMat! (12,526 Posts)
Is it safe to update to 3.0 now?
 

Roofer with a vision :) (232 Posts)
That may be true for many WP "noobs". However, I've NEVER come across any "built-in Trojan downloads", or any redirects or other hackery.

Most I had to deal with was removing "built-in encrypted link" to some WP themes directory. I basically deleted all files that did not belong to the standard WP theme, and deleted encrypted crap from "functions.php" file.

With basic knowledge of HTML and understanding of how WP works, and the structure of pages - header -> content -> sidebar -> footer, you can easily modify any contaminated theme, by editing the above "files", and possibly deleting some unnecessary files.

I have modified more than a dozen themes, to fit my needs and to remove the "contamination". For example the theme I'm using on this rubber roof repair site - it may not be the best theme, but I really wanted that look at the time, so I downloaded it, and deleted all unnecessary crap. Similar story with this geothermal energy site. I found a theme I REALLY liked, which had encrypted link... had is a key word :clap:

After you clean the theme, just do "CTRL+U" to view the source code and scan it for any unnecessary links. It's very easy to do. Do F3 (find text) and search for "http://" - this will show you all links. If you see any that don't belong, either remove them or get rid of the theme if you can't.

Basically, I never had any serious issues. PS - I did not read the article, but am sure, some bastards go as far as injecting Trojans, hidden links and other crap.

@ tin man

> Steve, very good advice, if it's not from WordPress you're sure to have problems.

This is crap man - there are so many useful tools and great themes that are not on wordpress.org, but are still safe to use.

@ 480 - yea man ... I think you really should upgrade to latest WP (3.04 I believe) as older versions contain many security holes which hackers are aware of. Most WP installs will display the version, so it's easier to hack if you know the vulnerabilities. Of course you can manually hide it, as well as any mention of WP :)

I once had an incident where ALL my wordpress sites (about 10) hosted on MediaTemple got infected with a trojan download link injected at the end of each post / page / category, etc. I even had my programmer friend write a script which would delete the link from every table in the database. But that did not work 100% for some reason, and we had to delete this crap manually (what a pain in the @SS).

I complained to MT tech support, and they ended up fixing the issue, though they never gave me a good explanation as to why it happened in the first place. Like I said the link was injected into database - not the theme itself. But then as I tried to edit the theme files from different WP installs, Kaspersky AV would randomly tell me about possible virus, but then would tell me the file is clean... weird :whistling...

Anywho, I think it was the security hole in WP that allowed hackers to get access to the DB and insert the link... so yea - do upgrade, and of course back up your stuff first.
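The manual checks described in this post (stripping "encrypted" blocks out of functions.php, viewing the page source and searching for http:// links that don't belong, and hunting down a link that was injected into post content in the database) can be scripted. The Python below is an added example written for this thread, not code from the poster, from MediaTemple or from WordPress. The theme files, HTML page, database rows and the example.com/example.net/example.org hosts are constructed samples, and the list of obfuscation patterns is a heuristic of common hiding tricks, not anything WordPress publishes.

```python
"""Offline theme and content checker (added example, not from the thread).

1. find_obfuscation / scan_theme: flag PHP lines using constructs that are
   typically used to hide a payload in a theme file.
2. external_links: list href/src values pointing off-site, which is the
   "View Source and search for http://" check done programmatically.
3. flagged_rows: apply the same link check to post content rows, the case
   where the link lives in the database rather than the theme.
All sample inputs are constructed for this demo.
"""
import pathlib
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# PHP constructs commonly used to hide a payload. Heuristic only: a hit is a
# reason to open the file and read it, not proof of malice.
OBFUSCATION_PATTERNS = [
    r"\beval\s*\(",
    r"\bbase64_decode\s*\(",
    r"\bgzinflate\s*\(",
    r"\bgzuncompress\s*\(",
    r"\bstr_rot13\s*\(",
    r"\bcreate_function\s*\(",
    r"\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}",  # runs of hex-escaped characters
]

# Constructed stand-in for a theme's functions.php: ordinary code followed by
# the kind of "encrypted" block the post describes (payload is a placeholder).
SAMPLE_FUNCTIONS_PHP = """<?php
// Ordinary theme code (constructed sample).
add_action('widgets_init', 'theme_widgets');
function theme_widgets() { register_sidebar(array('name' => 'Sidebar')); }
// Constructed stand-in for an obfuscated block; the payload is a placeholder.
eval(base64_decode("UExBQ0VIT0xERVI="));
$f = "\\x65\\x76\\x61\\x6c";
"""

SITE_HOSTS = ["www.example.com"]  # constructed: the site's own host(s)

# Constructed rendered page: own-host assets, a relative link, a hidden
# off-site anchor and an off-site tracking image.
SAMPLE_HTML = """<html><head>
<link rel='stylesheet' href='https://www.example.com/wp-content/themes/t/style.css'>
<script src='https://www.example.com/wp-includes/js/jquery.js'></script>
</head><body>
<a href='/about/'>About</a>
<div style='display:none'><a href='http://sponsor.example.net/'>cheap stuff</a></div>
<img src='http://tracker.example.org/p.gif'>
</body></html>"""

# Constructed (post_id, post_content) rows as they might come out of wp_posts.
SAMPLE_ROWS = [
    (11, "<p>Plain post text with <a href='/contact/'>contact</a>.</p>"),
    (12, "<p>Roof repair tips.</p><a href='http://sponsor.example.net/'>x</a>"),
]


def find_obfuscation(php_source):
    """Return (line_number, snippet) for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if any(re.search(pat, line) for pat in OBFUSCATION_PATTERNS):
            hits.append((lineno, line.strip()[:80]))
    return hits


def scan_theme(theme_dir):
    """Map each PHP file under theme_dir (relative path) to its hits."""
    theme_dir = pathlib.Path(theme_dir)
    report = {}
    for php in sorted(theme_dir.rglob("*.php")):
        hits = find_obfuscation(php.read_text(errors="replace"))
        if hits:
            report[php.relative_to(theme_dir).as_posix()] = hits
    return report


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def external_links(html, allowed_hosts):
    """Absolute links whose host is not in allowed_hosts."""
    collector = _LinkCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    found = []
    for url in collector.links:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed:  # relative URLs have no host
            found.append(url)
    return found


def flagged_rows(rows, allowed_hosts):
    """IDs of content rows that carry an off-site link."""
    return [row_id for row_id, content in rows
            if external_links(content, allowed_hosts)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        theme = pathlib.Path(tmp) / "free-theme"
        theme.mkdir()
        (theme / "functions.php").write_text(SAMPLE_FUNCTIONS_PHP)
        (theme / "header.php").write_text("<?php wp_head(); ?>")
        for path, hits in scan_theme(theme).items():
            for lineno, snippet in hits:
                print(f"{path}:{lineno}: {snippet}")
    for url in external_links(SAMPLE_HTML, SITE_HOSTS):
        print("off-site link:", url)
    print("rows to inspect:", flagged_rows(SAMPLE_ROWS, SITE_HOSTS))
```

Point `scan_theme` at the unpacked theme directory and give `external_links` the rendered page (what CTRL+U shows, not the PHP) together with your own host and any CDN you use on purpose. A hit from either check means read that file or row before deciding; no hits does not prove the theme is clean, which is the point the article linked in the first post makes.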
 

Non-conformist (1,581 Posts) · Discussion Starter #7
> I did not read the article
That's something you might want to do. Not all the goodies hidden in contaminated themes will be obvious.

You're obviously more capable of detecting and deleting suspicious code than many of the members here. That makes you much less likely to get bitten, but if you read the article, you might be surprised by some of the tricks they use.

My bolded advice to only use themes from WP was primarily directed at less technical members here. There are other sites where you can get "clean" free themes, some are even mentioned in the article. But most contractors trying to build a DIY site with a WP theme and limited technical abilities shouldn't be taking risks. The themes on WP may not be as cutting edge as others out there, but those cutting edge features may not be anything more than fluff for a contractor site.

I agree that my post is primarily for the less techy members here, but paid themes are usually not very expensive. If you really need some of the nicer features, shelling out $25, or even $100 if necessary, should be something your business is worth.

Many of the free themes out there are contaminated knockoffs of paid themes. If you watch the video at the bottom of the article, you'll see an example of that where the author of the video recognized the theme and found the knockoff to contain added (and likely payloaded) code.

Even if you have the expertise to inspect and clean up a contaminated theme, is it really worth the trouble if you can get a clean one for 25 bucks?
 

Roofer with a vision :) (232 Posts)
@ cbs

ok, so I read the article.

pretty scary - I'm gonna go ahead, and wipe clean my hard drive and shut down my email and cancel my internet and read only Boston Globe from now on, and listen to music on vinyl records....

so what... there is about as much crap everywhere online, as is in wp themes - viewer's discretion is advised.

so it's all rosy and peachy... top 10 Google wp theme directories are contaminated... well ... I personally went through almost a hundred free themes and only 2 of them had encrypted code, which I just deleted and am now using those themes... and I used Google to find those themes... and usually found them on similar wp theme directories... only difference - I was searching something like "green wp theme"

another option as shown in the video, is to find a theme you like and find its original developer and get it there.

PS... I don't care about $25 for a good theme... I just have not found a good commercial theme which I liked... they are all too flashy and complicated for me... at some point I even posted on Craigslist looking for a wp theme developer, but no one responded, so I started modifying themes myself...

my friend hired a programmer in Ukraine who developed a theme for her Boston clown and magician website, together with graphics for $150 ... it is actually a heavily modified 2010 theme, but looks awesome imo... man they work for free in Ukraine :)
 

Non-conformist (1,581 Posts) · Discussion Starter #9
You're not overreacting a bit, are you, cool? :)

The clown and magician site looks very appropriate to the subject. Your friend got a nice job done, and I didn't get any security alerts.

I will say that's more daring than I would ever be though. Aside from parts of Asia, the former Soviet Union is probably an even bigger hotbed of computer fraud. Maybe I'm not being fair by not giving someone from that part of the world a chance, but when I say hotbed, that's an understatement. To my knowledge, more cyber attacks originate from there than anywhere else. I've known people in corporate security, and they could scare you a lot more than the article featured in this thread. You might seriously want to disconnect from the Internet after hearing what they deal with.

I'm surprised you couldn't find a WP developer though. If the need comes up again, let me know. I know a few, but they don't come cheap—definitely a lot more than $150. Life is brutal and poverty is rampant in the Ukraine for sure. It's no wonder they have so much alcoholism and crime there.

Since I mentioned in my OP about the security alerts I often get when visiting sites, many of them are linked to Russian domains according to my alert messages. I'm glad you found an honest vendor there though. It's not that I would ever doubt they exist, I'm just too cowardly to take that risk.
 

Working Hard & Smart (18 Posts)
I am looking for a good theme for a carpenter site. Needs to be black/yellow like the DeWalt colors. Need a good gallery system too. Any ideas without breaking the bank? I can install myself.
 

Premium Member (6,938 Posts)
> I am looking for a good theme for a carpenter site. Needs to be black/yellow like the DeWalt colors. Need a good gallery system too. Any ideas without breaking the bank? I can install myself.
If you can install yourself, you surely can edit a template to fit your needs. #CSS
 

Registered (207 Posts)
Take a look at the Adventure Journal theme. It's free. (I'd post the link, but haven't been active enough in the forum for permission to do so.) Just Google it. :)

There are a few gallery plug-ins to choose from that would work well with this (and other) themes.

I thought you might like the wood design of the background -- appropriate for a carpenter site, eh?
 

Non-conformist (1,581 Posts) · Discussion Starter #13
> I am looking for a good theme for a carpenter site. Needs to be black/yellow like the DeWalt colors. Need a good gallery system too. Any ideas without breaking the bank? I can install myself.
Like Cole said, don't worry about the colors. Look for something with the structure to suit your needs. Changing colors and graphics is easy. If you're not comfortable with customizing a theme, you can get that done at a reasonable rate.
 